Skip to main content
(G A O website.)

TEMPORARY ASSISTANCE FOR NEEDY FAMILIES:

Additional Actions Needed to Strengthen Fraud Risk Management

GAO-25-107290. Published: Jan 28, 2025. Publicly Released: Jan 28, 2025.

TEMPORARY ASSISTANCE FOR NEEDY FAMILIES

Additional Actions Needed to Strengthen Fraud Risk Management

Report to Congressional Requesters

January 2025

GAO-25-107290

United States Government Accountability Office

Highlights

View GAO‑25‑107290. For more information, contact Seto J. Bagdoyan at (202) 512-6722 or BagdoyanS@gao.gov.

Highlights of GAO‑25‑107290, a report to congressional requesters

January 2025

TEMPORARY ASSISTANCE FOR NEEDY FAMILIES

Additional Actions Needed to Strengthen Fraud Risk Management

Why GAO Did This Study

Since 1996, the TANF block grant has provided $16.5 billion annually in federal funding to states to help support low-income families and address community needs. Recent information from state auditors and the U.S. Department of Justice highlight concerns about whether vulnerabilities in TANF create opportunities for program participants and others to misuse or divert funds.

GAO was asked to review TANF spending. This report examines the extent to which HHS identified and assessed TANF fraud risks. It is part of a series of reports reviewing TANF, see GAO-25-107235.    

GAO reviewed HHS’s fraud risk assessment for TANF and related policies, plans, and methodologies. GAO also interviewed HHS officials. GAO compared this information against leading practices for fraud risk management. GAO independently identified TANF fraud risks by reviewing court cases; state single audit reports; and prior GAO reports. GAO also interviewed state and local officials, including auditors, from eight states selected based on geography and variation in poverty level.

What GAO Recommends

GAO is making seven recommendations to HHS, including to develop clear guidance and standard procedures for regular risk assessments, communicate with state and local stakeholders, and improve the Fraud Risk Assessment Portal design. HHS concurred with five recommendations and did not fully concur with two on the portal. GAO maintains these are valid, as discussed in the report.

What GAO Found

In July 2024, the U.S. Department of Health and Human Services (HHS) completed its first Temporary Assistance for Needy Families (TANF) fraud risk assessment using its Fraud Risk Assessment Portal. It identified and assessed 21 fraud risks. GAO categorized these 21 fraud risks into nine broad categories.

Categories Describing the Temporary Assistance for Needy Families (TANF) Fraud Risks Identified and Assessed by the U.S. Department of Health and Human Services

 

However, HHS’s process for assessing risks is not fully consistent with leading practices for fraud risk management, as outlined below.

Lack of clear guidance or procedures on planning and conducting regular TANF fraud risk assessments. HHS has not established clear guidance or procedures related to planning and conducting regular TANF fraud risk assessments. Specifically, HHS does not have clear and finalized guidance to ensure these assessments occur regularly. Also, HHS does not have standard procedures for conducting TANF fraud risk assessments.

Relevant state or local stakeholders not involved in the TANF fraud risk assessment process. HHS did not engage directly with state and local TANF agencies, or their respective Offices of Inspectors General or auditors, to identify TANF fraud risks while conducting the program’s fraud risk assessment. According to HHS officials, their ability to require these stakeholders to provide information on TANF fraud risks is limited. The Social Security Act prohibits oversight activities of state TANF programs beyond what is explicitly outlined in law. However, HHS is not prohibited from requesting input from stakeholders.

Likelihood, impact, and tolerance of identified fraud risks, and additional risks are not assessed or determined. HHS’s Fraud Risk Assessment Portal—used to conduct the assessments—is not designed to assess the likelihood or impact or determine tolerance of fraud risks identified. Additionally, the portal is not designed to assess additional fraud risks facing a program, such as TANF.  

Having a process for assessing fraud risks that is fully consistent with leading practices can help HHS ensure that its managers are aware of evolving fraud risks and are efficiently and effectively managing them.

 

 

 

Abbreviations

ACF

Administration for Children and Families

EBT

electronic benefit transfer

Fraud Risk Framework

A Framework for Managing Fraud Risks in Federal Programs

HHS

U.S. Department of Health and Human Services

OIG

Office of Inspector General

OMB

Office of Management and Budget

TANF

Temporary Assistance for Needy Families

 

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

 

Letter

January 28, 2025

The Honorable Jason Smith
Chairman
Committee on Ways and Means
House of Representatives

The Honorable Darin LaHood
Chairman
Subcommittee on Work and Welfare
Committee on Ways and Means
House of Representatives

Since 1996, the Temporary Assistance for Needy Families (TANF) block grant—administered by the U.S. Department of Health and Human Services (HHS)—has provided $16.5 billion annually in federal funding to states. States may use TANF funds to provide direct cash assistance—including cash payments on electronic benefit transfer (EBT) cards— designed to meet a family’s ongoing basic needs. Additionally, states may use TANF funds to provide other services, called “non-assistance.” Non-assistance can be used to support a broad set of programs to tackle poverty, reduce child welfare involvement, and address the specific needs of communities.[1] In addition to federal TANF funds, states collectively spend approximately $15 billion of their own funds on this program annually, referred to as maintenance of effort funds.

In January 2021, the Council of the Inspectors General on Integrity and Efficiency reported that grant programs—such as TANF—face an increased risk of fraud, waste, and mismanagement because of limited visibility and control over expenditures at the award recipient and subrecipient levels.[2] Further, recent information from state auditors and the U.S. Department of Justice highlight concerns about whether vulnerabilities in TANF create opportunities for program participants and others to misuse or divert TANF funds, thereby preventing the achievement of the program’s purpose, objectives, and goals.

For example, in May 2020 and October 2021, the Mississippi State Auditor announced that multiple individuals affiliated with that state’s TANF program potentially misspent, converted to personal use, or wasted more than $77 million of TANF grant funds.[3] Additionally, in April 2024, the U.S. Department of Justice announced that, between June 2022 and February 2024, criminal enterprises allegedly stole more than $181 million in California public assistance benefits that included TANF cash assistance provided to program beneficiaries through EBT cards.[4]

You asked us to review TANF spending. As part of a series of reports reviewing various aspects of TANF, this report focuses on fraud risk management by HHS.[5] Specifically, this report examines the extent to which HHS has identified and assessed TANF fraud risks.[6]

To address our objective, we reviewed HHS’s July 2024 fraud risk assessment for TANF and documentation of HHS’s policies, plans, and methodologies for its fraud risk management activities. We also interviewed HHS officials about these activities. We compared this information with selected leading practices in GAO’s A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework).[7] Specifically, we selected leading practices from the Assess component of the Fraud Risk Framework because identifying and assessing fraud risks are key initial steps in prioritizing a program’s fraud risks for developing efficient and effective fraud risk management activities.[8]

As part of assessing HHS’s effort to identify TANF fraud risks, we conducted our own analysis to identify TANF fraud risks. Specifically, we reviewed adjudicated and ongoing federal, state, and local TANF fraud-related court cases and related press releases from January 2015 through September 2024.[9] We also reviewed state single audit reports for fiscal years 2022 and 2023 and relevant prior GAO reports.[10] In addition, we reviewed postings on an e-commerce website that appeared to be used to sell EBT cards.[11] We identified examples of TANF fraud schemes and analyzed those schemes to determine the five key characteristics of a federal fraud scheme—(1) federal program, (2) participant, (3) activity, (4) mechanism, and (5) impact—outlined in GAO’s Antifraud Resource.[12] We also interviewed or requested written responses about known TANF fraud risks and related cases from HHS; the HHS Office of Inspector General (OIG); and state and local officials, including auditors, that manage or oversee TANF from eight selected states.[13] We also obtained similar information from the American Institute of Certified Public Accountants; the National Association of State Auditors, Comptrollers and Treasurers; and the Association of Local Government Auditors.

