Guide on Managing Fraud Risks at the Office of the Auditor General of Canada

Introduction

Fraud can happen in any organization. Fraud in a federal government organization can cause the loss of public money or property, hurt employee morale, and undermine Canadians’ confidence in public services. Therefore, federal organizations must manage their fraud risks.

A proactive approach to managing fraud risk is one of the best steps organizations can take to mitigate exposure to fraudulent activities. Although it is most likely not possible or economical to completely eliminate all fraud risk, organizations can take proactive and constructive steps to reduce their exposure. The combination of effective fraud risk governance, a thorough fraud risk assessment, and strong fraud prevention and detection measures, along with coordinated and timely investigations and corrective actions, can significantly mitigate fraud risks.

The Office of the Auditor General (OAG) developed a comprehensive Fraud Risk Management Framework inspired by Managing the Business Risk of Fraud: A Practical Guide, issued by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners. This Framework guides the OAG in implementing best practices to identify, address, and manage its fraud risks.

This guide clarifies how the different components and key players contribute, directly or indirectly, to the fraud risk management of the OAG. Further details are provided in the annexes; for example, roles and responsibilities (Annex A).

Fraud Risk Management Framework at the Office of the Auditor General of Canada

Managing internal and external fraud risks at the OAG

Overview of the Fraud Risk Management Framework of the Office of the Auditor General of Canada

This chart provides an overview of the Fraud Risk Management Framework at the Office of the Auditor General of Canada. It shows how the Office manages internal and external fraud risks.

The chart first defines fraud risk and fraud and provides examples of fraud. Fraud risk is the risk of various types of fraud an organization could face from internal and/or external sources. Fraud is an intentional act by one or more individuals among employees, management, those charged with governance (internal), or third parties (external) involving the use of deception to obtain an unjust or illegal advantage. The three primary categories of internal fraud are corruption, asset misappropriation, and financial statement fraud. The following are examples of fraud:

  • Employees misusing influence in transactions for benefit (internal)
  • Vendors billing for goods/services not received (external)
  • Employees accepting bribes or benefits to act (internal)
  • Employees providing sensitive information to outside parties for gain (internal)

The definitions and examples are the introduction to the Office’s Fraud Risk Management Framework, the first four parts of which are then listed.

The first part of the framework consists of the governance over fraud risks, which involves a governance structure that sends a message that fraud is not tolerated. This part includes the following sections:

  • 1.1: Oversight
  • 1.2: Internal Specialist, Values and Ethics
  • 1.3: Values and ethics code
  • 1.4: Conflict of interest and post-employment guidance
  • 1.5: Risk-based internal audit plan
  • 1.6: Process to investigate fraud allegations
  • 1.7: Fraud Prevention Policy

The second part consists of the fraud risk assessment, which is a process to identify and address vulnerabilities to internal/external fraud. This part includes the following sections:

  • 2.1: Conduct a Fraud Risk Assessment that includes best practices
  • 2.1.1: Identify fraud risks without considering controls (that is, inherent)
  • 2.1.2: Assess likelihood and impact of identified fraud risks
  • 2.1.3: Map controls that mitigate the identified risks (preventive/detective)
  • 2.1.4: Evaluate whether controls are working effectively
  • 2.1.5: Evaluate residual fraud risks
  • 2.1.6: Considering risk tolerance, respond to residual fraud risks
  • 2.1.7: Periodically review the Fraud Risk Assessment

The third part consists of controls to prevent and detect fraud, which involves the design and implementation of processes, procedures, and activities to address identified fraud risks. This part includes the following sections:

  • 3.1: Fraud prevention
  • 3.1.1: Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time
  • 3.1.2: Conflict of interest (COI): Mitigate conflicts of interest
  • 3.1.2.1: Effective management of the declarations of COI
  • 3.1.2.2: Employee declarations done whether or not employees have a conflict of interest
  • 3.1.2.3: Service standards to respond to declared conflicts of interest
  • 3.1.2.4: Reporting
  • 3.1.3: Controls designed to prevent fraudulent activities
  • 3.2: Fraud detection
  • 3.2.1: Mechanism to report fraud (see Section 4.1)
  • 3.2.2: Controls designed to detect fraudulent activities

The fourth part consists of investigations of fraud allegations, which involves a thorough approach to manage fraud allegations and investigations. This part includes the following sections:

  • 4.1: Mechanism to report fraud
  • 4.2: Formal approach to address allegations of fraud
  • 4.2.1: Assessment of the allegations of fraud
  • 4.2.2: Investigation of the allegations of fraud
  • 4.2.3: Monitoring of the allegations of fraud
  • 4.2.4: Corrective actions
  • 4.2.5: Reporting on the allegations of fraud

All four parts connect to the fifth, and final, part of the framework, which is the continuous improvement of the Fraud Risk Management Framework.

