A single instance of fraud can significantly undermine a federal agency’s mission not only by consuming already scarce resources but also by potentially disrupting delivery of services. Though management has the responsibility for establishing internal controls to mitigate fraud risk, some managers may view fraud prevention programs as a hindrance to efficiently providing services to constituents. However, when fraud risk management is aligned with an agency’s strategic goals, it saves taxpayer resources and facilitates the delivery of services.
The Office of Management and Budget (OMB) states that the government “emphasized the importance of having appropriate risk management processes and systems to identify challenges early, to bring them to the attention of agency leadership, and to develop solutions.” The revised OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, and its appendices require managers to establish internal controls to help mitigate fraud risk. Specifically, an agency must perform an evaluation of fraud risks and use a risk-based approach to designing and implementing internal controls.
To assist managers in combatting fraud, the Government Accountability Office (GAO) has developed and compiled leading practices in “A Framework for Managing Fraud Risks in Federal Programs.” GAO’s framework considers control activities to prevent, detect, and respond to fraud, as well as the environment that affects a manager’s ability to mitigate fraud risks. The framework has four key components:
Commit: “Commit to combating fraud by creating an organizational culture and structure conducive to fraud risk management.” Tone at the top or senior-level commitment demonstrates integrity and sets the standard for behavior through all levels of a program. This commitment must be demonstrated through not only communication, but through behavior—the entity’s personnel take their cues from senior management, and lip service to fraud-fighting measures alone will not suffice. Defined roles and responsibilities, with the required authority and resources to effectively perform the role, are the infrastructure necessary for an anti-fraud program to permeate the organization.
Assess: “Plan regular fraud risk assessments and assess risks to determine a fraud risk profile.” As discussed in The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management – Integrated Framework, those in charge of governance must have a deep understanding of strategy to effectively assess the severity and impact of fraud risks that could derail that strategy. Thus, assessments should be tailored to the program; anti-fraud managers should plan what specific data will be gathered and understand the sources of that data, what tools will be used (e.g., surveys, discussions with control owners and senior management, analysis of historic control issues), the types of fraud schemes likely to affect the organization, and current trends in monitoring and detection at similarly situated entities. They must also determine the program’s risk tolerance by understanding the entity’s mission and strategy, and document the risk profile. It is important for such risk assessments to be performed on a periodic basis—both as the organization changes and as the operating environment changes—because fraud risks are dynamic. As an example, cybersecurity was not as prevalent an issue in the past as it clearly is today.
Design and implement: “Design and implement a strategy with specific control activities to mitigate assessed fraud risks and collaborate to help ensure effective implementation.” This is where the bulk of an organization’s time, effort, and resources will be spent in the fight against fraud. After having assessed risks, those responsible for governance will need to understand existing anti-fraud measures to identify gaps where fraud risks are insufficiently mitigated and plan to fill those gaps. Once the organization identifies and plans remedial actions, it must document and communicate its anti-fraud strategy.
Evaluate and adapt: “Evaluate the outcomes using a risk-based approach and adapt activities to improve fraud risk management.” The mark of a mature and robust anti-fraud program is its personnel’s ability to learn from experience. Thus, those responsible for the program’s oversight should evaluate outcomes using a risk-based approach and adapt activities to improve fraud risk management. It is also important for organizations to avoid being myopic about fraud and learn lessons from other agencies, as well. Risks change, and governance personnel should consider how to improve their preventive and detective controls to better respond to actual instances of fraud.
Organizational awareness is the best way to ensure that controls are properly understood and receive appropriate focus. Individuals must understand the importance of controls both from a check-and-balance viewpoint and from an efficiency and effectiveness viewpoint. The fight against fraud cannot be limited to anti-fraud specialists; rather, it must be perceived as part of an organization’s mission and culture.