We conducted this performance audit from January 2024 to January 2025 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

TANF Funding and Purposes

The Office of Family Assistance, within HHS’s Administration for Children and Families (ACF), administers the TANF block grant funds that are provided annually to state recipients. State recipients administer TANF funds through various forms of TANF cash assistance and non-assistance. State recipients may also distribute funds to subrecipients such as local agencies, nonprofit organizations, and other contracted organizations. State or local OIGs and auditors are responsible for overseeing how the state recipients and subrecipients spend these funds.

State recipients and subrecipients are generally allowed to spend TANF funds on assistance or non-assistance as long as these services meet at least one of TANF’s four purposes: (1) provide assistance to needy families so that children may be cared for in their own homes or the homes of relatives; (2) end dependence of needy parents on government benefits by promoting job preparation, work, and marriage; (3) prevent and reduce out-of-wedlock pregnancies; and (4) encourage the formation and maintenance of two-parent families.[14] Spending intended to meet the first two purposes must be for those in financial need.[15]

TANF funding expenditures generally fall into two categories: assistance and non-assistance.

·         Assistance expenditures include cash, payments, and vouchers designed to meet a family’s ongoing basic needs. Examples of expenditures include monthly cash payments to qualifying low-income families, foster care maintenance payments, and certain subsidies for adoption and guardianship. Assistance expenditures also include expenditures for supportive services, such as child care, provided to families who are not employed.

Most states disburse TANF assistance payments to eligible beneficiaries through EBT cards. The EBT cards can be used to withdraw cash and then make purchases with the cash. Some states restrict where the cards can be used and what can be purchased with the withdrawn cash. Federal law also restricts where the EBT cards can be used, but it does not prohibit what can be purchased with the withdrawn cash.

·         Non-assistance expenditures include those for child care for families who are employed, as well as work-related, education, and training activities for individuals and families regardless of employment status. They may also include pre-Kindergarten and Head Start; nonrecurrent short-term benefits, such as emergency housing payments; child welfare services; other services for children and youth; and services for the prevention of out-of-wedlock pregnancies and the promotion of fatherhood and two-parent family formation and maintenance.

According to our analysis of TANF expenditure data for fiscal year 2022, the most recent fiscal year data available when we conducted our analysis, states reported spending a total of $13.8 billion on non-assistance expenditures and $7.9 billion on assistance expenditures, and $4.3 billion on expenditures in categories that contain both assistance and non-assistance.[16]

Fraud Risk Management

The objective of fraud risk management is to ensure program integrity by continuously and strategically mitigating both the likelihood and effects of fraud. Effectively managing fraud risks helps to ensure that federal programs’ services fulfill their intended purpose, that funds are spent effectively, and that assets are safeguarded. Federal agency managers are responsible for managing fraud risks and implementing practices for combatting those risks.

GAO’s Fraud Risk Framework provides a comprehensive set of key components, overarching concepts, and leading practices that serve as a guide for agency managers to use when developing efforts to combat fraud in a strategic, risk-based way.[17] As depicted in figure 1, the Fraud Risk Framework describes leading practices within four components: (1) Commit, (2) Assess, (3) Design and Implement, and (4) Evaluate and Adapt.

Figure 1: The Four Components of GAO’s Fraud Risk Framework and Selected Leading Practices

This report focuses on Component 2 (Assess) of the Fraud Risk Framework. This component includes leading practices for planning regular fraud risk assessments and assessing risks to determine a fraud risk profile. According to the Fraud Risk Framework, effectively assessing fraud risks involves documenting the key findings and conclusions from an assessment of all fraud risks facing the program, including the fraud risks’ perceived likelihood and impact, managers’ risk tolerance, and the prioritization of those fraud risks. The summation of these findings is known as the program’s fraud risk profile.

As required under the Fraud Reduction and Data Analytics Act of 2015 and its successor provisions in the Payment Integrity Information Act of 2019, the leading practices in GAO’s Fraud Risk Framework are incorporated into the Office of Management and Budget’s (OMB) guidelines for agency controls.[18] Specifically, OMB’s Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, directs executive agencies to adhere to the Fraud Risk Framework’s leading practices as part of their efforts to effectively design, implement, and operate an internal control system that addresses fraud risks.[19]

Additionally, in October 2022, OMB issued a Controller Alert reminding agencies that they must establish financial and administrative controls to identify and assess fraud risks.[20] In addition, the alert reminded agencies that they should adhere to the leading practices in the Fraud Risk Framework to effectively design, implement, and operate an internal control system that addresses fraud risks.

In 2016, HHS designated the Office of the Assistant Secretary for Financial Resources as the entity to lead HHS’s fraud risk management activities across all HHS programs, including TANF. In 2022, HHS’s Office of the Assistant Secretary for Financial Resources began working with HHS divisions, including those in ACF, to prioritize fraud risk assessments for certain HHS programs. According to HHS officials, TANF was prioritized because it is susceptible to significant improper payments and does not provide an improper payment estimate.[21] ACF’s Enterprise Risk Management Division is responsible for conducting fraud risk assessments for ACF’s federal programs, including TANF.

HHS developed the Fraud Risk Assessment Portal—a custom automated web tool that was built to allow HHS to work with its operating divisions, such as ACF for TANF—to create, maintain, and complete fraud risk assessments. The portal allows divisions to create profiles for programs and guides them to answer questions to determine any inherent program risks. Then, the portal automatically identifies prepopulated fraud risks that the program may be susceptible to and allows for division representatives to outline how and when they will respond to those fraud risks. According to HHS officials, the TANF fraud risk assessment was one of three initial fraud risk assessments performed in the portal for ACF programs.

HHS Identified and Assessed TANF Fraud Risks, but Processes Are Not Fully Consistent with Leading Practices

HHS Identified and Assessed TANF Fraud Risks

In July 2024, HHS completed its first TANF fraud risk assessment using the Fraud Risk Assessment Portal. It identified and assessed 21 TANF fraud risks and documented its assessment in a fraud risk profile. HHS officials told us that they focused on TANF fraud risks that were (1) frequently reflected in state single audit report findings, (2) illustrated in major court cases of alleged and adjudicated fraud, or (3) included in other HHS programs’ fraud risk assessments. As shown in figure 2, we categorized these 21 fraud risks into nine broad categories and identified hypothetical examples of the risks.[22] See appendix I for the 21 TANF fraud risks HHS identified and assessed.

Figure 2: Fraud Risk Categories and Hypothetical Examples Associated with Temporary Assistance for Needy Families (TANF)

The schemes described in adjudicated fraud cases further demonstrate how TANF funds can be vulnerable to fraud risks identified by HHS. These fraud risks include billing fraud, misuse of award funds, and misrepresentation by applicants (see fig. 3).

