Skip to Highlights
Highlights

What GAO Found

The Social Security Administration (SSA) has taken steps to establish an organizational culture and structure conducive to fraud risk management in its disability programs, but its new antifraud office is still evolving. In recent years, SSA instituted mandatory antifraud training, established a centralized antifraud office to coordinate and oversee the agency's fraud risk management activities, and communicated the importance of antifraud efforts. These actions are generally consistent with GAO's Fraud Risk Framework, a set of leading practices that can serve as a guide for program managers to use when developing antifraud efforts in a strategic way. However, SSA's new antifraud office, the Office of Anti-Fraud Programs (OAFP), faced challenges establishing itself as the coordinating body for the agency's antifraud initiatives. For example, the OAFP has had multiple acting leaders, but SSA recently appointed a permanent leader of OAFP to provide accountability for the agency's antifraud activities.

SSA has taken steps to identify and address fraud risks in its disability programs, but it has not yet comprehensively assessed these fraud risks or developed a strategic approach to help ensure its antifraud activities effectively mitigate those risks. Over the last year, SSA gathered information about fraud risks, but these efforts generally have not been systematic and did not assess the likelihood, impact, or significance of all risks that were identified. SSA also has several prevention and detection activities in place to address known fraud risks in its disability programs such as fraud examination units, which review disability claims to help detect fraud perpetrated by third parties. However, SSA has not developed and documented an overall antifraud strategy that aligns its antifraud activities to its fraud risks. Leading practices call for federal program managers to conduct a fraud risk assessment and develop a strategy to address identified fraud risks. Without conducting a fraud risk assessment that aligns with leading practices and developing an antifraud strategy, SSA's disability programs may remain vulnerable to new fraud schemes, and SSA will not be able to effectively prioritize its antifraud activities.

SSA monitors its antifraud activities through the OAFP and its National Anti-Fraud Committee (NAFC), which serves as an advisory board to the OAFP, but the agency does not have effective performance metrics to evaluate the effect of such activities. The OAFP has responsibility for monitoring SSA's antifraud activities and establishing performance and outcome-oriented goals for them. It collects metrics to inform reports about its antifraud initiatives, and the NAFC receives regular updates about antifraud initiatives. However, the quality of the metrics varies across initiatives and some initiatives do not have metrics. Of the 17 initiatives listed in SSA's 2015 report on antifraud initiatives, 10 had metrics that did not focus on outcomes, and 4 did not have any metrics. For example, SSA lacks a metric to help monitor the effectiveness of its fraud examination units. Leading practices in fraud risk management call for managers to monitor and evaluate antifraud initiatives with a focus on measuring outcomes. Without outcome-oriented performance metrics, SSA may not be able to evaluate its antifraud activities, review progress, and determine whether changes are necessary.

Why GAO Did This Study

SSA's Disability Insurance (DI) and Supplemental Security Income (SSI) programs provide cash benefits to millions of Americans with disabilities who are unable to work. Collectively, payments from DI and SSI were about $200 billion in fiscal year 2015. Although the extent of fraud in these programs is unknown, recent high-profile cases have highlighted instances in which individuals fraudulently obtained millions of dollars in benefits. GAO was asked to review SSA's fraud risk management.

This report examines SSA's actions to manage fraud risks and the extent to which these actions align with leading practices for (1) establishing an organizational culture and structure conducive to fraud risk management, (2) identifying, assessing, and addressing fraud risks, and (3) monitoring and evaluating its antifraud activities. GAO reviewed SSA documents, such as training materials and operational guidance; and interviewed SSA officials at the agency's headquarters, its three fraud examination units, and selected state disability determination offices chosen for their proximity to antifraud initiatives. GAO assessed those actions against leading practices identified in its Fraud Risk Framework.

Skip to Recommendations

Recommendations

GAO recommends SSA (1) conduct a comprehensive fraud risk assessment for its disability programs, (2) develop a corresponding antifraud strategy, (3) develop outcome-oriented metrics for antifraud activities, and (4) review progress and change activities as necessary. SSA agreed with GAO's recommendations.

