In 2021, the Department of Justice suffered from a significant data breach. The fraudsters used a backdoor approach by firstly breaching their email supplier, Microsoft 365. After the cyber attackers were successful, they gained access to over 80% of the employee email accounts in the New York Office, as well as some accounts in other locations. The GAO fraud risk strategy exists to guide Federal Agencies and prevent attacks like the above from happening.
Learn how Trustpair ultimately prevents and detects payment fraud both in the private and public sectors with automated account validation.
What’s the GAO Fraud Risk Framework?
The US Government has an Office for Accountability, known as GAO. This department is responsible for assisting Congress, and supporting general legislative tasks.
In 2015, they released a fraud risk framework to turn the focus away from chasing fraudsters, and instead on preventing incidents from occurring in the first place. This fraud risk framework is important since it aims to break down the full formula for managing fraud risks, detecting suspicious behavior, and thus preventing fraud events.
Just like most fraud risk activities, there are three core principles of the GAO plan:
- Prevention: creating barriers to access by malicious cybercriminals
- Detection: monitoring activities for ‘normal’ and anomalous results
- Response: acknowledgement and action after suspicious activity is detected
Who is the GAO guide aimed at?
The GAO framework is specifically designed to target Federal agencies under the CFO Act. This involves 24 different entities, of which twenty have allowed their own fraud departments. For example, the Department of Commerce, Department of Defense and Small Business Administration are all included.
In fact, in 2024, the US Patent and Trademark Office (USPTO) was highlighted as one agency underperforming in the fight against fraud.
Under the 2020 Trademark Modernization Act, GAO found that there were too many opportunities for false and inaccurate information to be approved into the Trademark database. As such, the government office told the Patent and Trademark Office to strengthen its defenses, with a particular focus on risk management practices.
What are the steps of the GAO Fraud Risk Strategy?
There are four parts to include in the Fraud Risk Framework model:
- Commit
- Assess
- Design and Implement
- Evaluate and Adapt
Commit
The first stage of these recommendations is unusual compared to others; it sets out the overall attitude towards fraud. One of the key challenges these days is that many organizations don’t give enough resources or attention towards fighting fraud. Most often, that’s because combating fraud isn’t valued by stakeholders or managers.
Therefore, the GAO fraud risk framework highlights the need for buy-in from the very top of the organization. With an intentional commitment towards fighting fraud, leaders can set the tone within their organization, and ensure that they take a structured approach towards risk. It also acts as a fraud deterrence measure, since employees know that leaders will take any suspicious activity seriously.
Moreover, a commitment to defining responsibilities means that the appropriate people should be granted access to the right resources. By deeming fraud risks as important, it sets an ongoing culture that should ripple throughout the business. It’s likely that by prioritizing security, organizations will find it easier to protect their operations.
Assess
Risk management also involves regular risk assessments under the GAO program. Specifically, the focus should be on tailoring risk assessments to your business scenarios, in order to provide the most relevant risk data.
The gov office advises that these examinations should identify both:
- The likelihood of risk occurrence
- The impact of risk occurrence
Thanks to regular fraud risk assessments, this step also gives teams the breathing room to assess how well their previous and current fraud measures are working, using analytics. For example, employees may spot that their encryption needs to be renewed, and automate this renewal to reduce the risk of fraud.
Design and Implement
The risk assessment will then feed into how teams within Federal agencies design their anti-fraud strategy. The previous findings within the risk assessment should help design the plan, which will lead to rigorous development.
GAO makes it clear that the initial focus should be on preventative measures, such as the segregation of duties or access controls. That’s because it’s typically much more cost-effective than the ‘pay and chase’ scenario after a fraud event occurs.
As for detective controls, methods like Trustpair’s continuous account monitoring helps to detect suspicious activity. By performing fraud risk management on third parties, for example, companies can detect changes in their supplier details and move on a cautious basis.
Evaluate and Adapt
Finally, a true risk-based approach to fraud requires regular evaluation of success measures. What matters, though, is using the success measures to your advantage to better protect your company and prevent further financial fraud attempts.
GAO recommends that a leading government agency should aim to improve their three core actions (that’s prevention, detection and response) by regularly monitoring the outcome of previous actions. By tracking the data in real-time, teams can accurately analyze their risk-based strategy, and ensure their efforts are successful.
A summary of the GAO fraud risk framework
The GAO fraud risk framework is a set of recommendations that aim to protect Federal Agencies against fraud. Leading practices for the government recommendations include using data analytics, and identifying false inaccurate data. Trustpair helps to prevent payment fraud through continuously monitoring third party account data.