DOD Fraud Risk Management: Actions Needed to Enhance Department-Wide Approach, Focusing on Procurement Fraud Risks
Fast Facts
The Department of Defense, which spent about $422 billion on contracts for goods and services in FY 2020, has been the target of contracting-related fraud schemes. For example, one contractor pleaded guilty to defrauding the department by overbilling. DOD is also vulnerable to other types of contract fraud and corruption.
One way DOD tried to fight fraud in FY 2020 was to tap its subject matter experts for a Fraud Reduction Task Force. But we found 11 of 59 DOD organizations hadn't designated task force representatives. We also found DOD could more thoroughly assess and report department-wide fraud risks. We recommended addressing these issues.
Highlights
What GAO Found
The Department of Defense (DOD) faces numerous types of procurement fraud schemes (see figure). For example, in January 2015, the owner of a contracting firm pleaded guilty to bribing DOD officials and defrauding DOD of tens of millions of dollars by overbilling for goods and services. To combat department-wide fraud risks, DOD has taken initial steps that generally align with GAO's Fraud Risk Framework. However, DOD has not finalized and implemented a comprehensive approach. For example:
- DOD created a Fraud Reduction Task Force—a cross-functional team represented by subject matter experts across the department—to prioritize fraud risks and identify solutions. But its membership is incomplete. A year after formation, 11 of DOD's 59 component organizations, including the Army, had not designated a Task Force representative. Filling vacant Task Force positions would further strengthen DOD's ability to manage its fraud risks.
- DOD uses its risk management program to assess and report fraud risks. But the policy governing the risk management program does not specifically require fraud risk assessments. As a result, DOD may not be identifying all fraud risks, and its control activities may not be appropriately designed or implemented.
- DOD officials told GAO that they share fraud risk information with agencies' risk management officials, but documentation of stakeholders' roles and responsibilities remains incomplete. Such documentation can help ensure these stakeholders understand their responsibilities.
Examples of Procurement Fraud Schemes DOD Faces
DOD has taken steps to ensure components plan for and assess fraud risks. But some selected components did not report procurement fraud risks, as required by DOD. DOD provides guidance, tools, and training to its components to conduct fraud risk assessments and to assess procurement fraud risks. However, GAO found that three of six selected components reported procurement fraud risks in their fiscal-year-2020 risk assessments, and that three—which obligated $180.1 billion in fiscal year 2020—did not. Because DOD consolidates reported procurement risks from the components' fraud risk assessments and uses this information to update the department-wide fraud risk profile, it cannot ensure that its fraud risk profile is complete or accurate.
Why GAO Did This Study
GAO was asked to review issues related to DOD's fraud risk management. DOD obligated $421.8 billion in fiscal year 2020 on contracts. GAO has long reported that DOD's procurement processes are vulnerable to waste, fraud, and abuse. In 2018, DOD reported to Congress that from fiscal years 2013-2017, over $6.6 billion had been recovered from defense-contracting fraud cases. In 2020, the DOD Office of Inspector General reported that roughly one-in-five of its ongoing investigations are related to procurement fraud. This report assesses the steps DOD took in fiscal year 2020 (1) to combat department-wide fraud risks and (2) to conduct a fraud risk assessment and ensure that DOD's component organizations reported procurement fraud risks.
GAO analyzed applicable DOD policy and documents and compared them with Fraud Risk Framework leading practices, interviewed DOD officials, and reviewed fiscal year 2020 fraud risk assessments from six DOD components. GAO selected the six based primarily on fiscal years 2014-2018 contract obligations.
Recommendations
GAO makes five recommendations, including that DOD fill all Task Force positions, update its policy to require fraud risk assessments, and ensure that components assess procurement fraud risks. DOD agreed with some, but not all of the recommendations. GAO continues to believe all the recommendations are warranted and should be implemented.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | The Deputy Chief Financial Officer should ensure that cognizant DOD components designate representatives to the Fraud Reduction Task Force as expeditiously as possible. (Recommendation 1) |
Open – Partially Addressed
In March 2022, DOD officials told us that they have made progress in addressing this recommendation and that they expect to have the Fraud Reduction Task Force fully staffed by April 30, 2022. In June 2022, DOD officials provided us with a Fiscal Year 2022 roster for the Task Force, which listed representatives for 47 DOD components. In June 2023, DOD officials provided us with the latest Fraud Reduction Task Force roster. This roster listed 59 DOD components, but three components did not have a representative. In November 2023, DOD provided us with an updated roster. We are currently reviewing this roster to determine if DOD has assigned a representative to the Task Force from each DOD component. Filling the vacancies would further strengthen DOD's ability to effectively make fraud risk a management priority and ensure resources are available to develop action plans for mitigating fraud risks across the department.
