Export-Import Bank: The Bank Needs to Continue to Improve Fraud Risk Management
Fast Facts
The Export-Import Bank of the United States helps U.S. companies that want to sell to foreign buyers but can’t get private financing. According to the Bank, its programs support tens of thousands of U.S. jobs annually. However, the Bank is backed by the U.S. government—so taxpayers could be responsible for losses.
We reviewed the Bank's controls for preventing losses from fraud. The Bank has taken steps to improve fraud risk management, including adopting some practices in our fraud risk management framework. However, it should conduct a comprehensive fraud risk assessment and use that to design antifraud controls. We made 7 recommendations.
Highlights
What GAO Found
In managing its vulnerability to fraud, the Export-Import Bank of the United States (the Bank) has adopted some aspects of GAO's A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework). This framework describes leading practices in four components: organizational culture, assessment of inherent program risks, design of tailored antifraud controls, and evaluation of outcomes. As provided in the framework, for example, the Bank has identified a dedicated entity within the Bank to lead fraud risk management. GAO also found that Bank managers and staff generally hold positive views of the Bank's antifraud culture. However, GAO also found that management and staff hold differing views on key aspects of that culture. These differing views include how active the Bank should be in addressing fraud. For example, Bank managers told GAO the Bank's current approach has been appropriate for dealing with fraud. However, about one-third of Bank staff responding to a GAO employee survey said the Bank should be “much more active” or “somewhat more active” in preventing, detecting, and addressing fraud. These and other divergent views indicate an opportunity to better ensure the Bank sets an antifraud tone that permeates the organizational culture, as provided in the Fraud Risk Framework.
GAO found the Bank has taken some steps to assess fraud risk. For example, the Bank's practice has generally been to assess particular fraud risks and lessons learned following specific instances of fraud encountered, according to Bank managers. However, the Bank has not conducted a comprehensive fraud risk assessment, as provided in the framework. The Bank has also been compiling a “register” of risks identified across the organization, including fraud. This register, however, does not include some known methods of fraud, such as submission of fraudulent documentation, thus indicating it is incomplete. Without planning and conducting regular fraud risk assessments as called for in the framework, the Bank is vulnerable to failing to identify fraud risks that can damage its reputation or harm its ability to support U.S. jobs through greater exports. As provided in the framework, managers should determine where fraud can occur and the types of internal and external fraud the program faces, including an assessment of the likelihood and impact of fraud risks inherent to the program.
At the conclusion of GAO's review, Bank managers said they will fully adopt the GAO framework. They said they plan to complete a fraud risk assessment by December 2018, and to determine the Bank's fraud risk profile—that is, document key findings and conclusions from the assessment—by February 2019. Work to adopt other framework components will begin afterward, the managers said. However, they did not provide details of how their efforts will be in accord with leading practices of the framework. As a result, GAO makes framework-specific recommendations in order to enumerate relevant issues and to present clear benchmarks for assessing Bank progress. This complete listing of recommendations is important in light of the Bank's recent embrace of the framework; recent changes in Bank leadership; and expected congressional consideration of the Bank's reauthorization in 2019.
Why GAO Did This Study
According to the Bank, it serves as a financier of last resort for U.S. firms seeking to sell to foreign buyers but that cannot obtain private financing for their deals. Its programs support tens of thousands of American jobs and enable billions of dollars in U.S. export sales annually, the Bank says. The Bank is also backed by the full faith and credit of the United States government, meaning that taxpayers could be responsible for Bank losses.
The Export-Import Bank Reform Reauthorization Act of 2015 included a provision for GAO to review the Bank's antifraud controls within 4 years, and every 4 years thereafter. This report examines the extent to which the Bank has adopted the four components of GAO's Fraud Risk Framework—commit to combating fraud; regularly assess fraud risks; design a corresponding antifraud strategy with relevant controls; and evaluate outcomes and adapt. GAO reviewed Bank documentation; interviewed a range of Bank managers; and surveyed Bank employees about the extent to which the Bank has established an organizational culture and structure conducive to fraud risk management.
