GAO’s Warning Shot on Federal Awards: Documentation Gaps That Elevate Fraud, Waste, and Abuse Risk

GAO’s December 2025 report (GAO-26-107444) is best read as a governance and internal-control critique with direct downstream consequences for the contractor and assistance-recipient community. GAO evaluated federal award oversight across five programs that collectively sit within an environment of substantial new appropriations—about $227 billion provided to the five agencies under recent statutes—and asked a straightforward question: do agencies have documented policies and procedures that operationalize key requirements and leading practices to prevent fraud, waste, and abuse in awards (including grants, contracts, and loans)? GAO’s answer is that only the Federal Communications Commission’s Universal Service Program for Schools and Libraries (E-Rate) had documented procedures covering all nine identified requirements and leading practices; the other four programs GAO reviewed did not always incorporate them in documented policies and procedures.

The analytic frame matters. GAO anchored its nine items in the federal internal-control architecture—control environment, risk assessment, control activities, information and communication, and monitoring—and drew from GAO’s Fraud Risk Framework and OMB authorities such as Circular A-123, Appendix C (payment integrity), and the uniform guidance audit regime in 2 C.F.R. part 200. This is not a “best practices” suggestion box; GAO emphasizes that documentation is a necessary element of an effective internal control system, and OMB has reinforced agency expectations to adhere to Fraud Risk Framework leading practices.

Several findings carry practical implications for federal contractors and other award recipients because they predict where agencies will tighten administration. First, GAO highlights core risk-assessment discipline: E-Rate’s administrator documented both an entity-level risk profile and a program-specific fraud risk profile (including severity scoring) and set a cadence for fraud risk assessments, while other programs lacked program-level fraud risk profiles and/or documented schedules for periodic fraud risk assessments. Second, GAO flags missing “antifraud strategy” documentation in two programs: DOE’s H2Hubs and HHS’s Health Center Program. In both cases, officials described ongoing efforts or general agency policies, but GAO found the absence of a documented, program-tailored antifraud strategy (including articulated control activities) to be a control-design weakness. Third, GAO is explicit that agencies cannot contract away accountability: even where DOE characterized awardees as responsible for fraud-related policies, GAO reiterates that program managers retain primary responsibility for enhancing program integrity—an important signal that agencies may move toward more standardized recipient controls, more prescriptive award terms, and more direct monitoring. Finally, GAO underscores that monitoring and audit tools—risk-based monitoring, single audits, and recovery audits—must be considered and documented, citing (for example) Commerce’s lack of proactive evaluation of recovery audits for CHIPS as a missed opportunity to identify and recover overpayments as disbursements scale.

For federal contractors (and especially entities operating as pass-throughs, consortium leads, subrecipients, or hybrid recipients/contractors), the lesson is anticipatory compliance. Where agencies adopt GAO’s recommendations and close documentation gaps, recipients should expect: (1) increased front-end due diligence tied to fraud-risk profiles, (2) more frequent and better-instrumented monitoring, (3) stronger audit follow-up expectations, and (4) higher evidentiary demands to demonstrate allowability, reasonableness, internal controls, and fraud-awareness training. This is also a competitive differentiator: firms that can credibly map their internal controls and antifraud posture to the same five-component internal control model GAO used will be better positioned as agencies sharpen oversight.

Disclaimer: This article is for general informational purposes only, reflects a summary of a GAO report, and does not constitute legal advice. Readers should consult qualified counsel and the applicable solicitation/award terms, statutes, regulations, and agency guidance for advice on specific facts and compliance obligations.