Waste, fraud, and abuse | Norman...

Politicians in the US (at least on one side of the aisle) love to talk about “waste, fraud, and abuse”.

How big is it? Google AI tells us:

Estimates of the financial impact of waste, fraud, and abuse within the United States government and in specific sectors like healthcare reveal a significant drain on resources.

General Estimates of Government-Wide Waste, Fraud, and Abuse:

• • Fraud: The Government Accountability Office (GAO) estimates that the federal government loses between $233 billion and $521 billion annually due to fraud.
  • Improper Payments: Federal improper payment estimates have totaled approximately $2.8 trillion since FY 2003. This includes overpayments and payments lacking sufficient documentation, with overpayments accounting for a large portion of the reported improper payments.
  • FY24 Improper Payments: In fiscal year 2024, 16 agencies reported an estimated $162 billion in improper payments, with 75% of this amount concentrated in five program areas, including Medicare.

Healthcare Sector (Medicare and Medicaid):

• • Significant Losses: Fraud, waste, and abuse in the healthcare industry lead to substantial financial losses, estimated to be billions of dollars annually.
  • Medicare FWA: The Federal Department of Health and Human Services (HHS) spends approximately $830 billion annually on Medicare, with an estimated $30 to $110 billion attributed to fraud, waste, or abuse (FWA).
  • HCFAC Program Success: The Health Care Fraud and Abuse Control (HCFAC) Program, a joint effort by HHS and the Department of Justice (DOJ), has seen success in recovering funds. Over the last three years, they returned $4 for every $1 invested in recovery efforts.
  • AI for Fraud Detection: AI and machine learning models have been developed and successfully implemented for fraud detection, such as one used by CMS that identifies over $1 billion worth of suspect claims annually.

Specific Programs:

• • Pandemic Unemployment Insurance (UI): Estimates suggest that 11 to 15 percent of total benefits paid during the pandemic were fraudulent, totaling between $100 billion and $135 billion. The Department of Labor (DOL) Office of Inspector General (OIG) estimates that at least $191 billion in pandemic UI payments could have been improperly paid, with a significant portion potentially being fraud.

Note: While these estimates highlight the significant impact of waste, fraud, and abuse, they are often challenging to pinpoint precisely. The House Committee on the Budget notes that not all improper payments are due to fraud, and estimates may be conservative, particularly for newer and less documented programs.

Are these figures realistic?

Actual recoveries and prosecutions are minimal compared to the estimates.

Look at the estimate for Medicare FWA:

The Federal Department of Health and Human Services (HHS) spends approximately $830 billion annually on Medicare, with an estimated $30 to $110 billion attributed to fraud, waste, or abuse (FWA).

That’s 3.6% to 13.25%. A lot at the top end, with a mean of 8.425%.

It’s worth our consideration in audit planning.

Can we make a difference?

Again from Google AI:

On June 25, 2025, the Office of the Inspector General (“OIG”) of the U.S. Department of Health and Human Services (“HHS”) released a short video containing the highlights of the Medicaid Fraud Control Units (“MFCUs”) Annual Report for Fiscal Year 2024 (“2024 Annual Report”).

MFCUs—which investigate and prosecute statewide Medicaid provider fraud, and beneficiary abuse and neglect—recovered $1.4 billion in FY 2024, which equates to $3.46 for every $1 spent. Criminal recoveries were the highest amount in the past 10 years, $961 million, and more than double the rolling 5-year average. HHS OIG attributes this massive increase to the California MFCU, which recovered $513 million on its own.

So we have $30-$110 billion in estimated FWA, of which $1.4 billion was recovered.

$1.4 billion is a lot of money. But what about the rest of the $30-$110 billion?

There are possibilities:

• The estimate is way off.
• The MFCUs only looked at fraud and most of the number is waste. That would be consistent with what DOGE has reported: a lot of what they consider waste and next to no fraud.
• The MFCUs are inept or underfunded.
• A combination of the above.

Makes you wonder.

X

I want to make some assertions based on my experience.

1. Corporations suffer more from waste than either fraud or abuse, and there may be more abuse than fraud.
2. Risk and audit practitioners pay more attention to fraud than either waste or abuse.

I don’t think we spend enough time thinking about and addressing waste and abuse, especially waste, when the possibility to add value is greater there than in fraud.