Figure 3: Illustrative Examples of Billing Fraud, Misuse of Award Funds, and Misrepresentation with Temporary Assistance for Needy Families (TANF)

HHS’s Processes for Assessing TANF Fraud Risks Are Not Fully Consistent with Leading Practices

While HHS has completed a TANF fraud risk assessment in its Fraud Risk Assessment Portal, its processes for assessing fraud risks are not fully consistent with leading practices in the Fraud Risk Framework. Specifically, HHS does not have clear guidance and procedures for planning and conducting regular fraud risk assessments. Also, it does not involve relevant state and local stakeholders in the risk assessment process. In addition, HHS’s Fraud Risk Assessment Portal is not designed to assess the likelihood and impact of each fraud risk identified or to determine the related risk tolerance. Further, the portal is not designed to assess additional fraud risks that have been identified.

HHS Has Not Established Clear Guidance or Procedures for Planning and Conducting Regular TANF Fraud Risk Assessments

HHS has not established clear guidance or procedures related to planning and conducting regular fraud risk assessments for TANF. Specifically, HHS does not have clear and finalized guidance to ensure that TANF fraud risk assessments occur regularly or are updated when changes occur in the program or environment. Also, HHS does not have standard procedures for conducting TANF fraud risk assessments.

Lack of clear, finalized guidance for performing regular TANF fraud risk assessments. HHS’s guidance on performing fraud risk assessments does not clearly establish a process to ensure that HHS regularly assesses TANF fraud risks or reevaluates and updates existing assessments if the program or environment changes. When we reviewed HHS’s draft guidance documents—specifically the Fraud Risk Implementation Plan—we noted inconsistencies that made it unclear whether fraud risk assessments are required to be performed regularly. One sentence in the plan states that divisions, such as ACF’s Enterprise Risk Management Division that conducts fraud risk assessments for TANF, are “required” to assess fraud risks on an annual basis to support HHS’s enterprise-level risk assessments. However, another sentence in this plan states that divisions are “encouraged” to assess their fraud risks on an annual basis to support the enterprise-level risk assessments.

When asked about this discrepancy, HHS officials told us that they plan to encourage programs, such as TANF, to conduct fraud risk assessments annually. However, officials further stated that they do not require regular fraud risk assessments, including for TANF, due to workload challenges associated with conducting the assessments and challenges with balancing other activities and priorities across the agency. These officials also noted that although they encourage HHS divisions to perform fraud risk assessments annually, some programs may need to be prioritized over others based on indications of fraud or fraud risks impacting the programs and the size of the programs. An official from ACF’s Enterprise Risk Management Division described the division’s plan to conduct fraud risk assessments on a 3-year cycle, unless warranted more frequently,

such as when a program is deemed susceptible to fraud based on a survey regarding fraud risk. However, this plan is not documented.[23]

Additionally, HHS’s two documents that provide guidance on fraud risk management have not been finalized. The Fraud Risk Management Implementation Plan was created in 2021, and the Fraud Risk Assessment Portal Methodology was created in 2022 and updated in 2023. Both remain in draft form as of November 2024.[24] According to HHS officials, although these documents are labeled as draft, they are essentially considered finalized. These officials explained that they have not finalized these documents, since they will be updated as HHS’s fraud risk assessment process across the agency further matures and adapts. As a result, HHS officials did not have a date for when they expect to finalize these guidance documents.

Leading Practices for Planning Regular Fraud Risk Assessments That Are Tailored to the Program

Leading practices in GAO’s Fraud Risk Framework include planning regular fraud risk assessments that are tailored to the program. Specifically, the leading practices call for

·       tailoring fraud risk assessments to its programs;

·       planning to conduct fraud risk assessments at regular intervals;

·       identifying tools, methods, and sources for gathering information on fraud risks; and

·       involving relevant stakeholders in the assessment process.

 

Source: GAO.   |  GAO‑25‑107290

Leading practices in fraud risk management call for agencies to plan regular fraud risk assessments that are tailored to their programs. According to the Fraud Risk Framework, the frequency can range from 1 to 5 years. While the leading practices call for fraud risk assessments to be conducted at regular intervals, the Fraud Risk Framework also notes that they should be conducted when there are changes to the program or operating environment. Fraud risk assessments are supposed to be iterative and not meant to be onetime exercises.

Clear, finalized guidance on fraud risk management that includes plans to assess fraud risks regularly and when there are changes to the program or operating environment can help ensure that ongoing fraud risk management activities are carried out effectively for HHS programs, including TANF.

Lack of standard procedures for conducting TANF fraud risk assessments. HHS does not have standard operating procedures tailored to TANF that describe the process for conducting fraud risk assessments and the roles and responsibilities for those involved. HHS officials explained that ACF’s Enterprise Risk Management Division—which is responsible for conducting fraud risk assessments for ACF’s programs, including TANF—was recently established and has a small number of staff who are working on other procedures that have been prioritized for development.

In addition, according to HHS officials, the TANF fraud risk assessment was one of the three initial fraud risk assessments conducted in the Fraud Risk Assessment Portal. Therefore, the fraud risk assessment process within HHS is maturing. HHS officials explained that they are continuing to assess what worked well and what did not during these initial assessments, including how to identify fraud risks. These factors will be considered when HHS officials draft the standard operating procedures for conducting regular fraud risk assessments, including for TANF. HHS officials did not specify when they plan to draft these standard operating procedures. According to HHS officials, HHS is currently prioritizing developing standard operating procedures for coordinating with the HHS OIG Office of Investigations. For example, these procedures will document how HHS will process information received from the HHS OIG hotline, among other things. While not directly related to performing fraud risk assessments, these procedures could help HHS identify TANF fraud and take action.

A leading practice in the Fraud Risk Framework is for managers to tailor the approach for conducting fraud risk assessments to the program being assessed. This can include documenting standard control activities that inform the specific approach taken for identifying and assessing fraud risks facing a particular program, including how often the agency will conduct regular fraud risk assessments and how the agency will involve relevant stakeholders. Control activities for managing fraud risks include standard policies, procedures, techniques, mechanisms, and roles and responsibilities for identifying and assessing fraud risks.

Developing and documenting standard operating procedures that detail how regular fraud risk assessments tailored to TANF will be conducted, and the roles and responsibilities for those HHS entities involved, can help ensure that such assessments are consistent, efficient, and effective.

HHS Did Not Involve Relevant State or Local Stakeholders in the TANF Fraud Risk Assessment Process

HHS did not involve relevant stakeholders from state and local agencies when it conducted its first TANF fraud risk assessment in the Fraud Risk Assessment Portal. According to HHS officials, the agency has no plans to regularly do so. Specifically, HHS officials told us that they did not engage directly with state and local recipient or subrecipient TANF agencies, or their respective OIGs or auditors, for the purpose of identifying TANF fraud risks while they conducted the program’s fraud risk assessment. HHS officials told us their ability to require state and local stakeholders to provide information on TANF fraud risks is limited. Specifically, the Social Security Act prohibits oversight activities of state TANF programs beyond what is explicitly outlined in the law.[25] Generally, HHS can only collect certain financial and other data in accordance with section 411 of the act.[26]

While HHS is not statutorily prohibited from requesting input from state and local stakeholders, HHS officials explained that they do not request states to provide information about TANF fraud risks, since they would not be able to require states to comply. HHS officials also told us that they are mindful about asking for too much data from states, as they do not want to overburden them.

