Sneak Preview: HHS Aims To Implement Controls In Response to PMS Fraud Concerns
(The following is excerpted from a recent Thompson Grants Compliance Expert article.) Although the Department of Health and Human Services (HHS) was unsure when it could take such steps “due to the posture of the federal government,” the agency agreed with a recent HHS Office of Inspector General (OIG) recommendation to implement a control environment for the Payment Management System (PMS) aimed at mitigating fraud risks in light of OIG’s finding that the system lacked controls to prevent $7.8 million in fraud.
PMS is one of the most widely used grants payment systems in the federal government, processing more than 499,000 transactions totaling some $860 billion in 2023. PMS provides grant payment and cash management services to all HHS agencies and several non-HHS agencies on a fee-for-service basis. OIG evaluated the systems’ controls in place from March 1, 2023, through March 31, 2024, to identify fraudulent transactions that occurred between those dates.
The Federal Managers’ Financial Integrity Act (Pub. L. 97-255) requires federal agencies to integrate risk management and internal control functions. The Standards for Internal Control in the Federal Government (i.e., the “Green Book”) (see ¶535 in the Module), published by the Government Accountability Office (GAO), requires managers to establish an internal control environment conducive to assessing risks and implementing mitigating controls. To help managers combat fraud and preserve integrity in government agencies and programs, GAO has developed A Framework for Managing Fraud Risks in Federal Programs. The framework identifies control activities to prevent, detect and respond to fraud, with an emphasis on prevention.
OIG found that prior to March 2023, HHS’ Program Support Center (PSC), which operates PMS, had not designed and implemented effective internal controls, including policies and procedures, to prevent fraudulent PMS transactions. In addition, PSC did not conduct adequate risk management, nor did it implement all the required cybersecurity controls available to protect the system.
(The full version of this story has now been made available to all for a limited time here.)
Join us for our following Thompson Grants event:
Thompson Grants Virtual Workshop: Audits 2025 | July 17, 2025 | Virtual Event
