DOD Fraud Risk Management: Enhanced Data Analytics Can Help Manage Fraud Risks
Fast Facts
The cost and scope of DOD's contracting activity—e.g., contracts on major weapon systems, support for military bases, IT and consulting services—makes it inherently susceptible to fraud.
To fight fraud, DOD has a Fraud Reduction Task Force and an antifraud strategy document. DOD's updated 2023 strategy didn't include data analytics as a method for managing fraud risk, contrary to leading practices. Data analytics includes techniques such as data matching—comparing datasets, which can help identify potentially fraudulent contractors.
Our 11 recommendations address this and other issues. DOD's contract management is on our High Risk List.
Highlights
What GAO Found
The Department of Defense (DOD) issued an updated fraud risk management strategy in August 2023. Contrary to leading practices, the strategy does not establish data analytics as a method for fraud risk management or provide the direction needed to conduct such data analytics. Data analytics are control activities that can be used to prevent and detect fraud. Data analytics can include a variety of techniques, such as data matching. Data matching can be used to verify key information to determine eligibility to receive federal contracts. For example, if an entity reports that it is a small business in order to receive federal contracts, DOD can use third-party data sources to verify that the entity actually meets requirements to qualify as a small business.
DOD's strategy refers generally to data analytics but does not establish it as a specific fraud risk management control activity. Accordingly, the strategy does not identify which DOD entity has the authority to ensure that fraud-related data-analytics activities are planned and implemented. The strategy does not establish clear roles and responsibilities for all entities with data-analytics roles. It also does not provide timelines for designing and implementing data-analytics activities. As a result, DOD is missing an opportunity to provide direction in areas that are critical to achieving its data-analytics goals and managing fraud risks.
GAO analyses demonstrate how information from investigative case data on alleged and adjudicated procurement fraud could help inform DOD's fraud risk management consistent with leading practices in GAO's Fraud Risk Framework, despite existing data limitations (see fig.).
Examples of Data Collected by the Department of Defense That Could Help Inform Its Fraud Risk Management
For example, Defense Criminal Investigative Organizations (DCIO) collect data that describe the extent of detected alleged fraud through the number and types of cases investigated. Using these data, GAO found that the number of alleged and adjudicated procurement fraud cases closed from fiscal years 2015 through 2021 ranged from 444 for the Naval Criminal Investigative Service (NCIS) to 1,165 for the Defense Criminal Investigative Service, a component of the DOD Office of Inspector General (OIG) (see fig.). Such information could help DOD identify and assess risks as part of its fraud risk profile. Specifically, information on the number and types of cases investigated could help DOD (1) identify procurement fraud risks and the likelihood and impact of those risks and (2) prioritize the fraud risks.
Information from Analyses of Investigative Data from Alleged and Adjudicated Procurement Fraud Cases Closed from Fiscal Years 2015 through 2021
DCIOs also collect data describing the number and types of investigated offenses and offenses for which remedies were pursued. For example, GAO found that the most prevalent investigated offense in the 444 NCIS cases identified was false, fictitious, or fraudulent claims. GAO also found that this was the most prevalent offense for which remedies were pursued in the NCIS cases. This information could help DOD take actions, such as enhancing its fraud-awareness trainings to provide details on how these frauds were detected, to aid in preventing similar future fraud.
Information about adjudicated offenses can help DOD better understand the impact of procurement fraud risks, including the financial and reputation impacts. With this information, DOD would be better able to determine its fraud risk tolerance.
GAO's analyses revealed that investigative data on alleged and adjudicated procurement fraud cases were not always complete and could not always be readily analyzed, for various reasons. For example, some investigative data lacked a structured data field identifying cases as involving alleged or adjudicated procurement fraud, requiring analysis of narrative fields. Being able to readily identify such cases would facilitate DOD's fraud risk management.
DOD does not have plans to obtain and analyze relevant information from adjudicated procurement fraud cases. Without obtaining such information, DOD may not fully assess its fraud risks or design and implement data-analytics activities to prevent or detect these risks.
Why GAO Did This Study
DOD is the largest contracting agency in the federal government—with contract obligations of $414.5 billion in fiscal year 2022 for a wide range of goods and services. In 2021, GAO found that DOD had taken initial steps to combat fraud risks but had not implemented a comprehensive approach.
