microsoft word - interim report 05-11-2010 final. · web viewmicrosoft word - interim report...
TRANSCRIPT
Guidance for auditing disaster preparedness (draft)
INTOSAI WORKING GROUP ON THE ACCOUNTABILITYAND AUDIT OF DISASTER-RELATED AID
THE DRAFT GUIDELINES FOR AUDITING OF DISASTER PREPAREDNESS
October 2011
Antalya, TURKEY
Arife COSKUN - November 2010 version the draft guide for audit of disaster preparedness (0II.04)
Turkish Court of Accounts (TCA) Inonu Bulvari, No: 45, Balgat/ Ankara - Turkeye-mail: [email protected] Tel: +90 312 295 37 01
THE DRAFT GUIDELINES FOR AUDITING DISASTER PREPAREDNESS
CONTENT
Preamble
PART I: DISASTER PREPAREDNESS
1. Background
2. Purpose of the Guidelines
3. Issues to be Covered
Definitions of Disaster
Types of Disaster
Why Disaster Preparedness? Scope
of Disaster Preparedness
4. Specific Elements of Disaster Planning
5. Geographical Information Systems (GIS)
6. Government's Role
7. Role of SAIs
PART II: AUDIT OF DISASTER PREPAREDNESS
8. Introduction
9. Challenges for the auditor
10. Audit Mandate of SAIs
11. Types of Audit
12. Planning and carrying out audit work
Audit Approach/ Scope
i
Audit Objectives Audit
Methodology Audit
Criteria
Audit Findings and Recommendations
PART III: AUDIT PROGRAM FOR DISASTER PREPAREDNESS
13. Audit Program
14. Lessons Learned
ANNEXES
ANNEX 1: An example of governance structure - Canada ANNEX
2: Geographical Information Systems (GIS)
ANNEX 3: A case for understanding the organization and framework of authorities preparing for disaster
ANNEX 4: Audit Objectives - examples concerning disaster preparedness
ANNEX 5: Audit Criteria - examples concerning disaster preparedness
ANNEX 6: Audit Recommendations - examples concerning disaster preparedness
ii
Preamble
I. The INTOSAI Working Group on Accountability for and Audit of Disaster-related Aid (AADA) was
established as a successor to the INTOSAI Task Force on Tsunami Aid on which its knowledge was
based. The first meeting of the INTOSAI Working Group on the AADA was held by its chair, between
30 June and 2 July 2008 in Luxembourg. The participants at that meeting accepted the Work Program
(2008-2010), which was based on the Draft Work Plan for 2007-2010 and was drafted beforehand by
the Chair of the INTOSAI Task Force on the ADAA, taking into account the new developments in this
field.
II. In the Work Program (2008-2010), separate tasks and their descriptions were grouped into two work
packages in order to give a clear picture and develop a successful strategy for strengthening
accountability and creating an audit trail concerning audits of disaster-related issues. The first work
package deals with the development of guidance and good practice in the area of accountability; the
second one clarifies the development of guidance and good practice in this area by Supreme Audit
Institutions (SAIs). Work Package II is divided into nine different tasks that are to be prepared by sub-
groups. One of the tasks under Work Package II is the "Audit of disaster preparedness (0II.04)".
Turkey, Austria and Kenya are named as the SAIs responsible for this task. The Turkish Court of
Accounts (TCA) is leading the sub-group.
III. Firstly, a work plan for the study team was prepared, outlining the main activities and a timetable.
Then, literature was reviewed and samples of audit reports were examined. After the Working
Group's second meeting in Seoul, the audit of disaster preparedness team prepared a survey and
sent it to all INTOSAI members to gather information on their experience in this field so that it could
be reflected in these guidelines. A draft of the guidelines for auditing disaster preparedness was
prepared and circulated to members of the INTOSAI Working Group on the AADA for review and
comments after the third meeting in Lima, Peru. A second draft was improved in the light of the
feedback gathered. The current document is still a draft, and is not an official INTOSAI-endorsed
publication.
IV. The INTOSAI Working Group on the Accountability for and Audit of Disaster-related Aid (AADA)
wishes to express its appreciation for the contributions made by member Supreme Audit Institutions.
We would especially like to thank the following SAIs which replied to our survey.
1
The SAIs which replied to the survey
1. Australia European Court of Auditors 19. Lesotho 2 8 . Philippines2. Austria 11. Denmark 20. Macedonia 2 9 . Poland3. Bangladesh 12. Germany 21. Madagascar 3 0 . Saint Lucia4. Cameroon 13. Guatemala 22. Morocco 3 1 . Singapore5. Canada 14. Hungary 23. Netherlands 3 2 . Turkey6. Cape Verde 15. Japan 24. New Zealand 3 3 . Ukraine7. Czech Republic 16. Korea 25. Norway 3 4 . USA8. Egypt 17. Kyrgyz Republic 26. Papua New Guinea 3 5 . Yemen9. Estonia 18. Latvia 27. Peru
2
PART I: DISASTER PREPAREDNESS
1. Background
1.1 Disasters, most of which are natural, have occurred for centuries across the world. However,
owing to the risks arising from the advent of complex technologies and from dramatic
economic and social events in a chaotic environment, the world has been witnessing a new
type of disaster: the man-made disaster. Recent natural disasters, such as the Indian Ocean
Tsunami, Hurricane Katrina and the large-scale earthquakes and floods in Pakistan, Haiti and
China, as well as man-made disasters such as the Chernobyl Nuclear Accident and September
11 have thus affected many countries.
1.2 The global impact of natural and man-made disasters has dramatically increased over the last
few decades, owing to social, demographic, political, environmental and climatic factors. The
degree of vulnerability and exposure, leading to larger losses in the disasters, has also
increased considerably. Apart from the growth of urban development and population density
in exposed areas, the fact that large proportions of the world's population and assets are
concentrated near to the coast has also contributed to the rise in social and economic
devastation. The increasing uncertainty of weather patterns due to climate change and the
rise in terrorist attacks can be regarded as reasons, amongst others, for the big disasters.
1.3 200 million people are affected by natural disasters or technological accidents worldwide
every year. These catastrophes are responsible for huge losses of human life, homes and
livelihoods as well as for a vast number of injuries. In addition to the social damage they also
cause economic losses: 69 billion USD every year according to the EU Working paper on
"Disaster Preparedness and prevention (DPP): State of play and strategic orientations for EC
policy". The number of geophysical disasters reported over the last decade has remained fairly
steady, while hydro-meteorological disaster has increased since 1996. According to some
scientists this trend could further increase as a result of global climate change.
1.4 The growing impact of major disasters on economic and social life has led to demand for an in-
depth assessment of possible strategies to reduce their large-scale damaging effects. So,
international policies concerning natural and man-made disasters have been radically changed
over the last decade. Previous policies that allocated large resources to post-disaster relief and
reconstruction activities have proved inefficient without curbing the needs generated after the
disaster. The international community
3
has therefore altered the objectives of disaster policies in line with a strong determination to
reduce risks prior to any catastrophe. The Yokohama (1994) and Kobe (2005) Conferences and
the Hyogo Framework for Action (HFA) have set the new objectives, monitored by the UNISDR 4
(2000), for developing a Global Platform and demanding the formation of National Platforms,
the latter comprising not only the related official bodies but also NGOs and universities.
1.5 Despite the fact that some countries revised their disaster policies for risk mitigation after the
Global Platform (2007), which produced tenable results, many countries remain totally
opposed to the new policy. Most emergencies in the world are local in nature and are
managed at municipal or provincial/territorial level. However, certain risk factors increase the
potential for catastrophes to transcend geographical boundaries and to challenge the capacity
of federal and provincial/territorial governments, and sometimes the international
community, to manage emergencies. These risk factors include: increased urbanization, critical
infrastructure dependencies and interdependencies, terrorism, climate variability and change,
animal and human health diseases, and the increased mobility of people and goods around
the world. Taking measures against disasters concurrently is therefore important not only for
individual countries but also for countries in exposed areas.
1.6 However, risk reduction or mitigation policies call for new approaches, new methods and
expertise. The new policy requires a capacity for identifying various types of risks at different
levels, making projections of likely consequences, and also a capacity for devising methods to
avoid, reduce and share risks. This means recruiting an entirely different type of professional
expertise than that employed under the previous policies. Planners in particular are now
expected to have a dominant role to play under the aegis of a new global disaster policy. In
short, disaster preparedness that includes all these activities, such as risk mitigation and
prevention, requires a new management approach and, accordingly, a new audit approach.
1.7 In line with the emerging new disaster management approach, the INTOSAI Accountability for
and Audit of Disaster-related Aid (AADA) Working Group has tried to draw up guidelines so as
to improve the SAIs' auditing of disaster preparedness. Especially in times of a worldwide
financial crisis the effective and economic use of the financial resources put into disaster
preparedness deserves special attention. The financial resources at the governments' disposal
are becoming scarce, owing to the restricted spending policy of governments facing the
financial crisis. As a result of
4
4 The UN International Strategy for Disaster Reduction, "Hyogo Framework for Action 2005-2015: Building the Resilience of Nations and Communities to Disasters", http://www.unisdr.org/eng/hfa/hfa.htm, March 2010.
these developments, the audit of disaster preparedness has gained great importance for SAIs.
2. Purpose of the Guidelines
2.1 Guidance provided to SAIs for auditing disaster preparedness has an important objective:
encouraging SAIs and their auditees to take a more active role in preventing the impact of
natural events from turning into disasters.
• Lack of awareness of public entities that investing in disaster preparedness is more
efficient and effective than investing in disaster response. This lack of awareness/priority is
fostered by the fact that the added value of investing in disaster preparedness can only be
assessed when a disaster actually happens (and when it is in fact too late). Preparedness
costs, but its benefits may never occur (or in many years' time) or may not be clearly
visible.
• Lack of awareness of SAIs that they have a role which they should and can play in
prevailing upon governments to invest in disaster preparedness. This lack of
awareness/priority is exacerbated by the fact that we tend to look at ex-post events (after
disasters occur) and that we use public expenditure as the basis for selecting our audit
topics: if governments lack the priority for investing in disaster preparedness, they will not
invest in it and SAIs will not audit it.
• Complexity of assessing the quality of disaster risk assessment, disaster mitigation and
disaster prevention: this requires using other types of information (for instance,
geographical information, information about the probability of events, etc.) and
information from sources other than those normally used in audits (such as information
from more technical agencies, universities, international bodies). Examples from SAIs that
have experience in tackling this complexity can be very helpful for SAIs.
2.2 The purpose of this document is to give guidance to SAIs for auditing the preparedness of
governments for disaster and to help auditors draw up a framework for how to analyze
disaster preparedness. In this context a basic audit program has been developed. In order to
prepare this document, a questionnaire was compiled by the group and sent to the SAIs which
are members of INTOSAI. The information obtained from the questionnaire has been
incorporated into this paper, thus ensuring worldwide practicability. The SAIs may strengthen
their capacities in terms of methodology for auditing disaster preparedness; moreover, the
SAIs could be encouraged to initiate and implement concurrent and/or coordinated audits.
This document is expected to help the auditors and the SAIs with the following issues in this
field:
5
• Obtaining and documenting an understanding of disaster preparedness activities, the
organization and the framework of the authorities governing the actors;
• Establishing a preliminary view of the strengths and weaknesses of the overall control
environment;
• Providing information for our assessment of risk and the design of the audit studies;
• Establishing an effective and sound audit process;
• Forming a common basis for partnership audits among the SAIs.
2.3 Generally, it is expected that these guidelines will contribute to the efforts to reduce disaster-
related loss of life and loss of other social, economic and environmental assets worldwide. It is
also expected that forming a common basis for auditing disaster preparedness and actually
auditing these activities and the resources allocated to them will ensure that all parties, such
as governments, institutions, citizens and NGOs of donor and recipient countries, will support
disaster preparedness activities.
3. Issues to be Covered
Developing a more effective audit methodology requires good definition of the audit area. The starting
point is therefore to ask "what is disaster?" or, to put it differently, "What is disaster from the
SAIs' point of view?"
