How Can There Be Such “Massive” Fraud At, Say, USAID, With Such Oversight?"
Understanding Audit and Internal Review Processes
One of my old professors from Le Moyne College , posted this question in a thread on one of my Facebook posts and I thought it is an important enough topic that it deserved its own article, and it is going to be a multi-article answer.
I invite subscribers to this substack, and others, to offer their views as well.,
"I was under the impression that federal agencies and those that contract with the Federal Government have bi-yearly or at least periodic audits by nonpartisan accountants. My father-in-law was an auditor assigned to monitor the GE operation in Cicero.
How can there be such “massive” fraud at, say, USAID, with such oversight?"
*****************************************************************
Answer Part One
There will always be some level of fraud, or at least the opportunity to commit fraud, if an agency has a culture that can allow it to happen or they lack adequate internal controls to prevent and detect fraud.
There is no MASSIVE fraud at USAID, but there was fraud that I had personally seen occur and dealt with when I worked there that ties into the culture of the agency.
The types of an "audit" that I have been involved in over my career are:
1. The Annual Financial Managers Financial Integrity Act (FMFIA) review process, mandated by the Financial Managers Financial Integrity Act of 1982, requires "ongoing evaluations and reports of the adequacy of the systems of internal accounting and administrative control of each executive agency, and for other purposes." In this process we would do an internal self-assessment followed up with an inspection by an external team.
My subject area was "Procurement and Assistance.' I would work the internal assessment and participate as a member of external evaluation teams.
2. In 1994, I was tasked to review a major EPA Information Technology Support Contract to determine if there were any potential fraud issues. This is always a challenging task because anybody who would be foolish enough to document their fraud in a contract file deserves to be caught. And the fraud indicators were not something one would glean by just doing a read of the many, many contract file folders. You had to really dig into the minutia, find threads, and pull them to see where they led to. And they did lead to a fraudulent real estate scheme to buy and refurbish a building owned by a Congressman that put an earmark in EPAs budget to allow this to happen.
Never in my career did I have more people - the lead Contracts attorney who had this contract in his portfolio, contracting officers who had managed the contract over time, managers, etc. - more interested in my work and what I was finding. I brushed them off and said it would all be in a report to the Director. I briefed/submitted the report but never heard what happened to it.
Tangentially related to this, EPA had a huge IT support contract called MOSES. The files for this contract were in multiple piles on a desk that reached to the ceiling. Auditors found that the contractor had billed for (buried in their overhead) "Masters Tickets" and "Reindeer Suits." Of course Congress was all over this and was conducting hearings on it, wanting to know why the Contracting Officer did not find these items in their billings.
My new boss at the EPA came to my cube on what was my 2nd or 3rd day on the job. He said to grab my blazer and walk with him. We walked the two or three blocks to one of the House Office buildings, and went into an oversight hearing where they were digging into this issue. Even though he was not a member of the committee, EPA-Opponent John Dingell (D-MICH) came in as a "guest" to do his pro forma assault on the agency because they threatened the livelihood of the auto industry in his district.
It was during this hearing that my boss leaned over to me and said:
"If you want to be successful with me, make sure you are never called out by name in a Congressional hearing!"
So do contracts get audited? Maybe and that depends on a lot of factors like contract size, contract risk, other issues with a company on other contracts.
3. And that leads to my third experience as a plank-holder member of the Naval Sea Systems Command's Procurement Performance Management Assessment Program (PPMAP). It is a program used by the US Navy to evaluate and improve the quality of its procurement processes. It is a performance-based program that encourages continuous improvement.
But there is an inherent problem with the program in the sense that the 18 field activities and headquarters offices we were tasked to review kept calling it an "audit" when it was in no way an audit by any stretch of the definition.
How so? For something to be "audited" findings, a methodology had to be applied across a large enough sample set that would allow an auditor to generalize these findings across the organization.
And where would these findings come from? Deep dive reviews of contract files. and therein lies the challenge. These reviews would happen every three years, and in the interim the activity being inspected would have generated 3,000, 4,000, and even 5,000+ contracting actions of all types. They would be new open market awards, sole-source awards, Section 8(a) Awards, Seaport-E Awards, modifications, GSA Schedule awards, etc. etc.
