Individual Disaster Assistance Programs
Framework for Fraud Prevention, Detection, and Prosecution Gao ID: GAO-06-954T July 12, 2006Federal agencies spend billions of dollars annually to aid victims of natural and other disasters and acts of terrorism. Managers of federal disaster assistance programs face a dual challenge--delivering aid as quickly as possible while at the same time ensuring that relief payments go only to those who are truly in need. Due to the very nature of the government's need to quickly provide assistance to disaster victims, federal disaster relief programs are vulnerable to significant risk of improper payments and fraudulent activities. On February 13, 2006, and on June 14, 2006, GAO testified concerning extensive fraud, waste, and abuse in the Individuals and Household Program (IHP), a component of the Federal Emergency Management Agency's (FEMA) disaster assistance programs. GAO identified significant internal control weaknesses that resulted in FEMA making tens of thousands of Expedited Assistance payments that were based on bogus registration data. GAO also found numerous other internal control failures in FEMA's IHP disaster assistance program, resulting in an estimate that FEMA made $600 million to $1.4 billion in improper and potentially fraudulent payments to registrants. The purpose of this testimony is to establish a framework for preventing, detecting, and prosecuting disaster assistance fraud.
Recent GAO audits have illustrated the importance of an effective fraud, waste, and abuse prevention system in federal disaster assistance programs. GAO's Standards for Internal Control in the Federal Government provide a framework for internal control that can be used to minimize fraudulent, wasteful, and abusive activity regardless of whether dealing with the effects of natural disasters like hurricanes Katrina and Rita, or coping with the destruction left by the terrorist attacks of September 11, 2001. A well-designed fraud prevention system should consist of three crucial elements: (1) upfront preventive controls, (2) detection and monitoring, and (3) investigations and prosecutions. Upfront preventive controls can help screen out the majority of fraud, and are the most effective and efficient means to minimize fraud, waste, and abuse. Detection and monitoring, and aggressive prosecution of individuals committing fraud, while also crucial elements of an effective system, are less effective and generally cost more. Audit work has long confirmed that upfront preventive controls are most effective when they require validation of data provided by disaster registrants against other government or third-party sources, and physical inspections when possible. Preventive controls should also include procedures designed to identify problem registrants prior to payments. Training personnel on fraud awareness and potential fraud schemes is also an integral component in preventive controls. Collectively, these preventive controls can help improve program integrity and safeguard tax dollars. An effective fraud deterrence program must also include resources to continually monitor and detect potential fraud, and aggressively investigate and prosecute individuals who received assistance fraudulently. Monitoring and detection include data-mining for suspicious registrations and payment usage, and setting up fraud hotlines. Finally, program integrity is enhanced by investigating and prosecuting individuals who take advantage of program weaknesses. However, the high costs of prosecutions highlight our conclusion that upfront preventive controls are most effective in preventing fraud, and that lessons learned from detection and prosecutions should be used to improve preventive controls.
GAO-06-954T, Individual Disaster Assistance Programs: Framework for Fraud Prevention, Detection, and Prosecution
This is the accessible text file for GAO report number GAO-06-954T
entitled 'Individual Disaster Assistance Programs: Framework for Fraud
Prevention, Detection, and Prosecution' which was released on July 12,
2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Testimony:
Before the Subcommittee on Management, Integration, and Oversight,
Committee on Homeland Security, U.S. House of Representatives:
United States Government Accountability Office:
GAO:
For Release on Delivery Expected at 2:00 p.m. EST:
Wednesday, July 12, 2006:
Individual Disaster Assistance Programs:
Framework for Fraud Prevention, Detection, and Prosecution:
Statement of Gregory D. Kutz, Management Director Forensic Audits and
Special Investigations:
GAO-06-954T:
GAO Highlights:
Highlights of GAO-06-954T, a testimony before the Subcommittee on
Management, Integration, and Oversight, Committee on Homeland Security,
U.S. House of Representatives
Why GAO Did This Study:
Federal agencies spend billions of dollars annually to aid victims of
natural and other disasters and acts of terrorism. Managers of federal
disaster assistance programs face a dual challenge”delivering aid as
quickly as possible while at the same time ensuring that relief
payments go only to those who are truly in need. Due to the very nature
of the government‘s need to quickly provide assistance to disaster
victims, federal disaster relief programs are vulnerable to significant
risk of improper payments and fraudulent activities.