Recommendations
GAO makes seven recommendations, centering on conducting a fraud risk assessment, tailored to the Bank's operations, to serve as the basis for the design and evaluation of appropriate antifraud controls. The Bank agreed with GAO's recommendations, saying it will take steps to improve its fraud risk management activities.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Export-Import Bank of the United States | The acting Bank president and Board chairman should ensure that the Bank evaluates and implements methods to further promote and sustain an antifraud tone that permeates the Bank's organizational culture, as described in GAO's Fraud Risk Framework. This should include consideration of requiring training on fraud risks relevant to Bank programs, for new employees and all employees on an ongoing basis, with the training to include identifying roles and responsibilities in fraud risk management activities across the Bank. (Recommendation 1) | In February 2021, EXIM provided GAO with documentation reflecting the steps taken to promote and sustain an antifraud tone that permeates EXIM's organizational culture. For example, EXIM established ongoing fraud risk training for all and documented fraud risk management roles and responsibilities for all levels of the agency in its Antifraud Strategy. Additionally, EXIM conducted a Fraud Risk Survey in fiscal year 2020 as part of a biannual survey to identify substantive changes in the agency's fraud risk environment. These actions can aid EXIM in further promoting and sustaining an antifraud tone that permeates the agency's organizational culture. |
Export-Import Bank of the United States | As the agency begins efforts to plan and conduct regular fraud risk assessments and to determine a fraud risk profile, the acting Bank president and Board chairman should ensure that the Bank's risk assessments and profile address not only known methods of fraud, including those that are absent from its current risk register, but other inherent fraud risks as well. (Recommendation 2) | In February and November 2019, EXIM provided GAO evidence that its fraud risk assessment and profile contained both known fraud risks previously absent from its risk register, as well as other inherent fraud risks. By including these fraud risks in its risk assessment and profile that were previously absent from its risk assessments, EXIM is better positioned to assess the extent to which its antifraud controls mitigate the broader range of fraud risks it faces. |
Export-Import Bank of the United States | As the agency begins efforts to plan and conduct regular fraud risk assessments and to determine a fraud risk profile, the acting Bank president and Board chairman should ensure that the risk profile includes risk tolerances that are specific and measurable. (Recommendation 3) | In February and November 2019, EXIM provided GAO evidence that its fraud risk profile included risk tolerances that are specific and measurable. By establishing a specific and measurable fraud risk tolerance, EXIM is better positioned to determine whether the fraud risks it faces are within its risk tolerance and, as necessary, take action in response to fraud risks that exceed its risk tolerance. |
Export-Import Bank of the United States | The acting Bank president and Board chairman should ensure that the Bank develops and implements an antifraud strategy with specific control activities, based upon the results of fraud risk assessments and a corresponding fraud risk profile, as provided in GAO's Fraud Risk Framework. (Recommendation 4) | In February 2021, EXIM provided GAO with documentation reflecting the steps taken to develop and implement an antifraud strategy with specific control activities. EXIM developed its Antifraud Strategy with specific control activities based on the results of EXIM's 2019 fraud risk assessment and a corresponding fraud risk profile. These actions can aid EXIM in ensuring its fraud risk strategy mitigates fraud risks identified in the fraud risk assessment. |
Export-Import Bank of the United States | The acting Bank president and Board chairman should ensure that the Bank identifies, and then implements, the best options for sharing more fraud-related information--including details of fraud case referrals and outcomes--among Bank staff, to help build fraud awareness, as described in GAO's Fraud Risk Framework. (Recommendation 5) | In February 2021, EXIM provided GAO with documentation reflecting the steps taken to share fraud-related information among EXIM staff. EXIM provided a log of all suspicious activity referrals to EXIM's Office of the Inspector General (OIG). The log covers fiscal years 2017-2020 and will be updated for forthcoming years. EXIM also provided examples of annual reports summarizing the suspicious activity referred to the OIG in a given year. In 2019, EXIM shared recent trends in fraud referrals to the OIG with EXIM staff. These options for sharing more fraud-related information can aid EXIM in building fraud awareness among staff. |
Export-Import Bank of the United States | The acting Bank president and Board chairman should lead efforts to collaborate with the Bank's OIG to identify a feasible, cost-effective means to systematically track outcomes of fraud referrals from the Bank to the OIG, including creating a means to link the OIG's proven cases of fraud to the specific Bank transactions from which the OIG actions arose. If any such means are found to be feasible and cost-effective, the acting Bank president and Board chairman should direct appropriate staff to implement them, with such information to be used for purposes consistent with GAO's Fraud Risk Framework, such as data analytics. (Recommendation 6) | In December 2020, EXIM developed procedures for an information exchange with the EXIM OIG. The procedures detail EXIM OGC's responsibility to maintain a log of suspected fraud referrals made to the OIG. EXIM provided us the log of all suspicious activity referrals to the OIG, which covers fiscal years 2017-2022. EXIM OIG uses part of the log to track information about an investigation, such as when a matter is closed. The procedures also specify that when possible, the conviction of a party is correlated to specific EXIM transactions. By taking these steps, EXIM is better positioned to collaborate with the EXIM OIG and analyze trends in fraud activity to mitigate fraud risks, consistent with leading practices identified in GAO's Fraud Risk Framework. |
Export-Import Bank of the United States | The acting Bank president and Board chairman should ensure that the Bank monitors and evaluates outcomes of fraud risk management activities, using a risk-based approach and outcome-oriented metrics, and that it subsequently adapts antifraud activities or implements new ones, as determined to be appropriate and consistent with GAO's Fraud Risk Framework. (Recommendation 7) | In February 2021, EXIM provided GAO with documentation reflecting how EXIM monitors and evaluates outcomes of fraud risk management activities, using a risk-based approach and outcome-oriented metrics. For example, EXIM uses its log of suspicious activity referrals to EXIM's Office of the Inspector General to monitor and analyze emerging trends and adjust controls, as needed. As a result of EXIM's analysis of these trends, two controls were adjusted, including controls regarding EXIM's application procedures and cybersecurity risks. |