1. Governance over fraud risks

The Office of the Auditor General of Canada’s (OAG’s) governance over fraud risk management is an important part of the Fraud Risk Management Framework. It sends the message that fraud is not tolerated through the seven elements described below.

1.1 Oversight

The Executive Committee is involved in key aspects of fraud risk management, such as determining the OAG’s risk tolerance for fraud and discussing fraud risks and related assessment in the context of the annual Fraud Risk Assessment (Section 2). The Executive Committee also receives the following key annual reports:

The OAG has an independent audit committee. The Audit Committee plays an active role in the oversight of the OAG Fraud Risk Management Framework, including values and ethics, conflicts of interest, assessment of fraud risks and related controls, fraud allegations, and investigations. The Audit Committee receives updates and reports on the same topics as those listed above that are presented to the Executive Committee.

The Audit Committee Charter reflects the responsibilities of the Audit Committee regarding fraud risk management.

1.2 Internal Specialist, Values and Ethics

The OAG’s Internal Specialist, Values and Ethics, is responsible for responding to questions from employees on values and ethics, and conflicts of interest (COI). The Internal Specialist also receives and manages exception reports where threats to independence and objectivity have been identified in the audit-specific Independence Confirmation and reviews matters declared through the OAG’s annual Confidential Declaration process. Each year, the Internal Specialist, Values and Ethics, provides a report to the Executive Committee and to the Audit Committee.

Further details on mitigating conflicts of interest are provided in Section 3.1.2 of this guide.

1.3 Values and ethics code

The OAG has its own Code of Values, Ethics and Professional Conduct. This code sets out expectations with respect to values, ethics, conflicts of interest, and professional conduct for employees, consultants, and contractors. All those who perform work for or on behalf of the Office are required to comply with this code and the Values and Ethics Code for the Public Sector.

The Human Resources group has responsibility for this code and is supported by Legal Services.

1.4 Conflict of interest and post-employment guidance

The OAG’s Code of Values, Ethics and Professional Conduct contains guidance on conflicts of interest and post-employment (see Section 1.3).

1.5 Risk-based internal audit plan

The OAG’s risk-based internal audit plan is developed annually by the Practice Review and Internal Audit (PRIA) group. The plan covers a three-year period. Fraud risks are considered during that process, in accordance with the Institute of Internal Auditors standards. In addition, an assessment of fraud risks is conducted when planning each internal audit engagement.

1.6 Process to investigate fraud allegations

The OAG has established a process to investigate fraud allegations. This process and the key players are detailed in Section 4 of this guide.

1.7 Fraud Prevention Policy

The OAG’s Fraud Prevention Policy can be found in Annex D.

The objectives of this policy include

The Chief Financial Officer is responsible for the policy, including assessing the effectiveness and application of the policy, with assistance from the Internal Specialist for Fraud.

2. Fraud Risk Assessment

2.1 Conduct a Fraud Risk Assessment that includes best practices

The Fraud Risk Assessment (FRA) is a process that allows organizations to identify and address internal and external fraud vulnerabilities. At the Office of the Auditor General of Canada (OAG), the FRA is integrated in the annual corporate risk assessment process, which is a key element of the annual strategic planning exercise. The FRA is the responsibility of the Chief Financial Officer (CFO) and the Internal Specialist for Fraud.

The Internal Specialist for Fraud assists the service and practice leaders in their risk assessments, and reviews the risk assessment of each service and practice to ensure that the key fraud risks have been properly identified, assessed, and addressed when required. The Internal Specialist for Fraud also assesses the OAG’s control environment with regard to fraud risks, using the OAG Fraud Prevention and Detection Scorecard (Annex C.2). As part of those procedures, the Internal Specialist for Fraud reports results and conclusions to the CFO, who certifies the adequacy of the Office’s FRA (Annex C) and reports to the Audit Committee and to the Executive Committee.

The OAG Fraud Risk Assessment approach incorporates the best practices described in sections 2.1.1 to 2.1.7, an approach inspired by Managing the Business Risk of Fraud: A Practical Guide (issued by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners).