On February 13, 2006, and on June 14, 2006, GAO testified concerning
extensive fraud, waste, and abuse in the Individuals and Household
Program (IHP), a component of the Federal Emergency Management Agency‘s
(FEMA) disaster assistance programs. GAO identified significant
internal control weaknesses that resulted in FEMA making tens of
thousands of Expedited Assistance payments that were based on bogus
registration data. GAO also found numerous other internal control
failures in FEMA‘s IHP disaster assistance program, resulting in an
estimate that FEMA made $600 million to $1.4 billion in improper and
potentially fraudulent payments to registrants. The purpose of this
testimony is to establish a framework for preventing, detecting, and
prosecuting disaster assistance fraud.
What GAO Found:
Recent GAO audits have illustrated the importance of an effective
fraud, waste, and abuse prevention system in federal disaster
assistance programs. GAO‘s Standards for Internal Control in the
Federal Government provide a framework for internal control that can be
used to minimize fraudulent, wasteful, and abusive activity regardless
of whether dealing with the effects of natural disasters like
hurricanes Katrina and Rita, or coping with the destruction left by the
terrorist attacks of September 11, 2001.
The figure below illustrates that a well-designed fraud prevention
system should consist of three crucial elements: (1) upfront preventive
controls, (2) detection and monitoring, and (3) investigations and
prosecutions. The figure also shows that upfront preventive controls
can help screen out the majority of fraud, and are the most effective
and efficient means to minimize fraud, waste, and abuse. Detection and
monitoring, and aggressive prosecution of individuals committing fraud,
while also crucial elements of an effective system, are less effective
and generally cost more.
Figure: Program Designed to Minimize Fraud, Waste, and Abuse:
[See PDF for Image]
Source: GAO>
[End of Figure]
Audit work has long confirmed that upfront preventive controls are most
effective when they require validation of data provided by disaster
registrants against other government or third-party sources, and
physical inspections when possible. Preventive controls should also
include procedures designed to identify problem registrants prior to
payments. Training personnel on fraud awareness and potential fraud
schemes is also an integral component in preventive controls.
Collectively, these preventive controls can help improve program
integrity and safeguard tax dollars.
An effective fraud deterrence program must also include resources to
continually monitor and detect potential fraud, and aggressively
investigate and prosecute individuals who received assistance
fraudulently. Monitoring and detection include data-mining for
suspicious registrations and payment usage, and setting up fraud
hotlines. Finally, program integrity is enhanced by investigating and
prosecuting individuals who take advantage of program weaknesses.
However, the high costs of prosecutions highlight our conclusion that
upfront preventive controls are most effective in preventing fraud, and
that lessons learned from detection and prosecutions should be used to
improve preventive controls.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-954T].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory Kutz at (202) 512-
7455 or kutzg@gao.gov.
[End of Section]
Mr. Chairman and Members of the Committee:
Thank you for the opportunity to discuss fraud prevention and detection
related to the federal government's efforts to provide assistance to
individuals and households in the aftermath of disasters.[Footnote 1]
Effective fraud prevention in relief programs is an important issue,
regardless of whether dealing with the effects of natural disasters
like hurricanes Katrina and Rita, or coping with the destruction left
by the terrorist attacks of September 11, 2001. Agencies are faced with
many challenges in the aftermath of a disaster and must devote
resources not only to distributing money and relief quickly to victims,
but must also minimize fraud, waste, and abuse to ensure only
legitimate victims receive assistance.