Definitions of Disaster
3.1 The UN International Strategy for Disaster Reduction (ISDR) defines disaster as: "A serious disruption of the functioning of a community or a society involving widespread human, material, economic or environmental losses and impacts, which exceeds the ability of the affected community or society to cope using its own resources."5 In many
international humanitarian aid policy documents, disaster is defined in a similar way to that of
the European Commission Humanitarian Aid Office (ECHO), the United Nations Office for the
Coordination of Humanitarian Affairs (UN-OCHA) and the Good Humanitarian Donorship
Initiative. In addition, the International Federation of Red Cross and Red Crescent Societies
(IFRC) adds that disasters, although often caused by nature, can be caused by human beings.
Many countries have their own definitions of disaster that are based on their experiences and
their environment. For example, Austrian Development Cooperation defines disaster as: "A disaster is sudden disruption of a community caused by loss of human life and/or property and/or infrastructure including essential services, which the community concerned can no
6
5 The UN International Strategy for Disaster Reduction, "UNISDR terminology on disaster risk reduction (2009)", http://www.unisdr.org/eng/terminology/terminology-2009-eng.html, March 2010.
longer cope with on its own in spite of coordinated use of all locally and regionally available resources."6 The variety of definitions is a good illustration of the broad range of possible disasters
and their complexity.
3.2 The widespread human, economic and environmental losses and the tremendous volume of
resource needs are highlighted in each definition. To cope with all these matters, governmental
departments at all levels have to undertake activities and, consequently, all these activities will be
within the audit scope of SAIs.
Types of Disaster
3.3 There are various types of disaster, such as earthquakes, tsunamis, volcanic eruptions, etc. They are
generally categorized into two main types: natural and man-made disasters. A natural disaster is the
consequence of a natural hazard that affects human life. Man-made disasters are caused by human
activities or negligence or involve the failure of a system. Indeed, there are no clear-cut differences
between natural and man-made disasters since many natural events turn into disaster owing largely
to failure to take precautions in time and mismanagement.
HYDROLOGICAL/METEOROLOGICAL TECHNOLOGICAL
(Windstorms, floods, tornados, droughts, etc.)(Nuclear weapons, nuclear plant meltdown, etc.)
NATURAL
DISASTERS
7
SOCIOLOGICAL
(Desertification, freezing, etc.)
CLIMATOGICALGEOPHYSICAL
►BIOLOGICAL
(Plagues, Epidemics, etc.) (Terrorism, Famine, etc.)
www.entwicklung.at/uploads/.. ./PD_International_humanitarian_aid_03 .pdf.
8
countries. Identifying human-induced root causes, and advocating structural and political
changes to combat them, is long overdue. For example, destruction of the natural
environment because of logging or inappropriate land uses for short-term economic gain is
one of the major factors causing floods or mudslides. Similarly, migration of populations to
urban and coastal areas increases human vulnerability. Accordingly, population densities
increase, infrastructure becomes overloaded, living areas move closer to potentially
dangerous industries, and more settlements are built in fragile areas such as floodplains or
areas prone to landslides. By the same token, in general, mismanagement of the economy and
resources - especially turning cultivated areas into urban areas - leads to widespread famine.
As a result, natural disasters affect more people and economic losses increase.
3.5 Disaster risk arises when hazards interact with physical, social, economic and environmental
vulnerabilities. For example, despite the fact that seismic activity has remained constant over
recent years, the effects of earthquakes on the urban population appear to be increasing. The
large majority of disasters are events of hydro-meteorological origin such as floods, droughts
and windstorms. Events of geological origin such as earthquakes are secondary to these.
3.6 The precautions taken by government institutions and their activities will be determined by
the disaster type. Depending on this, the management risks arise in different areas. For
example, for some disasters, such as famine or terrorist attacks, control risks may come to the
fore. For others, like earthquakes and tsunamis, the coordination risk might rank higher among
the management risks. A sound knowledge of disaster types is therefore vital for those
auditing disaster preparedness.
Why Disaster Preparedness?
3.7 Disaster mainly leads to the disruption of normal life; human effects such as loss of life, injury,
hardship and adverse effect on health; effects on social structure such as the destruction of or
damage to government systems, buildings, communications and essential services; community
needs such as shelter, food, clothing, medical assistance and social care. Furthermore, disaster
also leads to significant loss of infrastructure, population and government facilities. Because of
the increase in disaster frequency and the effects in terms of casualties and damage, disaster
preparedness, more specifically disaster mitigation and prevention, has gained importance in
recent years. The core idea is that the impact of disasters can be minimized.
3.8 As mentioned above, international policies concerning disaster management have radically
changed in the last decade. Correspondingly, disaster preparedness has gained great
importance within this new policy. Since disaster management was previously organized in
accordance with policies that allocated large resources to
9
post-disaster relief and reconstruction activities, the new policy requires big changes not only
in governmental departments, but also in national and international society. The success of
this transformation is closely connected with redefining governments' organization, work and
planning processes; developing an awareness of society and good governance; strengthening
critical infrastructure and adopting economic policy tools in accordance with the needs of
disaster preparedness. All these changes will undoubtedly compel the SAIs to review their
auditing in this field and to develop ways of auditing more effectively.
3.9 A government's approach to disaster preparedness should be determined bearing these factors in
mind. Naturally, the government approach will change depending on disaster types and their
probability and risk impact. As shown in Graphic 1, if the probability and risk impact of
Preparedness
3.10 The definition and scope of disaster preparedness can shape the roles and responsibilities ascribed
to the government in managing and the SAIs in auditing. For the purposes of this document,
disaster preparedness includes disaster prevention and disaster mitigation. According to the
UN International Strategy for Disaster Reduction (ISDR), Disaster Risk Reduction (DRR)
comprises the actions of preparedness, mitigation and prevention.
• Disaster prevention involves disaster mitigation and containment of destruction in the
face of acute risk factors. Disaster prevention also includes disaster preparedness
measures.
• Disaster mitigation consists of activities taking place before the occurrence of
unavoidable disasters to minimize damage caused by impending risks. Disaster mitigation
measures also reduce risks by lessening the vulnerability of households, infrastructure and
natural or economic resources.
10
SAIs too should be concerned
with disaster preparedness and
give priority to this subject within
the strategic plan and annual audit
program."
disaster were high, the
government would have to specify
the approach and take the
necessary precautions. From the
standpoint of the SAIs, this can be
read as "the
Definition and Scope of Disaster
• Disaster preparedness includes activities that prepare communities for a possible disaster
and improve the reaction of the various actors to such an event. These measures, like
disaster mitigation measures, reduce the impact of the disaster. There is an essential
difference: disaster mitigation measures often involve a reduction in the disaster risks
themselves, whereas the aim of disaster preparedness is to ensure that the various
stakeholders are not caught unprepared by the disaster and that assistance is provided in
a coordinated manner.7
3.11 According to the EU working paper, disaster preparedness comprises "organizational activities
which ensure that the systems, procedures and resources required to confront a natural
disaster are available in order to provide timely assistance to those affected, using existing
mechanisms wherever possible (e.g. training, awareness raising, establishment of disaster
plans, evacuation plans, pre-positioning of stocks, early warning mechanisms, strengthening
indigenous knowledge)."
3.12 Disaster preparedness encompasses disaster
mitigation and disaster prevention. Disaster
mitigation describes measures taken before
disasters which are intended to reduce or eliminate
their impact on society and environment. These
measures reduce the physical vulnerability of
existing infrastructures or of vulnerable sites, which
directly endanger the population (e.g. retrofitting of
buildings, reinforcing "lifeline" infrastructure).
Disaster prevention comprises activities conceived
to ensure permanent protection against a disaster. They include engineering, physical
protection measures, legislative measures for the control of land use and codes of
construction. These activities reduce physical vulnerability and/or risk exposure by providing
new infrastructures, improving existing infrastructures and through sustainable development
practices. 8
3.13 In the light of these definitions, disaster preparedness may be seen as an umbrella concept
including risk assessment, disaster prevention and disaster mitigation. In reality, many actions
that are being taken with the aim of preparing for disaster at the pre-disaster stage consist of
a mix of both mitigation and prevention. The SAIs'
11
7 The European Commission on EU Strategy for Disaster Risk Reduction, 15/4-2008 and Austrian Development Cooperation, "International humanitarian aid policy document", Vienna, March 2009, p.9.
8 The European Commission on EU Strategy for Disaster Risk Reduction, 15/4-2008 and Austrian Development Cooperation, "International humanitarian aid policy document", Vienna, March 2009, p.9.
auditing of disaster preparedness therefore covers all activities that prepare communities, the
economy and the environment for a possible disaster.
4. Specific Elements of Disaster Planning
4.1 Carrying out disaster management activities (pre-disaster, during the disaster and post-
disaster) effectively is ensured by means of comprehensive and integrated planning and sound
risk assessment. These plans are the essential tools guiding the institutions with a role in the
disaster management process. They ensure that timely, proactive and forward-looking
precautions are taken. Broadly speaking, they are the tools for responding most appropriately
to every stage of disaster management. For disaster preparedness, the disaster plan is the
single most important tool. The auditor should therefore pay special attention to the disaster
plans in order to evaluate the activities and transactions of disaster management at the pre-
disaster stage.
Disaster Management Law
4.2 To take disaster preparedness measures before a disaster and to take the necessary action
during the disaster, it is first necessary to clearly determine who is responsible for what. In
order to clarify these issues, countries mostly enact a basic national law covering the general
framework of disaster management. Such a law generally includes the following provisions:
• Developing a national disaster
management policy,
• According to this national policy, preparing
national plans and programs,
• The general framework of
responsibilities and roles of the
institutions involved in the disaster
management and the arrangements for
coordination between these
institutions, etc.
National Disaster Plans
4.3 As mentioned above, most disaster management legislation includes provisions for the
preparation of a national plan9. These are often entitled "National Disaster Management Plan",
though their names differ from country to country. They generate national strategies including
a basis for setting priorities for all functions of
12
Canada: The Emergency Management Act of August 2007 governs the national leadership responsibility of the Ministry of Public Safety for emergency management and for conserving critical infrastructure. It also defines cooperation between the federal ministries.
Sri Lanka: The Disaster Management Act of May 2005 governs the establishment, responsibilities and duties of the National Council for Disaster Management and the Disaster Management Center and the preparation of disaster management plans.
9 Hereinafter "National Plans" are referred to as "National Disaster Plans".
disaster management by considering all national and international risks. The National Disaster
Plan covers all the actors and activities in the field and provides coordination between the
related institutions. By virtue of these features, national disaster plans are the main
documents for auditing disaster preparedness.
4.4 In many countries which are advanced in terms of disaster management, a national disaster
plan is prepared with the aim of drawing up a general framework for disaster management. In
addition to this plan, implementation plans, known as the specific plan, operation plan or
emergency plan, are made. On the other hand, in countries which are setting up disaster
management and especially in those that have a more simple governmental structure,
national disaster plans are rather like operation plans.
4.5 Disaster management activities including disaster preparedness are carried out at every level,
from the public sector to the private sector, from non-governmental organizations to
individuals. Generally, coordination provided as the main function of the primary organization/
institution responsible is envisaged in the national plan. How best to perform disaster
management activities in a coordinated manner is indicated in the national plans. Accordingly,
the primary components of a national plan include:
• National Strategy: When determining the national strategy, it is critically important to
assess the potential threats and weaknesses with which the country may be faced. Hazard
mapping, disaster databases and impact analysis are the tools available for making risk
assessments.
• Priorities: In the context of disaster management planning, priorities are also set by using
the results of risk assessments. When making national disaster plans, it is of prime
importance that priorities are determined
rationally, taking account of limited
resources.
• Coordination: Comprehensive
coordination at all stages of disaster
management -pre-disaster, during disaster and post-disaster - is essential for carrying out
the activities and fulfilling the responsibilities which are shared among many institutions.
National plans define the coordination tools, such as meetings and setting up committees.
• Governance structure: Governance is a key element in implementing disaster
preparedness properly and involves a set of relationships between different levels of
government. Governance also provides the structure through which the
13
In Canada strategies are determined and actionplans are designed for 10 sectors which areprioritized as "critical infrastructure".The sectors include Health, Information andCommunication, Technology, Energy andUtilities.
4.6 In addition to the National Disaster Plans, the institutions that are responsible for disaster
management functions make plans and programs related to their fields of responsibility. These plans
can vary
depending on the executive authorities and/or
disaster types. Some examples are as follows:
• Departmental/operational/ emergency management plans, made
by institutions/local authorities,
• Specific plans/strategies, designed for specific disasters to which countries attach importance,
• Business continuity plans which are related to disaster preparation, and
4.7
• Action plans which will be applied
during a disaster.
