Departments are required by law to develop and maintain governance structures, controls, and processes to safeguard resources and assets. A robust fraud risk framework helps to ensure that programs fulfill their intended purpose and that funds are spent effectively. HUD relies on public housing authorities (PHAs) to detect and prevent fraud, waste, and abuse in its housing programs. Therefore, we audited the New York City Housing Authority’s (NYCHA) fraud risk management maturity with the objective of assessing its fraud risk management practices for preventing, detecting, and responding to fraud when administering HUD‐funded programs. We chose NYCHA because it is HUD’s largest PHA, administering billions of dollars in HUD funding and because its programs receive over 25 percent of HUD’s rental assistance funding nationwide.
We found that NYCHA has established several antifraud controls, but its processes to mitigate fraud risks are largely reactive. NYCHA is actively taking steps to formalize a more proactive fraud risk management approach and is progressing toward a more mature antifraud program. We assessed NYCHA’s antifraud efforts against established best practices to determine the maturity of its fraud risk management practices, and found it to be at an “initial” maturity level. We found NYCHA does not have a comprehensive strategy or framework for identifying and responding to fraud risks. Specifically, it did not (1) assess fraud risks across NYCHA or develop a process to regularly conduct assessments to identify and rank fraud risks, (2) develop a response plan for fraud risks based on a fraud risk assessment, and (3) implement a process to monitor and evaluate the effectiveness of fraud risk management activities.
Due to the size and complexity of NYCHA, as well as its high fraud risk exposure, it should aim for a higher fraud risk maturity level. Without a comprehensive fraud risk management framework or antifraud strategy, HUD funding will continue to be at an increased risk of fraud, and NYCHA will not be positioned to understand how it can best improve its programs to detect fraud or potential fraud. Further, since HUD has not issued formal guidance to PHAs regarding its expectation of PHAs in assisting HUD with its responsibility to implement fraud risk management activities over HUD programs, it is likely that many PHAs have not implemented formal fraud risk management programs. As a result, HUD is missing a critical control using leading practices that could detect and prevent fraud and minimize fraud risk at the PHA level in the Office of Public and Indian Housing programs that spend approximately $38.5 billion annually on voucher and public housing programs, representing over 50 percent of HUD’s budget.
Recommendations
Public and Indian Housing
- Status2025-FO-1001-001-AOpenClosed
Develop a strategy to comprehensively assess and respond to fraud risks across NYCHA. The strategy should identify who within NYCHA is responsible for designing and overseeing activities to prevent and detect fraud. The strategy should also include how NYCHA will (1) assess fraud risks across NYCHA methodically and periodically, (2) create response plans for fraud risks that are identified, and (3) monitor and evaluate the effectiveness of fraud risk management activities. The strategy should also designate fraud risk responsibilities across NYCHA.
- Status2025-FO-1001-001-BOpenClosed
Based on the strategy, (1) complete an assessment of fraud risks across NYCHA, (2) create response plans for fraud risks that are identified, and (3) develop procedures to monitor and evaluate the effectiveness of fraud risk management activities.
- Status2025-FO-1001-001-COpenClosed
Assess whether HUD’s other extra-large PHAs have mature fraud risk management programs and use the assessment to develop a strategy to reduce the fraud risk exposure to HUD. The strategy should include working with extra-large PHAs to implement appropriate fraud mitigation activities.
- Status2025-FO-1001-001-DOpenClosed
Work with HUD’s Chief Risk Officer to issue a notice to all PHAs explaining that PHAs are responsible for fraud risk management and play a role in fulfilling HUD’s requirement to identify and mitigate fraud risks. This notice should clearly indicate that PHAs should implement fraud risk management, which includes (1) completing an assessment of fraud risks, (2) creating response plans for fraud risks that are identified, and (3) developing procedures to monitor and evaluate the effectiveness of fraud risk management activities.