2.1.1 Identify fraud risks without considering controls (that is, inherent)

The population of inherent fraud risks that could apply to the OAG is identified. This process includes the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and information technology (IT) fraud risks specific to the organization.

2.1.2 Assess likelihood and impact of identified fraud risks

The relative likelihood and potential significance of identified fraud risks are assessed based on historical information, known fraud schemes, and discussions with individuals involved in business processes.

2.1.3 Map controls that mitigate the identified risks (preventive/detective)

The fraud risks and schemes are mapped to relevant controls.

2.1.4 Evaluate whether controls are working effectively

The relevant controls identified are evaluated for design effectiveness and tested periodically within a reasonable time frame to validate operating effectiveness, in order to determine if they are reducing the inherent fraud risks.

2.1.5 Evaluate residual fraud risks

The residual risks are identified, after consideration of effective controls.

2.1.6 Considering risk tolerance, respond to residual fraud risks

Taking into consideration the organization’s risk tolerance to fraud, a fraud risk response is developed, usually in the form of an action plan. The response addresses the residual fraud risks and weighs the cost of implementing additional controls or specific fraud detection procedures against their benefits.

2.1.7 Periodically review the Fraud Risk Assessment

The Fraud Risk Assessment is reviewed annually during the strategic planning exercise and results are reported as part of that process.

3. Controls to prevent and detect fraud

The controls to prevent and detect fraud represent the processes, procedures, and activities addressing identified fraud risks. These controls are designed and implemented to reduce fraud risks.

As part of the Office of the Auditor General of Canada’s (OAG’s) annual Fraud Risk Assessment, specific controls to reduce fraud risk are identified. The design and implementation of those controls are also tested periodically. The identification and testing of controls is a key step to determine whether current controls are sufficient and appropriate to prevent and detect fraud and to take corrective actions, as necessary.

Sections 3.1 and 3.2 highlight some examples of fraud prevention and fraud detection controls.

3.1 Fraud prevention

3.1.1 Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time

All employees at the OAG must take training on values, ethics, and conflicts of interest within a specific time frame. This helps to ensure that employees understand the ethical behaviour expected of them, and the potential conflicts of interest and independence threats that they may face. The Code of Values, Ethics and Professional Conduct is a key element of the Fraud Risk Management Framework. Mandatory training on these aspects helps the OAG provide a strong tone from the top. On an ongoing basis, the Office reassesses its need for mandatory training, considering different factors, including risks.

The services and audit practices communicate their training needs to the Internal Specialist for Fraud. Those needs are considered, reassessed, and prioritized as part of the OAG Strategic Plan in Relation to Fraud, which includes the development and delivery of targeted fraud training, some of which may be mandatory.

Professional Development monitors the timely completion of mandatory training and reports results to the Executive Committee and to the Audit Committee.

3.1.2 Conflict of interest: Mitigate conflicts of interest

3.1.2.1 Effective management of the declarations of conflicts of interest

The OAG has a comprehensive process in place to manage declarations of potential and actual conflicts of interest.

Human Resources (HR) is responsible for the annual Confidential Declaration process. HR ensures that employees complete their declaration forms annually.

The Internal Specialist, Values and Ethics, is responsible for assessing matters declared by employees, including potential conflicts of interest or threats to independence, through the annual Confidential Declaration process or the independence confirmation required for each audit assignment.

With respect to the annual Confidential Declaration, the Internal Specialist, Values and Ethics, logs the cases where employees have declared assets, liabilities, or other interests that they believe can give rise to a real or perceived conflict of interest. This log also identifies the cases where, based on risk, a follow-up on the implementation measures was done. The log supports the management of conflicts of interest and threats to independence or objectivity that are declared by OAG staff.

The Internal Specialist, Values and Ethics, reviews, approves, and logs exception reports prepared by audit staff and signed by the engagement leader. The log kept by the Internal Specialist, Values and Ethics, contains key information about each exception declared, including when the matter was declared and when the OAG management and the Internal Specialist, Values and Ethics, agreed to the identified mitigation strategy.

3.1.2.2 Employee declarations done whether or not employees have a conflict of interest

Each employee must complete the annual Confidential Declaration to confirm whether or not the employee has a conflict of interest. HR monitors the timely submission of those declarations and reports results to the Executive Committee and to the Audit Committee. When an employee has declared a real or perceived conflict of interest, HR provides the declaration form to the Internal Specialist, Values and Ethics, for review, further action, and follow-up where appropriate.