On February 13, 2006,[Footnote 2] and then again on June 14,
2006,[Footnote 3] we testified concerning extensive fraud, waste, and
abuse related to hurricanes Katrina and Rita in the Individuals and
Household Program (IHP), a component of the broader disaster assistance
program from the Federal Emergency Management Agency (FEMA). The
February testimony focused on control weaknesses that resulted in FEMA
making tens of thousands of Expedited Assistance (EA) payments that
were based on bogus registration data. Our June 14, 2006, testimony
discussed breakdowns in internal controls, in particular the lack of
controls designed to prevent bogus registrations, which resulted in an
estimated $600 million to $1.4 billion in improper and potentially
fraudulent payments. Based on these findings we have made
recommendations to FEMA to develop effective systems and controls to
minimize the opportunity for fraud, waste, and abuse when FEMA decides
to provide assistance in the future. Crucial internal controls and
control weaknesses we identified during our work on hurricane disaster
relief, and requirements in the Comptroller General's Standards for
Internal Control in the Federal Government,[Footnote 4] are directly
relatable to controls over any individual assistance program,
regardless of the cause of the disaster. My testimony today will focus
on the importance of fraud prevention controls, fraud detection
efforts, and the aggressive pursuit and prosecution of individuals who
commit fraud against the government in a time of disaster.
Summary:
The establishment of effective fraud prevention controls over the
registration and payment process, fraud detection and monitoring
adherence to those controls throughout the entire program life, and the
aggressive pursuit and prosecution of individuals committing fraud are
crucial elements of an effective fraud prevention program over any
assistance programs with defined eligibility criteria, including
disaster assistance programs. The very nature of the government's need
to quickly provide assistance to individuals adversely affected by
disasters makes assistance payments more vulnerable to applicants
attempting to obtain benefits that they are not entitled to receive.
However, it is because of these known vulnerabilities that the federal
government, and more specifically FEMA, needed to have had effective
controls in place to minimize the opportunities for individuals to
defraud the government. Figure 1 provides an overview of how prevention
controls help to screen out the majority of fraud, waste and abuse, and
how detective controls and prosecution can help to further minimize the
extent to which a program is vulnerable to fraud.
Figure 1: Program Designed to Minimize Fraud, Waste and Abuse:
[See PDF for image]
Source: GAO.
[End of figure]
The results of our work serve to emphasize the fundamental concept that
fraud prevention is the most effective and efficient means to minimize
fraud, waste, and abuse. Preventive controls should be designed to
include, at a minimum, a requirement that data provided by registrants
be validated against other government or third-party sources to
determine whether registrants provided accurate information on their
identity and place of residence. Inspections and physical validation
processes should also be conducted whenever possible to confirm
registration information prior to payment. System edit checks designed
to identify problem registrants and claims (e.g., duplicates) before
payments are made are also critical. Finally, providing training on
fraud awareness and potential fraud schemes to all key government and
contractor personnel is important in stopping fraud before it gets into
the program. Prior to implementing any new controls, and well in
advance of any disaster, agencies must adequately field test the new
controls to ensure that controls are operating as intended and that
legitimate victims are not denied benefits. In addition, as fraud
prevention controls are increased, agencies must provide safety
precautions to assist any disaster victims who are inappropriately
denied relief due to preventive controls.
Although more costly and less effective than preventive controls, fraud
detection and monitoring after payments have been made is also
critical. Key elements of the detection process include data-mining for
fraudulent and suspicious registrants, reviews to establish the
accountability of funds, and the establishment of hotlines to receive
tips of potentials fraud. For example, after the initial registration
process, agencies need a control system that includes continual
monitoring, to include data-mining registrations--similar to the data-
mining we conducted--to identify potentially fraudulent registrations
in their claim system. Also, control weaknesses identified through
detection and monitoring should be used to make improvements to
preventive controls to reduce the risk for fraud, waste, and abuse in
the future.
Another element of a fraud prevention program is the aggressive
investigation and prosecution of individuals who committed fraud
against the federal government. The deterrent value of prosecuting
those who commit fraud sends the message that the government will not
tolerate individuals stealing assistance money, serving as a preventive
measure for future disasters. For hurricanes Katrina and Rita the
Justice Department has set up the Katrina Fraud Task Force, which has
investigated and convicted numerous individuals who received assistance
fraudulently from FEMA. Further, schemes identified through
investigations and prosecution can be used to improve the fraud
prevention program.
Fraud, Waste, and Abuse Prevention Controls:
Prevention is the most effective and efficient way to minimize fraud,
waste, and abuse in any federal program, including disaster assistance,
and is also a key element described in the Standards for Internal
Control in the Federal Government.[Footnote 5] The most crucial element
of fraud prevention is to substantially diminish the opportunity for
fraudulent access into the system through front end controls. Figure 2
displays how preventive controls fit within a larger fraud, waste, and
abuse prevention program.
