This is part one of a two-part conversation with Linda Miller, a principal at Grant Thornton, where she leads the Fraud Risk Mitigation and Analytics Practice. Miller previously served as as Assistant Director with the Forensic Audits and Investigative Service at GAO for 10 years. She led development of A Framework for Managing Fraud Risks in Federal Programs, the first-ever guidance to help federal program managers proactively manage fraud risk and help prevent fraud. Her efforts led to the passage of the Fraud Reduction and Data Analytics Act.
Your work in public sector fraud risk goes back to the early 2000s when you worked for the General Accountability Office. How did you become involved in the anti-fraud, waste and abuse effort, and what was the environment then?
In the beginning, it was a slow evolution. Everybody knows that fraud in government programs is bad. Any agency will talk about having a zero tolerance and being very serious about stopping fraud, waste and abuse. But in reality, most federal agencies, if you talk to them about what they are doing to address fraud, they will say “You need to talk to the Inspector General. They do fraud.”
In reality, the Inspector General comes in after the fact to investigate and prosecute fraud but it’s the program managers who are really responsible for preventing fraud. They know how a fraudster might circumvent or override a given control to commit fraud.
Statutes around fraud, waste and abuse really began with the Improper Payments Elimination Act of 2002 (IPIA), which has been amended four times [including the Improper Payments Elimination and Recovery Act of 2010, or IPERA]. Those laws put a concerted focus on agencies addressing improper payments.
Most federal agencies look at improper payments as purely compliance. So, the IPERA laws have not done a lot to move the needle. The goal is to identify as few high-risk programs as possible, because if you have a high-risk program, you have to do statistical sampling and other things that require resources that you don’t want to be spending. They look for the easy way out. If you ask, many of them will admit that it’s just a paper exercise.
Everything accelerated in 2015 when GAO issued the Framework for Managing Fraud Risks in Federal Programs. We decided to write the Fraud Risk Framework because we were doing data matching and finding examples of fraud. For example, we would match records and determine that the Social Security Administration was paying benefits to deceased individuals. That’s helpful, but the agencies didn’t necessarily know what the breakdown in controls was that was enabling that fraud to happen. They needed to know why and how to change it. There were no leading practices to help them do that.
After we wrote the Framework, Congress decided to draft a bill requiring agencies to implement it. In July 2016, Congress passed the Fraud Reduction and Data Analytics Act (FRDAA), which requires agencies to follow the practices outlined in the GAO Framework. The GAO Framework and FRDAA made agencies think proactively about managing fraud. What really helps agencies carry out the law is GAO auditing agencies, evaluating whether they are proactively managing fraud risks, and making recommendations. GAO has been helpful in adding oversight, so agencies conform to the law.
How much did The Fraud Reduction and Data Analytics Act, enacted in 2016, change things?
IPERA was really focused on payments that are inaccurate or fraudulent. But FRDAA tells agencies to think about all fraud risks—both financial and nonfinancial, such as safety and security implications. That was new for agencies.
Across government, there is a reluctance to admit there is a problem with fraud. Denial is almost ubiquitous in companies and government, alike. There is a fear of bad publicity, even though fraud is well known by the public.
People think, “If there’s fraud in my program, I must be doing something wrong, and I’m going to be blamed.” So, when an oversight body comes to them, they say there’s no fraud. And because fraud is deceptive, unless and until it is caught, no one can prove otherwise.
In the past couple of years, we’ve done an analysis on fraud reporting in Annual Financial Reports and found very few agencies reporting proactive efforts to build fraud risk management programs, but just statements like, “The GAO fraud framework is good,” and “Fraud is bad, and we should stop it.”
Is the language around the word, “fraud,” important to the goals here?
Yes. Fraud is defined as a criminal act. That’s why we call it fraud risk, meaning the vulnerability for fraud or negligence. That’s important as many agencies are quick to go to the definition as a way to say there is little actual fraud, rather than think about where the vulnerabilities to fraud may lie.
In GAO’s fraud framework, we identify instances where fraud tolerance is higher. One example is a post-emergency environment. Fraud is notoriously high in post disaster scenarios, but you are also dealing with a situation where people have just become homeless, so your tolerance for fraud is going to be higher given how dire the situation is. That’s why the disaster arena is a specific vulnerability. If they acknowledge the risk, agencies can increase anti-fraud controls once the emergency is over and be better prepared before the next disaster.
The problem with everyone being fearful of the word “fraud” is that if no one talks about it, no one knows about it. It matters that they don’t use the word. Outside of analytics, fraud awareness is the most important effort agencies can undertake to reduce their fraud risk. Last year, we wrote the Governmentwide Anti-Fraud Playbook for Treasury. There are 17 interactive plays; one is “Fraud is not a four-letter word.” It’s all about fraud awareness.
The Payment Integrity and Information Act of 2018, which has gone through the Senate and is now in the House, holds real promise in that it puts more teeth into fraud analytics requirements. It consolidates IPERA and FRDAA as well as other laws, and has a new data quality/data analytics piece that makes data sharing easier and removes some of the barriers to doing analytics.
To learn more about how Tableau can help your organization reduce financial risks and improve outcomes with the power of your data, visit our Public Sector for Finance Analytics page.