In addition, all audit team members must complete an Independence Confirmation form when they begin an audit assignment. If the audit team member identifies a threat to his or her independence or objectivity, an Exception Report must be completed, and mitigation measures must be identified that will reduce the threat to an acceptable level. The effective application of the Independence Confirmation process is monitored through regular practice reviews.

3.1.2.3 Service standards to respond to declared conflicts of interest

The OAG has service standards for the Internal Specialist, Values and Ethics, for responding in a timely manner to declared conflict of interest and exception reports. The performance against these standards is reported to the Executive Committee and to the Audit Committee by the Internal Specialist, Values and Ethics.

3.1.2.4 Reporting

Each year, the Internal Specialist, Values and Ethics, reports to the Executive Committee and to the Audit Committee on conflict-of-interest declarations and on threats to independence or objectivity.

3.1.3 Controls designed to prevent fraudulent activities

Under the responsibility of the Chief Financial Officer and the Comptroller, the OAG maintains a risk-based system of internal controls over financial management. These controls are assessed for design and operating effectiveness on a rotational basis. Control assessment work is performed by various key players, such as the external auditors and the Comptroller’s Group. In addition, the Practice Review and Internal Audit (PRIA) group conducts audits and considers fraud risks as part of its risk-based audit plans.

See Annex C.2 for examples of fraud prevention controls.

3.2 Fraud detection

3.2.1 Mechanism to report fraud

As indicated in the OAG’s Fraud Prevention Policy, the Office has an open-door policy for reporting suspected fraud. Section 4.1 of this guide describes how to report a suspected fraud at the OAG.

3.2.2 Controls designed to detect fraudulent activities

As mentioned in Section 3.1.3, the OAG maintains a risk-based system of internal controls over financial management. As part of this system, the Comptroller’s Group conducts data mining and data analytics activities, in collaboration with the data analytics team and the Internal Specialist for Fraud.

See Annex C.2 for examples of fraud detection controls.

4. Investigations of fraud allegations

Tips are the most common fraud detection method, accounting for close to 40 percent of all detected frauds. Organizations need a thorough approach to manage and investigate fraud allegations, including those received through tips.

At the Office of the Auditor General of Canada (OAG), a mechanism is in place to solicit and receive information on potential fraud, and a formal approach is used to help ensure that potential fraud is addressed appropriately and in a timely manner.

4.1 Mechanism to report fraud

As mentioned in the OAG’s Fraud Prevention Policy, any suspected fraud must be reported immediately. The OAG promotes an open-door policy for reporting suspected fraud and has implemented secure, non-retaliating, and confidential channels for individuals to report suspected fraud. The OAG employees may report suspected fraud to any of the following:

The CFO is responsible for the coordination and the uniform application of the mechanism to report suspected fraud through the open-door approach.

4.2 Formal approach to address allegations of fraud

A formal approach has been established to assess, investigate, monitor, take corrective actions, and report on allegations of fraud.

The CFO manages all fraud allegations and oversees the investigation process, with the support of the Internal Specialist for Fraud. The CFO consults, as needed, the Departmental Security Officer (DSO), Legal Services, Human Resources, and the Internal Specialist, Values and Ethics. The CFO monitors compliance with the formal approach.

The approach is intended to provide a prompt, competent, and confidential evaluation, review, investigation (where necessary), and resolution of fraud allegations.

4.2.1 Assessment of the allegations of fraud

Fraud allegations are managed and assessed by the CFO, with the support of others as needed. The allegations are discussed in a manner that protects confidentiality. Depending on the severity of the fraud allegation, other internal services may need to be consulted.

4.2.2 Investigation of the allegations of fraud

Investigations of fraud allegations are conducted, when necessary, following the OAG Policy on Workplace Investigations. The CFO acts as the senior officer for fraud investigations as defined in that policy.

4.2.3 Monitoring of the allegations of fraud

The monitoring of fraud allegations includes maintaining a log of the allegations with sufficient information to track the status and the outcome of allegations. As well, appropriate and sufficient information is kept on file to support the evaluation of unfounded allegations.

4.2.4 Corrective actions

Corrective actions are taken when appropriate, such as disciplinary actions.