Recommendations for Executive Action

Agency Affected Recommendation Status
Social Security Administration The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to lead a comprehensive fraud risk assessment that is consistent with leading practices, and develop a plan for regularly updating the assessment.
Closed - Implemented
In fiscal year 2018, the Social Security Administration (SSA) completed a fraud risk assessment of its disability programs and developed a fraud risk profile. Furthermore, in April 2019, SSA finalized an Enterprise Fraud Risk Management Strategy, which includes a business process and long-term schedule for conducting fraud risk assessments and establishing fraud risk profiles for multiple fraud risk areas, including SSA's disability programs. According to that document, SSA plans to reassess fraud risks to its disability programs in 2023 and every three years thereafter. In accordance with leading practices, SSA's process for assessing fraud risks described in these documents includes, among other things, involving relevant stakeholders in the assessment process, identifying specific fraud risks, assessing the inherent likelihood and impact of each risk, identifying existing controls in place to mitigate each risk, and assessing the residual likelihood and impact of each risk. According to the Enterprise Fraud Risk Mitigation Strategy, SSA's National Anti-Fraud Committee reviews the risk assessment and determines which risks require additional mitigation, based on SSA's risk tolerance. By taking these steps, SSA will be better positioned to implement antifraud controls to mitigate risks to its disability programs.
Social Security Administration The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to develop, document, and implement an antifraud strategy that is aligned to its assessed fraud risks.
Closed - Implemented
In fiscal year 2018, the Social Security Administration's (SSA) National Anti-Fraud Committee (NAFC) reviewed each of the risks in SSA's Disability Fraud Risk Assessment and identified risks that required additional mitigation. Those risks, and the associated new mitigation strategies, form the basis of SSA's Disability Fraud Risk Profile, which SSA finalized in fiscal year 2019. Specifically, for each identified risk, the Disability Fraud Risk Profile includes an assigned risk owner, risk response, mitigation owner, proposed mitigation strategy, and timeframe to implement. SSA provided documentation that it has completed implementing several of the mitigation strategies outlined in the risk profile and has taken steps to implement others. By taking these steps, SSA can better ensure that its antifraud control activities are aligned with its most significant fraud risks.
Social Security Administration The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to work with components responsible for implementing antifraud initiatives to develop outcome-oriented metrics, including baselines and goals, where appropriate for antifraud activities.
Closed - Implemented
In fiscal year 2019, SSA finalized a Disability Fraud Risk Profile that outlines risks the National Anti-Fraud Committee determined to require additional mitigation. For each risk, the profile includes, among other things, an assigned mitigation owner, proposed mitigation strategy, and timeframe to implement the proposed mitigation strategy. According to SSA officials, SSA considered outcome-oriented metrics for its Disability Fraud Risk Profile, but determined that such metrics are generally not appropriate for disability fraud risk mitigation strategies because of the hidden nature of disability fraud and a lack of reliable data related to the specific risks. Because of this, according to SSA officials, SSA uses time-driven metrics to assess implementation of disability fraud risk mitigation strategies. According to SSA officials, SSA began incorporating metrics into its fraud risk assessments for other programs and fraud risk areas and these metrics then become the baselines for future fraud risk assessments. Furthermore, SSA officials noted that as it continues to enhance its analytics capabilities and works with other components to improve controls, it will continue to identify metrics within its assessments and consider how it can use that information to mature its programs. By taking these steps, SSA can better ensure that its antifraud control activities are implemented and working as intended.
Social Security Administration The Commissioner (or Acting Commissioner) of SSA should direct the OAFP to review progress toward meeting goals on a regular basis, and recommend that the NAFC make changes to control activities or take other corrective actions on any initiatives that are not meeting goals.
Closed - Implemented
In fiscal year 2019, SSA finalized a Disability Fraud Risk Profile that outlines risks the National Anti-Fraud Committee determined to require additional mitigation. For each risk, the profile includes, among other things, an assigned mitigation owner, proposed mitigation strategy, and timeframe to implement the proposed mitigation strategy. According to SSA officials and documentation provided by SSA, the Office of Anti-Fraud Programs reviews progress on identified mitigation strategies by requiring each mitigation owner to provide an implementation plan for the proposed mitigation strategy and to provide quarterly status updates on any unimplemented mitigations. According to documentation provided by SSA, this process helps ensure SSA is making sufficient progress and is able to promptly identify any mitigations that may require further consideration. By taking these steps, SSA can better ensure that its antifraud control activities are implemented and working as intended.

Full Report

GAO Contacts