Key Takeaways:
- Fraud in government often stems from weak oversight, informal practices, and limited accountability — not just outright theft.
- The Fraud Risk Management Framework from the U.S. Government Accountability Office provides a structured, repeatable approach to identifying, prioritizing, and managing fraud risk.
- Effective fraud risk management is an ongoing, organization-wide effort that requires leadership commitment, regular assessment, and continuous monitoring.
—
Fraud is not a distant or abstract risk for state and local governments. It happens in state agencies, counties, cities, Tribal governments, and special districts — often in ways that are difficult to detect until real damage has already been done. From procurement abuses and payroll schemes to conflicts of interest and program misuse, fraud diverts public resources and erodes trust in government.
What makes fraud especially challenging for governments is that it doesn’t always involve outright theft. More often, it grows out of conditions such as improper influence, weak oversight, inadequate separation of duties, and informal practices that slowly create vulnerabilities. And while many organizations like to believe fraud is unlikely to happen “here” because of employee goodwill, experience shows that assuming good intentions is not a fraud prevention strategy.
The good news is that governments don’t have to start from scratch. A well-established framework exists to help agencies identify fraud risks, implement safeguards, and evaluate whether those safeguards are actually working.
The GAO’s Fraud Risk Management Framework
The Fraud Risk Management Framework, issued by the U.S. Government Accountability Office (GAO), provides a structured, practical approach for managing fraud risk across government programs. Although originally developed for federal programs, the framework is widely viewed as a leading practice and is highly applicable to state, local, Tribal, and special-purpose governments.
At its core, the framework helps organizations move from informal awareness of fraud to a disciplined, repeatable process for managing risk. It recognizes that fraud risk management is not a one-time exercise — it is an ongoing cycle that requires leadership commitment, regular reassessment, and continuous improvement.
The framework is built around four interrelated stages that reinforce one another.
Commit
The first — and often most difficult — step is committing to combating fraud. This is difficult for many governments because it requires leadership to acknowledge that fraud risk exists and to set a clear tone that managing risk is an organizational priority.
Senior leaders play a critical role by visibly supporting antifraud efforts and involving all levels of the organization. The framework also emphasizes the importance of assigning responsibility for fraud risk management to a specific individual or unit with the authority to act. Without clear ownership, even well-intended efforts can stall.
Importantly, this stage encourages governments to think broadly about fraud. Fraud risk is not limited to financial misappropriation. Conflicts of interest, hiring irregularities, improper influence, and misuse of authority all fall within the scope of fraud risk management.
Assess
Once a government commits, it must assess where it is vulnerable. Fraud risk assessments should be tailored to the specific programs, operations, and governance structure, and should involve relevant stakeholders across departments.
This stage focuses on identifying potential fraud schemes, evaluating their likelihood and impact, and determining how much risk the organization is willing to tolerate. It also includes reviewing existing controls to understand where gaps may exist. Common risk areas include procurement, cash handling, purchasing cards, payroll, grant programs, and access to financial systems — but governance and oversight risks are just as important.
The result of this process is a documented fraud risk profile that helps prioritize where attention and resources should be directed.
Design and Implement
With a clear understanding of risks, governments can then design and implement an antifraud strategy. This strategy should be documented and communicated across the organization. Focusing on preventive controls whenever possible can often be more efficient and effective than utilizing detective controls.
Controls may include policy changes, system restrictions, additional approvals, training, reporting mechanisms such as fraud hotlines, and clear procedures for responding to allegations. The framework encourages agencies to consider both the effectiveness and the cost of controls and to collaborate with stakeholders to support consistent implementation.
Evaluate and Adapt
The final stage closes the loop by reinforcing accountability and continuous improvement. Governments must evaluate whether their fraud risk management activities are producing the intended results. This can be done by management, internal auditors, or independent reviewers, using a risk-based approach.
Monitoring may include reviewing hotline data, analyzing investigation outcomes, tracking trends, and assessing whether controls are functioning as designed. Importantly, the framework emphasizes using this information to adapt — refining controls, updating risk assessments, and strengthening the organization’s overall antifraud posture.
Because fraud risks change over time, evaluation and adaptation are essential to keeping the framework effective.
