Federal Reports

We audited the City and County of Honolulu’s Department of Budget and Fiscal Services’ and Department of Community Services’ (City) fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) program with the objective of assessing the maturity of the City’s fraud risk management framework that encompasses control activities to prevent, detect, and respond to fraud. Fraudulent activity in the ESG CARES Act program can lead to significant financial losses; reputational damage to the grantee and the U.S. Department of Housing and Urban Development (HUD); breach of fiduciary duty; and, most importantly, loss of funding for individuals and families who are homeless or receiving homeless assistance or other homelessness prevention activities. Robust antifraud activities will help ensure that pandemic grant funds are put toward their intended uses and that funds are spent effectively and assets are safeguarded. HUD relies on its grantees to detect and prevent fraud, waste, and abuse.Congress provided $4 billion for the ESG CARES Act program, which represented a 1,379 percent increase to the regular 2020 annual ESG appropriation. Given the influx of fundings, we initiated a series of audits examining ESG CARES Act grantees’ fraud risk management practices and evaluating whether selected ESG CARES Act grantees are adequately prepared to prevent, detect, and respond to fraud. We selected the City to audit because it was authorized more than $25 million in ESG CARES Act program funds, a 3,640 percent funding increase from its formula ESG allocation for fiscal year 2020. Large influxes of funding on an emergency basis can pose additional challenges for grantees that must also ensure adequate controls over the funding. The City did not adequately develop a fraud risk management framework for the ESG CARES Act program to prevent, detect, and respond to fraud. The City’s approach to fraud risk management was reactive, not proactive, and it did not institute robust antifraud practices resulting in the lowest maturity level (ad hoc) for organizations’ antifraud initiatives. The City had implemented some specific fraud controls and activities but did not implement best practices, including (1) establish a dedicated antifraud component to design and oversee fraud risk management activities, (2) promote fraud awareness throughout its departments, (3) perform a fraud risk assessment or develop a process to regularly conduct such assessments, (4) consider the use of data analytic tools to identify potential fraud, (5) have a dedicated hotline for external entities to report fraud for the ESG CARES Act program, or (6) have a process to evaluate the effectives of fraud risk management activities. This condition occurred because the City was not aware of significant fraudulent activity for the program and HUD did not require a fraud risk management framework. As a result, the $25.6 million allocated to the City for the ESG CARES Act program is at an increased risk of fraud.We recommend that HUD instruct the City to (1) improve or enhance its antifraud efforts for the ESG program and incorporate fraud risk management practices that are consistent with fraud risk management best practices and (2) obtain training or technical assistance as needed on the implementation of fraud risk management best practices.

Evaluation of the FLRA's Compliance with the Federal Information Modernization Act of 2014 for Fiscal Yar 2024

Objective: To determine whether the Social Security Administration’s Enterprise Risk Management program complies with Office of Management and Budget Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control.

To combat money laundering in the United States, Congress enacted a series of laws, collectively referred to as the Bank Secrecy Act (BSA), requiring financial institutions in the U.S. to assist government agencies in detecting and preventing money laundering and other financial crimes. The BSA requires financial institutions to create “paper trails” by keeping records and filing reports on certain transactions to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network.The BSA’s reporting and recordkeeping provisions apply to banks, savings and loans, and credit unions as well as other financial institutions, including money services businesses (MSBs). The Postal Service is classified as a MSB as it sells money orders, conducts Sure Money wire transfers (an electronic money transfer service), and sells gift cards. The BSA requires all MSBs to establish and maintain an effective written anti-money laundering program.

We concluded that the EPA achieved an overall maturity level of Level 3, Consistently Implemented, for the five security functions and nine domains outlined in the Office of Management and Budget's FY 2023 - 2024 Inspector General Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics. This means that the EPA consistently implemented its information security policies and procedures, but quantitative and qualitative effectiveness measures are lacking. We identified that the EPA had deficiencies in three areas.

Our objective was to evaluate the effectiveness of the Defense Intelligence Agency’s (DIA’s) overall information security program based on DIA’s implementation of the Federal Information Security Modernization Act. We issued our results in a classified report on August 2, 2024.