Figure 2: Preventive Controls:
[See PDF for image]
Source: GAO.
[End of figure]
Fraud prevention can be achieved by requiring that registrants provide
information in a uniform format, and validating that information
against external sources. In the current environment, agencies have at
their disposal a large number of data sources that they can use to
validate the identity and address of registrants. However, our work
related to FEMA's management of the IHP program for hurricanes Katrina
and Rita found that their limited use of a third-party validation
process left room for substantial fraud. Effective fraud prevention
controls require that agencies enter into data-sharing arrangements
with organizations to perform validation. System edit checks are also
key to identifying and rejecting fraudulent registrations before
payments are disbursed. In addition, an effective fraud prevention
system is not complete without adequate fraud awareness training of all
personnel involved in the distribution of relief. Finally, any new
systems or processes need to be field tested to ensure that the system
is working properly prior to implementation.
Data Validation:
Prior to a disaster registrant gaining access to relief payments, key
registrant information must be validated. For this program, data such
as names, social security numbers (SSN), primary residences,
citizenship status, and any other information which determines
eligibility must be validated upfront, prior to agencies accepting the
registration, or at least prior to disbursements being made. Obtaining
releases from registrants which allow an agency to validate data with
other sources such as social security records, tax records, and other
information is an important step that can facilitate effective
validation of data.
Depending on the turnaround time needed for a payment, agencies can
chose to validate records with federal government databases, or
validate information with third-party contractors who can confirm key
information with publicly available data from credit reports and other
sources almost instantaneously. When using these third-party sources it
is also important to at least periodically authenticate[Footnote 6] the
data within the program with the source of the information such as
Social Security Administration (SSA) or Internal Revenue Service (IRS)
records. Regardless of the sources used, all key data concerning a
registration has to be validated to minimize the risks to acceptable
levels prior to the registrant being accepted in the program. For
example, because FEMA lacked basic identity validation controls, they
accepted thousands of IHP registrations from registrants who provided
social security numbers that had never been issued or belonged to
deceased individuals. In addition, because FEMA failed to validate
damaged address information, we found thousands of dollars were paid to
individuals for bogus damaged addresses.
For data to be properly validated, it should be recorded in a uniform
format. Once key data elements relating to disaster relief eligibility
are determined, our work has shown that it is important to record the
information in a format that will facilitate data validation with
external sources. Otherwise, agencies may be faced with thousands or
tens of thousands of registrations being rejected or placed in a manual
review status because data was not recorded accurately. This is also
particularly important when recording names, identity information, and
addresses in order to prevent registrants from getting multiple
payments by changing the spelling of their address or name. For
example, data collected by hotels providing lodging that was paid for
by FEMA did not record occupant's SSN or FEMA registration ID numbers.
Thus, there were no common data elements that could be used to ensure
people already staying at FEMA paid hotels did not also improperly
receive rental assistance.
Within the federal government, many organizations such as SSA, United
States Postal Service (USPS), and IRS maintain information on disaster
assisted registrants. These are all data sources that we have used in
prior forensic work to identify fraudulent and improper payments.
However, proactive actions are necessary on the part of agencies
responsible for providing disaster assistance to enter into data-
sharing agreements with organizations that own the data. Agreements
have to be in place prior to any disaster occurring for agencies to
take advantage of data-validation sources. Also for tax information,
consent must be requested from the registrant at the time of
registration.
Finally, whenever possible, registration data and specific loss claims
should be validated by a physical inspection of the disaster damage
prior to payment. In some cases, as with the massive destruction caused
by Hurricane Katrina, physical inspections in a timely manner are not
possible, and therefore acceptance of data must be done through
electronic verification. However, within the FEMA IHP program we found
significant fraud related to expedited assistance payments that were
made prior to any physical inspection being performed. In the cases we
found, many fraudulent registrations could have been identified and
rejected if inspections were performed because they would have seen
that properties did not even exist, as we found when performing our own
inspections. For example, FEMA failed to perform physical inspections
on our undercover registrations, which used completely bogus property
addresses and vacant lots. Had a physical inspection been performed,
FEMA could have identified the fraudulent information and denied the
expedited and rental assistance payments.