Key Takeaways From the GAO’s Recent Technical Appendix
The GAO recently released a technical appendix that expands on how governments can evaluate their fraud risk management efforts in practice. Key themes include using surveys and data analysis to assess organizational culture, benchmarking structures against leading practices, and developing meaningful measures to evaluate outcomes — not just activities.
The appendix reinforces that fraud risk management is not solely a finance or audit function. It is an enterprise-wide responsibility that requires participation from leadership, program managers, and oversight functions alike.
Recent Fraud Cases Highlight the Stakes
Fraud is not limited to large agencies or complex programs — it can occur in cities, counties, and small towns alike. Recent examples demonstrate the variety of schemes and significant financial impact they can have on government resources:
- New York City Housing Authority (NYCHA): In February 2024, 70 current and former employees were charged with bribery and extortion, allegedly demanding over $2 million in corrupt payments from contractors in exchange for awarding more than $13 million in no-bid contracts. (Source: Department of Justice)
- Santa Cruz County, Arizona: Former County Treasurer Elizabeth Gutfahr embezzled and laundered approximately $38 million between 2014 and 2024, also failing to pay more than $13 million in personal income taxes. Funds were used for real estate, ranch operations, vehicles, and personal expenses. (Source: Department of Justice)
- Hatton and Mesa, Washington: Employees misappropriated public funds totaling $91,911 by exploiting weak internal controls, including unreviewed debit card purchases and overpayment for hours worked. In a separate abuse of authority, a Hatton employee also falsely obtained approximately $1.3 million in firefighting equipment. (Source: Washington State Auditor)
- Los Angeles County, California: Thirteen county employees stole a combined $437,383 in state unemployment benefits between 2020 and 2023 by filing false claims while receiving paychecks from the county. (Source: Los Angeles County)
- Chicago, Illinois: A lineman fraudulently obtained $17,890 in Paycheck Protection Program (PPP) funds by falsifying a loan application and IRS documentation, claiming to operate a lawn care business that did not exist. (Source: Chicago Office of Inspector General)
- Canton, Mississippi: Two former aldermen were sentenced to 46 months in federal prison for accepting bribes in exchange for directing $7.8 million in government contracts to a co-conspirator. (Source: Clarion Ledger)
These cases illustrate that fraud can affect governments of all sizes and types, and that the consequences are both financial and reputational.
Key Principles for Detecting and Preventing Fraud
Governments can take proactive steps to reduce fraud risk by establishing strong policies, controls, and oversight. Core principles include:
- Watch for red flags: Employees living beyond their means, working unusual hours, refraining from going on vacation, unwilling to share duties, or maintaining unusually close vendor relationships may signal potential fraud.
- Set the tone at the top: Leadership commitment to a culture of honesty, accountability, and fairness is essential to deterring fraudulent behavior.
- Conduct regular fraud risk assessments: Use the GAO Fraud Risk Management Framework to evaluate potential vulnerabilities, assess likelihood and impact, and prioritize risk mitigation strategies. Periodic reassessment is critical as new threats emerge on a regular basis.
- Implement an anti-fraud program: Include clear policies, such as whistleblower protection, a fraud hotline, investigation procedures, and processes for addressing employee misconduct, even when it doesn’t rise to criminal levels.
- Monitor continuously: Senior management and oversight bodies should regularly review anti-fraud activities to confirm controls are working effectively and fairly. Monitoring, evaluation, and adaptation create a repeating cycle of improvement.
Building a Sustainable Approach to Fraud Risk Management
Fraud risk is an organizational challenge that requires more than ad hoc controls or reactive investigations. The GAO’s Fraud Risk Management Framework offers governments a clear, proven roadmap for identifying vulnerabilities, strengthening controls, and evaluating whether those efforts are working. By approaching fraud risk as a continuous cycle rather than a one-time initiative, governments can better protect public resources and maintain public trust.
How MGO Can Help
MGO works with state agencies, counties, cities, Tribal governments, and special districts to assess fraud risk, design and evaluate anti-fraud controls, and support investigations, hotlines, and monitoring efforts. Our team helps you move from awareness to action — using established frameworks and practical experience to strengthen your fraud risk management approach. Reach out to our professionals today to start building a resilient fraud prevention strategy.