January 22, 2026
Fighting fraud in government is not just a technical challenge — it is a leadership responsibility. That is the central message Rebecca Shea, Director of Forensic Audits and Investigative Services at the Government Accountability Office, delivers during her conversation on Fed Gov Today. Shea explains that while data analytics and controls matter, agencies that succeed in reducing fraud start by building the right culture and structure.
Shea points to GAO’s Fraud Risk Management Framework, issued in 2015, as the required “how-to guide” for agencies. The framework is not optional. It supports internal control standards known as the Green Book, aligns with the Payment Integrity Act, and is reinforced through Office of Management and Budget guidance. Together, these requirements make fraud risk management a core responsibility across government.
The framework consists of four components: commit, assess, design and implement, and evaluate and adapt. Shea describes these elements as a continuous cycle rather than a one-time exercise. The first step, commit, focuses on culture and structure. Agencies must set a clear tone at the top and throughout the organization that combating fraud matters. Leaders need to promote awareness and accountability while ensuring someone is clearly responsible for managing fraud risk activities. Without a designated individual or group advocating for resources, training, and assessments, fraud prevention efforts often get lost among competing priorities.
The second component, assess, involves regular fraud risk assessments and the development of a fraud risk profile. Shea explains that this process looks at inherent risks, existing controls, and an agency’s tolerance for fraud risk. While similar to other forms of risk management, fraud risk management operates at both enterprise and program levels. Agencies cannot dismiss program-level fraud risks simply because they do not rise to the enterprise level. Every risk must be managed appropriately where it occurs.
Design and implement, the third component, is where agencies put strategy into action. Shea describes this as the “meat” of internal controls. Agencies develop anti-fraud strategies informed by their risk assessments, deploy controls such as data analytics, and work collaboratively with offices of inspectors general. Importantly, success looks different depending on the program. Financial programs may measure savings and prevented losses, while non-financial programs, such as passport issuance, focus on national security risks avoided and improper actions prevented.
The final component, evaluate and adapt, ensures agencies are not investing in controls that fail to deliver results. Shea emphasizes measuring outcomes, whether financial, operational, or cultural. Culture, she notes, is difficult to measure but not impossible. Employee surveys, process reviews, and control testing can reveal gaps between leadership messaging and day-to-day realities. She also highlights emerging tools, including natural language processing, as new ways to assess whether agency communications truly reinforce an anti-fraud culture.
Looking ahead, Shea says GAO continues to examine how well agencies align with these leading practices. GAO looks for evidence of testing, adaptation, and growing maturity — especially in the area of deterrence. Deterrence, she notes, is the hardest outcome to measure but the most powerful. When agencies demonstrate strong controls, accountability, and follow-through, they send a clear message: the U.S. government is not an easy target for fraud.