As disaster management becomes more
important, disaster preparedness
activities figure largely in all types of
disaster plan. Consequently, in many
countries,
In Canada, a "Federal Emergency Response Management System" has been established
and, within this structure, the coordination tools and processes are defined. On the one hand, "the management team", which is composed of delegates of the institutions involved in disaster management, collects the needs of the performers. On the other hand, it issues guidance to them regarding cooperation and coordination.
14
objectives are set, and the means of attaining those objectives and monitoring performance
are determined. For this reason, it is essential to create a governance structure in which
corporate responsibility areas are defined exactly. National plans define the primary
functions of disaster management and the organizations that are responsible for performing
these functions. Indeed, there is no single, specific model of good governance for disaster
preparedness. Therefore, examining the legal, institutional and regulatory framework in the
light of the different models that exist helps the auditor identify some of the common
elements underlying good governance. (See Annex 1 for an example.)
Guidance: National disaster plans guide the responsible institutions in their disaster
management work. Within this scope, the corporate aims and goals, risk assessments, etc.
determined in the corporate disaster plans should be aligned with the national plan's
strategy. Therefore the planning, monitoring and reporting capability of the main institution
responsible for national disaster planning should be optimal, with additional resources
provided if necessary.
Sub-Plans
In Canada, a "National Disaster Mitigation Strategy" is prepared and the mitigation activities are carried out in accordance with this plan. Similarly, one of India's disaster preparedness plans is "Preventive/Protection and Mitigation from Risk of Tsunami".
operational plans are being developed along these lines and disaster preparedness activities
come to the fore. The common points of sub-plans can be summarized as follows:
• Coordination: As in the national disaster plans, coordination is the primary factor in the
sub-plans. Carrying out the activities of the institutions which have a broad array of roles
and responsibilities in the field is crucial for the sub-plans, which are operation oriented.
In order for there to be effective disaster management, including preparedness, activities
such as policy, planning, risk assessment, training, public awareness-outreach and
protection of critical infrastructure need to be carried out in a coordinated manner by the
stakeholders in the field. For example, the "Istanbul Provincial Disaster and Emergency
Directorate" was established and the main purpose of this body is to ensure coordination
and cooperation between the related institutions in this region. To do this, the Directorate
uses telecommunication tools and information systems.
• Risk assessment: The sub-plans specify probable risks - generally the risk assessment
tool for natural disasters is hazard mapping, for man-made disasters the appropriate tools
are monitoring and reporting - and, in addition, vulnerability assessments are made; for
the purposes of these assessments, preparedness
is tested through practical applications.
Training: Training is another important issue covered by
sub-plans. Many countries have a training unit which
organizes the training activities related to each stage
of disaster management. For example, the
Emergency Management Institute in Australia has such a training unit. Additionally, sub-
plans emphasize the need to prepare training programs concerning specific subjects. For
example, in Canada the "Emergency Management Training Program" and the "Chemical,
Biological, Radiological, and Nuclear (CBRN) First Responder Training Program" are
prepared to be used for training qualified personnel who will be employed in disaster
preparedness activities.
Public awareness: In the context of disaster preparedness, public awareness concerning
disaster should be raised in order to reduce the adverse affects of disasters. Raising public
awareness requires all the authorized institutions in this field, the private sector and NGOsIn Australia "Emergency Action Guides" are developed and
each action guide offers clear and concise information on how to be prepared for, what to do during, and what steps to take after a major hazard.
15
Tsunami Risk in India and the Tools for its Assessment
• Tsunami Hazard Map• Tsunami Vulnerability Assessment• Tsunami Risk Assessment• Practical Applications
to work in coordination and
cooperation. For this purpose, disaster
guidelines giving
information and advice about the actions to be taken pre-disaster, during disaster and post-
disaster are prepared- Public awareness-raising programs are also being arranged.
• Critical Infrastructure: This is a service, facility or a group of services or facilities, the loss
of which will have severe adverse effects on the physical, social, economic or
environmental well-being or safety of the community.10 The risks to critical infrastructures
have to be identified and managed in an appropriate way. To reinforce the critical
infrastructures by minimizing the risks affecting them, it is critically important that
governments, local governments and especially the critical infrastructure owners and
private business managers should work in cooperation.
• Measures: In operational plans, there are some general and specific measures that have
to be taken during the disaster management process. These are structural measures
especially for natural disasters, such as the reinforcement of existing buildings, the
construction of disaster-resistant buildings and evacuation of residential areas before
and/or during disaster.
India Specific Measures for Safety from Tsunamis
• Tsunami Effects and Design Solutions• Specific Design Principles for Tsunamis• Know the Tsunami Risk at the site• Avoid new developments in Tsunami Run-up Areas• Site Planning Strategies to reduce Tsunami Risk• Tsunami Resistant Buildings - New Developments• Protection of existing buildings and infrastructure - Assessment, Retrofit, Protection measures• Special Precautions in locating and designing infrastructure and critical facilities• Planning for Evacuation
4.8 Under the new global disaster policy and disaster preparedness management, planning is of crucial
importance. Auditors should therefore pay special attention to all types of disaster plans
during audit work on disaster preparedness. To evaluate the disaster plans, examining similar
plans at international level and making comparisons with them will provide good benchmarks
and will facilitate the auditors' work.
16
10 Critical Infrastructure Emergency Risk Management and Assurance Handbook, Australia 2004.
5. Geographical Information Systems (GIS)11
5.1 In general terms, Geographic Information Systems (GIS) are applications which integrate,
store, analyze, manage and present data that are
linked to location. They are used in various areas,
such as cartography, remote sensing, land
surveying, utility management, navigation,
geography, urban planning and emergency
management, etc. Like many disciplines, auditing
can also benefit from GIS technology. This is
because GIS technology enables users to create
their own searches and analyze spatial information,
edit data, maps, and present the results of all these
operations. For example, GIS might enable
emergency planners to easily calculate emergency response times in the event of a natural
disaster.
5.2 The ability of leaders and administrators to make sound disaster management decisions, to
analyze risks and decide upon appropriate counter-measures can be greatly enhanced by
cross-sector integration of information.13 GIS technology is used to combine information on
natural hazards, natural resources, population, and infrastructure, etc. easily, precisely and in a
timely manner. This combination of information can help to identify areas where further
hazard evaluations are required, areas where mitigation strategies should be prioritized and
less hazard-prone areas which are most suited to development activities.14 Basically, GIS can:
• improve the quality and analytical power of natural hazard assessments and risk
assessments,
• guide development activities, assist planners in selecting mitigation measures and in
implementing preparedness and response actions.15
17
GIS12 is an integrated collection of computer software and data used to view and manage information connected with specific locations, analyze spatial relationships, and model spatial processes. GIS technology integrates common database operations, such as query and statistical analysis, with the unique visualization and geographic analysis benefits offered by maps.
11 See Annex 2 for examples.12 ESRI, Geographic Information Systems and Pandemic Influenza and Response, s.6.13 Rego, Aloysius J, "National Disaster Management Information Systems & Networks: An Asian Overview",
Primer on Natural Hazard Management in Integrated Regional Development Planning, "Geographic Information Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).
15
Primer on Natural Hazard Management in Integrated Regional Development Planning, "Geographic Information Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).
5.3 All these characteristics make GIS one of the most important tools for effective disaster
management, development planning and decision making. Important in terms of auditing, GIS
include important tools for selecting samples in performance audit studies on disaster
preparedness.
Risk Assessment-Prediction
5.4 On the other hand, GIS technology can be used for natural hazard assessments to show where
hazardous natural phenomena are likely to occur. This, combined with information on natural
resources, population and infrastructure, can make it possible to assess the risk posed by
natural hazards and to identify critical elements in high-risk areas. This information can then
be used to formulate less vulnerable development activities and/or mitigation strategies to
lessen vulnerability to acceptable levels.16 Also, the auditors can benefit from this information
when assessing risk mitigation strategies and activities.
5.5 In the audit work on disaster preparedness, the evaluation of risk assessment, risk analysis and
vulnerability assessment will depend on whether GIS are used, and also on whether the
elements of GIS that exist are suitable for use in the process of disaster preparedness or not.
This is rather important to ensure in terms of efficiency and effectiveness.
Planning
5.6 With GIS, it is possible to analyze an almost unlimited number of factors associated with
historical events and present conditions, including present land use, presence of
infrastructure, etc. So planners can use GIS to draw up specific mitigation strategies for
disaster prevention activities. At national level, GIS can be used to provide general
familiarization with the possible disaster area, giving a reference to the overall hazard
situation and helping to identify areas that need further studies to assess the effect of natural
hazards on natural resource management and development potential17.
5.7 For example, in Indonesia, the GIS activities aim to develop risk maps at national, provincial
and district level. The national and provincial-level maps are used to determine priority
provinces and areas for disaster management activities, planning and installation of early
warning systems. The district-level maps are used for district contingency planning. Under this
system, a number of modules on Forest Fires,
18
Primer on Natural Hazard Management in Integrated Regional Development Planning, "GeographicInformation Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).17 Primer on Natural Hazard Management in Integrated Regional Development Planning, "GeographicInformation Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).
Earthquakes/Tsunami, Volcanic Eruption and Social Unrest have been developed for building a
database system in an internet mode.18
5.8 When known hazards and potential sources of disasters are mapped, better decisions and
plans can be made. The role of mapping has many aspects and influences the performance of
systems in many ways: 19
• It improves the ability of decision makers, planners, academics, researchers and care
professionals to organize and link thematic and spatial datasets.
• It makes it possible to create relations between datasets that may seem unrelated without
using the geographical dimension. These links help in discovering and creating new
knowledge which can be translated into action or policies.
• Mapping enables professionals to understand complex spatial relationships visually, and
as planning has an element of informed prediction, mapping can be a powerful tool for
forecasting and trend analysis.
5.9 As we know, planning underlies the activities of disaster preparedness. Hence, the auditors
should examine all kinds of plans and the process of planning. For evaluating the plans, GIS will
help both the auditors and the planners.
6. Government's Role
6.1 Disaster risks arise when hazards interact with physical, social, economic and environmental
vulnerabilities. In this context, disaster preparedness is a cross-cutting issue covering most
activities of government and is multi-sector and inter-disciplinary in nature. It is widely
acknowledged that efforts to get ready for disaster must be systematically integrated into
policies, plans and programs and supported by national and local governments, the
international community, the private sector, civil society and even private individuals.
Organizing and coordinating all these efforts and institutions requires great power. Only
governments have the power and capacity that is needed.
6.2 Governments play a major role in laying down policy, the institutional framework and
programs for disaster preparedness as part of disaster management. The tasks assigned to
governments in respect of the common organizational procedures of disaster preparedness
cover alarming, evacuation, supply and assessment of the situation. In this context,
governments should identify risks, assess and monitor them properly and develop a
governance model for all the actors concerned, consisting of government institutions, regional
and local organizations and civil society, including volunteers, the private sector and the
scientific community.
19
18 Rego Aloysius J, "National Disaster Management Information Systems & Networks: An Asian Overview",s.3.Al-Shorbaji, Najeeb: "Use and potential of geographic information systems for health mapping in theEastern Mediterranean Region", s.3.
6.3 Achieving disaster preparedness objectives requires the full commitment and involvement of all the
actors concerned. So following a more pro-active approach to informing, motivating and
involving people in all aspects of disaster preparedness will be important. The scarcity of
resources allocated specifically to disaster preparedness is also another important issue. To
ensure the effectiveness of disaster preparedness, governments should specify the needs and
make national and preparedness/mitigation/emergency plans and monitor all work
undertaken by the different sectors regularly. This means that governments are involved in all
activities concerning disaster preparedness.
7. Role of SAIs
7.1 The government's role may also vary according to the different ways a state can be affected by
disasters. The different roles also determine the government's scope of action, the tasks it has
to fulfill and, in consequence, the challenges for SAIs regarding their audit. The results of the
survey conducted among INTOSAI members show that the majority of SAIs, about 75 %, have
experience of auditing disaster-related aid. Approximately 43 % of this experience was in the
disaster preparedness field including disaster mitigation. SAIs have a significant role in
assisting governments in carrying out their role and responsibilities by auditing whether the
aid and funds allocated for disaster preparedness were used efficiently and effectively for the
purposes intended. So disaster preparedness should take greater place in the SAIs' audit work
programs.