The Fraud Risk Framework calls for agencies to involve relevant stakeholders in the fraud risk assessment process, including individuals responsible for the design and implementation of a program’s controls for mitigating fraud. The framework acknowledges that agencies may face legal limitations that restrict ways they can engage relevant state and local stakeholders to inquire about their fraud risks and the effectiveness of their mitigating controls. The framework offers alternative mechanisms that federal managers can use to encourage the sharing of fraud risk management information. Such alternative mechanisms could include HHS encouraging relevant stakeholders to voluntarily share such information on their TANF fraud risks through working groups, surveys, onsite visits, or other means. States can voluntarily share such information because they are already required to certify that they have controls for mitigating fraud and fraud risks, including abuse.[27] Further, federal regulations require state recipients of federal grant funds, including TANF, to disclose promptly in writing when they have credible evidence of fraud, conflict of interest, bribery, or gratuity violations, and failure to disclose can result in HHS pursuing certain remedies against the state.[28]

HHS officials told us they used other sources to identify fraud risks when conducting the TANF fraud risk assessment. These sources included performing internet searches for relevant media articles, reviewing states’ single audit reports and corrective action plans, and reviewing HHS OIG and GAO reports. While these sources may be useful, direct communication with relevant stakeholders—state and local TANF agencies—may provide more complete details on TANF fraud risks. For example, in our review, we identified a fraud risk that HHS did not include in its TANF fraud risk profile. We identified this fraud risk through our direct engagement with a state TANF agency and representatives from the state agency’s OIG. These stakeholders voluntarily shared information with us about an ongoing administrative case involving the potential diversion and misuse of commingled TANF funds. Additional details on the fraud risks we identified are presented later in this report.

Because state and local agencies administer TANF funds, they—and their respective OIGs or auditors—are important sources of information about TANF fraud risks. Developing and documenting a process to include direct and regular communication with state and local agencies, and their respective OIGs or auditors, about fraud risks in HHS’s fraud risk assessment process can allow HHS to more comprehensively understand the ways that TANF fraud could occur. This communication could also help HHS more efficiently and effectively mitigate and prioritize the most significant fraud risks facing TANF.

HHS’s Portal Is Not Designed to Assess the Likelihood or Impact or Determine Tolerance of Identified Fraud Risks, or to Assess Additional Risks

HHS’s Fraud Risk Assessment Portal is not designed to assess the likelihood or impact or determine the tolerance of fraud risks identified, or to assess additional fraud risks facing HHS programs, such as TANF. As a result, HHS did not complete these key elements of the fraud risk assessment process or assess the full range of fraud risks inherently facing TANF.

Likelihood, impact, and tolerance of fraud risks. HHS’s July 2024 fraud risk assessment identified 21 fraud risks facing TANF, but it did not assess the likelihood or impact or determine the risk tolerance for these risks because the Fraud Risk Assessment Portal is not designed to have the functionality for such an assessment or determination. As shown in figure 4, assessing the likelihood and impact of fraud risks is the second key element of the fraud risk assessment process outlined in the Fraud Risk Framework, and determining the fraud risk tolerance is the third key element.

Figure 4: Key Elements of the Fraud Risk Assessment Process

Assessing the likelihood and impact of each identified fraud risk, and then determining the related fraud risk tolerance, assists managers in prioritizing such risks when faced with limited resources and time. According to the Fraud Risk Framework, managers may conduct quantitative or qualitative assessments, or both, of the likelihood and impact of inherent fraud risks on the program’s objectives. For example, quantitative methods for analyzing a fraud risk’s likelihood can involve determining the quantity of fraud risks identified in adjudicated or alleged fraud schemes revealed in court cases, states’ single audit reports, and other sources that HHS relies upon to identify TANF fraud risks. Quantitative methods for assessing a fraud risk’s impact can involve determining the quantity of financial impacts revealed by these same sources, including actual or potential TANF dollars lost.

According to the Fraud Risk Framework, although quantitative techniques are generally more precise than qualitative methods, qualitative methods can also be used to assess the likelihood and impact of a particular fraud risk when an agency lacks sufficient resources or information to employ the quantitative methods. For example, effective managers could perform a qualitative assessment of the likelihood that a particular fraud risk could impact a program’s reputation or compliance with laws or regulations.

Instead of assessing the likelihood and impact for the 21 fraud risks identified, and then determining whether they fell within or above an established fraud risk tolerance, HHS examined the suitability of existing fraud controls. This type of examination is part of the fourth element of a fraud risk assessment process, as shown in figure 4.[29] Specifically, HHS determined that all 21 fraud risks identified involved controls that needed some improvements.[30] It did so based on determining whether controls were mitigating the TANF fraud risks to an acceptable or adequate level or if they needed some improvements or urgent action. This determination is documented as a vulnerability assessment, as shown in figure 5, and is reflected in HHS’s TANF fraud risk assessment profile.

Figure 5: Prioritization of Temporary Assistance for Needy Families (TANF) Fraud Risks

As shown in figure 5, HHS placed all 21 TANF fraud risks into the same category of needing some improvements to their mitigating controls. HHS did not first determine whether each of the fraud risks was likely to occur, resulted in financial or nonfinancial impacts, or exceeded an established fraud risk tolerance before determining that priority improvements to the mitigating controls were needed. Instead, HHS assesses a program’s overall exposure to fraud based on five inherent risk factors to determine an overall risk score and rating that is documented on the program’s fraud risk profile.[31] To manage fraud risks effectively and efficiently, and consistent with the Fraud Risk Framework, managers should examine mitigating controls and prioritize fraud risks after they have assessed the likelihood and impact of each fraud risk affecting the program’s objectives and determined whether those results for each fraud risk exceeded an established fraud risk tolerance, as reflected in figure 4.

HHS officials acknowledged that documenting the risk tolerance for each fraud risk is a best practice. However, HHS officials told us that the current design of the Fraud Risk Assessment Portal does not have the functionality to allow users to assess the likelihood and impact results or to determine the risk tolerance level for each fraud risk identified. According to HHS officials, allowing users to do so would involve entering too much detailed information into the portal. HHS officials also said that it would require too much work to determine the likelihood and impact for every fraud risk identified and assessed. However, this is inconsistent with HHS’s draft Fraud Risk Management Implementation Plan, which states that HHS will assess the likelihood and impact of each fraud risk to create a fraud risk profile.[32]

HHS officials also pointed out that it can be difficult to discern the financial impact of fraud because of the length of time it takes for allegations of fraud to be adjudicated. However, HHS officials stated that they relied upon ongoing court cases of alleged fraud and states’ single audit reports—not just adjudicated fraud cases—to identify and assess the 21 TANF fraud risks.

While we recognize that it can take time for allegations of fraud to be adjudicated, other sources—such as single audit findings that are reported annually—may provide more timely information about the quantitative financial impacts of identified TANF fraud risks. HHS officials said that they use single audit reports as a mechanism to identify weaknesses in internal controls that could lead to fraud schemes and related fraud risks. Further, there is a legal obligation for HHS to review state single audit reports within 6 months of acceptance of the single audit reporting package by the Federal Audit Clearinghouse. HHS is required by regulation to follow up on the single audit findings to ensure that the state recipients have taken appropriate and timely corrective action to address the impacts, including financial impacts.[33] In other ongoing work, we are reviewing how HHS follows up on TANF single audit findings. We anticipate issuing a report on the results of this ongoing work in early 2025.

