GAO Highlights Gaps in SBA’s Fraud Detection During COVID-19 Relief Programs
A newly released March 2025 report by the U.S. Government Accountability Office (GAO), authored by Seto J. Bagdoyan, sheds light on serious shortcomings in the Small Business Administration’s (SBA) approach to preventing and detecting fraud in its COVID-19 relief programs. The report, GAO-25-107267, titled “COVID-19 Relief: Improved Controls Needed for Referring Likely Fraud in SBA’s Pandemic Loan Programs,” reveals that the SBA’s core fraud detection processes were implemented only after a majority of the relief funds were already disbursed.
Between 2020 and 2022, the SBA distributed more than $1 trillion in loans and grants through the Paycheck Protection Program (PPP) and the COVID-19 Economic Injury Disaster Loan (EIDL) program. GAO’s audit focused on SBA’s four-step process for managing fraud risk—automated screening, data analytics (including machine learning), manual review, and referral of likely fraud to the SBA Office of Inspector General (OIG). While this process was conceptually sound, its phased and delayed implementation rendered it largely ineffective. By the time SBA applied these controls, over 55% of COVID-19 EIDL and 66% of PPP funds had already been approved, significantly diminishing the ability to prevent fraud before it occurred.
Even after the implementation of these controls, GAO and SBA’s financial auditors identified significant weaknesses. SBA’s automated screening systems failed to consistently detect applicants on the Treasury Department’s Do Not Pay list, leading to the approval of loans to deceased individuals and others legally barred from receiving federal funds. Similarly, reliance on self-certification and a lack of timely access to IRS tax data hindered SBA’s ability to confirm applicant legitimacy and eligibility.
The report also criticizes the data referral process to the SBA OIG, finding it to be flawed and disorganized. Of the roughly 3 million flagged cases referred to the OIG, about 2 million were considered “not actionable” due to insufficient or erroneous data. The lack of a structured and effective referral protocol impeded potential criminal investigations and enforcement actions. GAO recommends that SBA work collaboratively with its OIG to establish a clear, standardized, and effective referral process for potential fraud.
Further, GAO draws attention to several instances where artificial intelligence tools were used but misapplied. For example, SBA’s use of machine learning to categorize loan forgiveness applications occurred after the loans had already been disbursed. Though useful for prioritizing manual reviews, this retroactive approach did not prevent fraudulent disbursement. SBA’s failure to develop AI safeguards and a formal inventory of its AI use cases, as required by federal guidelines, left the agency vulnerable to risks such as bias, misclassification, and missed red flags.
Importantly, GAO’s findings have broader implications for how emergency relief programs should be structured in the future. The report reiterates the importance of implementing fraud controls proactively, rather than reactively, and calls for stronger inter-agency data-sharing agreements, especially with agencies like the Social Security Administration. Additionally, GAO highlights the necessity of modernizing IT systems, building internal fraud analytics capacity, and designing systems that can be quickly adapted during crises.
This audit stands as a cautionary tale about the pitfalls of rapid deployment without adequate oversight. While the urgency of pandemic relief justified a certain amount of risk-taking, the sheer volume of preventable fraud—estimated by the SBA’s OIG to exceed $200 billion—underscores the importance of balancing speed with accountability. Moving forward, the SBA must invest in stronger, more responsive controls and take GAO’s recommendations seriously to avoid similar vulnerabilities in future federal programs.
This blog post is a summary of publicly available information and is not guaranteed to be accurate, comprehensive, or up to date. It does not constitute legal advice or create an attorney-client relationship. Readers should consult official sources or professional advisors before making any decisions based on this content.