Phase of Disaster Management that SAIs audit
7.2 More generally, a distinction can be made between whether the disaster preparedness aims to
cope with a disaster on the territory of the country itself or in another country. The tasks
naturally differ in the one case or the other.
• Disaster preparedness (limited dimension): the country is able to deal with the
consequences of the disaster on its own;
20
• Disaster preparedness (large-scale dimension): international help and aid are necessary,
raising questions regarding international cooperation and coordination;
• Disaster preparedness for the protection of citizens in a foreign country: actions of one
country are to be taken on the territory of another country hit by a disaster, if citizens of
the former are in danger (e.g. evacuation of the country's citizens);
• Disaster preparedness for participation in an international response to a national/regional
disaster.
Stakeholders will also vary in terms of their size and involvement is possible disaster. Taking this
into account, SAIs should design and conduct their audit and give assurance to all stakeholders
that the funds received have been utilized effectively, efficiently and economically. On the
other hand, audit of disaster preparedness requires a capacity for identifying various types of
risks at different levels, assessment of projections and plans for likely consequences and of
management tools and methods to avoid, reduce and share risks.
7.3 As we know, there is an intricate structure in the humanitarian sector, with multiple donors and
recipients at national and international levels. Many actors, such as national and local
governments, the international community, the private sector, civil society and even private
individuals are thus involved in and support disaster preparedness work. Each actor concerned
will be audited by different institutions and subject to a different audit process. This being so,
assuring accountability of funds allocated to disaster preparedness will be difficult. For these
reasons, SAIs should draw up a framework for efficient and effective auditing, taking into
account international measures to improve accountability and transparency in disaster
preparedness. This means that a good relationship and cooperation between SAIs and other
audit institutions, especially internal audit, has great importance in this area.
21
PART II: AUDIT OF DISASTER PREPAREDNESS
8. Introduction
8.1 Disaster mainly leads to disruption of normal life; the impact on human life consists in loss of
life, injury, hardship and adverse effects on health; the impact on social structure involves the
destruction of or damage to government systems, buildings, communication networks and
basic services; community needs such as shelter, food, clothing, medical assistance and social
care. Because of an increase in the frequency and effects of disasters, disaster preparedness,
including the activities of mitigation and prevention, has gained importance in recent years.
Briefly, the idea is that the impact of disasters can be minimized.
8.2 It is obvious that activities aimed at disaster preparedness will involve the fields of finance,
legislation, governance, education, management and society as a whole. Transparency and
accountability in these areas call for audit work to be carried out, especially as regards
performance and finance. As stated in the draft audit guidance on disaster-related aid of 2
June 2009, the great impact of disasters results in billions of US$ of emergency humanitarian
aid to the affected countries. Audit scope and type as well as cooperation between SAIs have
become more important because aid appears in many shapes and forms: from different donor
countries, national and international organizations, emergency relief organizations, etc.
9. Challenges for the auditor
9.1 The auditor needs to take disaster preparedness as an umbrella concept and keep in mind that in
reality many actions include a mix of both mitigation and prevention. In this framework, the
auditor should try to:
• Designate the organizational structure and main activities which ensure that the systems,
procedures and resources fulfill the disaster preparedness requirements such as training,
awareness raising, establishment of disaster plans, evacuation plans, pre-positioning of
stocks, early warning mechanisms and, lastly, strengthening local knowledge. This concept
includes, in particular, preparedness focused on enabling communities to help themselves
in the event of a disaster and financial preparedness in order to absorb the effects of a
disaster without creating undue macro-economic or budgetary problems (e.g. budgetary
provisions, contingency financing, stand-by agreements, risk assurance).
• Specify the measures taken before disaster which are intended to reduce or eliminate
their impact on society and environment. These measures reduce the physical
vulnerability of existing infrastructures or vulnerable sites which directly
22
endanger the population, e.g. retrofitting of buildings, reinforcing lifeline infrastructure.
• Determine the prevention activities conceived to ensure permanent protection against a
disaster, including engineering, physical protection measures, legislative measures for the
control of land use and codes of construction. These activities reduce the physical
vulnerability and/or exposure to risks through infrastructure.
10. Audit Mandate of SAIs
10.1 As mentioned above, many actors such as national and local governments, the international
community, the private sector, civil society, etc. are involved in disaster preparedness work. In
many countries, the SAIs' mandate does not cover all the activities and organizations involved
in disaster preparedness. To ascertain this fact, the adequacy of the audit mandate of SAIs was
assessed as part of the survey.
Part A Question 6: In your country, which disaster-related aid activities by funding source are considered as public domain that your SAI has a mandate to audit (you may select more than one options)?
Government Institutions 27 90,0%People/community 5 16,7%Organizations/private entities 5 16,7%Local Non-governmental Organizations (NGOs) 8 26,7%Foreign Governments 12 40,0%Foreign NGOs 4 13,3%International Institutions/donors 12 40,0%International Financial Institutions 13 43,3%Others 6 20,0%
According to the results of the survey carried out by the INTOSAI WG AADA, the SAIs mostly have a
mandate to audit government institutions; 40 % of them can audit the funds of foreign
governments, international financial and other institutions/donors. A few have a mandate to
audit NGOs and private entities, especially foreign ones. This means that the mandates of SAIs
do not cover all areas related to disaster preparedness as a whole. However, if the SAIs carried
out a joint audit, this gap could be overcome.
10.2 Not only the legislative body and government but also donors and stakeholders need
information on:
23
• Whether the funds are being used as intended,
• Whether the funds and aid provided have been spent in the most efficient and effective
manner.
However, one of the major problems in this area is the lack of a single and reliable information source,
thus hampering accountability and transparency. In addition, each actor concerned will be
audited by different institutions and be subject to a different audit process; thus, no single
audit institution has comprehensive and reliable information about the funds allocated and
activities concerning disaster preparedness.
10.3 The SAI is the only institution with the potential to audit all the structures concerning disaster
preparedness. If this is not yet the case, the SAI's mandate should therefore be extended and
broadened so as to involve all relevant institutions in its scope. The survey results collected by
the INTOSAI WG on the AADA show that approximately 40 % of the SAIs did not have access to
relevant audit reports such as those prepared by the governmental internal auditors, public
accounting firms, the provincial auditor general, the external audit function, the office of the
inspector general and special governmental commissions, etc.
The SAIs' right of access to audit reports prepared by the other institutions
SAIs should have full authority to access all kinds of information concerning the subject, including
internal and external audit reports, as well as having an audit mandate that covers all
activities. It is not possible to prepare a proper, sound audit report and to create trust in the
SAIs' work relating to disaster preparedness on the basis of unreliable and incomplete
information.
11. Types of Audit
11.1 When auditing disaster preparedness, the SAIs can perform all types of audit. Many SAIs
perform both financial and performance audits in the field of disaster
24
21%
21%
preparedness. In addition, a few SAIs perform a mixed type of audit, which does not conform
to INTOSAI auditing standards and guidelines. However, finding a common basis for this audit
will be extremely difficult.
11.2 SAIs have carried out financial and performance audits at almost the same rate. In the field of
disaster preparedness, the tendency is towards performance audit. The survey results show
that 61% of the disaster-related audits carried out by SAIs have been performance audits. Is
this type of audit more suitable and what types of audit should be conducted in the field of
disaster preparedness? This issue will be handled in the light of the INTOSAI auditing standards
and guidelines predominantly for performance audit.
Types of Audit at the Preparedness Stage
11.3 Financial audits are not directly performed on disaster preparedness transactions. Generally,
transactions concerning disaster preparedness are examined within/by routine and annual
financial audits of the governmental department/institutions. Occasionally, financial audits on
funds allocated to disaster preparedness or to foreign-aided projects are carried out directly
by SAIs. Financial audits therefore do not meet all donors' and stakeholders' needs. Unlike
financial audit, performance audit directly covers all aspects and activities of disaster
preparedness management and reports as a whole.
11.4 As stated before, in many countries, the SAIs' mandate does not cover all the activities and
organizations involved in disaster preparedness. 60 % of the SAIs have right of access to audit
reports prepared by other institutions. In spite of this, the SAIs20
have relatively extensive access to sources of information and data . It can therefore be said that
performance audit is more suitable for directly examining the disaster preparedness field and,
moreover, the activities and organizations that lie outside the SAIs' mandate can be shown by
performance auditing. However, the SAIs should
25
Performance 61%
Financial39% ,
20
See INTOSAI Auditing Standards, paragraph 1.0.33; "The SAI must have access to the sources of information and data as well as access to officials and employees of the audited entity in order to carry out properly its audit responsibilities. Enactment of legislative requirements for access by the auditor to such information and personnel will help minimise future problems in this area."
focus on the risks involved in disaster preparedness and decide on which type of audit will be applied in
accordance with the purpose of the audit.
12. Planning and carrying out the audit work
12.1 According to the INTOSAI Auditing Standards (AS 3.1.1), the auditor should plan the audit in a
manner which ensures that an audit of high quality is carried out in an economic, efficient and
effective way and in a timely manner. Especially in performance auditing, a well thought-out
plan is indispensable. Careful advance planning will prevent possible problems arising at a
later stage in the auditing. Before starting the audit study, it is consequently important to
define the audit objectives, the scope, and the methodology to achieve the objectives.21
12.2 After obtaining enough background information and knowledge about the audit environment,
the auditor should specify the risks to economy, efficiency and effectiveness (the 3Es).
Depending on disaster types and their probability and the risk impact, the management risks
to the 3Es will arise in different areas. Organization, planning, monitoring, control,
coordination, lack of a sound disaster management information system, etc. are principally the
risks to the 3Es in this field. Some of them might predominate, depending on the types of
disaster. They will show the auditors the gaps and unmanageable areas and issues regarding
disaster preparedness within disaster management.
12.3 As Figure 1 shows, there is a strong correlation between the risks to the 3Es and the audit
criteria and recommendations. For this reason, specifying the risks to the 3Es is very important
for designing a sound audit study on disaster preparedness. As we know, audit criteria show
"what should be". The risks to the 3Es indicate the area for setting the criteria, and also for
producing recommendations to resolve identified areas of poor practice.
26
21 INTOSAI Implementing Guidelines for Performance Auditing, Part 3 p. 3.3 July 2004. "What does planning of individual performance audits involve?"
Audit Approach/Scope
12.4 In the audit studies, for both financial and performance auditing the SAIs should apply
traditional audit approaches.22 For example, Turkey used a risk-based audit approach in the
performance audit study concerning disaster preparedness entitled "How well is Istanbul
getting prepared for the earthquake?" During their enquiries, the auditors tried in particular to
detect problems and drawbacks in the implementation. This audit approach helped the
auditors to determine the most risky activities and areas. On the other hand, Kenya's reports
in the financial audit field are based on a systems audit to establish the effectiveness of the
internal controls and an audit of the financial statements drawn up for the funds allocated to
disaster management. The reports on financial statements give an opinion as to the fairness
and truth of the financial statements.
12.5 As seen in these examples, the audit approach does not change in financial audits, because
transactions concerning disaster preparedness are examined as part of the routine and annual
financial audits of the governmental department/institutions. In contrast to financial auditing,
the audit approaches in performance auditing can change depending on the issues focused on.
For example, whilst using a risk-based audit approach may be more appropriate in an audit
study on natural disaster preparedness, a systems-based audit approach and/or a problem-
based audit
27
Figure 1: Correlation between risks/criteria/recommendations
22 INTOSAI Implementing Guidelines for Performance Auditing, Part 1, p. 1, 8 July 2004. "Are there differences in analytical ambitions and approaches?"
approach will be more suitable for examining preparedness for man-made disasters,23
such as nuclear accidents. Indeed, the risks identified by the auditor should be focused on, and then an
appropriate type of audit and audit approach according to these risks should be determined.
Audit Objectives
12.6 The most important step in drawing up any audit study is to define the specific issues to be
studied and the audit objectives. The way in which the audit objectives are determined will
change, depending on the type of audit. In financial auditing, the audit objectives are generally
defined by legislation. In financial audit, the SAIs audit the governmental
institutions/departments annually. These audits cover a review of the accounts and the
operation of the agency, including disaster-related accounts. It is conducted to ascertain
whether funds have been disbursed properly, the fairness and reliability of the agency's
financial position and compliance with laws, rules and regulations. In this context, the audit
objective might be specified as "to examine the management of the State Budget funds
earmarked from the State Budget for the protection against floods."
