We audited New York City (NYC) Department of Social Services (DSS) with the objective of evaluating DSS’ fraud risk management practices for its Emergency Solutions Grants Coronavirus Aid, Relief, and Economic Security Act (ESG CARES Act) funded activities and assessed the maturity of its efforts to prevent, detect, and respond to fraud.  Fraud within activities funded by the ESG CARES Act can lead to significant financial losses, reputational damage to the grantee and the United States Department of Housing and Urban Development (HUD), breach of fiduciary duty, and most importantly, loss of funding assistance for individuals and families who are homeless or receiving homeless assistance or other homelessness prevention activities.  A robust antifraud program will help ensure that pandemic grant funds, as well as grant funds allocated through annual appropriations, are put toward their intended uses, and that funds are spent effectively, and assets are safeguarded. 

Congress provided $4 billion for the ESG CARES Act program, which represented a 1,379 percent increase to the regular 2020 annual ESG appropriation.  Given the influx of funding, we initiated a series of audits examining ESG CARES Act grantees’ fraud risk management practices and evaluated whether selected ESG CARES Act grantees were adequately prepared to prevent, detect, and respond to fraud.  The DSS was selected because it was authorized more than $383 million in ESG CARES Act program funds, a 2,518 percent funding increase from its formula ESG allocation for fiscal year 2020. 

New York City Department of Social Services can improve its fraud risk management practices for ESG CARES Act funded activities.  We found that DSS did have several antifraud activities that could be expanded to include ESG CARES Act funded activities; however, it had not developed a comprehensive and formal fraud risk management framework to include a complete fraud risk assessment, development of a fraud risk profile, an antifraud strategy, and establishment of a monitoring and evaluation process to assess the effectiveness of its antifraud activities.  Based on the Chief Financial Officers Council’s Antifraud Playbook, we determined that DSS’ fraud risk management maturity, as it related to its ESG CARES Act funds, was between the initial and operational maturity levels, which is lower than the goal state for organizations who have high fraud exposure.  This occurred because DSS believed its fraud risk management practices generally followed the GAO’s Framework, that these practices were embedded into its existing policies and procedures, and were sufficient.  

HUD relies on its grantees to implement fraud risk activities and antifraud controls to protect the funding provided to carry out its programs.  Without maturing its fraud risk management practices, DSS cannot effectively protect the $383 million of HUD’s ESG CARES Act and ESG annual funding against fraud risks.  If DSS were to incorporate best practices, it could achieve a higher maturity level which would better protect the funds used to provide critical assistance that vulnerable beneficiaries rely on as well as protect against negative effects that fraud can have on an agency.  

 We recommend that the Director of HUD’s New York City Office of Community Planning and Development require DSS to (1) evaluate and enhance its fraud risk management activities by incorporating fraud risk management practices, and (2) obtain training or technical assistance on the implementation of fraud risk management practices.