System Edit Controls:
Disaster relief programs must also have a network of system pre-payment
edit checks in place to ensure that obviously false or duplicate
information is not used to receive disaster relief payments. System
edit checks can be performed before or after a registration is accepted
into the system, but to be an effective preventive control, they must
be performed prior to the distribution of a payment. Edit checks should
include items such as ensuring that the same SSN was not used on
multiple registrations, or that the registrant provides a verifiable
physical address for which the disaster damaged is based on. In the
case of FEMA's IHP program, we found the lack of effective system edit
checks allowed numerous individuals to fraudulently register numerous
times and receive multiple payments using the same name, social
security number, or address. In one case, the lack of controls allowed
an individual to register eight times using the same name and SSN and
receive multiple disaster assistance payments. In addition, accepting
applications with obviously inaccurate data exposed FEMA to the risk
that disbursements would be made based on obviously false data. For
example, we found during our work that FEMA paid millions of dollars in
IHP payments to individuals who used a Post Office Box as their damaged
physical address in order to receive assistance. In those cases system
edits should have identified the Post Office Box as an invalid physical
address and forced the applicant to provide a valid street address for
the damage property in order to be considered for disaster assistance.
Results of our work also showed that agencies must follow through and
accurately implement--and not short-change--existing system edit checks
to provide assurance that the program is protected. We found in the
course of our work that FEMA had designed controls that may have
prevented some fraudulent payments. However, our work also indicated
that these controls were circumvented, for example, when FEMA designed
scripts to override system edit checks that had identified
registrations as potential duplicates, in an effort to disburse funds
as quickly as possible. Adhering to existing control procedures is
therefore also crucial when maintaining effective fraud prevention.
Fraud Training and Field Testing:
Beyond the uniform recording and validation of data, other controls,
including a well-trained work force that is aware of the potential for
fraud, can help prevent fraud. Personnel involved in a disaster
program, including government employees and call center and inspection
contractors, should receive training about the potential for fraud
within the program and the likely types of fraud they could encounter.
Fraud awareness training with frontline personnel is crucial because
they are part of the first line of defense and therefore play a key
role in fraud prevention. If the personnel accepting registrations and
performing physical inspections of properties and documents are aware
of fraud indicators and suspicious activities, they will help to
identify potentially fraudulent activity as soon as it occurs. Where
possible, incentives can be provided to contractors not just to process
registrations and claims quickly, but also to prevent fraud.
In addition, when implementing any new controls, it is important to
field test all systems prior to putting them in place. As stated in a
recent testimony on the IHP program, FEMA acknowledged that they had
instituted several new processes that had not been tested. Weaknesses
in these new processes, including the lack of validation controls over
key data elements, resulted in our findings of approximately $1 billion
dollars in potential fraud in the IHP program. On top of reducing the
risk of untested controls allowing substantial fraud, field-testing
also helps to ensure that new controls do not improperly deny benefits
to valid registrants. A safety net for those registrants who are
wrongly denied disaster relief due to preventive controls should always
be in place to ensure they receive assistance. This process should
include staff who are adequately trained to expeditiously handle
exceptions.
Detection and Monitoring:
Even with effective preventive controls, there is substantial residual
risk that fraudulent registrants are likely to gain access to a
disaster relief program and begin to receive payments. Therefore, after
a registrant has successfully passed through upfront controls and begun
to receive payments, our work at FEMA illustrated that agencies must
continue their efforts to monitor the execution of the disaster relief
program. Detection and monitoring efforts are addressed in the
Standards for Internal Control in the Federal Government[Footnote 7]
and include such activities as data-mining registrations, which have
received payments, ensuring accountability over funds and monitoring
how the disaster assistance is being spent, and establishing mechanisms
to identify the existence of fraud. Figure 3 provides a perspective on
how these controls fit into an overall fraud prevention program.
Figure 3: Detection and Monitoring Controls:
[See PDF for image]
Source: GAO.
[End of figure]
Data-mining of registration data within the program should be done to
look for suspicious information after payments have been made. Along
with data-mining efforts, proper accountability controls over the
distribution of funds and the monitoring of fund usage is key to
obtaining reasonable assurance that relief payments are being used to
mitigate the effects of a disaster. Also, setting up hotlines to
identify potential frauds is an important activity that should be in
place when distributing disaster funds. Finally, any lessons learned
from detection and monitoring efforts should be used to improve
preventive controls to reduce the risk for fraud, waste, and abuse in
the future.
