DOD Fraud Risk Management: Enhanced Data Analytics Can Help Manage Fraud Risks

What GAO Found

The Department of Defense (DOD) issued an updated fraud risk management strategy in August 2023. Contrary to leading practices, the strategy does not establish data analytics as a method for fraud risk management or provide the direction needed to conduct such data analytics. Data analytics are control activities that can be used to prevent and detect fraud. Data analytics can include a variety of techniques, such as data matching. Data matching can be used to verify key information to determine eligibility to receive federal contracts. For example, if an entity reports that it is a small business in order to receive federal contracts, DOD can use third-party data sources to verify that the entity actually meets requirements to qualify as a small business.

DOD's strategy refers generally to data analytics but does not establish it as a specific fraud risk management control activity. Accordingly, the strategy does not identify which DOD entity has the authority to ensure that fraud-related data-analytics activities are planned and implemented. The strategy does not establish clear roles and responsibilities for all entities with data-analytics roles. It also does not provide timelines for designing and implementing data-analytics activities. As a result, DOD is missing an opportunity to provide direction in areas that are critical to achieving its data-analytics goals and managing fraud risks.

GAO analyses demonstrate how information from investigative case data on alleged and adjudicated procurement fraud could help inform DOD's fraud risk management consistent with leading practices in GAO's Fraud Risk Framework, despite existing data limitations (see fig.).

Examples of Data Collected by the Department of Defense That Could Help Inform Its Fraud Risk Management

For example, Defense Criminal Investigative Organizations (DCIO) collect data that describe the extent of detected alleged fraud through the number and types of cases investigated. Using these data, GAO found that the number of alleged and adjudicated procurement fraud cases closed from fiscal years 2015 through 2021 ranged from 444 for the Naval Criminal Investigative Service (NCIS) to 1,165 for the Defense Criminal Investigative Service, a component of the DOD Office of Inspector General (OIG) (see fig.). Such information could help DOD identify and assess risks as part of its fraud risk profile. Specifically, information on the number and types of cases investigated could help DOD (1) identify procurement fraud risks and the likelihood and impact of those risks and (2) prioritize the fraud risks.

Information from Analyses of Investigative Data from Alleged and Adjudicated Procurement Fraud Cases Closed from Fiscal Years 2015 through 2021

DCIOs also collect data describing the number and types of investigated offenses and offenses for which remedies were pursued. For example, GAO found that the most prevalent investigated offense in the 444 NCIS cases identified was false, fictitious, or fraudulent claims. GAO also found that this was the most prevalent offense for which remedies were pursued in the NCIS cases. This information could help DOD take actions, such as enhancing its fraud-awareness trainings to provide details on how these frauds were detected, to aid in preventing similar future fraud.

Information about adjudicated offenses can help DOD better understand the impact of procurement fraud risks, including the financial and reputation impacts. With this information, DOD would be better able to determine its fraud risk tolerance.

GAO's analyses revealed that investigative data on alleged and adjudicated procurement fraud cases were not always complete and could not always be readily analyzed, for various reasons. For example, some investigative data lacked a structured data field identifying cases as involving alleged or adjudicated procurement fraud, requiring analysis of narrative fields. Being able to readily identify such cases would facilitate DOD's fraud risk management.

DOD does not have plans to obtain and analyze relevant information from adjudicated procurement fraud cases. Without obtaining such information, DOD may not fully assess its fraud risks or design and implement data-analytics activities to prevent or detect these risks.

Why GAO Did This Study

DOD is the largest contracting agency in the federal government—with contract obligations of $414.5 billion in fiscal year 2022 for a wide range of goods and services. In 2021, GAO found that DOD had taken initial steps to combat fraud risks but had not implemented a comprehensive approach.

GAO was asked to broadly review DOD's fraud risk management as related to contracting. This report examines (1) if DOD's fraud risk management strategy provides the needed direction for fraud-related data-analytics activities and (2) the extent to which analyses of DOD investigative data on alleged and adjudicated procurement fraud cases can help inform fraud risk management.

GAO analyzed DOD's fraud risk management strategy against leading practices. GAO also analyzed investigative data for fiscal years 2015 through 2021 for closed, unsealed, unclassified cases. GAO compared DOD's practices related to the usability of investigative data for fraud risk management and the use of investigative information with federal internal control standards and leading practices for fraud risk management. GAO also selected a nongeneralizable sample of eight cases, two from each DCIO, for illustrative information regarding the cases investigated.