While the Association of Fraud Examiners routinely estimates (in their annual Report to the Nations) that organizations lose 5% of revenue to fraud every year, I have never seen an organization where frauds that amount to that level were identified.

Frauds happen, but at 5% of revenue?

Again turning to Google AI:

The percentage of fraud cases that are actually discovered varies significantly depending on the type of fraud and the methods used for detection. Some estimates suggest that only a small percentage of frauds are found through audits, with one source stating it’s around 3%.

To me, that implies that either we are awful at detecting frauds, or the level of fraud is overblown.

But either way the level of waste and abuse is seriously overlooked.

Some examples:

• At one of my companies, when revenues were dropping and profits were hard to find, the CEO engineered a 10% across-the-board (regardless of risk and my related comments) headcount reduction. The board of directors gave him a million-dollar bonus for doing that (even though the company continued to bleed revenues, market share, and profits). WASTE AND ABUSE
• That CEO then approved a million-dollar upgrade to the executive office suite. WASTE AND ABUSE
• At that same company, the CEO of the largest business unit took his leadership team to Singapore, where not only did they hold meetings at one of the best and most expensive hotels, but they all stayed there in luxury as well. This was a violation of the company’s travel policy, which had contracts with nice but less expensive hotels in Singapore. But that executive didn’t care and nobody challenged him. Entitled arrogance. WASTE AND ABUSE
• Fragmentation of that company’s operations and leadership meant that they had fragmented IT systems (with every imaginable ERP that didn’t talk to each other) and IT leadership (every geography had its own CIO). WASTE
• When I was talking to the internal audit team at Cisco (a huge technology company) about the use of analytics in audit risk assessment and more, they told me the company had purchased pretty much every business analytics solution (each function wanted their own), with duplicate data warehouses, etc. WASTE
• When I was with Tosco Corporation, they acquired the Circle K business headquartered in Phoenix. Corporate management hired PwC to assess the Circle K culture. I never knew why, especially as much of the work was performed by junior consultants led by a manager from the audit side. I can only think that the PwC partner must been an excellent salesperson, because no insights were obtained and no actions taken. WASTE
• When I was discussing the integration of the internal audit functions with the Circle K CAE, he told me that the CIO had awarded a bonus to the IT project team for a recently completed financial system implementation. The condition for the bonus, according to targets set at the beginning of the year, was “completion”. The CAE found that the users were complaining because there were no reports, not even a general ledger trial balance. The bonuses had been paid, and the CAE was unable to get them clawed back because (according to the CIO) the system specifications didn’t identify any reports. The users said the system was not complete, but the CIO said it was. WASTE and probably ABUSE
• When we did an operational review in Human Resources at Home Savings of America, we found that one or two members of staff in Salary Administration were seriously overworked, while others were idle most of the day. I call that WASTE
• My team performed an audit of the sales contract review process and found that the two attorneys in London were so busy doing reviews that the executives were going to outside counsel for legal advice. My team found a way to improve the efficiency of the legal review process, reducing the cost of outside legal services. WASTE.

I am not sure that enough internal audit attention is paid to waste and abuse. I am talking about payments, for example, that had all the authorizations specified by corporate policies. Controls were followed. But the purchases should not have been made, they were bad business.

I also don’t think we spend enough time on efficiency.

Some internal auditors are excellent at asking if there is a better way to do something, even coming up with ideas and suggestions.

But others seem to think this is not our job.

It is.

If we know that there is a better way and the current practices are inefficient, we should make sure the appropriate level of management (and the board if necessary) know.

In fact, one of the things we should do is identify and share best practices when we see them. When I started at Tosco, my team was interviewed for the company newsletter. The editor asked them (without me present) what internal audit did. One of them, Debra Davies, said that we are like bees that go from flower to flower spreading pollen. In other words, we share great practices in one area with people in another.

People talk about internal auditing being the internal consultant.

I think that’s a great idea.

Once we have fulfilled our primary mission of providing assurance on the management of the more significant risks to the achievement of enterprise objectives, we should see where else we can add value.

An operational audit that uses techniques like Value Chain Analysis and Six Sigma can deliver huge value.

Actually, one that uses common sense is usually sufficient.

Where we see inefficiencies, waste, or abuse there is an opportunity for internal audit to make a difference.

Don’t say, “that’s not my job”.

What say you?