International Journal of Government Auditing – Autumn 2015

GAO issues framework for managing fraud risks in federal programs

Supreme Audit Institutions (SAIs) can play an important role in overseeing the management of public funds and identifying opportunities for government managers to improve their efforts to deliver program and constituent services. In the United States, prior reviews by the U.S. Government Accountability Office (GAO) have highlighted opportunities for managers of U.S. federal programs to take a more strategic, risk-based approach to managing fraud risks. To help managers combat fraud and preserve integrity in government agencies and programs, GAO issued a Framework for Managing Fraud Risks in Federal Programs in July 2015.

Managers of government programs have the ultimate responsibility for overseeing how government funds are spent. However, they may perceive a conflict between their program’s mission, such as efficiently disbursing funds or providing services to beneficiaries, and taking actions to safeguard taxpayer dollars from improper use.

Too often, program managers are left trying to recoup money after inappropriate payments have been made, rather than proactively managing fraud risks in order to prevent fraud from occurring in the first place. Proactively managing fraud risks can help facilitate the program’s mission and strategic goals by ensuring that taxpayer dollars and government services serve their intended purposes.

The Fraud Risk Management Framework

GAO’s Fraud Risk Management Framework (the Framework) focuses on taking a strategic, risk-based approach to assessing and addressing fraud risks, using extensive stakeholder input. It provides a comprehensive set of leading practices that serve as a guide for program managers to use when developing or enhancing their fraud risk management efforts. The Framework complements existing efforts in the United States, including internal control standards and legislation focused on addressing improper payments. However, the Framework is fraud-specific and is intended to better assist managers with addressing nonfinancial fraud risks, in addition to financial fraud risks, which has been difficult to do historically.

To develop the Framework, GAO sought input from a variety of sources through interviews, focus groups, and an extensive literature review. In particular, GAO interviewed three other SAIs, the World Bank, and the Organisation for Economic Co-Operation and Development, and sought input from dozens of other antifraud experts in the U.S. public, private and nonprofit sectors.

To validate its findings, GAO asked program managers to review the leading practices to ensure their feasibility and applicability.

The Framework encompasses control activities to prevent, detect, and respond to fraud, with an emphasis on prevention. In addition, it recognizes the structures and environmental factors that may influence managers’ efforts to mitigate fraud risks.

For example, budgetary constraints can affect managers’ ability to pursue certain resource-intensive activities. Fraud can take many forms, some programs are more vulnerable to fraud than others, and managers’ expertise to combat fraud varies. The Framework recognizes differences in these factors and is flexible to allow managers to tailor the practices to fit their programs.

Graph: THe Fraud Risk Management Framework

The Framework consists of four components and describes leading practices within each component. In addition, the Framework highlights the importance of monitoring and incorporating feedback. These ongoing practices apply to all four components of the Framework.

The Four Components and Select Leading Practices

Commit—Commit to combating fraud by creating an organizational culture and structure conducive to fraud risk management.

As part of this component, effective managers of fraud risks demonstrate a senior-level commitment to combat fraud and involve all levels of the program in setting an antifraud tone.

"Proactively managing fraud risks can help facilitate the program’s mission and strategic goals by ensuring that taxpayer dollars and government services serve their intended purposes."
In addition, managers designate an entity within the program office to lead fraud risk management activities and ensure the entity has defined responsibilities and the necessary authority to serve its role.

Assess—Plan regular fraud risks assessments to determine a fraud risk profile.

This component includes leading practices for managers to plan and conduct an assessment of fraud risks. For instance, as part of the process, managers assess the likelihood and impact of fraud risks, determine their tolerance for fraud risks, and examine whether existing controls effectively address fraud risks. In addition, effective managers document the results of this process in a “fraud risk profile.”

Design and Implement—Design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation.

As part of this component, effective managers of fraud risks develop, document, and communicate a strategy to address the fraud risks they have identified. In particular, managers focus on prevention, consider the benefits and costs of controls to prevent and detect potential fraud, and develop a plan for responding to fraud when it occurs.

This component also includes leading practices for designing and implementing data-analytics activities, fraud-awareness initiatives, reporting mechanisms (such as hotlines), and employee-integrity activities (such as standards of conduct).

Finally, this component highlights the importance of collaborating with stakeholders both inside and outside of the program and creating incentives to help ensure the antifraud strategy will be effective.

Evaluate and Adapt—Evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk management.

This component includes leading practices for managers to monitor and evaluate the effectiveness of all components of the Framework. In particular, effective managers collect and analyze data to monitor fraud trends and identify potential control deficiencies, focus on outcomes of fraud risk management activities, and use the results of monitoring and evaluation to improve fraud prevention, detection, and response.

How Can SAIs Use the Framework?

While the primary target audience of the Framework is managers in the U.S. federal government, the practices and concepts described may be applicable to managers of other entities, including managers of government programs in other countries. SAIs can use the Framework to develop their own fraud risk management guidance or incorporate the practices and concepts described into their efforts to assess fraud risk management within their own countries.

SAIs can also use guidance from other SAIs, such as the Australian National Audit Office’s Fraud Control in Australian Government Entities: Better Practice Guide, to help enhance fraud risk management within their own government’s programs.

Graph: Key Elements of the Fraud Risk Assesment Process

For more information:

A Framework for Managing Fraud Risks in Federal Programs (GAO-15-593SP) is available on GAO’s website at www.gao.gov/products/GAO-15-593SP.

To learn more, please contact Steve Lord at LordS@gao.gov