Assessing the likelihood and impact of all identified TANF fraud risks and determining the related fraud risk tolerance before examining mitigating controls and prioritizing the risks can help HHS managers more efficiently and effectively manage TANF fraud risks. Doing so can inform them about which fraud risks have occurred more frequently and have the most significant financial impacts. Assessing likelihood and impact can also assist managers in prioritizing fraud risks for the purpose of strategically targeting ongoing and future corrective actions and limited resources and time toward those fraud risks needing immediate attention. For example, in performing this likelihood and impact assessment and then determining the risk tolerance for each TANF fraud risk, HHS might have determined that not all of the 21 fraud risks it identified actually needed corrective action improvements to their mitigating controls at this same time, or to the same extent. Doing so also could have helped HHS determine which of the corrective action improvements it needed to prioritize.

Additional fraud risks. By design, the Fraud Risk Assessment Portal’s functionality currently limits programs to fully assessing risks that have already been identified by HHS’s Office of the Assistant Secretary for Financial Resources as part of a standard list of 38 fraud risks. As a result of this design, HHS programs, such as TANF, are precluded from fully assessing any additional fraud risks inherently affecting the program’s objectives that it identified or that were communicated by others, including GAO. According to HHS’s methodology guidance for the Fraud Risk Assessment Portal, users could input fraud risks that they identify into the portal. However, given the way the portal is designed, these additional fraud risks identified would not be assessed. Specifically, as the portal is designed, the user would not be able to use it to perform a vulnerability assessment of the effectiveness of the controls used to mitigate the additional fraud risks identified.

HHS officials told us that it is possible for them to update the functionality of the Fraud Risk Assessment Portal or have HHS managers override the portal to allow users to assess the additional fraud risks identified and the mitigating controls for HHS programs, including TANF. However, HHS officials expressed concerns about expanding the standard list of fraud risks included in the portal. For example, one concern they raised was creating additional work in the fraud risk assessment process, including the need to review all the additional fraud risks identified across HHS programs, such as TANF. Another concern HHS officials raised was that such an update could affect their ability to maintain a standardized fraud risk assessment template with standard fraud risks in the portal for all HHS programs.

According to the Fraud Risk Framework, a robust fraud risk profile—derived from the fraud risk assessment process—would include information about all identified fraud risks that can inherently affect a program’s objectives. We analyzed TANF fraud risks and identified additional risks that HHS did not formally assess and document in its TANF fraud risk profile.

Specifically, we identified three additional fraud risks through our review of federal court documentation, state single audit reports, prior GAO reports, and results of searches on an e-commerce website, and through our outreach to state and local TANF agencies. The first two fraud risks that we identified demonstrate opportunities for beneficiaries or state employees to exploit control vulnerabilities involving EBT cards.[34] The third fraud risk that we identified demonstrates opportunities for TANF subrecipients to exploit control vulnerabilities involving commingled TANF funds. The first and third fraud risks we identified were not among HHS’s standard list of 38 fraud risks listed in the Fraud Risk Assessment Portal.

·         Risk of fraudulent EBT card misuse by beneficiaries. We identified the first of the three additional fraud risks by reviewing prior GAO reports and conducting searches on an e-commerce website.[35] This fraud risk shows opportunities to exploit vulnerabilities with EBT cards. For example, we found postings on an e-commerce website, which is readily accessible to the public, that appeared to be used to sell EBT cards. According to these postings, the EBT cards ranged in value from $100 to over $5,000. While the postings did not provide details on the source of the funds, EBT cards being sold reflects opportunities for potentially fraudulent misuse of TANF cash assistance benefits, as depicted in figure 6.[36] We plan to refer these postings to the HHS OIG for further investigation, as appropriate.

Figure 6: Hypothetical Fraud Risk Examples of Beneficiary Misuse of Electronic Benefit Transfer (EBT) Card Funds

·         Risk of EBT card fraud by state employees. We identified the second of the three additional fraud risks by reviewing federal court case documentation and state single audit reports. We previously reported that state single audit findings can indicate areas of TANF fraud risk.[37] Figure 7 shows an example of single audit findings characterized as a material weakness and an adjudicated court case that both reflect the risk of EBT card fraud with TANF funds by state employees.

Figure 7: Example of the Risk of Electronic Benefit Transfer (EBT) Card Fraud by State Employees

·         Risk associated with opaque accounting practices by subrecipient. We identified the third of the three additional fraud risks through outreach to state and local TANF agencies. This fraud risk relates to opaque accounting practices and opportunities for TANF subrecipients to exploit control vulnerabilities involving the inability to determine or track whether commingled TANF funds were used for TANF purposes. During our outreach to state TANF agencies, one state agency contacted its OIG for additional information about cases of potentially fraudulent misuse or diversion of TANF funds. That OIG shared information on an ongoing case involving a subrecipient spending hundreds of thousands of dollars in commingled TANF and non-TANF funds allegedly without documenting, tracking, or providing an accounting that the TANF funds were used for their specific intended purposes, as depicted in figure 8.

Figure 8: Fraud Risk Example Associated with Opaque Accounting Practices by a Temporary Assistance for Needy Families (TANF) Subrecipient

Note: State officials told GAO that this case was being handled administratively within a state agency Office of Inspector General. This case was still ongoing as of December 18, 2024.


HHS officials told us that they identified additional TANF fraud risks that could inherently affect TANF’s objectives, including some of those we identified, but they chose not to assess those fraud risks because they focused on areas where there is a higher risk of fraud. However, HHS officials did not formally document why certain identified fraud risks were not assessed.

According to the Fraud Risk Framework, managers who effectively assess internal and external fraud risks attempt to fully consider the specific fraud risks the program inherently faces, such as fraud risks related to misappropriation of assets, corruption, contracting, grant-making, beneficiary payments, and other areas. Managers may also consider factors that are specific to fraud risks, including opportunities to commit fraud. In addition, as described above, a robust fraud risk profile—derived from the fraud risk assessment process—would include information about all fraud risks that may affect a program.

Updating the design of HHS’s Fraud Risk Assessment Portal and requiring users to fully assess any additional identified fraud risks that TANF faces—including those shared by state and local stakeholders and others, such as the three we identified—would result in more informed, efficient, and effective assessment of TANF fraud risks. This includes fully documenting an assessment of all fraud risks that may affect a program, including those HHS is willing to accept as a low risk of fraud for TANF.

Conclusions

Effectively managing TANF fraud risks helps to ensure that program funds fulfill their intended purpose and are safeguarded from fraudulent misuse or diversion. HHS has taken some initial steps to manage fraud risks facing TANF in alignment with leading practices. For example, in July 2024, HHS finalized the assessment of 21 fraud risks in its Fraud Risk Assessment Portal. However, additional actions related to guidance, processes, and capabilities—for consistency with leading practices and to account for the legal and resource limitations HHS might face—can further strengthen HHS’s fraud risk management activities. Taking these actions can also help provide HHS with efficient and effective ways to mitigate vulnerabilities that can enable participants and others to fraudulently misuse and divert TANF funds away from those in need.

Recommendations for Executive Action

We are making the following seven recommendations to HHS.

