HHS Aims To Implement Controls In Response to PMS Fraud Concerns

Jerry Ashworth
June 12, 2025 at 07:39:25 ET

Although the Department of Health and Human Services (HHS) was unsure when it could take such steps “due to the posture of the federal government,” the agency agreed with a recent HHS Office of Inspector General (OIG) recommendation to implement a control environment for the Payment Management System (PMS) aimed at mitigating fraud risks in light of OIG’s finding that the system lacked controls to prevent $7.8 million in fraud.

PMS is one of the most widely used grant payment systems in the federal government, processing more than 499,000 transactions totaling some $860 billion in 2023. PMS provides grant payment and cash management services to all HHS agencies and several non-HHS agencies on a fee-for-service basis. OIG evaluated the system's controls in place from March 1, 2023, through March 31, 2024, and identified fraudulent transactions that occurred between those dates.

The Federal Managers’ Financial Integrity Act (Pub. L. 97-255) requires federal agencies to integrate risk management and internal control functions. The Standards for Internal Control in the Federal Government (i.e., the “Green Book”) (see ¶535 in the Module), published by the Government Accountability Office (GAO), requires managers to establish an internal control environment conducive to assessing risks and implementing mitigating controls. To help managers combat fraud and preserve integrity in government agencies and programs, GAO has developed A Framework for Managing Fraud Risks in Federal Programs. The framework identifies control activities to prevent, detect and respond to fraud, with an emphasis on prevention.

Audit Findings

OIG found that prior to March 2023, HHS’ Program Support Center (PSC), which operates PMS, had not designed and implemented effective internal controls, including policies and procedures, to prevent fraudulent PMS transactions. In addition, PSC did not conduct adequate risk management, nor did it implement all the required cybersecurity controls available to protect the system.

“Specifically, PSC had not implemented effective internal controls to communicate fraudulent activity to stakeholders timely,” according to the audit. “Further, PSC’s risk management related to its business practices and information systems did not assess the risk of fraud. Finally, PSC did not implement some required cybersecurity controls, including conducting required tests, reviews and approvals, and performing timely mitigation of identified system weaknesses.”

OIG stated that these internal control weaknesses occurred because PSC’s control environment did not facilitate fraud mitigation and did not incorporate sufficient oversight. In addition, PSC also had high vacancy and turnover rates that hindered its ability to effectively implement some manual controls.

The audit details four fraudulent withdrawals from PMS totaling about $644,000 that occurred in March 2023. Because PSC did not take adequate steps at the time to mitigate the fraud, another $7 million in fraudulent withdrawals went unprevented over the next nine months. OIG explained that "bad actors were able to gain access to PMS by masquerading as grant recipients and requesting account changes, including changes to recipients' banking information."

Since the fraudulent activity was discovered in 2024, PSC has initiated some corrective actions and begun to take steps to address workforce planning issues. In March 2024, it began sending a system-generated email to grant awarding agencies and grant recipients notifying them that an “identity-harvesting campaign” had been waged against grant recipients. These email communications did not: (1) refer to any specific incidents; (2) ask users to examine their individual grant accounts to verify accuracy; or (3) ask users to contact PMS if any inaccurate account information was identified.

“Notifying stakeholders and customers of risks and the opportunities to mitigate those risks as quickly as is feasible should be a primary action for fraud management within an organization,” OIG explained. “The emails would have been more effective had they provided additional details regarding the fraud activity to all PMS customers and asked them to verify their account information.”

PMS staff told OIG that, after they learned of the fraudulent withdrawals, they updated the system’s information technology (IT) contingency plan to require an emailed notification to HHS OIG in the event of grant-related fraudulent activity. However, according to OIG, the plan update did not address the need to communicate such activity to PSC leadership or the grant community.

OIG also found that while multiple governmentwide policies require PSC to implement credentialed vulnerability scans of PMS, it failed to establish these cybersecurity controls. “Unmitigated security risks in [PMS] could also result in bad actors migrating to and exploiting other systems connected to the system to potentially steal or destroy the other systems’ data,” OIG explained.

Recommendations and Response

PSC agreed with the following OIG recommendations:

  • implement a control environment that includes fraud mitigation, in accordance with GAO's Green Book;
  • develop standard operating procedures that (1) specify how risk and vulnerabilities to PMS will be regularly assessed and tested, (2) include PMS information dissemination protocols that should be followed when a fraud incident is identified, and (3) specify verification processes for all bank accounts;
  • implement automated verification processes for bank account information changes;
  • finalize the bank account verification process with the Department of the Treasury for U.S.-based bank accounts;
  • conduct information system-level risk assessments that include integration of fraud risk in accordance with federal guidance for all PSC financial management systems; and
  • effectively implement controls for: (1) conducting required IT system vulnerability scans, reviews and approvals; and (2) performing timely mitigation of Payment System weaknesses.
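The fraud pattern OIG describes (an attacker posing as a grant recipient changes the payee's bank account, then requests a withdrawal) and the recommended countermeasures (verification of bank account changes, and specific notification to affected recipients) can be expressed as a small payment-release control. The following is an added example written for this page; it is not code from the OIG report, PSC or PMS. The event shapes, the three-day cooling-off period, the meaning of "verified out of band" and all sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example, not PMS code. Policy parameters below are assumptions.
COOLING_OFF = timedelta(days=3)  # assumed: hold even verified changes briefly so the notice to the recipient can land


@dataclass(frozen=True)
class BankChange:
    recipient: str
    requested_at: datetime
    new_account: str
    verified: bool  # assumed: confirmed out of band (callback to contact on file, Treasury account validation)


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    requested_at: datetime
    amount: float
    account: str


def latest_change(changes, withdrawal):
    """Most recent bank change that set this withdrawal's destination account before it was requested, or None."""
    candidates = [
        c for c in changes
        if c.recipient == withdrawal.recipient
        and c.new_account == withdrawal.account
        and c.requested_at <= withdrawal.requested_at
    ]
    return max(candidates, key=lambda c: c.requested_at) if candidates else None


def decide(changes, withdrawal):
    """Return ('release', reason) or ('hold', reason) for one withdrawal request."""
    change = latest_change(changes, withdrawal)
    if change is None:
        return "release", "destination account unchanged"
    age = withdrawal.requested_at - change.requested_at
    if not change.verified:
        # The pattern from the audit: changed banking details, then a withdrawal, with no verification.
        return "hold", f"bank account changed {age.days} day(s) ago and not verified out of band"
    if age < COOLING_OFF:
        return "hold", f"verified change is only {age.days} day(s) old; inside cooling-off period"
    return "release", "bank change verified and outside cooling-off period"


def change_notice(change):
    """Recipient-specific notice: what changed, when, and what to do if the recipient did not request it."""
    return (
        f"Recipient {change.recipient}: the bank account on your PMS profile was changed on "
        f"{change.requested_at:%Y-%m-%d} to an account ending in {change.new_account[-4:]}. "
        f"If you did not request this change, contact PMS immediately."
    )


# Constructed sample events (not from the OIG report).
CHANGES = [
    BankChange("GRANT-001", datetime(2023, 3, 2), "111122223333", verified=False),   # unverified change
    BankChange("GRANT-002", datetime(2023, 3, 1), "444455556666", verified=True),    # verified, recent
    BankChange("GRANT-003", datetime(2023, 1, 10), "777788889999", verified=True),   # verified, old
]
WITHDRAWALS = [
    Withdrawal("GRANT-001", datetime(2023, 3, 6), 150000.0, "111122223333"),
    Withdrawal("GRANT-002", datetime(2023, 3, 2), 20000.0, "444455556666"),
    Withdrawal("GRANT-003", datetime(2023, 3, 5), 8000.0, "777788889999"),
    Withdrawal("GRANT-004", datetime(2023, 3, 5), 5000.0, "000000000000"),  # no change on file
]


def run(changes=CHANGES, withdrawals=WITHDRAWALS):
    """Decide every withdrawal; keyed by recipient because the sample has one request each."""
    return {w.recipient: decide(changes, w) for w in withdrawals}


if __name__ == "__main__":
    for recipient, (action, reason) in run().items():
        print(f"{recipient}: {action.upper()} ({reason})")
    for c in CHANGES:
        print(change_notice(c))
```

Running it holds GRANT-001 (unverified change four days before the withdrawal) and GRANT-002 (verified but only one day old), and releases GRANT-003 and GRANT-004. The notice text deliberately names the recipient, the date and the account tail, which is the specificity OIG said the March 2024 emails lacked.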

“We are in the process of integrating these recommendations into our operational framework to further strengthen the PMS and ensure continued compliance with the highest standards of security and operational excellence,” PSC officials said.

For More Information

The OIG report is available at https://oig.hhs.gov/documents/audit/10333/A-18-24-03700.pdf.