Earlier this month the U.S. Government Accountability Office (“GAO”) released a report titled “Department of Energy: Use of Leading Practices Could Help Manage the Risk of Fraud and Other Improper Payments” (GAO-17-235) (the “Report”). As the title suggests, GAO assessed the Department of Energy’s (“DOE”) internal controls to manage “the risk of fraud and improper payments.” GAO found that DOE had not employed certain “leading practices” to combat fraud – like creating a “dedicated entity to lead fraud risk management activities” and using “specific control activities, such as data analytics” – and offered six recommendations for improvement. Although DOE disagreed with certain findings in the Report, the agency represented that it either already has implemented or is implementing the majority of GAO’s recommendations. Here is our assessment of the Report.
In response to a 2014 request from Senator Claire McCaskill (D-Missouri), GAO conducted a review of “DOE’s processes, programs, and practices for managing its risk of fraud.” In its review, GAO examined:
(1) “DOE’s approach to managing its risk of fraud and other improper payments and challenges, if any, that may limit the effectiveness of this approach,”
(2) “the extent to which DOE’s approach incorporates leading practices, such as the use of data analytics,” and
(3) “the application of data analytics in identifying potential indicators of fraud or other improper payments associated with selected DOE contracts.”
GAO’s Report was made public on May 1, 2017.
The conclusions in the Report harken back to a July 2015 GAO guide (GAO-15-593SP) intended to “help federal program managers combat fraud and ensure integrity in government agencies and programs.” In that guide, GAO “identified leading practices for managing fraud risks and organized them into a conceptual framework called the Fraud Risk Framework.” Examples of “leading practices” included the “use of data analytics to prevent and detect fraud.” Additionally, pursuant to the Fraud Reduction and Data Analytics Act of 2015, passed in July 2016, the Director of the Office of Management and Budget (“OMB”) was tasked with (a) “establish[ing] guidelines for agencies to establish” fraud controls that incorporate the leading practices identified in the GAO guide and (b) convening a working group related to this effort.
Based on its assessment that DOE has “not used leading practices in its approach to managing its risk of fraud and other improper payments,” GAO recommended that DOE take six actions to improve its internal controls:
(1) implement a “DOE-wide invoice review policy,”
(2) form a “dedicated entity within DOE to design and oversee fraud risk management activities,”
(3) carry out “fraud risk assessments that are tailored to each program” and develop a “fraud risk profile,”
(4) develop an “antifraud strategy” focused on “addressing . . . prioritized fraud risks,”
(5) implement “specific” fraud prevention and detection “control activities” like “fraud awareness training and data analytics,” and
(6) “require contractors to maintain sufficiently detailed transaction-level cost data that are reconcilable with amounts charged to the government.”
DOE agreed “in principle” with GAO’s first five recommendations, and noted that it either has implemented or is in the process of implementing these recommendations. However, with respect to the second recommendation that DOE form a dedicated entity to design and oversee fraud risk management activities, DOE indicated that it “will have to consider the costs/benefits and need for a separate organization before implementing a dedicated entity.”
DOE did not agree with GAO’s sixth recommendation that DOE require contractors to maintain more detailed cost data. But DOE indicated that it was willing to “discuss the merits of government-wide guidance for applying data-analytics to contract cost” with the OMB working group. DOE noted, however, that if the OMB working group “determines there is a need for contractors to retain and provide additional data to support data-analytical procedures, any proposed new requirement should be discussed with the FAR Council.” DOE also cautioned that “[a]ny new requirement necessitating significant changes to contractors’ financial systems could impose significant costs on those contractors, and increased costs would have to be considered when proposing such new requirements.”
Finally, DOE “expressed concern with the accuracy and characterization” of certain statements made in the Report. Among other things, DOE indicated that it already has in place a “robust” OMB Circular A-123 compliant internal control program (including use of data analytics) and utilizes “established invoice review procedures.” Furthermore, DOE noted that its Office of the Inspector General (“OIG”) employs “multiple audit oversight activities with respect to DOE management and operating (M&O) contracts.”
- Costly Changes to Cost Data Requirements?
As DOE noted, any new requirements imposed on contractors to maintain more detailed cost data would inevitably lead to increases in contractor costs – and the DOE itself would ultimately bear a large share of the burden of these cost increases under its cost reimbursement contracts. The GAO Report did not address this expense, the impact of the change on the DOE or other agencies, or the complexity and difficulty of imposing such cost data requirements across the entire DOE contactor base. We would not expect DOE to change its disagreement with this GAO recommendation.
- What About the DOE OIG?
GAO determined that DOE has “not created a structure with a dedicated antifraud entity to lead fraud risk management activities,” and concluded that “[w]ithout a dedicated entity within DOE to design and oversee fraud risk management activities, DOE is missing an opportunity to create a structure that is more conducive to fraud risk management.” Although the Report acknowledged that DOE’s Office of the Chief Risk Officer “may include fraud risk management” responsibilities, GAO did not appear to consider the capability of the DOE OIG to serve/lead this function and the interplay between a new dedicated antifraud entity and the DOE OIG. One of the stated purposes of the OIG is to “[w]ork with the Department, prosecutors and others to hold recipients and overseers of Department funds accountable for actions that result in fraud, waste, and/or abuse,” and the OIG routinely works with the Department of Justice on False Claims Act investigations and qui tam matters. Although the report offers criticism of the DOE OIG, it does not make clear why a separate entity is needed. Creating a potential separate fraud-fighting entity in parallel to the OIG would not only be inefficient, but could lead to jurisdictional confusion, and appears unlikely to result in better fraud enforcement and prevention.
- Was the GAO Report Premature?
GAO noted that “DOE officials told us that they plan to meet the requirements of the Fraud Reduction and Data Analytics Act of 2015 but should not be expected to implement private industry leading practices prior to the issuance of OMB guidance.” (Emphasis added). Thus, the GAO review seems somewhat premature, if the DOE will be implementing new processes after OMB guidance is issued.
- Ultimate Impact?
Even if the Report’s recommendations are not adopted by the DOE, the Report will likely have some impact. When the Report was released publicly, Sen. McCaskill sent a critical letter to Secretary Rick Perry requesting that DOE “provide a detailed response” and explain how it would address the GAO’s findings and recommendations. DOE is unlikely to ignore the suggestion that its fraud controls are inadequate, and its response to Sen. McCaskill’s letter may provide insight into future changes in its fraud-fighting controls and processes.