As part of the formal approach for addressing fraud allegations, the identification of root causes may identify similar situations that exist elsewhere in the organization. In these cases, the CFO determines whether there is a need to enhance certain internal controls or re-engineer certain business processes to reduce or remove the opportunity for similar incidents in the future.

The CFO considers the potential impact of the corrective actions and the message they may send to employees, the public, stakeholders, and others.

The CFO monitors the implementation of actions recommended to mitigate future incidents.

4.2.5 Reporting on the allegations of fraud

The CFO reports to the Executive Committee and to the Audit Committee on the management of fraud allegations, including key information such as the status and the outcome of the allegation, the resolution time, and the implementation of corrective actions.

5. Continuous improvement of the Fraud Risk Management Framework

The changing environment in which organizations operate requires an ongoing reassessment of fraud exposures and responses.

The Chief Financial Officer (CFO) and the Internal Specialist for Fraud are responsible for monitoring the Fraud Risk Management Framework and making improvements where needed. This is done on an ongoing basis (see Annex B).

The CFO, with the support of the Internal Specialist for Fraud, is also responsible for assessing whether the Office of the Auditor General of Canada’s (OAG’s) Fraud Risk Management Framework is meeting its objectives and for making changes as necessary. This is done at least every three years.

The results of these assessments are communicated in a report to the Executive Committee and to the Audit Committee.

Fraud Risk Management Tools

The following are the main tools that the Office of the Auditor General of Canada (OAG) uses to manage its fraud risks.

Annex A: Roles and Responsibilities

This table outlines who is accountable as Lead (L) or Support (S) for each key element of the OAG Fraud Risk Management Framework. It does not list all parties who are or could be involved in each key element.

Section | Key elements of the Framework | AC | CFO | ISF | EC | PRIA | Mgmt | ISVE | DSO | Legal | HR | PD

Legend:

AC: Audit Committee

CFO: Chief Financial Officer

DSO: Departmental Security Officer

EC: Executive Committee

HR: Human Resources

ISF: Internal Specialist for Fraud

ISVE: Internal Specialist, Values and Ethics

Legal: Legal Services

Mgmt: Management

PD: Professional Development

PRIA: Practice Review and Internal Audit

1. Governance over fraud risks
1.1 Oversight L L
1.2 Internal Specialist, Values and Ethics L
1.3 Values and ethics code S L
1.4 Conflict of interest and post-employment guidance S L
1.5 Risk-based internal audit plan L
1.6 Process to investigate fraud allegations (see Section 4) L S
1.7 Fraud Prevention Policy (Annex D) L S S
2. Fraud Risk Assessment L S S S
3. Controls to prevent and detect fraud
3.1 Fraud prevention
3.1.1 Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time S L
3.1.2 Conflict of interest (COI): Mitigate conflicts of interest S L L
3.1.3 Controls designed to prevent fraudulent activities L S S S S
3.2 Fraud detection
3.2.1 Mechanism to report fraud (see Section 4.1) L
3.2.2 Controls designed to detect fraudulent activities L S S S S
4. Investigations of fraud allegations
4.1 Mechanism to report fraud L
4.2 Formal approach to address allegations of fraud L S
5. Continuous improvement of the Fraud Risk Management Framework L S

Annex B: Monitoring work plan for the Internal Specialist for Fraud

This document serves as a work plan for the Internal Specialist for Fraud to monitor the proper application of the OAG Fraud Risk Management Framework.

This document shows

Internal Specialist for Fraud—Monitoring Schedule by Month
Section | Item | Done by | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec | AR/C

Legend:

AC: Audit Committee

AR/C: As required or continuous

CAE: Chief Audit Executive

CFO: Chief Financial Officer

EC: Executive Committee

HR: Human Resources

ISF: Internal Specialist for Fraud

ISVE: Internal Specialist, Values and Ethics

PD: Professional Development

PRIA: Practice Review and Internal Audit

1. Governance over fraud risks
1.1 Oversight
Providing oversight of the Fraud Risk Management Framework, including the Fraud Risk Assessment AC X
Determining the risk tolerance to fraud EC X
Discussing fraud risks and the Fraud Risk Assessment EC X
1.2 Internal Specialist, Values and Ethics
Reporting activities annually to the Audit Committee (in collaboration with HR) ISVE X
1.3 Values and ethics code
Ensuring that the values and ethics code is reviewed as required HR X
1.4 Conflict of interest and post-employment guidance (see Section 1.3) HR X
1.5 Risk-based internal audit plan CAE X
1.6 Process to investigate fraud allegations is implemented (see Section 4) CFO X
1.7 Fraud Prevention Policy (Annex D)
Periodic assessment of the effectiveness and application of the policy CFO X
Policy review CFO X
2. Fraud Risk Assessment
2.1 Conduct a Fraud Risk Assessment that includes best practices
Assisting the service and practice leaders with the Fraud Risk Assessment process ISF X
Reviewing annually the risk assessments of each service and practice leader to ensure that best practices are followed, as described in sections 2.1.1 to 2.1.7 ISF X
Ensuring follow-up on the status of the implementation of the remediation plans ISF X
Assessing the OAG control environment with regard to fraud risks, using the Fraud Prevention and Detection Scorecard (Annex C.2) ISF X
Compiling and concluding on the results of the Fraud Risk Assessment ISF X
Certification on the adequacy of the Office’s Fraud Risk Assessment (Annex C) CFO/ISF X
Reporting the compiled results and conclusions of the Fraud Risk Assessment to the Executive Committee CFO/ISF X
Reporting the compiled results and conclusions of the Fraud Risk Assessment to the Audit Committee CFO/ISF X
3. Controls to prevent and detect fraud
3.1 Fraud prevention
3.1.1 Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time
Monitoring timely participation in mandatory training on values and ethics and COI PD X
Reporting results to the Executive Committee PD X
Reporting results to the Audit Committee PD X
Reassessing the fraud training needs and priorities as part of the Strategic Plan in Relation to Fraud ISF X
3.1.2 Conflict of interest (COI): Mitigate conflicts of interest
3.1.2.1 Effective management of the declarations of COI
Maintaining comprehensive log ISVE X
3.1.2.2 Employee declarations done whether or not employees have a conflict of interest
Monitoring of annual declarations HR X
Referring cases, including exceptions, to Internal Specialist, Values and Ethics HR X
Reporting results to the Executive Committee HR X
Reporting results to the Audit Committee HR X
Monitoring of exception reports ISVE X
Monitoring effective application of the Independence Confirmation process (practice reviews) PRIA X
3.1.2.3 Service standards to respond to declared COI
Monitoring and reporting on performance against service standards ISVE X
3.1.2.4 Reporting
Reporting on conflict-of-interest declarations and threats to independence and objectivity to the Executive Committee ISVE X
Reporting on conflict of interest declarations and threats to independence and objectivity to the Audit Committee ISVE X
3.1.3 Controls designed to prevent fraudulent activities CFO X
Performing control assessment work (Internal Control over Financial Reporting (ICFR)) CFO and Comptroller X
Ensuring internal audits include some control testing PRIA X
3.2 Fraud detection
3.2.1 Mechanism to report fraud (see Section 4.1)
3.2.2 Controls designed to detect fraudulent activities CFO X
Performing control assessment work (ICFR) CFO and Comptroller X
Ensuring internal audits include some control testing PRIA X
Monitoring through data analytics and data mining CFO and Comptroller X
4. Investigations of fraud allegations
4.1 Mechanism to report fraud
Receiving allegations as part of the open-door approach in the Fraud Prevention Policy CFO X
Coordination and monitoring of uniform application of the fraud reporting mechanism through the open-door approach CFO X
4.2 Formal approach to address allegations of fraud
4.2.1 Assessment of the allegations of fraud
Ensuring that allegations of fraud are managed CFO X
Ensuring that allegations of fraud are assessed and involve key players as necessary CFO X
Ensuring that key players, such as the Internal Specialist for Fraud, the Departmental Security Officer, Legal Services, Human Resources, or the Internal Specialist, Values and Ethics, are involved when needed CFO X
4.2.2 Investigation of the allegations of fraud
Ensuring that investigations of allegations of fraud are conducted following the Policy on Workplace Investigations CFO X
4.2.3 Monitoring of the allegations of fraud
Monitoring of the allegations of fraud, including maintaining a log of the allegations with sufficient information to track the status and the outcome of allegations. As well, sufficient information is retained to justify the evaluation of unfounded allegations. CFO/ISF X
4.2.4 Corrective actions
Ensuring that corrective actions are taken when appropriate (for example, disciplinary actions or enhancements to internal controls or processes to reduce or remove the opportunity for similar incidents in the future) CFO X
Monitoring the implementation of actions recommended to mitigate future incidents CFO X
4.2.5 Reporting on the allegations of fraud
Reporting to the Executive Committee and to the Audit Committee on the management of fraud allegations CFO X
5. Continuous improvement of the Fraud Risk Management Framework
Monitoring the Framework and making improvements where needed CFO/ISF X
Assessing if the Fraud Risk Management Framework is meeting its objectives and making changes as necessary CFO/ISF X
Communicating the results to the Executive Committee CFO X
Communicating the results to the Audit Committee CFO X

Annex C: Annual Certification on the Adequacy of the Office’s Fraud Risk Assessment

This certification is completed each year by the Internal Specialist for Fraud and the Chief Financial Officer (CFO).