The Secretary of HHS should finalize its key guidance documents on fraud risk management—the Fraud Risk Management Implementation Plan and the Fraud Risk Assessment Portal Methodology—and clearly establish a process for conducting fraud risk assessments for HHS programs, including TANF, at regular intervals and when there are changes to the program or its operating environment. (Recommendation 1)

The Secretary of HHS should develop and document standard operating procedures for conducting regular fraud risk assessments tailored to TANF. This should include the roles and responsibilities of HHS entities involved in the process. (Recommendation 2)

The Secretary of HHS should develop a process for direct and regular communication with state and local agencies, and their respective OIGs or auditors, about TANF fraud risks that includes an approach for soliciting information from these entities and document this process in its standard operating procedures for conducting fraud risk assessments tailored to TANF. (Recommendation 3)

The Secretary of HHS should update the design of HHS’s Fraud Risk Assessment Portal to have the functionality to allow users to assess the likelihood and impact of each fraud risk identified in a program, such as TANF; determine the related fraud risk tolerance; and include those results in the portal as part of their fraud risk assessments. (Recommendation 4)

As part of finalizing HHS’s key guidance documents on fraud risk management, the Secretary of HHS should require users to assess the likelihood and impact of each fraud risk identified in a program, such as TANF; determine the related fraud risk tolerance; and include those results in the Fraud Risk Assessment Portal as part of their fraud risk assessments. (Recommendation 5)

The Secretary of HHS should update the design of HHS’s Fraud Risk Assessment Portal to have the functionality to allow for the regular assessment of any additional fraud risks facing TANF, including those identified by GAO. (Recommendation 6)

As part of finalizing HHS’s key guidance documents on fraud risk management, the Secretary of HHS should require users to regularly assess any additional fraud risks facing TANF. (Recommendation 7)

Agency Comments and Our Evaluation

We provided a draft of this report to HHS for review and comment. In its written comments, reproduced in appendix II, HHS concurred with five recommendations (Recommendations 1, 2, 3, 6, and 7) and described its plans for implementing them. HHS did not concur with one recommendation (Recommendation 4) and partially concurred with the remaining recommendation (Recommendation 5), as discussed below. We maintain that all of the recommendations are warranted to ensure efficient and effective fraud risk management for TANF.

HHS did not concur with the fourth recommendation, to update its Fraud Risk Assessment Portal to allow users to assess the likelihood and impact of each fraud risk identified in a program, determine related tolerance, and include those results in the portal. Specifically, HHS stated that its nonconcurrence relates to adding this specific functionality to the portal. HHS stated that it plans to require program offices to assess the likelihood, impact, and tolerance for each fraud risk. However, such an assessment would occur outside of the portal. In its comments, HHS stated that this approach is driven by a desire to ensure consistency, comparability, and repeatability across HHS programs within the portal.

HHS partially concurred with the fifth recommendation to finalize its guidance and require users to assess the likelihood and impact of each fraud risk identified, determine related tolerance, and include those results in the portal. In its comments, HHS agreed with the recommended approach to assess each fraud risk individually. However, HHS stated that it advises programs to assess the likelihood and impact of each fraud risk outside of the portal. HHS noted that it will finalize its guidance to reflect this approach. HHS maintains that this approach enables divisions to evaluate risk levels, prioritize resources, and address actionable vulnerabilities efficiently.

HHS’s position, as expressed in its comments on the fourth and fifth recommendations, that these individual risk-level assessments would be conducted outside of the portal is inconsistent with the purpose of the portal. As discussed in the report, according to HHS’s guidance, the portal was built to allow users to create, maintain, and complete fraud risk assessments. Also, during our review, HHS officials told us that the purpose of the portal as a tool is to aggregate information from various sources to provide a holistic approach to addressing fraud risks. Therefore, it is unclear why, in its comments, HHS is stating that key aspects of fraud risk assessments should be conducted outside the portal.  

We appreciate HHS’s commitment to implementing robust fraud risk management processes. However, given the portal’s existence and purpose, we continue to believe that the portal and guidance should be updated so that fraud risk assessments are conducted and fully documented in the Fraud Risk Assessment Portal. Doing so can help HHS ensure that it maintains documentation in a centralized location for managers to use to prioritize risks when faced with limited resources and time. 

HHS also provided technical comments, which we incorporated into this report as appropriate. However, we note that in one comment, HHS stated that it believed its assessment of the cross-charging fraud risk included an assessment of the fraud risk we identified as being associated with opaque accounting practices by subrecipients. However, these are two different fraud risks, involving different participants. Specifically, the cross-charging fraud risk that HHS assessed involves state recipients and expenses that are included in the financial reporting for TANF, even though these expenses are actually related to a different program. The fraud risk that we identified—and that HHS did not assess—involves opaque accounting practices by TANF subrecipients and opportunities for the subrecipients to exploit control vulnerabilities involving the inability to determine or track whether commingled TANF funds were used for TANF purposes. Therefore, we clarified the distinction between the risks by specifying in appendix I that the cross-charging fraud risk identified and assessed by HHS involved state recipients.

In addition, we provided relevant excerpts from the draft of this report to state officials, as appropriate, for review and technical comment. We made technical clarifications in this report as appropriate.

We are sending copies of this report to the appropriate congressional committees, the Secretary of HHS, and other interested parties. In addition, the report is available at no charge on the GAO website at https://www.gao.gov.

If you or your staff have any questions about this report, please contact me at (202) 512-6722 or BagdoyanS@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix III.

Seto J. Bagdoyan
Director, Forensic Audits and Investigative Service

Appendix I: Temporary Assistance for Needy Families Fraud Risks Identified and Assessed by the U.S. Department of Health and Human Services

In July 2024, the U.S. Department of Health and Human Services (HHS) completed its first Temporary Assistance for Needy Families (TANF) fraud risk assessment using the Fraud Risk Assessment Portal. It identified and assessed 21 TANF fraud risks and documented its assessment in a fraud risk profile. Table 1 presents the fraud risks documented in the TANF fraud risk profile and related descriptions provided by HHS.

Table 1: The 21 Temporary Assistance for Needy Families (TANF) Fraud Risks Identified and Assessed by the U.S. Department of Health and Human Services (HHS) and Documented in Its TANF Fraud Risk Profile

HHS-identified and assessed fraud risk

HHS description of identified and assessed fraud risk

1

Denial of service extortion

A criminal disables the critical computer systems used by a program until a ransom is paid.

2

Ineligible beneficiary or client/patient

An individual makes false statements or submits fake documentation in order to enroll in a program or to obtain benefits.

3

Fictitious activities

A signed or certified programmatic report describes fictitious, duplicated, or overstated program activities or results.

4

Unreported program losses or misconduct

Major losses due to fraud, waste, and abuse and other serious misconduct are not disclosed in programmatic or financial reporting, as required by program compliance rules.

5

Unallowable activities

A signed or certified financial report includes expenses for activities with no connection to the program.

6

Fake bidding by contractors

A contractor submits fake bids from other purported vendors to give the false impression that its bid is the best to ensure that it receives an award.

7

Procurement bribery or kickbacks

An individual with procurement authority receives bribes or kickbacks in exchange for steering an award to a contractor or subcontractor.

8

Cross-charging

State recipient expenses are included in the financial reporting for a program, even though these expenses are actually related to a different program.

9

Illegal personal use of property

An individual uses property that was acquired for a program for unauthorized personal benefit or monetary gain. Examples include motor vehicles, medical equipment, mail systems, computers, and buildings.