12.7 In performance auditing, however, the audit objectives will change depending on the disaster
preparedness issues that are focused on. In determining objectives, the auditor must take into
account the roles and responsibilities of the SAIs within the management of disaster
preparedness and the expected impact of the audit in this field. The disaster preparedness
area is a chaotic environment. There are a great number of interrelated activities, although
many actors perform their work separately. Audits therefore need to be well designed, as they
will be carried out in a complex and chaotic environment, and the audit scope should be
specified carefully.
12.8 The audit objectives should be defined within the audit scope. Otherwise, the chaotic
environment will be reflected in the audit studies and, as a result, a meaningful study will not
be achieved. Disaster preparedness contains a range of precautions taken against possible
disaster. These precautions are developed using different scenarios as a basis and form part of
the National Disaster Plans and/or the sub-plans. The disaster plans help auditors define audit
objectives.
12.9 In performance auditing, some examples of audit objectives are given below:
• Evaluation of distribution and use of resources from the disaster fund; decision-making
approaches, division of functions and coordination between federal, iander and local
authorities. (Preparedness-Mitigation/Austria)
28
23 For audit types and approaches, see INTOSAI Auditing Standards and INTOSAI Implementing Guidelines for Performance Auditing.
• To determine whether Public Safety Canada can demonstrate that it has exercised
leadership by coordinating emergency management activities, including critical
infrastructure protection in Canada; and to determine whether Public Safety Canada,
along with federal departments and agencies, can demonstrate progress in enhancing the
response to and recovery from emergencies in a coordinated manner. (Preparedness-
response/ Canada)
• To assess the effectiveness and operating efficiency of the recently established "National
Disaster Management Support System" (NDMSS); to provide an independent verification
of the reliability of the information contained in the NDMSS; and to examine the stock
management of relief goods and materials. (Preparedness/Korea)
• To determine factors affecting efficient distribution of food relief aid. (Mitigation/Lesotho)
• Audit as to whether the Minister of Home Affairs has fulfilled his responsibility for the
organization of disaster management in the Netherlands. (Preparedness/the Netherlands)
• To specify the risks faced during the short and medium-term preparatory work to
minimize the damage caused by a possible Istanbul earthquake and to identify the
measures to be taken. (Preparedness/Turkey)
• To determine whether the resources donated reached the intended beneficiaries and to
determine their impact in mitigating the effects of the famine. (Kenya)
29
Audit Methodology
12.10 Audit methodology is the set of techniques developed for data collection and the analysis
process. According to the INTOSAI Auditing Standards, to support the auditor's judgment and
conclusions regarding the activities under audit, competent,24
relevant and reasonable evidence should be obtained.
12.11 In financial audits, evidence is based on transactions, financial statements, project
implementation reports, physical verification, independent technical assessment, compliance
with tender/procurement procedures, etc.. In financial audit, the auditor focuses on the
following:
- review of internal controls and procedures,
- review of documents (disbursement and receipts of donations) and recording in the books of
accounts,
- test of accounting records,
- validation of beneficiaries on a sample basis.
12.12 Evidence in performance auditing is persuasive, and the way of obtaining it is for the auditor to
collect and analyze data, information and knowledge. When working in the field of disaster
preparedness, the auditor will have to seek data and information from different sources.
Developing methods for collecting data and information makes the auditor's work easier.
12.13 In performance auditing, the common methods used for data gathering are:
• File examination. In the disaster preparedness area, files contain a wide range of
documents, such as relevant guidance, protocols and legislation; disaster planning
documents and post-event reports of all levels of government, especially all the
documents of the institution responsible for disaster management. They should be
analyzed by the auditor. For example, for Turkey's audit study concerning earthquake
preparedness, building development planning, application works, ground condition
reports and the documents related to the reinforcement activities of Istanbul
Metropolitan Municipality and district municipalities were scrutinized on site.
• Site Visit. In order to observe and evaluate the work of the relevant institutions included
in the audit scope and to interview local key persons, a site visit is an important and
commonly used tool. It may be the only method possible for making observations at
distribution points and inspections of storage and transportation facilities.
30
24 See INTOSAI Auditing Standards, p. 3.5.1.
• Interview. Face-to-face in-depth interviews with key personnel, i.e. those that play a key
role in minimizing risks in the event of a likely disaster. These include authorized personnel
of disaster management institutions, heads and personnel of service groups and relevant
professionals taking part in disaster plans will help the auditor collect evidence. The
selected service groups are transportation, communication, rescue and debris removal,
first aid and health service groups, etc. Interviewing is an important tool for assessing
coordination and collaboration among levels of government, and the contribution of all
the parties concerned. Interviews with scientists and NGOs and other bodies concerned,
such as the Red Cross/Red Crescent, the Chamber of City and Regional Planners, local or
municipal governments, etc. known to have contributed to minimizing disaster risks, can
also help auditors formulate audit criteria and obtaining audit findings.
• Surveys/Questionnaire. To evaluate the activities of community preparedness and
training and to collect similar data from a vast number of different institutions, such as
ministries, municipalities, fire brigades and provinces, etc., surveys are the most
convenient tool. Surveys might also help the auditor evaluate public awareness to disaster
preparedness.
• Literature Review. Reviewing articles, studies, other audit reports and evaluations
concerning disaster preparedness will help in:
- understanding the overall control environment of disaster preparedness,
- specifying the different needs and approaches to disaster preparedness,
- formulating audit criteria,
- developing recommendations.
• Assessment of the adequacy of management tools. Carrying out activities related to
disaster preparedness depends on the adequacy of management tools such as disaster
plans, Geographic Information Systems (GIS), Remote Sensing (RS), Global Position System
(GPS), disaster information systems and other relevant software. The disaster plans should
therefore be analyzed and the adequacy of these systems should be assessed.
• Risk assessments. Disaster preparedness measures will be taken on the basis of risk
assessments and scenarios. For that reason, risk analysis should be evaluated in
performance audit studies.
• Observation and case studies. Observation and case studies are suitable tools for
evaluating the drills, training and education of professionals who are involved in disaster
preparedness activities.
31
• Sampling. Disaster preparedness generally covers too large an area and numerous
activities. In such a case, it is almost impossible to analyze all the work and sampling is a
useful and practical technique. GIS and/or similar tools help the auditor to select samples.
Audit Criteria
12.14 Audit criteria give direction to the assessment and help the auditor to determine whether the
activities/programs meet expectations or not. In financial audits, criteria are prefixed by the
legislation concerning financial management and establishing the audit entity. In performance
audits, audit criteria are generally formulated by the auditor. Thus, in performance auditing,
the general concepts of economy, efficiency and effectiveness should be interpreted in
relation to the subject; for that reason, criteria will vary from one audit to another.25
12.15 In performance auditing concerning disaster preparedness, the auditor should specify audit
criteria in accordance with the issues focused on. The general concepts of performance,
economy, efficiency and effectiveness should be turned into specific criteria relating to
disaster preparedness. Otherwise, the criteria do not give direction to the audit study and
might be vague.
Audit Findings and Recommendations
12.16 One of the important stages of performance audit is to determine audit findings and to draw
up audit conclusions and recommendations. As we know, audit findings are the specific
evidence gathered by the auditor to satisfy the audit objectives, to answer the audit questions
and to meet audit criteria. Audit findings show the current situation, i.e. "what is". The audit
program in Part III will help the auditor to determine audit findings.
12.17 The auditor should develop audit conclusions and recommendations by analyzing the causes
and effects of the findings carefully. As mentioned in paragraph 12.3, there is a strong
correlation between the risks to the 3Es and audit criteria and recommendations. When
producing recommendations, the auditor should not overlook the correlation between them.
Moreover, the auditor should pay special attention to recommendations that bring reasonable
solutions to identified areas of poor practice, i.e. the risks to the 3Es.
32
25 INTOSAI Implementation Guidelines for Performance Auditing, July 2004, p. 52.
PART III: AUDIT PROGRAM FOR DISASTER PREPAREDNESS
13. Audit Program
13.1 The audit of disaster preparedness should be predicated on a sound audit program focused on
understanding the operational environment of disaster preparedness. This includes the
organizational structure and resources of all the relevant authorities, as well as the overall
control environment. The aim is to design a sound audit study and to prepare a reliable audit
report with a high impact.
13.2 This audit program was based on an assessment of SAIs' audit reports and the disaster
management plans of various countries and the results of the survey which was prepared by
the INTOSAI WG on the AADA. It is intended to ensure a coherent and complete framework
for the audit of disaster preparedness. The program covers a broad range of possible
challenges for the auditor, clarifies definitions and presents different approaches by giving
best-practice examples from SAIs around the globe. Auditors should adapt this program and
specify which areas require particular attention and further development by taking into
account the conditions in the country being audited. The auditor should not expect to get an
answer to all the questions through this document. It is up to the auditor to develop the
program further in order to meet the specific tasks of their SAI and the particular needs of the
disaster.
13.3 This audit program is divided into seven parts:
• Identification of the disaster characteristics,
• Specifying and understanding the national strategy and action plans,
• Identification of the framework and organization of the authorities involved,
• Assessment of the adequacy of the coordination,
• Evaluation of disaster management tools,
• Evaluation of emergency exercises and training,
• Evaluation of disaster funds and grant administration.
Identification of the disaster characteristics
1. The auditor should first have knowledge of the following issues:
1.1 What types of disaster may occur in the country?
1.2 What is the probability of each type of disaster?
1.3 What could be the extent of loss or damage?
33
1.4 What is the government approach to such disasters?
1.5 Are there (updated) hazard maps and/or hazard analysis?
1.6 .........................................................................................................................................................
.......................................................................................(Please add your own questions)
Specifying disaster types and their probability should be the first step in auditing disaster preparedness. Government approach and policy preparedness activities depend on this probability. It should be noted that certain disaster risks may be so remote and/or unpredictable that preparation would be excessively costly and therefore it may be more efficient to deal with them after the event. The government approach to the potential disaster will determine the scope of audit study. In short, all these factors should be taken into account while undertaking and designing an audit of preparedness activities.
Specifying and understanding the national strategy and action plans
2. To understand the government approach to disaster preparedness, the auditor should carefully
examine the national disaster plan and/or substitute tools and assess the aims and targets:
2.1 Has a national disaster plan been prepared or are there any substitutes for a national disaster
plan?
2.2 Are the disaster plans/substitute tools updated regularly?
2.3 Are there procedures for systematically reviewing plans/substitute tools for timeliness,
completeness, consistency with existing guidelines and overall usefulness?
2.4 Which events/situations are accepted as disaster in the national disaster plan, or the
substitute tools?
2.5 Are the national disaster plans/substitute tools made by predicating on analyses like disaster
risk maps, risk assessment, etc.?
2.6 Which entity is responsible for coordination of disaster planning?
2.7 Have the goals, objectives and strategies defined by the disaster plan been integrated into the
annual budget process (emergency operations and grant application processes)?
2.8 Are the disaster preparedness planning efforts consistent and adequate? (General
preparedness plans as well as hazard-specific plans.)
2.9 What are the main activities for disaster preparedness within the plans/substitute tools?
2.10 Within the disaster plans/substitute tools, how are the roles and responsibilities defined and
allocated to each responsible unit?
34
2.11 Do these plans/substitute tools provide a good basis for timely, clear and organized actions -
as to when and who will perform such actions during an emergency or disaster?
2.12 Is the critical infrastructure determined on a national scale within the scope of disaster
plans/substitute tools?
2.13 What kinds of action plans and alternative plans are prepared?
2.14 Are the sub-plans (action plans, etc.) prepared in accordance with the national plan/ substitute
tools?
2.15 (Please add your own questions)
For the auditor, the national disaster plan (or a substitute tool) is one of the most important tools in the evaluation of disaster preparedness. The national disaster plan/substitute tool, which is prepared by the authority responsible for disaster management, along with event-specific and departmental plans, will guide the central government response to disasters. It should outline the processes and mechanisms to facilitate an integrated government response to a disaster. It should address specific threats, the response to international emergencies, and the National Emergency Response System which outlines a harmonized federal and provincial/territorial response to disaster. With a good national disaster plan, the auditor can identify and examine all activities related to disaster preparedness as a whole. Comparison between the national disaster plan and those of other countries exposed to similar disasters will help the auditor to evaluate the sufficiency of the disaster preparedness. Moreover, national disaster plans will be a good source for determining audit criteria because they identify what to do and to expect.
