-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-954T		

TITLE:     Individual Disaster Assistance Programs: Framework 
for Fraud Prevention, Detection, and Prosecution

DATE:   07/12/2006 
				                                                                         
-----------------------------------------------------------------  


     * Summary
     * Fraud, Waste, and Abuse Prevention Controls
          * Data Validation
          * System Edit Controls
          * Fraud Training and Field Testing
     * Detection and Monitoring
          * Data-mining
          * Accountability and Proper Use of Relief Payments
          * Fraud Hotlines
     * Investigations and Prosecution of Offenders
     * Concluding Comments
     * Contacts and Acknowledgements
          * Order by Mail or Phone

Testimony

Before the Subcommittee on Management, Integration, and Oversight,
Committee on Homeland Security, U.S. House of Representatives

United States Government Accountability Office

GAO

For Release on Delivery Expected at 2:00 p.m. EST

Wednesday, July 12, 2006

INDIVIDUAL DISASTER ASSISTANCE PROGRAMS

Framework for Fraud Prevention, Detection, and Prosecution

Statement of Gregory D. Kutz, Management Director Forensic Audits and
Special Investigations

Mr. Chairman and Members of the Committee:

Thank you for the opportunity to discuss fraud prevention and detection
related to the federal government's efforts to provide assistance to
individuals and households in the aftermath of disasters.[1] Effective fraud
prevention in relief programs is an important issue, regardless of whether
dealing with the effects of natural disasters like hurricanes Katrina and
Rita, or coping with the destruction left by the terrorist attacks of
September 11, 2001. Agencies are faced with many challenges in the
aftermath of a disaster and must devote resources not only to distributing
money and relief quickly to victims, but must also minimize fraud, waste,
and abuse to ensure only legitimate victims receive assistance.

On February 13, 2006,[2] and then again on June 14, 2006,[3] we testified
concerning extensive fraud, waste, and abuse related to hurricanes Katrina
and Rita in the Individuals and Households Program (IHP), a component of
the broader disaster assistance program from the Federal Emergency
Management Agency (FEMA). The February testimony focused on control
weaknesses that resulted in FEMA making tens of thousands of Expedited
Assistance (EA) payments that were based on bogus registration data. Our
June 14, 2006, testimony discussed breakdowns in internal controls, in
particular the lack of controls designed to prevent bogus registrations,
which resulted in an estimated $600 million to $1.4 billion in improper
and potentially fraudulent payments. Based on these findings we have made
recommendations to FEMA to develop effective systems and controls to
minimize the opportunity for fraud, waste, and abuse when FEMA decides to
provide assistance in the future. Crucial internal controls and control
weaknesses we identified during our work on hurricane disaster relief, and
requirements in the Comptroller General's Standards for Internal Control
in the Federal Government,[4] are directly relatable to controls over any
individual assistance program, regardless of the cause of the disaster. My
testimony today will focus on the importance of fraud prevention controls,
fraud detection efforts, and the aggressive pursuit and prosecution of
individuals who commit fraud against the government in a time of disaster.

[1] In the aftermath of a disaster, the federal government typically
activates numerous programs to help disaster victims. Examples of programs
include individual assistance, public assistance, and hazard mitigation.
Individual assistance provides financial and other direct assistance to
individuals and households. Public assistance provides grants to states,
local governments, and nonprofit organizations to provide services such
as debris removal and housing accommodations to disaster victims. Hazard
mitigation provides grants for long-term hazard mitigation projects.

[2] GAO, Expedited Assistance for Victims of Hurricanes Katrina and Rita:
FEMA's Control Weaknesses Exposed the Government to Significant Fraud and
Abuse, GAO-06-403T (Washington, D.C.: Feb. 13, 2006).

[3] GAO, Hurricanes Katrina and Rita Disaster Relief: Improper and
Potentially Fraudulent Individual Assistance Payments Estimated to Be
Between $600 Million and $1.4 Billion, GAO-06-844T (Washington, D.C.:
June 14, 2006).

                                    Summary

The establishment of effective fraud prevention controls over the
registration and payment process, fraud detection and monitoring adherence
to those controls throughout the entire program life, and the aggressive
pursuit and prosecution of individuals committing fraud are crucial
elements of an effective fraud prevention program over any assistance
programs with defined eligibility criteria, including disaster assistance
programs. The very nature of the government's need to quickly provide
assistance to individuals adversely affected by disasters makes assistance
payments more vulnerable to applicants attempting to obtain benefits that
they are not entitled to receive. However, it is because of these known
vulnerabilities that the federal government, and more specifically FEMA,
needed to have had effective controls in place to minimize the
opportunities for individuals to defraud the government. Figure 1 provides
an overview of how prevention controls help to screen out the majority of
fraud, waste and abuse, and how detective controls and prosecution can
help to further minimize the extent to which a program is vulnerable to
fraud.

[4] The Federal Managers' Financial Integrity Act of 1982 (FMFIA) required
that GAO issue standards for internal control in government, resulting in
the issuance of Internal Control: Standards for Internal Control in the
Federal Government, GAO/AIMD-98-21.3.1 (Washington, D.C.: November
1999).

Figure 1: Program Designed to Minimize Fraud, Waste and Abuse

The results of our work serve to emphasize the fundamental concept that
fraud prevention is the most effective and efficient means to minimize
fraud, waste, and abuse. Preventive controls should be designed to
include, at a minimum, a requirement that data provided by registrants be
validated against other government or third-party sources to determine
whether registrants provided accurate information on their identity and
place of residence. Inspections and physical validation processes should
also be conducted whenever possible to confirm registration information
prior to payment. System edit checks designed to identify problem
registrants and claims (e.g., duplicates) before payments are made are
also critical. Finally, providing training on fraud awareness and
potential fraud schemes to all key government and contractor personnel is
important in stopping fraud before it gets into the program. Prior to
implementing any new controls, and well in advance of any disaster,
agencies must adequately field test the new controls to ensure that
controls are operating as intended and that legitimate victims are not
denied benefits. In addition, as fraud prevention controls are increased,
agencies must provide safety precautions to assist any disaster victims
who are inappropriately denied relief due to preventive controls.

Although more costly and less effective than preventive controls, fraud
detection and monitoring after payments have been made is also critical.
Key elements of the detection process include data-mining for fraudulent
and suspicious registrants, reviews to establish the accountability of
funds, and the establishment of hotlines to receive tips of potential
fraud. For example, after the initial registration process, agencies need
a control system that includes continual monitoring, to include
data-mining registrations (similar to the data-mining we conducted) to
identify potentially fraudulent registrations in their claim system. Also,
control weaknesses identified through detection and monitoring should be
used to make improvements to preventive controls to reduce the risk for
fraud, waste, and abuse in the future.

Another element of a fraud prevention program is the aggressive
investigation and prosecution of individuals who committed fraud against
the federal government. The deterrent value of prosecuting those who
commit fraud sends the message that the government will not tolerate
individuals stealing assistance money, serving as a preventive measure for
future disasters. For hurricanes Katrina and Rita the Justice Department
has set up the Katrina Fraud Task Force, which has investigated and
convicted numerous individuals who received assistance fraudulently from
FEMA. Further, schemes identified through investigations and prosecution
can be used to improve the fraud prevention program.

                  Fraud, Waste, and Abuse Prevention Controls

Prevention is the most effective and efficient way to minimize fraud,
waste, and abuse in any federal program, including disaster assistance,
and is also a key element described in the Standards for Internal Control
in the Federal Government.[5] The most crucial element of fraud prevention
is to substantially diminish the opportunity for fraudulent access into
the system through front end controls. Figure 2 displays how preventive
controls fit within a larger fraud, waste, and abuse prevention program.

[5] GAO/AIMD-98-21.3.1.

Figure 2: Preventive Controls

Fraud prevention can be achieved by requiring that registrants provide
information in a uniform format, and validating that information against
external sources. In the current environment, agencies have at their
disposal a large number of data sources that they can use to validate the
identity and address of registrants. However, our work related to FEMA's
management of the IHP program for hurricanes Katrina and Rita found that
their limited use of a third-party validation process left room for
substantial fraud. Effective fraud prevention controls require that
agencies enter into data-sharing arrangements with organizations to
perform validation. System edit checks are also key to identifying and
rejecting fraudulent registrations before payments are disbursed. In
addition, an effective fraud prevention system is not complete without
adequate fraud awareness training of all personnel involved in the
distribution of relief. Finally, any new systems or processes need to be
field tested to ensure that the system is working properly prior to
implementation.

Data Validation

Prior to a disaster registrant gaining access to relief payments, key
registrant information must be validated. For this program, data such as
names, social security numbers (SSN), primary residences, citizenship
status, and any other information which determines eligibility must be
validated upfront, prior to agencies accepting the registration, or at
least prior to disbursements being made. Obtaining releases from
registrants which allow an agency to validate data with other sources such
as social security records, tax records, and other information is an
important step that can facilitate effective validation of data.

Depending on the turnaround time needed for a payment, agencies can choose
to validate records with federal government databases, or validate
information with third-party contractors who can confirm key information
with publicly available data from credit reports and other sources almost
instantaneously. When using these third-party sources it is also important
to at least periodically authenticate[6] the data within the program with
the source of the information such as Social Security Administration (SSA)
or Internal Revenue Service (IRS) records. Regardless of the sources used,
all key data concerning a registration has to be validated to minimize the
risks to acceptable levels prior to the registrant being accepted in the
program. For example, because FEMA lacked basic identity validation
controls, they accepted thousands of IHP registrations from registrants
who provided social security numbers that had never been issued or
belonged to deceased individuals. In addition, because FEMA failed to
validate damaged address information, we found thousands of dollars were
paid to individuals for bogus damaged addresses.

For data to be properly validated, it should be recorded in a uniform
format. Once key data elements relating to disaster relief eligibility are
determined, our work has shown that it is important to record the
information in a format that will facilitate data validation with external
sources. Otherwise, agencies may be faced with thousands or tens of
thousands of registrations being rejected or placed in a manual review
status because data was not recorded accurately. This is also particularly
important when recording names, identity information, and addresses in
order to prevent registrants from getting multiple payments by changing
the spelling of their address or name. For example, data collected by
hotels providing lodging that was paid for by FEMA did not record
occupants' SSNs or FEMA registration ID numbers. Thus, there were no common
data elements that could be used to ensure people already staying at
FEMA-paid hotels did not also improperly receive rental assistance.

Within the federal government, many organizations such as SSA, United
States Postal Service (USPS), and IRS maintain information on disaster
assisted registrants. These are all data sources that we have used in
prior forensic work to identify fraudulent and improper payments. However,
proactive actions are necessary on the part of agencies responsible for
providing disaster assistance to enter into data-sharing agreements with
organizations that own the data. Agreements have to be in place prior to
any disaster occurring for agencies to take advantage of data-validation
sources. Also for tax information, consent must be requested from the
registrant at the time of registration.

[6] For purposes of this testimony, data validation refers to the process of
comparing data provided by a registrant with publicly available data
(e.g., credit reports) or government databases to ensure accuracy. Data
authentication refers to the process of periodically authenticating data
that have been validated by third-party contractors with source databases
such as SSA or Internal Revenue Service records.

Finally, whenever possible, registration data and specific loss claims
should be validated by a physical inspection of the disaster damage prior
to payment. In some cases, as with the massive destruction caused by
Hurricane Katrina, physical inspections in a timely manner are not
possible, and therefore acceptance of data must be done through electronic
verification. However, within the FEMA IHP program we found significant
fraud related to expedited assistance payments that were made prior to any
physical inspection being performed. In the cases we found, many
fraudulent registrations could have been identified and rejected if
inspections were performed because they would have seen that properties
did not even exist, as we found when performing our own inspections. For
example, FEMA failed to perform physical inspections on our undercover
registrations, which used completely bogus property addresses and vacant
lots. Had a physical inspection been performed, FEMA could have identified
the fraudulent information and denied the expedited and rental assistance
payments.

System Edit Controls

Disaster relief programs must also have a network of system pre-payment
edit checks in place to ensure that obviously false or duplicate
information is not used to receive disaster relief payments. System edit
checks can be performed before or after a registration is accepted into
the system, but to be an effective preventive control, they must be
performed prior to the distribution of a payment. Edit checks should
include items such as ensuring that the same SSN was not used on multiple
registrations, or that the registrant provides a verifiable physical
address on which the disaster damage is based. In the case of FEMA's
IHP program, we found the lack of effective system edit checks allowed
numerous individuals to fraudulently register numerous times and receive
multiple payments using the same name, social security number, or address.
In one case, the lack of controls allowed an individual to register eight
times using the same name and SSN and receive multiple disaster assistance
payments. In addition, accepting applications with obviously inaccurate
data exposed FEMA to the risk that disbursements would be made based on
obviously false data. For example, we found during our work that FEMA paid
millions of dollars in IHP payments to individuals who used a Post Office
Box as their damaged physical address in order to receive assistance. In
those cases system edits should have identified the Post Office Box as an
invalid physical address and forced the applicant to provide a valid
street address for the damaged property in order to be considered for
disaster assistance.

Results of our work also showed that agencies must follow through and
accurately implement, and not short-change, existing system edit checks to
provide assurance that the program is protected. We found in the course of
our work that FEMA had designed controls that may have prevented some
fraudulent payments. However, our work also indicated that these controls
were circumvented, for example, when FEMA designed scripts to override
system edit checks that had identified registrations as potential
duplicates, in an effort to disburse funds as quickly as possible.
Adhering to existing control procedures is therefore also crucial when
maintaining effective fraud prevention.
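The uniform-format recording and pre-payment edit checks described above can be sketched as follows. This is an added example, not code from GAO or FEMA; the record fields, flag names, and sample registrations are assumptions constructed for illustration, and it checks SSN format only (whether an SSN was ever issued requires validation against SSA records).

```python
import re
from collections import defaultdict

# Constructed sample registrations (not real data); field names are assumptions.
REGISTRATIONS = [
    {"id": "R001", "name": "Jane Q. Doe", "ssn": "000-00-0001",
     "damaged_address": "12 Oak Street, Apt 4"},
    {"id": "R002", "name": "JANE DOE", "ssn": "000000001",
     "damaged_address": "12 Oak St. Apartment 4"},
    {"id": "R003", "name": "John Roe", "ssn": "000-00-0002",
     "damaged_address": "P.O. Box 123"},
    {"id": "R004", "name": "Mary Major", "ssn": "000-00-003",
     "damaged_address": "48 Elm Avenue"},
    {"id": "R005", "name": "Sam Sample", "ssn": "000-00-0004",
     "damaged_address": "7 Pine Road"},
    {"id": "R006", "name": "Jane Doe", "ssn": "000-00-0005",
     "damaged_address": "12 Oak Street Apt 4"},
]

ABBREVIATIONS = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD",
                 "DRIVE": "DR", "APARTMENT": "APT"}
PO_BOX = re.compile(r"\b(P\s*O\s*BOX|POST\s+OFFICE\s+BOX|POB)\b")


def normalize_ssn(raw):
    """Return the nine digits of an SSN, or None if it is not nine digits."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) == 9 else None


def normalize_name(raw):
    """Uppercase, strip punctuation, drop one-letter initials."""
    text = re.sub(r"[^A-Z ]", " ", raw.upper())
    return " ".join(t for t in text.split() if len(t) > 1)


def normalize_address(raw):
    """Uppercase, strip punctuation, and use one abbreviation per street word."""
    text = re.sub(r"[^A-Z0-9 ]", " ", raw.upper())
    return " ".join(ABBREVIATIONS.get(t, t) for t in text.split())


def run_edit_checks(registrations):
    """Return {registration id: sorted list of edit-check flags}."""
    flags = {r["id"]: set() for r in registrations}
    by_ssn = defaultdict(list)
    by_name_address = defaultdict(list)

    for r in registrations:
        ssn = normalize_ssn(r["ssn"])
        address = normalize_address(r["damaged_address"])
        if ssn is None:
            flags[r["id"]].add("MALFORMED_SSN")
        else:
            by_ssn[ssn].append(r["id"])
        if PO_BOX.search(address):
            # A Post Office Box cannot be a damaged physical address.
            flags[r["id"]].add("PO_BOX_AS_DAMAGED_ADDRESS")
        by_name_address[(normalize_name(r["name"]), address)].append(r["id"])

    # Duplicates are detected on normalized values, so respelling a name or
    # address does not produce a "new" registrant.
    for ids in by_ssn.values():
        if len(ids) > 1:
            for rid in ids:
                flags[rid].add("DUPLICATE_SSN")
    for ids in by_name_address.values():
        if len(ids) > 1:
            for rid in ids:
                flags[rid].add("DUPLICATE_NAME_ADDRESS")

    return {rid: sorted(f) for rid, f in flags.items()}


def payable(registrations):
    """Registrations with no flags; all others go to review before payment."""
    return [rid for rid, f in run_edit_checks(registrations).items() if not f]


if __name__ == "__main__":
    for rid, f in run_edit_checks(REGISTRATIONS).items():
        print(rid, f or "OK")
```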

Fraud Training and Field Testing

Beyond the uniform recording and validation of data, other controls,
including a well-trained work force that is aware of the potential for
fraud, can help prevent fraud. Personnel involved in a disaster program,
including government employees and call center and inspection contractors,
should receive training about the potential for fraud within the program
and the likely types of fraud they could encounter. Fraud awareness
training with frontline personnel is crucial because they are part of the
first line of defense and therefore play a key role in fraud prevention.
If the personnel accepting registrations and performing physical
inspections of properties and documents are aware of fraud indicators and
suspicious activities, they will help to identify potentially fraudulent
activity as soon as it occurs. Where possible, incentives can be provided
to contractors not just to process registrations and claims quickly, but
also to prevent fraud.

In addition, when implementing any new controls, it is important to field
test all systems prior to putting them in place. As stated in a recent
testimony on the IHP program, FEMA acknowledged that they had instituted
several new processes that had not been tested. Weaknesses in these new
processes, including the lack of validation controls over key data
elements, resulted in our findings of approximately $1 billion in
potential fraud in the IHP program. On top of reducing the risk of
untested controls allowing substantial fraud, field-testing also helps to
ensure that new controls do not improperly deny benefits to valid
registrants. A safety net for those registrants who are wrongly denied
disaster relief due to preventive controls should always be in place to
ensure they receive assistance. This process should include staff who are
adequately trained to expeditiously handle exceptions.

                            Detection and Monitoring

Even with effective preventive controls, there is substantial residual
risk that fraudulent registrants are likely to gain access to a disaster
relief program and begin to receive payments. Therefore, after a
registrant has successfully passed through upfront controls and begun to
receive payments, our work at FEMA illustrated that agencies must continue
their efforts to monitor the execution of the disaster relief program.
Detection and monitoring efforts are addressed in the Standards for
Internal Control in the Federal Government[7] and include such activities as
data-mining registrations, which have received payments, ensuring
accountability over funds and monitoring how the disaster assistance is
being spent, and establishing mechanisms to identify the existence of
fraud. Figure 3 provides a perspective on how these controls fit into an
overall fraud prevention program.

Figure 3: Detection and Monitoring Controls

Data-mining of registration data within the program should be done to look
for suspicious information after payments have been made. Along with
data-mining efforts, proper accountability controls over the distribution
of funds and the monitoring of fund usage is key to obtaining reasonable
assurance that relief payments are being used to mitigate the effects of a
disaster. Also, setting up hotlines to identify potential frauds is an
important activity that should be in place when distributing disaster
funds. Finally, any lessons learned from detection and monitoring efforts
should be used to improve preventive controls to reduce the risk for
fraud, waste, and abuse in the future.

[7] GAO/AIMD-98-21.3.1.

Data-mining

Despite effective preventive controls, there is still risk for fraud,
waste, and abuse within disaster programs once payments are made.
Therefore, it is important that program managers continuously data mine
registrations for suspicious activity. A robust data-mining program can
include many different efforts. Examples of fraud indicators include but
are not limited to searching for anomalies like those found at FEMA,
including multiple payments sent to the same address or bank account.
Abnormalities such as numerous residents in a damaged apartment building
all relocating to the same location may also suggest fraud. Comparing
recipient data against other government assistance programs such as
databases containing information on Red Cross- or FEMA-paid hotel rooms
can help to identify duplication of benefits between programs. However,
due to the difficulties of collecting overpayments, system edit checks
that occur prior to payments being made are preferable to data-mining
after payments have occurred.

The data-mining we performed on FEMA's IHP program showed how important
constant monitoring and detection can be. We searched for and found
examples where the same individual received several rental assistance
checks from FEMA while at the same time residing in a hotel room paid for
by FEMA. We also found instances where multiple family members from the
same household registered numerous times and received duplicate payments.
Using external databases of federal and state prisoners, we found
instances where prisoners had fraudulently registered for and received
disaster relief payments while incarcerated. As shown by our examples,
data-mining efforts should be done in a manner that uses creative
solutions to search for potential fraud using all available data sources.
To the extent that data-mining identifies systematic fraud, that
intelligence should be fed back into the fraud prevention process and
system edits so that for future disasters the fraud is detected before
money is disbursed.
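Two of the post-payment data-mining queries described above, sketched as an added example (not GAO's or FEMA's code). The record layouts and sample rows are constructed, and the example assumes hotel records carry the FEMA registration ID as a common data element.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real records); field names are assumptions.
PAYMENTS = [
    {"reg_id": "R100", "kind": "rental", "account": "ACCT-A",
     "covers": (date(2005, 10, 1), date(2005, 12, 31))},
    {"reg_id": "R101", "kind": "rental", "account": "ACCT-B",
     "covers": (date(2005, 10, 1), date(2005, 12, 31))},
    {"reg_id": "R102", "kind": "expedited", "account": "ACCT-C", "covers": None},
    {"reg_id": "R103", "kind": "expedited", "account": "ACCT-C", "covers": None},
    {"reg_id": "R104", "kind": "expedited", "account": "ACCT-C", "covers": None},
]
HOTEL_STAYS = [
    {"reg_id": "R100", "check_in": date(2005, 11, 5), "check_out": date(2005, 11, 20)},
    {"reg_id": "R101", "check_in": date(2005, 9, 10), "check_out": date(2005, 9, 30)},
]


def overlap_days(a_start, a_end, b_start, b_end):
    """Number of calendar days shared by two inclusive date ranges."""
    start, end = max(a_start, b_start), min(a_end, b_end)
    return max(0, (end - start).days + 1)


def rental_hotel_overlaps(payments, hotel_stays):
    """Registrations paid rental assistance for days spent in a paid hotel room.

    Returns a sorted list of (reg_id, overlapping_days).
    """
    stays = defaultdict(list)
    for s in hotel_stays:
        stays[s["reg_id"]].append((s["check_in"], s["check_out"]))

    totals = defaultdict(int)
    for p in payments:
        if p["kind"] != "rental" or p["covers"] is None:
            continue
        for check_in, check_out in stays.get(p["reg_id"], []):
            totals[p["reg_id"]] += overlap_days(*p["covers"], check_in, check_out)
    return sorted((rid, d) for rid, d in totals.items() if d > 0)


def shared_accounts(payments, min_registrations=2):
    """Bank accounts that received payments for several distinct registrations.

    Returns {account: sorted registration ids}; each hit is a lead for review.
    """
    regs = defaultdict(set)
    for p in payments:
        regs[p["account"]].add(p["reg_id"])
    return {acct: sorted(ids) for acct, ids in regs.items()
            if len(ids) >= min_registrations}


if __name__ == "__main__":
    print(rental_hotel_overlaps(PAYMENTS, HOTEL_STAYS))
    print(shared_accounts(PAYMENTS))
```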

Accountability and Proper Use of Relief Payments

When part of the disaster assistance comes in the form of cash or a cash
equivalent such as a debit card, our work at FEMA shows that it is crucial
for agencies to maintain strict accountability over who has received the
assistance. This can be achieved by obtaining signatures of release from
an agency official and, if appropriate, from the issuing bank official,
along with a signature of acceptance from the relief recipient. Agencies
should also be able to link each distribution of cash to a specific
applicant. In the case of FEMA and their distribution of debit cards,
adequate accountability was not maintained, resulting in more than $1
million worth of debit cards being distributed without a record of who
received them.

In addition, depending on the type of assistance provided and the means in
which the assistance was distributed, it can be important for an agency to
monitor the usage of disaster relief funds. Our review of FEMA's IHP
program found that almost all money was distributed via check or EFT,
which did not allow us to review whether the money was spent on
disaster-related needs. A small amount, approximately $80 million, of IHP
money was distributed via debit cards, which allowed us to see whether
funds were being used appropriately. In this case, the vast majority of
debit card money was still withdrawn as cash, but the remaining amount
appeared to have been used for disaster-related needs. However, we did
find a small number of purchases for nondisaster items such as football
tickets, alcohol, massage parlor services, and adult videos. By monitoring
these types of uses and contacting and possibly penalizing those who
misuse funds, agencies may be able to ensure that disaster funds are used
to help mitigate losses and not for inappropriate items.

Fraud Hotlines

To detect existing fraud and prevent new cases in the future, agencies
should also set up mechanisms to identify and investigate existing cases.
The use of hotlines where individuals can anonymously call and report
potential fraud can provide valuable investigation leads. The Department
of Homeland Security (DHS) Office of Inspector General set up one such
hotline specifically dedicated to fraud related to hurricanes Katrina and
Rita. Similar hotlines are useful within any disaster relief program to
help identify any fraudulent activity not caught by controls. In
conjunction with fraud identified through data-mining or hotline tips,
agencies should have in place teams ready to investigate leads, not only
for future prosecution, but also to provide suggestions for how the fraud
can be prevented in the future.

                  Investigations and Prosecution of Offenders

The final aspect of a program designed to reduce fraud in a disaster
assistance program is the investigation and aggressive prosecution of
individuals who have fraudulently received disaster assistance. Suspicious
cases identified through preventive, detective, and monitoring controls,
along with hotline tips, should be referred to investigators for further
review. In the course of our work performed on IHP fraud for hurricanes
Katrina and Rita, we identified tens of thousands of potentially
fraudulent registrations. We have already referred thousands of those
cases to FEMA and the Katrina Fraud Task Force for further investigation
and expect to refer others for additional investigation and possible
prosecution. While the criminal investigative process is generally a lengthy
process, we are aware that several individuals that we referred have
already been indicted. This included one individual indicted for
fraudulently obtaining over $25,000 from FEMA based on bogus
registrations. Figure 4 displays how investigations and prosecutions fit
into an overall fraud prevention program.

Figure 4: Investigations and Prosecutions

While investigations and prosecution can be the most visible means to deal
with fraudsters, they are also the most costly and should not be used in
place of other more effective controls. Instead, agencies need to focus on
prevention before money is spent. Still, by successfully prosecuting
fraudsters, agencies can deter others who are thinking of taking advantage
of disaster programs. In the end, investigations and prosecutions are a
necessary part of an overall fraud prevention and deterrence program, but
should be a last resort when all other controls have failed. In addition,
knowledge from these investigations and prosecutions should be fed back
into the fraud prevention process to better handle future disasters and
enhance existing fraud prevention and detection programs.

                              Concluding Comments

Managers of federal disaster assistance programs face a dual
challenge: delivering aid as quickly as possible while at the same time
ensuring that relief payments go only to those who are truly in need. To
meet this dual challenge, managers must recognize that fraud prevention
and the rapid distribution of assistance are not conflicting mandates;
instead, both can be accomplished if effective controls are in place and
operating as intended. Of the controls discussed today, fraud prevention
controls are the most useful and cost-effective means of reducing the loss
of money due to fraud, because payments, once out the door, have proven
extremely difficult to recover. Implementing an effective system of fraud
prevention controls including upfront controls, post payment detection and
monitoring, and prosecuting those who have exploited control weaknesses
are crucial to building the American taxpayer's confidence that federal
disaster assistance is given to those in need.

Mr. Chairman and members of the Committee, this concludes my statement. I
would be pleased to answer any questions that you or other members of the
Committee have at this time.

                         Contacts and Acknowledgements

For further information about this testimony please contact Gregory Kutz
at (202) 512-7455 or [email protected] . Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last page
of this testimony.

Major contributors to this testimony include Jennifer Costello, Jason
Kelly, John Kelly, Sun Kim, John Ledford, Jennifer Leone, Barbara Lewis,
Jonathan Meyer, John Ryan, and Tuyet-Quan Thai

(192218)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

www.gao.gov/cgi-bin/getrpt?GAO-06-954T.

To view the full product, including the scope and methodology, click on
the link above.

For more information, contact Gregory Kutz at (202) 512-7455 or
[email protected].

Highlights of GAO-06-954T, a testimony before the Subcommittee on
Management, Integration, and Oversight, Committee on Homeland Security,
U.S. House of Representatives

July 12, 2006

INDIVIDUAL DISASTER ASSISTANCE PROGRAMS

Framework for Fraud Prevention, Detection, and Prosecution

Federal agencies spend billions of dollars annually to aid victims of
natural and other disasters and acts of terrorism. Managers of federal
disaster assistance programs face a dual challenge: delivering aid as
quickly as possible while at the same time ensuring that relief payments
go only to those who are truly in need. Due to the very nature of the
government's need to quickly provide assistance to disaster victims,
federal disaster relief programs are vulnerable to significant risk of
improper payments and fraudulent activities.

On February 13, 2006, and on June 14, 2006, GAO testified concerning
extensive fraud, waste, and abuse in the Individuals and Households Program
(IHP), a component of the Federal Emergency Management Agency's (FEMA)
disaster assistance programs. GAO identified significant internal control
weaknesses that resulted in FEMA making tens of thousands of Expedited
Assistance payments that were based on bogus registration data. GAO also
found numerous other internal control failures in FEMA's IHP disaster
assistance program, resulting in an estimate that FEMA made $600 million
to $1.4 billion in improper and potentially fraudulent payments to
registrants. The purpose of this testimony is to establish a framework for
preventing, detecting, and prosecuting disaster assistance fraud.

Recent GAO audits have illustrated the importance of an effective fraud,
waste, and abuse prevention system in federal disaster assistance
programs. GAO's Standards for Internal Control in the Federal Government
provide a framework for internal control that can be used to minimize
fraudulent, wasteful, and abusive activity regardless of whether dealing
with the effects of natural disasters like Hurricanes Katrina and Rita, or
coping with the destruction left by the terrorist attacks of September 11,
2001.

The figure below illustrates that a well-designed fraud prevention system
should consist of three crucial elements: (1) upfront preventive controls,
(2) detection and monitoring, and (3) investigations and prosecutions. The
figure also shows that upfront preventive controls can help screen out the
majority of fraud, and are the most effective and efficient means to
minimize fraud, waste, and abuse. Detection and monitoring, and aggressive
prosecution of individuals committing fraud, while also crucial elements
of an effective system, are less effective and generally cost more.

Program Designed to Minimize Fraud, Waste, and Abuse

Audit work has long confirmed that upfront preventive controls are most
effective when they require validation of data provided by disaster
registrants against other government or third-party sources, and physical
inspections when possible. Preventive controls should also include
procedures designed to identify problem registrants prior to payments.
Training personnel on fraud awareness and potential fraud schemes is also
an integral component in preventive controls. Collectively, these
preventive controls can help improve program integrity and safeguard tax
dollars.

An effective fraud deterrence program must also include resources to
continually monitor and detect potential fraud, and aggressively
investigate and prosecute individuals who received assistance
fraudulently. Monitoring and detection include data-mining for suspicious
registrations and payment usage, and setting up fraud hotlines. Finally,
program integrity is enhanced by investigating and prosecuting individuals
who take advantage of program weaknesses. However, the high costs of
prosecutions highlight our conclusion that upfront preventive controls are
most effective in preventing fraud, and that lessons learned from
detection and prosecutions should be used to improve preventive controls.
*** End of document. ***