10

Inflated expenses

Expenses included in a financial report are fictitious or overstated and cannot be adequately supported.

11

Bid-rigging by contractors

Multiple contractors collude to avoid competitive bidding controls by agreeing on bid prices to ensure that a specific contractor receives the award. The winning contractor can use the other bidders as subcontractors to funnel funds to them for their participation.

12

Ghost beneficiary

Fictitious beneficiaries are added to a program’s registration records or included in programmatic reporting in order to exaggerate program participation.

13

Ineligible grantee or subrecipient

An individual makes false statements or submits fake documentation about an agency or organization so that it can begin to receive program funds through a grant or cooperative agreement.

14

Research misconduct

Program personnel fabricate, falsify, or plagiarize research data or reports.

15

Inflated invoice for contractor services

A contractor submits an invoice for payment that lists services that were not actually provided or were included on another invoice.

16

Phishing for payment

A criminal sends a deceptive email message or fake invoice to program personnel to induce them to authorize a transfer of program funds to a fictitious individual or company.

17

Unqualified contractor

A company or individual falsely claims to be a qualified supplier of specified goods or services in order to obtain program funds, with no intention to supply the goods or services with the required specifications.

18

Identity theft

Beneficiary or employee personal identity or health information maintained by the program is stolen or misused.

19

Procurement conflict of interest

An individual with procurement authority has an ownership or financial interest in a contractor seeking award.

20

Double-charging

The same expenses are included in the financial reporting for multiple programs in order to obtain a higher reimbursement.

21

Duplicate benefits

A beneficiary makes false statements in order to receive duplicate benefits from the same program or multiple programs offering the same services.

Source: GAO analysis of HHS documents.  |  GAO‑25‑107290

Note: These fraud risks are presented in the order in which they appear in HHS’s TANF Fraud Risk Profile.

Appendix II: Comments from the U.S. Department of Health and Human Services

Appendix III: GAO Contact and Staff Acknowledgments

GAO Contact

Seto J. Bagdoyan, (202) 512-6722, BagdoyanS@gao.gov

Staff Acknowledgments

In addition to the contact named above, Gabrielle Fagan (Assistant Director), Flavio Martinez (Analyst in Charge), Isaac Fifelski, Lisa Fisher, and Zakariya Rahimi made significant contributions to this report. Also contributing to this report were Maria McMullen and James Murphy.

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, X, and YouTube.
Subscribe to our RSS Feeds or Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact FraudNet:

Website: https://www.gao.gov/about/what-gao-does/fraudnet

Automated answering system: (800) 424-5454 or (202) 512-7700

Congressional Relations

A. Nicole Clowers, Managing Director, ClowersA@gao.gov, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs

Sarah Kaczmarek, Managing Director, KaczmarekS@gao.gov, (202) 512-4800, U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548

Strategic Planning and External Liaison

Stephen J. Sanford, Managing Director, spel@gao.gov, (202) 512-4707
U.S. Government Accountability Office, 441 G Street NW, Room 7814, Washington, DC 20548



[1]TANF was established by the Personal Responsibility and Work Opportunity Reconciliation Act of 1996. Pub. L. No. 104-193, 110 Stat. 2105. TANF non-assistance services include work, education, and training activities; child care; refundable tax credits; child welfare services; pre-Kindergarten and Head Start classes; and out-of-wedlock pregnancy prevention.  

[2]Council of the Inspectors General on Integrity and Efficiency, The IG Community’s Joint Efforts to Protect Federal Grants from Fraud, Waste, and Abuse (Jan. 2021). State TANF agencies are grant award recipients. TANF subrecipients can include local agencies, nonprofit organizations, and other contracted organizations.

[3]Mississippi Office of the State Auditor, Press Releases (May 4, 2020; Oct. 12, 2021).

[4]U.S. Department of Justice, Southern District of California, Press Release (Apr. 4, 2024).

[5]This report is one of several recent and ongoing GAO reviews covering various aspects of TANF. See GAO, Temporary Assistance for Needy Families: Preliminary Observations on State Budget Decisions, Single Audit Findings, and Fraud Risks, GAO‑24‑107798 (Washington, D.C., Sept. 24, 2024); and Temporary Assistance for Needy Families: Enhanced Reporting Could Improve HHS Oversight of State Spending, GAO‑25‑107235 (Washington, D.C.: Dec. 12, 2024).  In other ongoing work, we are reviewing how HHS follows up on TANF single audit findings, data collected and used on services provided with TANF non-assistance funds, and child welfare spending under TANF. We anticipate issuing reports on the results of this ongoing work later in 2025.

[6]Fraud and fraud risk are distinct concepts. Fraud involves obtaining a thing of value through willful misrepresentation characterized by making material false statements of fact based on actual knowledge, deliberate ignorance, or reckless disregard of falsity. A fraud risk exists when individuals have an opportunity to engage in fraudulent activity. The existence of fraud risks does not necessarily indicate that fraud exists or will occur. However, fraud risks are often present when fraud does occur.   

[7]GAO, A Framework for Managing Fraud Risks in Federal Programs (Fraud Risk Framework), GAO‑15‑593SP (Washington, D.C.: July 28, 2015).

[8]As detailed later in this report, the Fraud Risk Framework contains four components: (1) Commit, (2) Assess, (3) Design and Implement, and (4) Evaluate and Adapt. Within the four components, there are overarching concepts and leading practices.

[9]We selected this time frame to generally align with the period since the Fraud Risk Framework was published in July 2015. For the purposes of this review, we defined adjudication as the legal or administrative process of resolving a dispute that includes a formal, fact-finding process, due process, and a formal determination of the facts. We considered ongoing TANF court cases to be potential fraud detected by the government but not adjudicated as fraud.

[10]In addition to federal oversight, states are expected to provide their own oversight for TANF assistance and non-assistance expenditures through their single audits. Single audits are independent reviews of federal award recipients, including state agencies. According to the Single Audit Act and the Office of Management and Budget’s (OMB) implementing guidance, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, states must spend up to a certain threshold of federal funds each year to undergo a single audit and must submit the information to the Federal Audit Clearinghouse within a designated time frame. The Single Audit Act is codified, as amended, at 31 U.S.C. §§ 7501-06, and implementing OMB guidance is reprinted in 2 C.F.R. part 200, subpart F. In April 2024, OMB issued revisions to 2 C.F.R. § 200.501, raising the annual threshold of expenditures triggering a single audit or program-specific audit from $750,000 to $1 million, effective October 1, 2024. 89 Fed. Reg. 30,046 (Apr. 22, 2024). We limited our review to single audit reports from fiscal years 2022 and 2023, which were the most recently available when we began our work that would identify whether there have been recurring findings since 2015.

[11]This e-commerce website is readily accessible to the general public. We searched for the term “EBT” to identify such postings on this website.

[12]GAO, GAO Fraud Ontology Version 1.0 (Washington, D.C.: Jan. 10, 2022), https://gaoinnovations.gov/antifraud_resource/howfraudworks. GAO designed the Antifraud Resource to serve a wide range of users and needs. Among other things, it provides an overview of fraud concepts, case examples of fraud schemes, and a glossary of terms.