GAO was asked to broadly review DOD's fraud risk management as related to contracting. This report examines (1) if DOD's fraud risk management strategy provides the needed direction for fraud-related data-analytics activities and (2) the extent to which analyses of DOD investigative data on alleged and adjudicated procurement fraud cases can help inform fraud risk management.
GAO analyzed DOD's fraud risk management strategy against leading practices. GAO also analyzed investigative data for fiscal years 2015 through 2021 for closed, unsealed, unclassified cases. GAO compared DOD's practices related to the usability of investigative data for fraud risk management and the use of investigative information with federal internal control standards and leading practices for fraud risk management. GAO also selected a nongeneralizable sample of eight cases, two from each DCIO, for illustrative information regarding the cases investigated.
Recommendations
GAO is making 11 recommendations to DOD and the DOD OIG. This includes DOD establishing data analytics as a method for fraud risk management and providing the direction needed on data analytics in its strategy. It also includes improving the usability of investigative data by DOD for fraud risk management and obtaining and analyzing information from adjudicated procurement fraud cases. Additionally, it includes a recommendation to DOD OIG that it collaborate, as appropriate, on the development of leading practices towards improving the usability of investigative data by DOD for fraud risk management purposes. DOD agreed with some, but not all of the recommendations. DOD OIG agreed with all applicable recommendations. GAO continues to believe that all of the recommendations are warranted and should be implemented in a timely fashion, as discussed in this report.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Secretary of Defense should ensure that the Under Secretary of Defense (Comptroller) revises DOD's Fraud Risk Management Strategy to establish data analytics as a method for preventing, detecting, and responding to fraud. (Recommendation 1) |
DOD did not agree with this recommendation when our report was published in February 2024. In May 2024, DOD indicated that it plans to implement this recommendation and plans to publish a revised Fraud Risk Management Strategy in September 2024.
|
| Department of Defense | The Secretary of Defense should ensure that the Under Secretary of Defense (Comptroller) identifies and documents in DOD's Fraud Risk Management Strategy which entity has the necessary authority to ensure that fraud-related data-analytics activities are planned and implemented. (Recommendation 2) |
DOD did not agree with this recommendation when our report was published in February 2024. In May 2024, DOD indicated that it plans to implement this recommendation and plans to publish a revised Fraud Risk Management Strategy in September 2024.
|
| Department of Defense | The Secretary of Defense should ensure that the Under Secretary of Defense (Comptroller) revises DOD's Fraud Risk Management Strategy to clarify and document roles and responsibilities related to data-analytics activities. (Recommendation 3) |
DOD did not agree with this recommendation when our report was published in February 2024. In May 2024, DOD indicated that it plans to implement this recommendation and plans to publish a revised Fraud Risk Management Strategy in September 2024.
|
| Department of Defense | The Secretary of Defense should ensure that the Under Secretary of Defense (Comptroller) incorporates and documents timelines for designing and implementing data-analytics activities into DOD's Fraud Risk Management Strategy. (Recommendation 4) |
DOD did not agree with this recommendation when our report was published in February 2024. In May 2024, DOD indicated that it plans to implement this recommendation and plans to publish a revised Fraud Risk Management Strategy in September 2024.
|
| Department of Defense | The Inspector General of DOD should improve the usability of its procurement fraud investigative data for fraud risk management purposes. Specific actions should include ensuring that data in structured fields are complete, accessible, and readily subject to analysis and aggregation. (Recommendation 5) |
DOD Office of the Inspector General (OIG) concurred with this recommendation and plans to implement it by May 2026. To implement this recommendation, DOD OIG indicated that it plans to (1) identify best practices for investigative data in structured fields within case management systems; (2) update and create structured fields in investigative records and conduct quality reviews to ensure the data is accurate and complete; (3) update case management system to ensure the data in the structured fields are accessible to the appropriate users; (4) coordinate with DOD OIG Data Analytics Team to analyze and aggregate investigative data to identify and share trends within the DOD and federal oversight community.