Identification of the framework and organization of the authorities involved
3. To design a sound audit of disaster preparedness and to understand the organization, the auditor
should focus on these points: (The word entity here covers institutions/agencies/private organizations and other participants.)3.1 What are the applicable laws/directives/national/local initiatives in that respect?
3.2 Which entity has the main responsibility for disaster preparedness?
3.3 Which entities are related to disaster preparedness at each level? (evaluate the organization
structure as a whole)
3.4 Are the organizational structures and systems well defined and designed to facilitate
successful disaster preparedness activities?
3.5 Are the relevant functions of these entities formulated clearly and sufficiently?
3.6 Are authority and responsibility clearly assigned?
35
3.7 Is there a reliable and effective internal control for the activities of disaster preparedness?
3.8 Does the main entity responsible have capable and sufficient human resources?
3.9 What are the staffing profiles? Is the staffing appropriate in order to coordinate and carry out
the activities of disaster preparedness?
3.10 Does the main entity responsible have a complete and detailed overview of the resources
allocated to disaster preparedness activities?
3.11 In which areas within the disaster preparedness process do non-governmental and other
organizations act?
3.12 Could the main entity responsible provide the facilities and support necessary for the activities
of the non-governmental actors?
3.13 Is a monitoring mechanism established with a view to following extra-budgetary funds and the
activities of non-governmental actors?
3.14 (Please add your own questions)
As stated before, there are many institutions and agencies in this field. Coordination among them can assist the completion of the interrelated activities without duplication and in a timely manner. For this reason, the auditor should have a comprehensive knowledge of the legal framework and organizational structure which includes entities that are out of and within the SAIs' jurisdiction. Defining their roles, responsibilities and how to ensure cooperation among them will help the auditor to assess where and how to collect data, who is responsible for what actions, etc. Additionally, it is beneficial to answer questions like "is there a sufficient legal framework?; are the activities well-coordinated?; what is the governance structure like?". (See Annex 3 for an example.)
Assessment of the adequacy of coordination
4. To assess the sufficiency of coordination with actors at regional, national and international level, the
auditor should examine the following issues:
4.1 Are the relevant participants included in the coordination mechanisms?
4.2 Is there any monitoring mechanism providing information to help ensure collaboration and
cooperation, as appropriate, with different bodies and actors at regional, national and
international level?
36
4.3 Does the existing coordination serve to foster the collaboration, to avoid the duplication and
overlap of activities in the field, to make the most efficient use of resources and to raise
awareness of the risk of disaster?
4.4 Are different forms of cooperation such as technical assistance, consultancy, equipment and
supplies, etc. for disaster preparedness activities specified in accordance with the nature, role
and work of different participants in this field?
4.5 Is a sound management system and governance structure established to provide26
coordination between the authorized institutions and agencies?
4.6 Are the critical infrastructures (see 4.7 on page 16) which assign the priorities of the
infrastructures according to the vulnerability to a disaster, designated with the
cooperation of the private sector and the public sector?
4.7
(Please add your own questions)
Recent events, such as Katrina, the tsunami and earthquakes in Pakistan and Haiti, have shown that the management of large-scale disasters is a matter that concerns not only the government, but also other stakeholders including businesses and individuals exposed to disaster risks. Therefore, the evaluation of coordination between all stakeholders is becoming more important in audit studies. In fact, the coordination should encompass intergovernmental bodies, such as regional organizations, as well as national bodies and institutions, and non-governmental organizations at national and international level.
The national disaster Act and the national disaster plan, along with event-specific and departmental plans, are the main tools for evaluating the coordination. Additionally, the auditor should pay special attention to the activities of the main authority responsible for the coordination and examine its management system and governance structure.
Evaluation of disaster management tools
5. To evaluate the sufficiency of the management tools used to accomplish the goals for disaster
preparedness, the auditor should assess the following:
5.1 Is there an updated disaster management information system?
37
26
See Annex 1 giving Canada's governance structure as an example. Canada FERPMS - the management system components: Governance Structure, Management, Government Operations Centre, Primary Functions, and Federal-Regional Component.
5.2 What are the components of the disaster management system? Are they sufficient, applicable
and beneficial for the user?
5.3 Did the main authority responsible establish a reliable and updated database containing
enough information for the disaster preparedness activities and training?
5.4 If so, was this database designed in a way that helped the main authority responsible to lead
the other entities and to ensure cooperation between them?
5.5 Has the main authority responsible developed the instruments that will effectively direct the
other entities in an appropriate manner to make the risk assessment in their own areas in
accordance with the national strategy and policies?
5.6 Is an appropriate geographical information system (GIS) used? How?
5.7 The questions below will help the auditor (as well as the planners) assess the needs for and
use of a GIS in disaster preparedness:1
• What planning decisions need to be made?
• Which decisions involve the use of mapped information and information susceptible to
map display?
• What information cannot be managed efficiently with manual techniques?
• What information management activities will be supported by the proposed GIS?
• What types of decisions will be supported with a GIS?
• Is the GIS principally appropriate for analysis? Is cartographic quality output needed?
• To what extent will a GIS help achieve the desired objectives?
5.8 To assess the suitability of the GIS, the following questions can help the auditor:
• What kind of GIS is it?
• What sort of hardware and software are used?
• Who are the current users? To what extent is the current user network compatible with
the network envisaged? What data does it contain?
• Are its capabilities compatible with the needs of the new users?
• Is the in-house technical expertise capable of serving the new users?
• What are the institutional arrangements that would enable the appropriate use of
this GIS?
5.9 In order to evaluate the sustainability of the GIS, the following questions can help the auditor:
• Who will be the users of the information generated with a GIS?
1Primer on Natural Hazard Management in Integrated Regional Development Planning, "Geographic Information Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).
38
• In terms of information, time, and training needs, what is required to obtain the desired
results?
• Is there budget and staff support?
• What agencies are participating in similar projects?
• To what extent would a GIS help to attract the interest of other agencies and facilitate
cooperation?
5.10 Are hazard maps prepared taking into consideration the environmental plans, the land use
planning and the building development scheme, etc.?
5.11 Are there any special tools intended to mitigate disaster risks and impacts?
5.12 Do the primarily authorized institutions perform the risk assessment and vulnerability
assessment activities?
5.13 ................................................................................................................................................
(Please add your own questions)
Geo-science technologies are in widespread use for disaster preparedness. GIS is a tool that can be used in all disaster types to collect different types of data. The structuring of GIS differs from country to country according to the disaster risks faced. For example, to understand the full short and long-term implications of floods and to plan accordingly, an analysis needs to be made of combined data on "meteorology, topography, soil characteristics, vegetation, hydrology, settlements, infrastructure, transportation,
28population, socioeconomics and material resources". These aspects, which vary in the field of disaster management, are easily processed with the help of GIS for risk analysis and carrying out the planning efforts.
GIS, and similar instruments such as Remote Sensing (RS) and Global Positioning System (GPS), are mostly used by planners. Before deciding to acquire or use a system, planners need to make a meticulous evaluation of their needs. This must include a definition of how their planning activities and decisions will be assisted by using a GIS. Specific objectives and applications of the GIS should be defined. For a GIS, planners need to carefully assess if the amount of spatial calculations and analysis to be performed justifies automating the process. So, the auditor has to scrutinize the GIS and planning process well in order to audit the disaster preparedness.
39
28 Rego, Aloysius J: "National Disaster Management Information Systems & Networks: An Asian Overview",
s.1.
Effective use of GIS in disaster preparedness will depend on the reliability, accuracy and adequacy of data and elements of these systems. At the same time, the benefit to be had from the data gathered by using GIS effectively is closely related to the extent to which these data have contributed to the planning process. The hazard maps, zone maps and risk assessments which are obtained by using GIS should be submitted to decision makers at the appropriate level and on time; and also these data should be used in the planning process. In this context, the auditors should determine whether a mechanism which transfers the technical data produced at this stage to the planning process is established or not.
Additionally, the GIS will increase communication and improve cooperation among the users of the information. GIS is an important tool for the auditor to evaluate the adequacy of communication among the relevant entities. In performance audits of disaster preparedness, the adequacy of the disaster management information system and especially GIS have to be evaluated carefully.
Evaluation of emergency exercises and training
6. To assess the planning and implementation of the emergency exercises and training and community
preparedness, the auditor should examine the following:
6.1 Have training requirements and effective training plans and coordination mechanisms been
defined and are they being modified as appropriate?
6.2 Do programs provide organizations and individuals with the necessary knowledge and skills to
effectively respond and quickly recover from various types of disaster?
6.3 Is it ensured that training functions and activities are not unnecessarily duplicated or
overlapping?
6.4 Is there a contingency plan for external collaboration mechanisms in an emergency situation?
• Formal structures?
• Collaboration at national, regional and local level?
6.5 Is the collaboration and coordination among the various municipal departments (fire
department, police, hospitals, etc.) as well as business and non-profit organizations, the Red
Cross/Red Crescent and others planned and implemented?
6.6 Are there plans for disaster preparedness training for the public and/or public education
campaigns in order to raise public awareness? Are these executed according to plan?
40
6.7 Is there any specific program for training/ emergency exercises for particularly vulnerable
people? (Patients in hospitals, students in schools)
6.8 Is the execution of plans monitored?
6.9
(Please add your own questions)
For large-scale disasters (involving international aid) an enhanced relationship between the national and international mechanisms would foster a better understanding of the situation in the field, thus contributing to better monitoring and implementation of disaster preparedness activities and aid. It would also promote national participation and ownership of disaster preparedness activities. Large parts of national and international funds, especially for exercises and training and community preparedness, are mostly used by various actors such as the NGOs. Therefore, the possibility of duplication in these activities will be particularly high. To give all stakeholders assurance, the auditor should examine all training activities carefully. Also, it should be assessed whether or not the organizations and individuals have, through training, gained the necessary knowledge and skills to effectively respond to and quickly recover from various types of disaster. In these subjects, the SAIs should pay special attention to promoting public accountability.
Evaluation of disaster funds and grant administration
7. To evaluate the sufficiency and management of the funds for disaster preparedness activities, the
auditor should examine the following:
7.1 Does central government and/or the authority responsible for disaster preparedness have a
complete overview of the funds allocated by all relevant entities to disaster preparedness
activities?
7.2 Is the national disaster plan prepared on the basis of realistic cost estimates?
7.3 From which sources are the funds provided for disaster preparedness? (Government institutions, people/community, organizations/private entities, local nongovernmental organizations (NGOs), foreign governments, foreign or local NGOs, international institutions/donors, international financial institutions (IFIs), etc.)
7.4 By whom are the funds from these sources used?
7.5 What are the legal arrangements for using the funds?
41
7.6 Have effective administrative processes been conceived for the application and processing of
grants? (Although in principle the administrative procedures for the allocation and use of
public funds should ensure timeliness, in the case of urgent
42
disaster preparedness activities these may not be sufficient. Therefore specific administrative
arrangements should be in place to allow maximum flexibility.)
7.7 By which instruments, such as projects/programs, etc., are the funds used?
7.8 Are the projects/programs completed on time and within the budget?
7.9 ................................................................................................................................................
(Please add your own questions)
The social and economic costs of disasters vary widely and are difficult to estimate on a global basis. The most expensive disasters in purely financial and economic terms are floods, earthquakes and windstorms. The precautions taken before disaster will decrease the devastation and economic impact. Less developed countries with limited economic diversity and poor infrastructure need mostly external funds when preparing for disaster. Conversely, in developed economies, governments, communities and individuals have greater capacities to cope. However, disaster will adversely affect all economies and societies in both developed and developing countries. Therefore, the national and external funds allocated to disaster preparedness should be used in an economic, efficient and effective manner.
For this reason international policies concerning disaster management have moved towards more emphasis on disaster preparedness. The financial procedure, specified in accordance with previous policies that allocated large resources to post-disaster relief and reconstruction activities, needs to be redefined in accordance with these changing policies. The auditor should pay special attention to whether the financial process is redefined in parallel with the new policy.
In order to contribute to improved economy, efficiency and effectiveness in this area, the auditor should carefully examine the costs of all projects/investments. For this, the auditor should handle the following matters:
In order to plan realistic needs and resources for disaster preparedness:
• A national disaster plan and sub-plans taking into account realistic cost estimates should be prepared.