[13]We selected these eight states for diversity in geographic region and percentage of state residents under the federal poverty level. We divided states into four Census regions—Northeast, South, Midwest, and West—and within each region, we selected the state with the greatest percentage and median percentage of population below the federal poverty line. The eight selected states also varied in the amount of TANF funds received and the proportion of funds spent on assistance versus non-assistance. We selected the following eight states: Illinois, Massachusetts, Mississippi, New Mexico, New York, Ohio, Texas, and Wyoming. Two of these eight states, New York and Ohio, administer TANF at the county level. We selected one county in each of these two states that received among the largest amounts of TANF funds in fiscal year 2022.

 

[14]42 U.S.C. § 601.

[15]Financial eligibility is determined by the income and resource standards established by each state in its TANF plan. 45 C.F.R. § 263.2(b)(3).

[16]In addition to providing services, TANF funds can be transferred for use under two other HHS block grants—the Child Care and Development Fund and the Social Services Block Grant. Section 404(d) of the Social Security Act establishes a state’s authority to transfer TANF funds to these other block grants. The total amount transferred to these block grants cannot exceed 30 percent of the federal TANF award amount. Transferred funds are subject to the rules of the program to which they are transferred. States report expenditures quarterly to HHS by category. Two categories used for state expenditure reporting to HHS in Form ACF 196R—Child Care and Work Supports—contain expenditures that could be considered assistance or non-assistance, depending on the population served. See GAO‑25‑107235.

[18]The Fraud Reduction and Data Analytics Act of 2015, enacted in June 2016, required OMB to establish guidelines for federal agencies to create controls to identify and assess fraud risks and to design and implement antifraud control activities. Pub. L. No. 114-186, 130 Stat. 546 (2016). The Fraud Reduction and Data Analytics Act of 2015 was replaced in March 2020 by the Payment Integrity Information Act of 2019, which required these guidelines to remain in effect, subject to modification by OMB, as necessary, and in consultation with GAO. Pub. L. No. 116-117, § 2(a), 134 Stat. 113, 131-132 (2020), codified at 31 U.S.C. § 3357.   

[19]Office of Management and Budget, Management’s Responsibility for Enterprise Risk Management and Internal Control, OMB Circular A‑123 (Washington, D.C.: July 15, 2016).   

[20]Office of Management and Budget, Establishing Financial and Administrative Controls to Identify and Assess Fraud Risk, [Controller Alert] CA-23-03 (Washington, D.C.: Oct. 17, 2022).   

[21]TANF is one of the ACF programs that OMB determined to be susceptible to significant improper payments. Improper payments and fraud are related, but distinct, terms. Understanding the relationships and distinctions between improper payments and fraud is important to more effectively address the associated root causes and mitigate the impacts of each. GAO, Improper Payments and Fraud: How They Are Related but Different, GAO‑24‑106608 (Washington, D.C.: Dec. 7, 2023). 

[22]We grouped the 21 fraud risks identified and assessed by HHS into nine broader fraud risk categories using terms outlined in GAO’s Antifraud Resource. GAO, GAO Fraud Ontology Version 1.0.

[23]HHS officials also told us that while they do not have formal plans for conducting TANF fraud risk assessments regularly, they plan to monitor sources for indicators of fraud or fraud risks impacting TANF to determine if another TANF fraud risk assessment is necessary. These sources might include federal requirements or recommendations by GAO, state single audit reports, improper payment assessments, HHS’s enterprise risk management assessments, and reviews of ongoing HHS OIG or state investigations involving potential TANF fraud.

[24]These draft documents apply to all HHS divisions administering various HHS programs, including TANF.

[25]42 U.S.C. § 617 states that no officer or employee of the federal government may regulate the conduct of states under the TANF provisions of the Social Security Act or enforce any such provision, except to the extent expressly provided for in the act.

[26]42 U.S.C. § 611.

[27]For example, section 402 of the Social Security Act requires states to self-certify annually to HHS that they have established and are enforcing standards and procedures to ensure against program fraud and abuse, including standards and procedures concerning nepotism, conflicts of interest among individuals responsible for the administration and supervision of TANF, kickbacks, and the use of political patronage. 42 U.S.C. § 602(a)(6).

[28]2 C.F.R. § 200.113.   

[29]Fraud risk tolerance reflects the significance of a particular fraud risk that is based on an initial assessment of the fraud risk’s likelihood and impact.

[30]According to HHS officials, the existing control activities include, but are not limited to, training provided to state TANF agencies to help address the 21 fraud risks, as well as corrective action steps that state TANF agencies take to address single audit findings related to those fraud risks.

[31]As described in the Fraud Risk Assessment Portal Methodology, the five inherent risk factors are (1) the location of award recipient, (2) maturity of a program or a significant funding surge, (3) amount of funding received, (4) level of public interest in the program, and (5) the program’s history of fraud risk management. 

[32]As we mentioned earlier in this report, the Fraud Risk Framework states that effectively assessing fraud risks involves documenting in a fraud risk profile the key findings and conclusions from an assessment of all fraud risks facing the program, including the fraud risks’ perceived likelihood and impact and managers’ risk tolerance of those fraud risks.

[33]Further, OMB’s guidance requires HHS, the federal awarding agency of TANF funds to, among other things, ensure that single audits are completed, and reports are received, in a timely manner.

[34]While HHS identified and assessed the risk of identity theft—specifically as it relates to EBT card fraud by external parties—in its 2024 TANF fraud risk assessment, it did not assess these two fraud risks that demonstrate opportunities for beneficiaries or state employees to exploit control vulnerabilities involving EBT cards. See app. I for the 21 TANF fraud risks HHS identified and assessed.   

[35]In 2012, we reported that states that prohibit certain types of TANF assistance purchases generally do not have ways to track what items recipients buy with their TANF EBT cards, partially due to the lack of information in transaction data on specific goods or services purchased. States were also challenged in attempting to track the spending of cash withdrawn with cards. As we reported then, with no controls on how or where individuals spend withdrawn cash, a recipient could withdraw money at an authorized location and use it at certain locations or for certain purchases restricted by some states. See GAO, TANF Electronic Benefit Cards: Some States Are Restricting Certain TANF Transactions, but Challenges Remain, GAO‑12‑535 (Washington, D.C.: July 20, 2012). As described earlier in this report, most states disburse TANF assistance payments through EBT cards. The EBT cards can be used to withdraw cash and then make purchases with the cash. Some states restrict where the cards can be used and what can be purchased with the withdrawn cash. Federal law also restricts where the EBT cards can be used, but it does not prohibit what can be purchased with the withdrawn cash.

[36]EBT cards can be used to deliver multiple benefits—such as TANF cash assistance and the U.S. Department of Agriculture’s Supplemental Nutrition Assistance Program—using a single card. Also, we could not confirm whether these postings were made by TANF beneficiaries, beneficiaries from other programs, or third-party individuals.   

[37]GAO, Temporary Assistance for Needy Families: Preliminary Observations on State Budget Decisions, Single Audit Findings, and Fraud Risks, GAO‑24‑107798 (Washington, D.C.: Sept. 24, 2024). Since single audits are an important oversight tool for ensuring that a federal award recipient has adequate internal controls in place, findings from these audits, such as material weaknesses, can indicate areas of fraud risk in TANF. A material weakness is a deficiency, or combination of deficiencies, in internal control over compliance, such that there is a reasonable possibility that material noncompliance with a compliance requirement will not be prevented, or detected and corrected, on a timely basis.