Department of Energy: Use of Leading Practices Could Help Manage the Risk of Fraud and Other Improper Payments

GAO-17-235 Published: Mar 30, 2017. Publicly Released: May 01, 2017.

Fast Facts

DOE's inadequate management and oversight of its contractors led us to designate its contract management as a High Risk area. For example, in November 2016, DOE contractors constructing a nuclear waste treatment plant agreed to pay a combined $125 million to settle a lawsuit alleging, among other things, that a contractor improperly used federal funds for lobbying purposes.

We found that DOE does not use leading practices for managing fraud risks—such as data analytics—that can help agencies detect fraudulent spending or other improper payments.

We made six recommendations aimed at reducing DOE's risk of fraud and improper payments.


Highlights

What GAO Found

The Department of Energy (DOE) manages the risk of fraud and improper payments through its internal controls program, which includes, among other things, prepayment invoice reviews and post payment audits. However, several challenges limit the effectiveness of this approach. For example, DOE does not have a department-wide invoice review policy or well-documented procedures at five of the six sites with invoice review responsibilities. Consequently, DOE has no assurance that control activities at these sites are operating as intended. Time constraints also limit the effectiveness of invoice reviews. For example, some invoices can have numerous associated transactions and the reviews must be completed within a limited time frame before payment, which may be as short as 10 days.

DOE's approach to managing fraud risk does not incorporate leading practices such as creating a dedicated antifraud entity to lead fraud risk management activities; conducting regular fraud risk assessments that are tailored to the program; developing and documenting a strategy to mitigate assessed fraud risks; or designing and implementing specific control activities, such as data analytic activities, to prevent and detect fraud. By not implementing leading practices, DOE is missing an opportunity to organize and focus its resources in a way that would allow it to mitigate the likelihood and impact of fraud. Moreover, the Fraud Reduction and Data Analytics Act of 2015 establishes requirements aimed at improving federal agencies' controls and procedures for assessing and mitigating fraud risks through the use of data analytics. The legislation also directs the Office of Management and Budget (OMB) to, among other things, establish implementation guidelines that incorporate fraud risk management leading practices. DOE officials told GAO that they plan to meet the requirements of the act but should not be expected to implement private industry leading practices prior to the issuance of OMB guidance. Incorporating leading practices could also help DOE more effectively implement the act's requirements once OMB guidance is available.

It is not possible to fully employ data analytics as a tool to identify potential indicators of fraud or other improper payments at DOE because of limitations in contractor-maintained cost data. Much of the cost data maintained by the two DOE contractors GAO selected for data analytic purposes could not be used because these data did not include a complete universe of transactions that was reconcilable with amounts billed to DOE or did not contain details necessary to determine the nature of costs charged to DOE. Because DOE does not require its contractors to maintain sufficiently detailed transaction-level cost data that are reconcilable with amounts charged to DOE, it is not well positioned to employ data analytics as a fraud detection tool. Effective fraud risk managers collect and analyze data and identify fraud trends and use them to improve fraud risk management activities, according to leading practices that GAO has previously identified. Without the detailed data necessary to conduct such analysis, DOE is missing an opportunity to develop, refine, and improve its experience with data analytic tools and techniques, and better position itself to meet the requirements of the Fraud Reduction and Data Analytics Act.

Why GAO Did This Study

Over the past decade, incidents of fraud by DOE contractors have occurred. From 2003 through 2008, employees of one contractor at DOE's Hanford site in Washington state made hundreds of fraudulent purchases and solicited and received kickbacks. In another case, Hanford contractors agreed to pay a combined $125 million to settle disputed claims regarding federal dollars spent on nonnuclear-compliant parts. To help federal program managers combat fraud, in July 2015, GAO issued leading practices for managing fraud risks.

GAO was asked to review DOE's processes, programs, and practices for managing its risk of fraud. This report examines (1) DOE's approach to managing its risk of fraud and other improper payments and challenges, if any, that may limit the effectiveness of this approach; (2) the extent to which DOE's approach incorporates leading practices; and (3) the application of data analytics in identifying potential indicators of fraud or other improper payments associated with selected DOE contracts.

Recommendations

GAO is making six recommendations, including that DOE establish invoice review policies and procedures, employ leading practices such as data analytics to help manage fraud risk, and require that its contractors maintain sufficiently detailed cost data for reconciling with amounts charged. DOE generally concurred with five of GAO's six recommendations but did not agree to require contractors to maintain detailed data. GAO continues to believe that the recommendation is valid, as discussed in the report.

Recommendations for Executive Action

Agency Affected: Department of Energy
Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including designing and implementing specific control activities, including fraud awareness training and data analytics, to prevent and detect fraud and other improper payments.
Status: Open – Partially Addressed
In its comments on the draft report in March 2017, DOE stated that it concurred in principle with the recommendation, but that it had implemented the recommendation. In our January 2021 report on DOE contractor fraud risk (GAO-21-44), we found that DOE's Office of the Chief Financial Officer offers annual training to DOE employees and contractors on fraud awareness. Additionally, we found that DOE plans to survey organizations about their current use of data analytics and plans widespread use of data analytics beginning in fiscal year 2022. As of October 2023, DOE is continuing to develop and implement its data analytics strategy.

Agency Affected: Department of Energy
Recommendation: To help ensure that necessary data are available to employ data analytics as a tool to perform contractor cost-surveillance activities, the Secretary of Energy should require contractors to maintain sufficiently detailed transaction-level cost data that are reconcilable with amounts charged to the government, including (1) cost data that, at a minimum, represent a full data population and (2) the details necessary to determine the nature of each cost transaction, with such identifiers as transaction date, dollar amount, item or service description, and transaction codes to indicate the type of cost represented (e.g., construction materials, property lease, and office supplies).
Status: Open
In its comments on the draft report in March 2017, DOE did not agree to implement this recommendation because officials believe that the recommendation establishes agency-specific requirements for DOE contractors that are more prescriptive than current federal requirements. In our January 2021 report on DOE contractor fraud risk (GAO-21-44), we found that DOE plans to survey organizations about their current use of data analytics and plans widespread use of data analytics beginning in fiscal year 2022. As of October 2023, DOE is continuing to develop and implement its data analytics strategy.

Agency Affected: Department of Energy
Recommendation: To allow DOE management to effectively monitor invoice reviews and have assurance that this control activity is operating as intended, the Secretary of Energy should establish a DOE-wide invoice review policy that includes requirements for sites to establish well-documented invoice review operating procedures.
Status: Closed – Implemented
In September 2023, DOE updated the Acquisition Guide to require the responsible invoice reviewing official to ensure that a list of items, including whether the costs are allowable and allocable under the contract, is addressed prior to the approval of every invoice. Additionally, DOE updated its Acquisition Guide to require the heads of contracting activities to maintain local policies and procedures for invoice review and approval.

Agency Affected: Department of Energy
Priority Rec.
Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including creating a structure with a dedicated entity within DOE to design and oversee fraud risk management activities.
Status: Closed – Implemented
In its comments on a draft of the report in March 2017, DOE partially agreed with the recommendation. As of December 2020, DOE completed a charter indicating that it expanded the responsibilities of the agency's Department Internal Control and Assessment Review Council to include performing duties as the Senior Risk Management Council to oversee the fraud risk management process and take on other roles of the designated entity, with support from the Internal Control and Fraud Risk Management Division within the Office of the Chief Financial Officer. In May 2021, the Department Internal Control and Assessment Review Council/Senior Risk Management Council met to review DOE's fiscal year 2021 Consolidated Risk Profile and Management Priorities, a key task of the designated entity.

Agency Affected: Department of Energy
Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including conducting fraud risk assessments that are tailored to each program and use the assessments to develop a fraud risk profile.
Status: Closed – Implemented
In DOE's fiscal year 2023 Enterprise Risk Management guidance, issued in December 2022, DOE added a list of 58 financial-related fraud risks to the Financial Management Assessment module of its internal control application. These 58 fraud risks are mapped to the department's Fraud Risk Profile. Reporting organizations are to identify relevant risks, perform risk assessments, and identify controls to mitigate those risks.

Agency Affected: Department of Energy
Recommendation: To help DOE take a more strategic approach to managing improper payments and risk, including fraud risk, the Secretary of Energy should implement leading practices for managing the department's risk of fraud, including developing and documenting an antifraud strategy that describes the programs' approaches for addressing the prioritized fraud risks identified during the fraud risk assessment.
Status: Closed – Implemented
In September 2023, DOE clarified that its December 2020 Fraud Risk and Data Analytics Framework, which we reviewed, serves as the department's antifraud strategy.

Topics

Best practices, Contract administration, Contract oversight, Erroneous payments, Fraud, Internal audits, Internal controls, Program management, Risk assessment, Risk management, Improper payments