Data-mining:
Despite effective preventive controls, there is still risk for fraud,
waste, and abuse within disaster programs once payments are made.
Therefore, it is important that program managers continuously data mine
registrations for suspicious activity. A robust data-mining program can
include many different efforts. Examples of fraud indicators include
but are not limited to searching for anomalies like those found at
FEMA, including multiple payments sent to the same address or bank
account. Abnormalities such as numerous residents in a damaged
apartment building all relocating to the same location may also suggest
fraud. Comparing recipient data against other government assistance
programs such as databases containing information on Red Cross or FEMA
paid for hotel rooms can help to identify duplication of benefits
between programs. However, due to the difficulties of collecting
overpayments, system edit checks that occur prior to payments being
made are preferable to data-mining after payments have occurred.
The data-mining we performed on FEMA's IHP program showed how important
constant monitoring and detection can be. We searched for and found
examples where the same individual received several rental assistance
checks from FEMA while at the same time residing in a hotel room paid
for by FEMA. We also found instances where multiple family members from
the same household registered numerous times and received duplicate
payments. Using external databases of federal and state prisoners, we
found instances where prisoners had fraudulently registered for and
received disaster relief payments while incarcerated. As shown by our
examples, data-mining efforts should be done in a manner that uses
creative solutions to search for potential fraud using all available
data sources. To the extent that data-mining identifies systematic
fraud, that intelligence should be fed back into the fraud prevention
process and system edits so that for future disasters the fraud is
detected before money is disbursed.
Accountability and Proper Use of Relief Payments:
When part of the disaster assistance comes in the form of cash or a
cash equivalent such as a debit card, our work at FEMA shows that it is
crucial for agencies to maintain strict accountability over who has
received the assistance. This can be achieved by obtaining signatures
of release from an agency official and, if appropriate, from the
issuing bank official, along with a signature of acceptance from the
relief recipient. Agencies should also be able to link each
distribution of cash to a specific applicant. In the case of FEMA and
their distribution of debit cards, adequate accountability was not
maintained, resulting in more than $1 million worth of debit cards
being distributed without a record of who received them.
In addition, depending on the type of assistance provided and the means
in which the assistance was distributed, it can be important for an
agency to monitor the usage of disaster relief funds. Our review of
FEMA's IHP program found that almost all money was distributed via
check or EFT, which did not allow us to review whether the money was
spent on disaster-related needs. A small amount, approximately $80
million, of IHP money was distributed via debit cards, which allowed us
to see whether funds were being used appropriately. In this case, the
vast majority of debit card money was still withdrawn as cash, but the
remaining amount appeared to have been used for disaster-related needs.
However, we did find a small number of purchases for nondisaster items
such as football tickets, alcohol, massage parlor services, and adult
videos. By monitoring these types of uses and contacting and possibly
penalizing those who misuse funds, agencies may be able to ensure that
disaster funds are used to help mitigate losses and not for
inappropriate items.
Fraud Hotlines:
To detect existing fraud and prevent new cases in the future, agencies
should also set up mechanisms to identify and investigate existing
cases. The use of hotlines where individuals can anonymously call and
report potential fraud can provide valuable investigation leads. The
Department of Homeland Security (DHS) Office of Inspector General set
up one such hotline specifically dedicated to fraud related to
hurricanes Katrina and Rita. Similar hotlines are useful within any
disaster relief program to help identify any fraudulent activity not
caught by controls. In conjunction with fraud identified through data-
mining or hotline tips, agencies should have in place teams ready to
investigate leads, not only for future prosecution, but also to provide
suggestions for how the fraud can be prevented in the future.
Investigations and Prosecution of Offenders:
The final aspect of a program designed to reduce fraud in a disaster
assistance program is the investigation and aggressive prosecution of
individuals who have fraudulently received disaster assistance.