In order to be able to have an audit finding that is generalizable to the activity as a whole, you have to have an adequately sized sample set. If you have 3,000 actions, you will have to review 196 files, 5,000 would be 384 files. This is being done by a sub team of 3, maybe 4 people that have three days to complete their task, maybe 6 if the review is going ten days.
This is just not doable, not only just because of volume. We may have selected a file that is reported as a single action in the FPDS-NG reporting system but may actually be ten separate actions combined into one for administrative convenience. That means in that one file you would be reviewing ten discrete actions. This would lead to a finding that \staff needs to do a better job in describing the actions when entered into the system.
I had to come up with a different methodology to attack the challenge, including finding a way that would not inadvertently overrepresent a type of action. I would pull the data dump down from the system for all actions. I would then run an Excel script to break down each action type into its own worksheet. The I would run a random number generator to select the sample size required for each action type and make the selections.
It was after this step that the ability to use it as a generalizable “audit” finding breaks down.
We would have to take the list and make a value judgement about which files to include, including asking the local head of contracts if there were any on that list that they felt required special attention, or if there were any not on the list they felt needed attention.
So yes we would find one-off issues in the files, maybe a couple of repeats. But there was no way to say that these were audit findings that could be generalized to a whole office. I would always couch the out-brief and the written report with a disclaimer that the findings did not necessarily represent an audit finding requiring immediate remedial action, but that they happened enough that further review might be necessary to assess the risk and prevalence in their processes. Nonetheless, the offices treated them as true audit reports and would go off in all kinds of directions to make policy and procedure changes that were not needed and added zero value to the procurement process. And this happens across the government day after day, week after week, etc.
Did we ever find fraud in the files? Nope. In fact, before one inspection trip. The Inspector General’s office called my team lead, asking him to call them immediately if we found any fraud in the files. His answer was “No, that is not what we are doing in these inspections, and it would break the bond of trust we have to have for our review program to be effective. Plus, it is very rare to find evidence of fraud in a contract file review.”
This is akin to when I accepted a job with a USEPA lab in 1994 to oversee their extramural (Contract, Grant, and Cooperative agreement) funding programs. The position was created in response to a scathing audit and related criminal investigation of the lab that was hiring me. Shortly before leaving DC, the IG investigator called me and asked me to go to lunch with her. At lunch she basically said she wanted me to be her “snitch” and let her know anytime I found something the least suspicious.
I told her “Absolutely not” for the same reasons my NAVSEA Team Lead to the IG. I then went into detail with her about her report and that 75-80% of it was total BS because these were things that happened because of ignorance on the part of the employees and controls that had broken down in the parts of the agency (Procurement, grants office, finance office) that would have stopped them from foolish acts. The remainder would be dealt with as needed with my boss, not the IG. I emphasized that this was essential so that they could trust me enough to come to me with questions or requests for advice on the best path forward.
My biggest mistake when I arrived on site for this job, and this is something I think back on a lot, was not sitting all the staff and scientists down into a room and telling them about this lunch and what I told the IG. A such, they always considered me a “spy from Washington” that was using up salary dollars they could have used to hire another scientist or a couple of lab techs.
Bottom line is that audits do not happen as often as you would think and I will cover an example or two in depth, considering what about when you DO find evidence of potential fraud, waste, and abuse in contract files and documentation?
That will be Part 2.
This matches my experience with the FDA. They have an impossible job; too many companies that need audits, too few auditors, and too little time at each audited facility. My first few audit experiences (as an auditee) were terrifying, not least because our company training included 'the FDA are not your friend' warnings. Over time I learned to appreciate their technical competence both as auditors (a difficult job) and their ability to understand a LOT of the technical engineering documents they reviewed. I really get that their job is to keep the public safe AND as an added bonus, their audits generally resulted in us developing better procedures for the work we did; win win win. The other bit is that for all the audits the FDA does, the number of enforcement actions taken are small which is an indication that most companies are doing the right thing most of the time, albeit because the FDA is watching over their shoulders! What's going on now with Muskrat and is dodgy DOGE is a travesty.