• The projects to be implemented within the scope of the plans should be determined by means such as cost-benefit analysis.
Disaster preparedness activities can continue over several years. The sustainability of the projects/investments in the field of disaster preparedness needs to be assessed as follows:
• Resource planning must be performed and future financing models must be developed.
43
• In view of the high cost of investments such as GIS and its sustainability, alternative financing must be taken into account, and a system to ensure the utilization of the equipment beyond the actual need should be established
To prevent the duplication of actions/projects and investments, national and sub-plans should be prepared. By evaluating the capacities of the relevant entities, the needs should be identified. In order to prevent unnecessary investment in this field and to use the resources more efficiently, a mechanism should be established to monitor the physical and financial implementation of the action, projects and investments. This should help the decision-makers take timely corrective decisions. The institution which is responsible for coordination should establish a system that ensures the monitoring of the project on the basis of time/cost.
8. This section is for any other contribution to this program or any other comments on the audit of
disaster preparedness.
44
14.Lessons Learned
• Performance audit is more suitable for the audit of disaster preparedness. The activities and
expenditure related to disaster preparedness extend over several years and are carried out by
different entities. Financial audit is usually annual and covers the transactions of only one entity. As
many activities in this field do not require capital resources, and since many organizations are
outside the SAIs' jurisdiction, the contribution of financial audit will remain limited and not add
value to the management of disaster preparedness. Activities and funds extending over several
years and the different institutions that have responsibility in the disaster preparedness field can,
however, be audited within the scope of performance audit and under an audit study at the same
time. In addition, in order to prepare a sound and comprehensive disaster preparedness audit
report, auditors can also obtain relevant information from persons29
and institutions outside the SAIs' jurisdiction . Also, it should be borne in mind that the purpose of the
audit in this field will depend on the type of audit to be applied.
• The data obtained need to be reliable, accurate and updated. One important issue in the
audit of disaster preparedness is the reliability, accuracy and timeliness of data. In these audits,
data and information need to be obtained from many organizations, some of which are not under
the jurisdiction of the SAI. Auditors should therefore carefully collect, cross-check and analyze the
evidence, as well as establishing their own database that includes reliable and accurate data and
updating it during the study. Geographical Information Systems (GIS) could be used to complement
such a database.
• Special attention should be paid to tools such as GIS. Duplication and lack of coordination
among relevant entities in introducing new IT equipment are common problems. This is the same
in the area of disaster preparedness. GIS could easily be another area of duplicate investment if
they are developed separately by different stakeholders. According to the survey, the utilization
level of the "National Disaster Management Support System" (NDMSS) was much lower than
expected, but it was very difficult to conclude that there was overinvestment.
• Cooperation among SAIs should be developed. The country carrying out the disaster
preparedness activities and the country that provides funding are often different. If the SAIs of
donor and recipient countries do not collaborate with each other, their audits may not cover all
aspects of disaster preparedness. In addition, if cooperation and coordination between the parties
involved both domestically and worldwide are not
45
29
See INTOSAI Auditing Standards p. 2.2.19 "The legal mandate should provide for full and free access by the SAI to all premises and records relevant to audited entities and their operations and should provide adequate powers for the SAI to obtain relevant information from persons or entities possessing it."
enhanced, the SAIs would not be able to contribute to improving activities or strengthening
accountability in the disaster preparedness area. Such cooperation may range from the simple
exchange of information, which is already intrinsically beneficial, to much closer cooperation in the
form of coordinated or joint audits, allowing the direct use of audit results amongst SAIs. The latter
scenario requires a common understanding of the audit methodology to be applied and of the
relevant audit criteria to be followed. To this end, an agreement (e.g. memorandum of
understanding or protocol) may be developed to define the scope, extent and form of the
intended cooperation among the relevant SAIs.
• Joint audits by donor and recipient country SAIs might be helpful for good governance and accountability in the field of disaster preparedness. Disaster preparedness is usually the
responsibility of the national government and therefore the SAI of that country will be tasked with
the audit of disaster preparedness. If disaster preparedness activities are (co-)funded by donors,
the SAIs of such donors will also have an interest in the audit of the disaster preparedness activities
thus funded. The perspective of a donor country SAI might differ from that of the SAI of a recipient
country. However, the SAI of the donor country should consider the possibility of relying on the
audit carried out by the recipient country's SAI for its own purposes. An alternative option is to
carry out a joint audit by both SAIs, serving the purposes of both. To the same end, SAIs of donor
countries might join forces in a joint or parallel audit of disaster preparedness of one or several
recipient countries. Similarly, the SAIs of the recipient countries can use the tools of joint or parallel
audits, thus saving resources and learning from each other. Joint audits might also solve the
problem mentioned on p. 10 (pages 24-25) regarding the lack of the SAIs' audit mandate.
• Relationship between the SAIs and the other audit institutions should be improved. Many
entities audit the different aspects or phases of disaster management: for example, the
government's internal auditors, state/regional/local government auditors, inspectors of specific
agencies, private accounting firms. Approximately half of the SAIs in the survey do not have access
to the audit reports on disaster-related aid issued by such entities. Nevertheless these reports are
an important tool for obtaining information in fields outside the SAIs' audit mandate. For that
reason, the relationship between the SAIs and the other audit institutions should be formally laid
down.
46
ANNEXES
ANNEX 1: An example of governance structure - Canada
Governance2
Put simply, governance means the "rules, processes and behavior that affect the way in which
powers are exercised at any level, particularly as regards openness, participation,31
accountability, effectiveness and coherence." An analysis of governance focuses on the formal and
informal actors involved in decision-making and implementing the decisions made and the formal
and informal structures that have been put in place to arrive at and implement the decision.
Government is one of the actors in governance. Other
actors involved in governance vary, depending on the
level of government that is under examination. For
example, other actors may include NGOs, research
institutes, international donors, finance institutions,
political parties, etc. All these may play a role in decision-
making or in influencing the decision-making process.
Generally, good governance has five major
characteristics: participation, accountability,
effectiveness, coherence and openness. It is clear that
good governance is an ideal which is difficult to achieve.
However, to ensure sustainable development, action must be taken to work towards this ideal with
the aim of making it a reality.
An example: The Federal Emergency Response Management System Governance Structure -Canada3
Canada's Federal Emergency Response Plan (FERP) includes the Federal Emergency Response Management
System (FERMS) that is a comprehensive management system for an integrated
2 Prepared by examining http://www.unescap.org/pdd/prs/ProiectActivities/Ongoing/gg/governance.asp, 27.8.2010; "European governance - a white paper", Commission of the European Communities, Brussels, 25.7.2001 COM(2001) 428 final.; OECD Principles of Corporate Governance 2004, www.oecd.org/dataoecd/32/18/31557724.pdf3 Federal Emergency Response Plan, CANADA, Federal Emergency Response Plan, CANADA, http://www.publicsafety.gc.ca/prg/em/ferp, (March 2010).
47
31 "European governance - a white paper", Commission of the European Communities, Brussels, 25.7.2001COM(2001) 428 final.
response to emergencies. This system provides the governance structure and the operational facility (the
Government Operations Centre) to respond to emergencies. The following figure describes the governance
structure:
The Federal Emergency Response Management System Governance Structure
48
GOVERNANCE
Governance
Governance here refers to the management structures and processes that are in place during non-
emergency and emergency circumstances. The Committee of Cabinet, the Deputy Ministers'
Committee, the Federal Coordinating Officer and the Assistant Deputy Ministers' Emergency
Management Committee are identified as the highest level decision-makers. These committees are at
ministerial level to coordinate the Government of Canada's response. For the disaster preparedness
phase, the Committee of Cabinet coordinates the government's agenda, including legislation, planning
and management issues. It also provides a forum to address public safety, national security and
intelligence issues and discuss emergency management and readiness.
Management
At the second level, there is a management team that is responsible for the actions and functions of
FERMS. The management team conducts the completion of the objectives set for each operational
period. The management team consists of the Director-General of the Operations Directorate, who
leads the management team, and four representatives.
• The Operations Directorate is part of the coordinating department of the Minister of Public Safety.
It is responsible for management functions and working together with the Government Operations
Centre.
• Another representative from the Department of Justice or other related institutions provides
support and advice on legal issues.
• As a member of the management team, the Associate Director-General provides support for
communication issues.
• The primary departments, designated in accordance with the nature of the emergency, are a
federal department related to a key element of an emergency. The primary departmental
representatives inform the management team of the support needs based on the nature of the
emergency, the Director-General of the Operations Directorate, in consultation with the Federal
Coordinating Officer, will determine which departments will provide a primary departmental
representative to support response within the GOC.
• Within the management team, four directors from the Operations Directorate are responsible for
the primary functions. The directors guide departmental representatives through the process.
Government Operations Centre (GOC)
Public Safety Canada, which is responsible for disaster management, has an operations centre (the
Government Operations Centre or GOC) to coordinate the national response. The Government
Operations Centre is the hub of a network of operations centers run by a variety
49
of federal departments and agencies including the Royal Canadian Mounted Police (RCMP), Health
Canada, Foreign Affairs and International Trade Canada, the Canadian Security Intelligence Service
(CSIS) and National Defence. The GOC also maintains contact with the provinces and territories as well
as international partners such as the United States and NATO. The GOC's primary functions are
providing coordination between federal emergency response partners and guiding them for their
authorities.
The GOC communicates the FERP engagement and the response level to the government's emergency
response partners. Three response levels are intended to provide a logical progression of activity from
enhanced monitoring and reporting to an integrated federal response. At level 1, there is an incident or
event which has the potential to require an integrated federal response. At this level, the GOC collects
a wide range of information about the incident, and then it evaluates and shares this information with
the federal emergency response partners. Finally, it is expected that the GOC's information and
enhanced reporting efforts should support federal partners' planning and response activities. A level 2
response requires full understanding of an incident and, as it unfolds and the requirement for a federal
response appears more likely, a risk assessment is performed. This assessment identifies vulnerabilities,
aggravating external factors and potential impacts, and may be formalized in an Incident Risk Analysis
Report. At level 3, there should be an integrated response activity and this level includes the previous
two levels' activities. The GOC maintains coordination and constant communication with the federal
activated centers. It also provides regular situation reports for ministers and senior officials.
Primary Functions
Public Safety Canada carries out six primary functions to integrate federal response:
• Operations,
• Situational awareness,
• Risk assessment,
• Planning,
• Logistics,
• Finance and administration.The scope of the emergency will determine the scale and level of engagement of each of these
functions. Within the GOC, subject matter experts and liaison officers from government departments,
NGOs, and the private sector organize and perform the primary functions. For disaster preparedness
activities, operations, situational awareness, risk assessment and planning functions are of vital
importance.
50
Federal-Regional Component
Federal organization has regional components to communicate with provincial/ territorial authorities.
These regional components provide direction on emergency management planning and preparedness
activities. It also manages the flow of information and requests for federal assistance within the region.
Thus, disaster preparedness activities are provided in a more effective and timely manner.
51
ANNEX 2: Geographical Information Systems (GIS)
Before making the decision to acquire a GIS, planners need to determine what planning activities could be
supported with the system and carefully assess if the amount of spatial calculations and analysis to be
performed justifies automating the process. Before deciding to acquire or use a system, planners need to
make a meticulous evaluation of their GIS needs. This must include a definition of how their planning
activities and decisions will be assisted by using a GIS. Specific objectives and applications of the GIS should
be defined. Answers to the questions outlined in the33
box below can help.
Since GIS is a tool that can be used for all disaster types, the collection of different types of data and the
features of different technical structures are discussed according to the characteristics of the disaster.
Because of that fact, the structuring of GIS differs from country to country according to the disaster risks
which the countries face.
To understand the full short-term and long-term implications of "floods" and to plan accordingly, combined
data on "meteorology, topography, soil characteristics, vegetation, hydrology, settlements, infrastructure,
transportation, population, socioeconomics and material resources" need to be analyzed. As seen in the
example, the resources necessary for analyzing floods vary from case to case, but differ from those required
for other types of disaster. These resources vary, and in the field of disaster management they are easily
processed with the help of GIS and are used in areas such as making a "risk and threat analysis" and carrying
out the "planning" efforts.
