Federal response to unauthorized grant disbursements
The Department of Health and Human Services (HHS) has been advised to bolster its controls over the grant payment system, following the discovery of fraudulent transactions that led to the unauthorized withdrawal of $7.8 million in grant funds.
Assistant Inspector General Tamara Lilly, of the HHS Office of Inspector General (OIG), has outlined specific recommendations to improve the Program Support Center’s (PSC) controls over its Payment Management System (PMS). These recommendations include:
- Developing standard operating procedures (SOPs) that specify how to identify and address risks and vulnerabilities in the PMS.
- Enhancing controls to prevent exploitation by bad actors withdrawing grant funds improperly.
The recommendations emphasize the need for formal processes to detect, mitigate, and respond to fraud risks within the grant payment system, to avoid future improper payments and vulnerabilities.
Lilly underscored the importance of risk assessment, implementing controls, staff training, and regular verification in preventing fraud. She also urged the PSC to assess its risk of fraud, implement all required cybersecurity controls, and conduct regular verifications.
The Office of Audit Services will continue to monitor the PSC's progress and receive updates to ensure they continue on the right path. They encourage all entities to assess their risks, implement controls, and regularly verify their effectiveness.
The PSC has already begun implementing corrective actions since the fraud was detected in January 2024. The diverted funds, totaling $7.8 million, were intended to advance the health and well-being of the people served by HHS programs.
It was found that bad actors gained access to the PSC's payment system by using fake grant recipient email addresses to request access. Once they gained access, the bad actors masqueraded as grant recipients and requested bank account changes, then diverted grant payments to their own bank accounts.
The HHS Office of Inspector General relies on OMB circulars, memos, the GAO's Green Book, and NIST publications for guidance in their audits. The National Institutes of Standards and Technologies publications provide detailed information on cybersecurity controls to mitigate specific system issues.
The GAO's Green Book provides guidance for establishing a solid internal control structure for any entity. The OIG found that the PSC did not have effective internal controls to prevent fraudulent transactions.
It is everyone's responsibility, including the leadership, employees, and grantees, to implement policies and procedures to prevent fraud and report any detected issues in a timely manner.
Sources:
[1] HHS OIG Press Release
[3] HHS OIG Report
- The federal workforce, particularly within the Department of Health and Human Services (HHS), must reimagine its strategies to prevent fraud in the grant payment system, as demonstrated by the case of $7.8 million unauthorized withdrawal.
- In light of the industry-wide importance of safeguarding financial resources, it is crucial for both businesses and the federal workforce to heed the recommendations for improved controls, as outlined by the Office of Inspector General (OIG) in the case of the HHS's Payment Management System (PMS).
