We audited the California Department of Housing and Community Development (HCD) with the objective of evaluating HCD’s fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) program and assessing the maturity of its efforts to prevent, detect, and respond to fraud.  Fraudulent activity in the ESG CARES Act program can lead to significant financial losses, reputational damage to the grantee and the U.S. Department of Housing and Urban Development (HUD), breach of fiduciary duty, and most importantly, loss of funding assistance to intended beneficiaries.  A robust antifraud program will help ensure that pandemic grant funds are put toward their intended uses, funds are spent effectively, and assets are safeguarded. 

Congress provided $4 billion for the ESG CARES Act program, which represented a 1,379 percent increase to the regular 2020 annual ESG appropriation.  Given the influx of funding, we initiated a series of audits examining ESG CARES Act grantees’ fraud risk management practices and evaluating whether selected ESG CARES Act grantees are adequately prepared to prevent, detect, and respond to fraud. HCD was selected because it was authorized more than $319.5 million in ESG CARES Act program funds, a 2,505 percent funding increase from its formula ESG allocation for fiscal year 2020.  

HCD was not adequately prepared to prevent, detect, and respond to fraud due to the lack of focus it placed on fraud risks and establishing a robust fraud risk management framework.  Although HCD established a departmentwide enterprise risk management (ERM) framework, it was not robust enough to proactively identify fraud risks, and it was not developed with leading industry standards and best practices.[1]  This deficiency resulted in the lowest desired maturity goal state – ad hoc – for the organization’s antifraud initiatives.  HCD noted that it had limited resources to implement additional fraud risk measures. Further, HCD believed that it was not necessary to create a separate fraud risk management framework or build upon its existing ERM framework to incorporate fraud risk management practices. 

HCD’s management is responsible for managing fraud risk, including assessing the potential of fraud, and designing and implementing strategies to mitigate fraud risks.  Because it placed little emphasis on identifying fraud risks under its ERM framework and did not improve its antifraud practices to rise to a higher fraud risk management maturity level, it put more than $319.5 million in ESG CARES Act funds at an increased risk of fraud.  Although a well-designed fraud risk management framework is not infallible regarding fraud and risks of fraud, it is a powerful tool that can enhance management decision making, strengthen HCD’s reputation, and reinforce its commitment to safeguard HUD funding with regulators and the public.  

We recommend that HUD instruct HCD to (1) establish a separate fraud risk management framework or evaluate and build upon its ERM framework by incorporating fraud risk management practices and (2) obtain training or technical assistance on the implementation of fraud risk management practices. 

Chief Financial Officers Council’s Antifraud Playbook; the U.S. Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government, also known as the Green Book; and GAO’s A Framework for Managing Fraud Risks in Federal Programs