An example: Turkey, Marmara Region Earthquake Preparedness Activities
An earthquake disaster which caused big losses over a wide area occurred in the Marmara Region of Turkey
in 1999. For this reason, the earthquake movements in this region have been monitored regularly by the
"Prime Ministry Head of Disaster and Emergency Management" which is the body responsible for disaster
management across the country. In May 2010, an "earthquake danger and risk analysis" was made within a
100 km radius area. It estimated that, over a 10-year period, the probability of an earthquake with a
magnitude of 6 occurring is 83.8 %.
These data, produced with the help of GIS, are used for regional planning. The protection band, which is
seventy-five widths from each side of the fault zone, has changed by twenty five each, so total 50m.
protection band is identified.
The actual benefit to be had from the data which are gathered by using GIS effectively is closely related to
the extent to which these data contribute to the planning process. The hazard maps, zone maps and risk
assessments which are obtained by using GIS should be submitted to the
52
33 Primer on Natural Hazard Management in Integrated Regional Development Planning, "Geographic Information Systems in Natural Hazard Management",http://www.oas.org/DSD/publications/Unit/oea66e/begin.htm#Contents, (06 May 2010).
decision-makers at the appropriate level and on time, and these data should also be used in the planning
process. In this context, at the stage of disaster preparedness, auditors should determine whether a
mechanism which transfers the technical data produced at this stage to the planning process is established
or not.
Other Examples: India and China
India and China are among the countries suffering from the most severe natural hazards in the world. In
order to keep the information flowing smoothly into the networks for earthquake preparedness and
rescuing, their governments have started a series of programs to set up digital networks; these digital
networks, based on GIS, GPS and RS, incorporate a lot of new achievements in earthquake engineering and
information science. The examples of India and China are given below.
53
34 Rego Aloysius J., "National Disaster Management Information Systems & Networks: An Asian Overview",s.4.35 http://www.gisdevelopment.net/application/natural_hazards/earthquakes/ma03135b.htm
Examples of using GISVulnerability Atlas of India China GIS ActivitiesIn 1997, a "Vulnerability Atlas" was prepared, taking into account the three natural hazards which are the most damaging to India: earthquakes, cyclones and floods. The zoning maps at macro level for the three hazards are available in small scale for the whole country. These maps were prepared in larger scale, showing each administrative unit, the district boundaries, for easy identification of the areas covered by the zones of various intensity levels. The Vulnerability Atlas is an important input into State-level Disaster Management Planning and it contains the following information for each State and34
Union Territory of India:• seismic hazard map• cyclone and wind hazard map• flood prone area map• housing stock vulnerability table for each district, indicating for each house type,
In recent years, as one part of "Digital Earth" and China's National Information Infrastructure (CNII) project, earthquake disaster mitigation system has taken in a great deal of information on the whole country. This includes the geological structure, past earthquakes, buildings and population distribution. Most cities with a population of over 500,000 have built themselves an information system for reducing earthquake disasters and hazards. These contain almost all the infrastructure information in urban areas, such as the water-supply network, power systems, telecommunications network, traffic systems, etc.35. The latest achievements in earthquake engineering continually add to this system, such as earthquake risk analysis methods, new anti-seismic criteria or codes, new knowledge and
the level of risk to which it could be subjected sometime in the future.
experience in pre- and post-earthquake36
emergencies.
54
' http://www.gisdevelopment.net/application/natural_hazards/earthquakes/ma03135b.htm
55
ANNEX 4: Audit Objectives - examples concerning disaster preparedness
ANNEX 3: A case for understanding the organization and framework of authorities preparing for disaster
TURKEY - audit report: "How well is Istanbul getting prepared for the earthquake?'
According to Turkey's current legal arrangements, the main authority responsible for disaster preparedness
is the Turkey Emergency Management Directorate General (TEMAD) attached to the Prime Ministry. This
was charged with preparing and executing disaster plans and taking the necessary measures to provide
effective emergency management nationwide and to coordinate all the bodies involved. The other
organizations responsible for disaster activities are:
• the Ministry of the Interior, which has set up regional centers for relief and emergency operations.
• the Independent National Earthquake Council.
• local authorities, whose responsibilities for disaster mitigation were extended after the TCA report
recommendations.
The activities of Turkish NGOs, such as the Turkish Red Crescent, the Association of Social and Economic
Solidarity with Pacific Countries, the Turkish Blue Crescent Association, the Foundation for Human Rights
Humanitarian Relief and other governmental institutions, are all coordinated by TEMAD.
In this framework, the TCA audited earthquake preparedness via the following questions:
• Does the organizational structure charged with earthquake preparedness for Istanbul measure up to
the needs?
• How does the organizational structure prepare Istanbul for an earthquake?
• How are resources allocated for earthquake preparedness?
• Is effective coordination and cooperation established?
• Are activities properly planned and executed?
• Is there sufficient work related to post-earthquake fires that increase initial damage?
• How well do service groups prepare their emergency plans?
56
Country Background/Title Audit Type/ Disaster Phase Audit ObjectiveAustria Prevention of Natural Hazards: Use of
resources from the disaster fundPreparedness-Mitigation/
Performance
Evaluation of distribution and use of resources from the disaster fund; decision making approaches, division of functions and coordination between federal, länder and local authorities.
Canada Fall 2009 Emergency Management - Public Safety Canada
Preparedness-response/ Performance
The objectives of this audit were to determine whether Public Safety Canada can demonstrate that it has exercised leadership by coordinating emergency management activities, including critical infrastructure protection in Canada; and determine whether Public Safety Canada, along with federal departments and agencies, can demonstrate progress in enhancing the response to and recovery from emergencies in a coordinated manner.
Czech Republic Funds spent on anti-flood measures and prevention in areas endangered by adverse climate changes. The audit is focused on finance for flood prevention and flood protection (meteorology and hydrology systems, proneness to landslides and rock collapses, mapping of flooding areas, mapping of proneness to landslides and rock collapses, evaluation of floods).
Preparedness/ compliance-performance
Economy, effectiveness, efficiency of finance for flood protection.
Lesotho The Distribution of Food Relief Aid Mitigation/ Performance To determine factors affecting efficient distribution of food relief aid.
57
ANNEX 4: Audit Objectives - examples concerning disaster preparedness
Netherlands Preparation for disaster management.
Preparedness/ Performance Audit as to whether the Minister of Home Affairs has fulfilled his responsibility for the organization of disaster management in the Netherlands.
Turkey How Well Is Istanbul Getting Prepared for the Earthquake?
Preparedness/Performance To specify the risks faced during the short and medium-term preparatory work to minimize possible Istanbul earthquake damage and to identify the measures to be taken.
58
ANNEX 59: Audit Criteria - examples concerning disaster preparedness
Canada - Fall 2009 Emergency Management - Public Safety Canada
• We expected that Public Safety Canada would exercise leadership by coordinating federal emergency
management activities, as described in legislation and policies.
• We expected that Public Safety Canada would coordinate federal emergency management activities with those
of the provinces and territories to provide timely and coordinated support to communities in an emergency.
• We expected that Public Safety Canada would regularly test and exercise federal emergency
management plans.
• We expected that Public Safety Canada would have a risk-based plan to lead and coordinate critical
infrastructure protection efforts, and to reduce vulnerability to cyber attacks and accidents, by:
S adopting an all-hazards approach
S agreeing upon roles and responsibilities for the federal government and others
S determining what critical infrastructure should be protected
S assessing the threats and risks to these assets
S prioritizing risks and resources to protect critical infrastructure
S implementing protective programs
S developing measures to monitor and assess effectiveness.
• We expected that Public Safety Canada and selected federal entities would use a risk-based approach to
identify the resources needed and to coordinate the response to and recovery from emergencies.
• We expected that Public Safety Canada would promote a common approach to emergency
management, including the adoption of standards and best practices.
• We expected that Public Safety Canada, together with its federal partners, would provide emergency
management training, based on a needs assessment and a risk-based plan.
The Netherlands - Lessons on the accountability, transparency and audit of Tsunami-related aid, 2008
• Central government policy should be implemented by municipalities.
• The Minister of Home Affairs should be active in encouraging municipalities and other entities to be prepared
for disasters and to cooperate in a coordinated manner.
• Agencies should be involved in disaster management cooperation.
• Risk assessment and analysis should be conducted in a structured and systematic manner.
• Disaster management plans should be developed based on risk assessment.
• Disaster management plans should be kept up to date.
• Relevant professionals should be trained properly.
• Disaster management plans should be tested in practice (via drills, etc.).
• The Minister of Home Affairs should have enough management information to be able to monitor the disaster
preparedness of municipalities and other entities.
The Netherlands
• A good procedure should be in place to transform a threat into an alert.
• That procedure should be implemented (does it work in practice?).
• The system related to other projects and procedures should be well-designed without overlap or blind spots.
Turkey - How Well Is Istanbul Getting Prepared for the Earthquake?
• There should be one single institution initially responsible for the planning, coordination and execution of the
activities regarding earthquake preparations, which has the authority to use the budget, staff and instruments
and that is authorized to provide cooperation among the institutions.
• Activities should be managed according to the data obtained from the Disaster Management Information
System. The data have to be up to date, clear, accurate, precise, integrated and easily accessible. The results
obtained should be reported after being analyzed periodically. In disaster preparation plans, the issue of who
will do what, where, when and how should be clearly defined, and adequate staff training should be provided.
• Precautions that will diminish fire danger should be given priority; in this context, early warning and emergency
intervention systems should be established as soon as possible.
• In the Building Development Plans and their modifications, the selection of settlement areas should be based on
ground surveys.
• Istanbul's buildings should be inventoried, earthquake risk analysis should be done in conjunction with ground
surveys and buildings inventories; based on this analysis, the reaction of the buildings in the face of a possible
earthquake should be determined.
60
ANNEX 6: Audit Recommendations - examples concerning disaster preparedness
The Netherlands - Lessons on the accountability, transparency and audit of Tsunami-related aid, 2008
Management Information System
• The Minister should improve the quality of the disaster management policy by making it more specific and by
monitoring and supervising the implementation. The Minister needs to enhance his management information
system so as to be able to monitor and supervise the implementation of disaster management and to intervene
when necessary. This management information system should also serve for accountability.
Coordination
• The Minister should enhance structural cooperation between relevant agencies with specific measures.
Turkey - How Well Is Istanbul Getting Prepared for the Earthquake?
A New Management Approach
• To organize Istanbul's preparedness for a possible earthquake in the best possible way and to minimize the
likely damage, there is a need for a new management approach. To this end, the desired outputs that are to be
achieved in the short, medium and long term should be clearly set and, at the same time, the institutions that
have a role and function in obtaining these outcomes should work in cooperation.
Coordination
• Achieving targeted results depends on the development of cooperation among public institutions based on
accountability relations. In cooperation established on the grounds of accountability, who will be responsible for
what and how long, resource needs and allocations, commitments and expectations should be clearly
determined.
Planning
61
• Public institutions should start working in cooperation within the framework of accountability, relevant public
institutions should set their objectives and develop strategies and action plans in order to reach set objectives.
Additionally, Istanbul should be integrated into the strategic plan.
• Necessary measures should be taken to carry out damage assessment and designation of beneficiaries properly
and within the shortest possible time.
Technical Personnel
• A sufficient number of technical personnel who are to carry out damage assessment activities and designate
beneficiaries should be trained beforehand.
Ukraine - International Coordinated Audit of Chernobyl Shelter Funds, 2007-08
• Establish specific performance benchmarks for the project that need to be met before additional pledges of
funds are made in the future;
• Facilitate accountability and transparency while financing the Project by the EBRD;
• Perform auditing of contract awards, planning, implementation, acceptance and invoicing under the criteria of
regularity and performance in order to evaluate the effectiveness of CSF's mission performance.
Canada - Fall 2009 Emergency Management - Public Safety Canada
• The Privy Council Office and Public Safety Canada should ensure that all components of the Federal Emergency
Response Plan are completed and should obtain government approval for the plan
• As stipulated in the Emergency Management Act, Public Safety Canada should establish policies and programs
and provide advice for departments to follow when identifying risks and developing their emergency
management plans
• As stipulated in the Emergency Management Act, Public Safety Canada should ensure that its coordination role
for the federal response to an emergency is well defined and that the operational policies and plans that
departments will follow are updated and consistent
• Based on the responsibilities outlined in the Emergency Management Act, Public Safety Canada should provide
policies and guidance for departmental sector heads to determine their infrastructure and assess its criticality,
based on risk and its significance for the safety and security of Canadians; it should establish policies and
programs to prepare plans to protect the infrastructure.
62
63