|
| Department of the Air Force | The Secretary of the Air Force, in collaboration with the Inspector General of DOD and the other military departments, should improve the usability of its respective procurement fraud investigative data by DOD for fraud risk management purposes. Specific actions should include ensuring that data in structured fields are complete, accessible, and readily subject to analysis and aggregation. (Recommendation 6) |
DOD partially concurred, and DOD OIG concurred, with this recommendation. DOD indicated that it plans to partially implement this recommendation by November 2024. The Air Force Office of Special Investigations (AFOSI) agreed that data in structured fields of their case management system should be complete, accessible, and readily subject to analysis and aggregation. Additionally, AFOSI indicated that it has implemented changes to the new case management system to better capture fraud investigations data including adding data fields to capture fraud schemes and updating disposition fields for user ease. The Secretary of the Air Force, Inspector General, commented that not all data in structured fields should be required to be completed and that not all fields are relevant to every case or case type. AFOSI indicated that those fields determined to be essential will be made a "required" field for agents to open or close an investigation in AFOSI's new case management system and that certain fields may only be required to open a case, while others required to close a case. We agree that not all fields may be relevant for every case. However, based on our analyses, we believe completing a structured field to indicate its irrelevancy with respect to a certain data point would provide additional insight and improve usability for fraud risk management purposes.
|
| Department of the Army | The Secretary of the Army, in collaboration with the Inspector General of DOD and the other military departments, should improve the usability of its respective procurement fraud investigative data by DOD for fraud risk management purposes. Specific actions should include ensuring that data in structured fields are complete, accessible, and readily subject to analysis and aggregation. (Recommendation 7) |
DOD and DOD OIG concurred with this recommendation and plan to implement it by December 2025. The Army Criminal Investigation Division stated that it is replacing its ALERTS case management system with a more intuitive and comprehensive case management system. The Army Criminal Investigation Division indicated, among other things, that the new case management system will have standardized data fields to more accurately capture fraud investigative data and would have additional data fields to allow for more accurate analysis and reporting.
|
| Department of the Navy | The Secretary of the Navy, in collaboration with the Inspector General of DOD and the other military departments, should improve the usability of its respective procurement fraud investigative data by DOD for fraud risk management purposes. Specific actions should include ensuring that data in structured fields are complete, accessible, and readily subject to analysis and aggregation. (Recommendation 8) |
In February 2024, DOD did not concur and DOD OIG concurred with this recommendation. In May 2024, DOD indicated that it partially concurs with our recommendation. The Naval Criminal Investigative Service (NCIS) did not provide an estimated date by which this recommendation would be partially implemented. NCIS agreed that improving the quality of the data in their case management system and ensuring that the data are readily subject to analysis and aggregation would improve its usability by DOD for fraud risk management purposes. However, NCIS indicated that the prioritization of enhancements to its case management system to ensure that data in structured fields are complete, accessible, and readily subject to analysis and aggregation must be balanced with available resourcing, level of difficulty to accomplish, and higher priority enhancements. NCIS indicated that it would collaborate with DOD OIG and the Defense Criminal Investigative Organizations to identify cost-effective, user-efficient, and meaningful improvements to the usability of procurement fraud-related investigative data.
|
| Department of Defense | The Comptroller should collaborate with the Inspector General of DOD and the Secretaries of the Navy, Air Force, and Army, respectively, to obtain and analyze relevant information from adjudicated procurement fraud cases. (Recommendation 9) |
DOD and DOD OIG concurred with this recommendation and plan to implement it by November 2025. In May 2024, DOD officials told us that DOD has established a Confirmed Fraud Working Group consisting of members of the military criminal investigative organizations and the Risk Management Internal Control Program. According to DOD officials, the Confirmed Fraud Working Group will work to collect and analyze adjudicated confirmed fraud cases to identify root causes, lessons learned, and other relevant information. According to DOD officials, the Confirmed Fraud Working Group will use this information to improve upon existing internal controls and identify areas where new controls can be established to hinder the causes of financial fraud against DOD.
|
| Department of Defense | The Secretary of Defense should ensure that the Under Secretary of Defense (Comptroller) revises DOD's Fraud Risk Management Strategy to obtain and analyze relevant information from adjudicated procurement fraud cases from the Defense Criminal Investigative Organizations. (Recommendation 10) |
DOD concurred with this recommendation and plans to implement it by September 2024. DOD officials indicated that the Under Secretary of Defense (Comptroller) will revise the Fraud Risk Management Strategy by September 2024.
|
| Department of Defense | The Inspector General of DOD should collaborate, as appropriate, with the military departments and relevant stakeholders, on the development of leading practices towards improving the usability of their respective procurement fraud investigative data by DOD for fraud risk management purposes. (Recommendation 11) |
DOD OIG concurred with this recommendation and plans to implement it by December 2026. DOD OIG indicated that it will perform an evaluation, or add relevant steps to a future planned evaluation, associated with improving the usability of Military Department and DOD OIG procurement fraud investigative data.
|