Suspicious cases identified through preventive, detective, and
monitoring controls, along with hotline tips, should be referred to
investigators for further review. In the course of our work performed
on IHP fraud for hurricanes Katrina and Rita, we identified tens of
thousands of potentially fraudulent registrations. We have already
referred thousands of those cases to FEMA and the Katrina Fraud Task
force for further investigation and expect to refer others for
additional investigation and possible prosecution. While the criminal
investigative process is general a lengthy process, we are aware that
several individuals that we referred have already been indicted. This
included one individual indicted for fraudulently obtaining over
$25,000 from FEMA based on bogus registrations. Figure 4 displays how
investigations and prosecutions fit into an overall fraud prevention
program.
Figure 4: Investigations and Prosecutions:
[See PDF for image]
Source: GAO.
[End of figure]
While investigations and prosecution can be the most visible means to
deal with fraudsters, they are also the most costly and should not be
used in place of other more effective controls. Instead, agencies need
to focus on prevention before money is spent. Still, by successfully
prosecuting fraudsters, agencies can deter others who are thinking of
taking advantage of disaster programs. In the end, investigations and
prosecutions are a necessary part of an overall fraud prevention and
deterrence program, but should be a last resort when all other controls
have failed. In addition, knowledge from these investigations and
prosecutions should be fed back into the fraud prevention process to
better handle future disasters and enhance existing fraud prevention
and detection programs.
Concluding Comments:
Managers of federal disaster assistance programs face a dual challenge-
-delivering aid as quickly as possible while at the same time ensuring
that relief payments go only to those who are truly in need. To meet
this dual challenge, managers must recognize that fraud prevention and
the rapid distribution of assistance are not conflicting mandates;
instead, both can be accomplished if effective controls are in place
and operating as intended. Of the controls discussed today, fraud
prevention controls are the most useful and cost-effective means of
reducing the loss of money due to fraud, because payments, once out the
door, have proven extremely difficult to recover. Implementing an
effective system of fraud prevention controls including upfront
controls, post payment detection and monitoring, and prosecuting those
who have exploited control weaknesses are crucial to building the
American taxpayer's confidence that federal disaster assistance is
given to those in need.
Mr. Chairman and members of the Committee, this concludes my statement.
I would be pleased to answer any questions that you or other members of
the Committee have at this time.
Contacts and Acknowledgements:
For further information about this testimony please contact Gregory
Kutz at (202) 512-7455 or kutz@gao.gov. Contact points for our Offices
of Congressional Relations and Public Affairs may be found on the last
page of this testimony.
Major contributors to this testimony include Jennifer Costello, Jason
Kelly, John Kelly, Sun Kim, John Ledford, Jennifer Leone, Barbara
Lewis, Jonathan Meyer, John Ryan, and Tuyet-Quan Thai:
FOOTNOTES
[1] In the aftermath of a disaster, the federal government typically
activates numerous programs to help disaster victims. Examples of
programs include individual assistance, public assistance, and hazard
mitigation. Individual assistance provides financial and other direct
assistance to individuals and households. Public assistance provides
grants to states, local governments, and non profit organizations to
provide services such as debris removal and housing accommodations to
disaster victims. Hazard mitigation provides grants for long-term
hazard mitigation projects.
[2] GAO, Expedited Assistance for Victims of Hurricanes Katrina and
Rita: FEMA's Control Weaknesses Exposed the Government to Significant
Fraud and Abuse, GAO-06-403T, (Washington, D.C.: Feb. 13, 2006).
[3] GAO, Hurricanes Katrina and Rita Disaster Relief: Improper and
Potentially Fraudulent Individual Assistance Payments Estimated to Be
Between $600 Million and $1.4 Billion, GAO-06-844T, (Washington, D.C.:
June. 14, 2006).
[4] The Federal Managers' Financial Integrity Act of 1982 (FMFIA)
required that GAO issue standards for internal control in government
resulting in the issuance of Internal Control: Standards for Internal
Control in the Federal Government, GAO/AIMD-98-21.3.1, (Washington,
D.C.: November, 1999).
[5] GAO/AIMD-98-21.3.1.
[6] For purposes of this testimony, data validation refers to the
process of comparing data provided by a registrant with publicly
available data (e.g., credit reports) or government databases to ensure
accuracy. Data authentication refers to the process of periodically
authenticating data that have been validated by third-party contractors
with source databases such as SSA or Internal Revenue Service records.
[7] GAO/AIMD-98-21.3.1.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548:
