
Fraud Risk Management: OMB Should Improve Guidelines and Working-Group Efforts to Support Agencies' Implementation of the Fraud Reduction and Data Analytics Act

GAO-19-34 Published: Dec 04, 2018. Publicly Released: Dec 04, 2018.

Fast Facts

Fraud in federal programs can erode public trust in government. We reviewed what the Office of Management and Budget and agencies are doing to manage fraud risk.

We found that OMB established a working group and held meetings to help agencies share fraud risk management practices. However, the group did not meet as often as required in 2017 and not all relevant agencies were involved.

Most agencies we surveyed had started implementing required fraud risk management activities, but reported needing more involvement and information from the working group.

We recommended 3 ways to improve compliance with fraud risk management requirements.

Agencies' Implementation Status of Fraud Risk Management Activities

Agencies' Characterization of the Status of Implementation of Fraud Risk Management Activities



Highlights

What GAO Found

At varying stages, agencies have begun planning for and implementing fraud risk activities (like conducting an evaluation of fraud risks) required by the Fraud Reduction and Data Analytics Act of 2015 (FRDAA), according to GAO's survey of agencies subject to the act. Overall, most of the 72 surveyed agencies (85 percent) indicated that they have started planning how they will meet FRDAA requirements, and about 78 percent indicated that they have also started taking steps to implement the requirements.

To assist agencies in implementing fraud risk management activities, the Office of Management and Budget (OMB) established FRDAA-related guidelines and a working group, as required by the act. However, agencies experienced challenges with OMB's guidelines and the working group, among other things, according to GAO's survey and roundtable discussion results (see figure below).

Agencies Indicating Challenges with the Sufficiency of Office of Management and Budget Guidelines, Progress Reporting, and Working-Group Efforts


Implementation guidelines. To meet FRDAA requirements, OMB updated Circular No. A-123 guidelines that govern executive agencies. However, this update included limited information on the methodologies agencies can use to assess, document, and report on internal controls required by FRDAA, according to GAO's review of the guidelines. Surveyed agencies had mixed perspectives on the usefulness of OMB's guidelines for implementing FRDAA controls. Similarly, agencies identified the lack of clear requirements and guidance as top challenges in GAO's roundtable discussion with 14 selected agencies.

Reporting on implementation progress. Although not required by FRDAA, OMB updated annual financial report guidelines to include FRDAA requirements, but GAO found that the guidelines did not contain enough information to aid agencies in producing complete and detailed progress reports in 2017, the first year of reporting. Additional guidelines from OMB could help agencies produce more complete and detailed reports for 2019, the final year of required reporting. Without a longer reporting period, however, Congress may not have the useful information for continued oversight of agencies' progress.

Working Group. OMB has taken steps to establish the working group, but GAO found the working group did not fully meet FRDAA requirements. As Chair, OMB did not (1) involve all agencies subject to the act in the working group or (2) hold the required number of meetings in 2017. Most surveyed agencies indicated a lack of involvement with and information from the working group as challenges in implementing FRDAA.

Why GAO Did This Study

Fraud poses a significant risk to the integrity of federal programs and erodes public trust in government. Implementing effective fraud risk management processes can help ensure that federal programs fulfill their intended purpose, spend their funding effectively, and safeguard assets.

FRDAA requires agencies to establish internal controls to manage their fraud risks and to report implementation progress for the first 3 years after enactment. It also directs OMB to (1) develop guidelines for agencies to establish fraud risk management controls and (2) establish a working group to share best practices in fraud risk management and data analytics.

GAO was asked to review agencies' and OMB's efforts to implement FRDAA. This report examines steps (1) agencies and (2) OMB have taken to implement FRDAA. GAO conducted a survey of the 72 agencies subject to the act, held a roundtable discussion with 14 selected agencies, reviewed 24 selected annual financial reports, examined OMB guidelines, and interviewed OMB staff.

Recommendations

GAO is making three recommendations, including that OMB (1) enhance its guidelines for establishing controls, (2) enhance guidelines for reporting on agencies' progress, and (3) fully implement the working group. OMB did not concur with the need for the recommendations. GAO continues to believe the recommendations are valid, as discussed in the report. Additionally, Congress should consider extending agencies' reporting requirements.

Matter for Congressional Consideration

Matter: Congress should consider extending the requirement in FRDAA for agencies to report on their implementation of fraud controls, identification of fraud risks, and strategies for mitigating them, beyond the current 2019 expiration. (Matter for Consideration 1)
Status: Closed – Implemented
Comments: In March 2020, the Payment Integrity Information Act of 2019 (PIIA) was enacted to improve efforts to identify and reduce government-wide improper payments, including payments that are the result of fraud. Among other things, PIIA repealed and replaced the Fraud Reduction and Data Analytics Act of 2015 (FRDAA). Due in part to our review of FRDAA implementation, Congress included a provision in PIIA to extend to 2020 the requirement for agencies to report on their progress implementing fraud risk management activities. By requiring an additional year of reporting, Congress is better positioned to ensure oversight and accountability of agencies' fraud risk management activities.

Recommendations for Executive Action

Agency Affected: Office of Management and Budget (Priority Rec.)
Recommendation: The Director of OMB should enhance the guidelines for agencies to establish the controls required by FRDAA, by clarifying the difference between FRDAA and ERM requirements, and through collaboration with agencies to determine what additional information agencies need to implement the controls. (Recommendation 1)
Status: Closed – Implemented
Comments: In March 2020, the Payment Integrity Information Act of 2019 (PIIA) was enacted to improve efforts to identify and reduce government-wide improper payments, including payments that are the result of fraud. PIIA repealed and replaced FRDAA, maintaining FRDAA requirements for OMB to provide implementing guidelines and for agencies to establish financial and administrative controls for managing fraud risk, among other things. In October 2022, in consultation with GAO, OMB issued a Controller Alert to clarify the distinction between FRDAA/PIIA requirements to establish fraud-related financial and administrative controls and Enterprise Risk Management to ensure fraud risks are appropriately managed. The Controller Alert reminds agencies that they should adhere to leading practices in GAO's Fraud Risk Management Framework as part of their efforts to effectively design, implement, and operate an internal control system that addresses fraud risks, including fraud risks that do not rise to the level of enterprise-wide risks. The Controller Alert also reminds agencies that the dollar thresholds established in Section 3352 of PIIA for "significant" improper payments are for the purposes of improper payment reporting and not for managing fraud risks pursuant to Section 3357. As such, all programs, regardless of their improper payment risks or rates, should be strategically managing their fraud risks. Clarifying these requirements for fraud risk management will help ensure that agencies are better positioned to improve controls and procedures to assess and mitigate fraud risks in federal programs.

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should enhance FRDAA reporting guidelines by directing agencies to report complete and detailed information on each of the reporting elements specified by FRDAA, which should include information related to financial and nonfinancial fraud. (Recommendation 2)
Status: Closed – Not Implemented
Comments: In March 2020, the Payment Integrity Information Act (PIIA) of 2019 was enacted to improve efforts to identify and reduce governmentwide improper payments, including payments that are the result of fraud. PIIA repealed and replaced FRDAA, but maintained similar reporting requirements for federal agencies regarding fraud risks and also extended the timeline for reporting through 2020. Although OMB did not update its previous reporting guidance for FRDAA as we recommended, agencies are no longer required to report on FRDAA requirements. GAO continues to believe that improving reporting guidelines for financial and nonfinancial fraud will help reduce fraud and improper payments.

Agency Affected: Office of Management and Budget (Priority Rec.)
Recommendation: The Director of OMB should ensure the working group's composition meets FRDAA requirements by involving the CFO of all agencies subject to the act by inviting them to participate or otherwise providing access and input into the working group, and ensure that mechanisms to share controls, best practices, and data-analytics techniques are in place. (Recommendation 3)
Status: Closed – Implemented
Comments: In our review of OMB's actions to implement the Fraud Reduction and Data Analytics Act of 2015 (FRDAA), we found that OMB did not involve all agencies subject to FRDAA in the working group and that most surveyed agencies indicated a lack of involvement with and information from the working group as challenges in implementing FRDAA requirements. Since issuance of our report, OMB has widened its outreach to agencies subject to the act, as evidenced by its listserv of fraud working group members, which includes representatives from every CFO-Act agency as well as an array of representatives from non-CFO act agencies. In addition, OMB is sharing best practices and other working group information with the broader counter-fraud community on its OMB MAX information system and through its listserv. OMB's wider outreach and mechanisms for sharing best practice and working group information provide agencies with opportunities to learn from each other's experiences and share solutions for establishing financial and administrative controls to prevent, detect, and respond to fraud risks in their programs, and sufficiently address the spirit of our recommendation.


Topics

Best practices, Executive agencies, Federal agencies, Financial reporting, Fraud, Information sharing, Internal controls, Program implementation, Reporting requirements, Requirements definition, Risk management