|
| Department of Defense | The Comptroller should update DOD Instruction 5010.40 to include fraud-risk-assessment and reporting requirements. Specifically, the instruction should:
|
Open
In March 2022, DOD officials told us that they were working on addressing this recommendation. They said that the Comptroller and the Office of the Chief Management Office (OCMO) were responsible for this Instruction. However, as the OCMO position has been repealed, its duties have been redistributed primarily to the Office of the Director, Administration and Management (ODA&M), and DOD Instruction 5010.40 needs to be updated to reflect these changes as well as to address our recommendation. In July 2023, DOD officials told us that they are in the process of updating DOD Instruction 5010.40 and plan to have it finalized by September 30, 2023. As of October 2023, the Instruction had not been finalized. To fully implement this recommendation, DOD would need to update the Instruction. Doing so would make fraud-risk-reporting requirements explicit in policy. We will continue to monitor the Department's efforts to address our recommendation.
|
| Department of Defense | The Comptroller should update its Statement of Assurance Execution Handbook to clarify that components should report all fraud risks, including fraud risks that are not categorized as a material weakness or a significant deficiency. (Recommendation 3) |
Open – Partially Addressed
In July 2023, DOD officials told us that they continue to disagree with this recommendation and are not planning any further action. However, our review of the Fiscal Year 2023 Statement of Assurance Execution Handbook indicates that DOD has taken steps to address this recommendation, but there is some ambiguity about which fraud risks should be included in the risk assessment template. Specifically, one section of the Fiscal Year 2023 Handbook instructs components to provide supporting documentation to support the low-risk rating if no fraud risks are identified in the fraud risk assessment. But another section of the Handbook instructs components to compile the most significant risks, including fraud. In October 2023, DOD officials told us that components are to identify all fraud risks, not only ones that components deem the most significant. They said that they are in the process of updating the Fiscal Year 2024 Statement of Assurance Handbook accordingly to clarify this. To fully address this recommendation, we will review the Fiscal Year 2024 Handbook to see if it explicitly states that components are to report all fraud risks in the risk assessment template.
|
| Department of Defense | The Comptroller should determine and document the fraud-risk-management roles and responsibilities of all oversight officials, including department-wide Assessable Unit Senior Accountable Officials and their Action Officers and the Defense Business Council, and the chain of accountability for implementing DOD's fraud-risk-management approach. (Recommendation 4) |
Open
DOD did not concur with this recommendation, and in July 2023, DOD officials told us that no action is planned to address this recommendation. As discussed in this report, DOD officials told us fraud risk information is shared with Assessable Unit Senior Accountable Officials and their Action Officers, as well as the Defense Business Council. However, these entities are not referenced in DOD's fraud-risk management guidance. As we found, it is not clear what these entities' roles and responsibilities are as they relate to DOD's fraud-risk management approach and how accountability is maintained. This absence of documentation does not align with Federal Internal Control Standards. Specifically, these standards note that documentation provides a means to retain organizational knowledge and mitigate the risk of having that knowledge limited to a few personnel, as well as a means to communicate that knowledge as needed to external parties, such as external auditors. We continue to believe that this recommendation is warranted and will continue to monitor the Department's efforts to address our recommendation. Furthermore, in March 2022, Comptroller officials told us that the Comptroller and the Office of the Director, Administration and Management (ODA&M) share the Department's responsibilities for fraud risk management; ODA&M is the Department's lead for Enterprise Risk Management and Comptroller is responsible for risks that affect the financial statements. Comptroller officials said that they do not second guess what the components report. However, the DOD Fiscal Year 2020 Fraud Risk Management Strategy designates states that the Comptroller is responsible for overseeing fraud risk management activities across the Department. In June 2022, DOD officials told us that The Fraud Risk Management Strategy and associated policies are being updated to better align with actual practice.
|
| Department of Defense | The Comptroller should direct components, as part of the annual statement of assurance process, to plan and conduct regular fraud risk assessments that align with leading practices in the Fraud Risk Framework. Specifically, the assessment process should include: (1) identifying inherent procurement fraud risks, (2) assessing the likelihood and effect of these risks, (3) determining fraud risk tolerance, (4) examining the suitability of existing fraud controls, and (5) compiling and documenting the fraud risk profile. (Recommendation 5) |
Open – Partially Addressed
In July 2023 DOD officials told us that they have made progress in implementing this recommendation. The Fiscal Year 2023 Statement of Assurance Execution Handbook instructs components to evaluate their fraud risk management environment using the GAO Fraud Risk Management Framework Assessment template and to develop corrective action plans to mitigate any identified gaps. It also instructs components to report fraud risks using the Risk Assessment template. In October 2023, DOD provided us with the Fiscal Year 2023 risk assessment templates for our six selected components-(1) Defense Contract Management Agency, (2) Defense Logistics Agency, (3) Department of the Navy, (4) Department of the Air Force, (5) Department of the Army, and (6) Washington Headquarters Services. Our review of these assessments found that five of our six selected components included procurement fraud risks in their assessments, which is up from three of six at the time of our engagement. The Department of the Army did not include procurement fraud risks in its assessment. We also found that the risk assessment template does not include a fraud risk tolerance. To fully address our recommendation, DOD will also need to ensure that components fraud risk assessments are aligned with the leading practices in the Fraud Risk Framework, including assessing inherent procurement fraud risks and determining fraud risk tolerance. Ensuring that all fraud risks are reported by all components would better position DOD to manage its fraud risks. We will continue to monitor the Department's efforts to address our recommendation.
|