Context:

As part of the Office’s annual risk assessment process, each senior manager who is responsible for a function

As part of this process, the Internal Specialist for Fraud

The Internal Specialist for Fraud also assesses the OAG control environment for fraud risk management, using the Fraud Prevention and Detection Scorecard (Annex C.2).

As part of those procedures, the Internal Specialist for Fraud reports results to the CFO, who certifies the adequacy of the Office’s Fraud Risk Assessment.

Certification:

As the Internal Specialist for Fraud, I confirm that I have reviewed the Risk Assessment of each service and practice leader to ensure that the key fraud risks have been properly identified, assessed, and addressed when required. I have also assessed the control environment for fraud risk management.

As the CFO, I certify the adequacy of the Office’s Fraud Risk Assessment.

Key Observations and Conclusion:

1) Results of Fraud Risk Assessments:

2) Control Environment:

Signature
Internal Specialist for Fraud

Date

Signature
Chief Financial Officer

Date

Annex C1: Detailed Cumulative Fraud Risk Assessment

This Detailed Cumulative Fraud Risk Assessment supports the Annual Certification on the Adequacy of the Office’s Fraud Risk Assessment (Annex C).

Detailed Cumulative Fraud Risk Assessment spreadsheet
Text version

This spreadsheet is to be filled out when conducting a detailed cumulative fraud risk assessment. The spreadsheet includes the following categories:

  • Risk number
  • Scenario number
  • Scheme types
  • Function
  • Main activities/processes
  • Business owner
  • Original 2017 risk statement
  • Link to strategic objectives
  • Fraud risk scenario description
  • Inherent risk likelihood (low, medium, high, or very high)
  • Inherent risk impact (low, medium, high, or very high)
  • Inherent risk level (normal to very high)
  • Preventive controls
  • Detective controls
  • Corrective controls
  • Control effectiveness assessed
  • Residual risk level (normal to very high)
  • Rationale for residual risk level
  • Residual risk trend from previous year (stable, increasing, decreasing)
  • Residual risk response (accept, avoid, reduce, or share)
  • Risk response explanation
  • Residual risk response strategy—mandatory for high or very high residual risk levels
Scale to refer to when completing the Detailed Cumulative Fraud Risk Assessment spreadsheet
Text version

This table represents a risk assessment scale to refer to when completing the following four categories of the Detailed Cumulative Fraud Risk Assessment template: inherent risk likelihood, inherent risk impact, inherent risk level, and residual risk level.

The table indicates the following four risk likelihood levels—within the foreseeable future—based on probability or observed frequency:

  • Very high (likely or frequent)
  • High (probable)
  • Medium (possible—could occur occasionally)
  • Low (unlikely, though possible)

The table also indicates the following four risk impact levels—as a factor of potential severity, scope, and impacts on the operations of the Office of the Auditor General of Canada:

  • Very high
  • High
  • Medium
  • Low

In addition, the table indicates the following six overall risk levels, which are determined by where risk likelihood and risk impact levels intersect:

  • Very high—Mitigate and monitor (extensive senior management involvement)
  • High—Mitigate and monitor (inform senior management)
  • Elevated to high—Mitigate and monitor (inform senior management)
  • Elevated—Mitigate and monitor
  • Normal to elevated—Monitor, possible mitigation
  • Normal—Accept

The following are the overall risk levels for all 16 scenarios:

  • When the risk likelihood is low and the risk impact is very high, then the overall risk level is elevated.
  • When the risk likelihood is low and the risk impact is high, then the overall risk level is elevated.
  • When the risk likelihood is low and the risk impact is medium, then the overall risk level is normal to elevated.
  • When the risk likelihood is low and the risk impact is low, then the overall risk level is normal.
  • When the risk likelihood is medium and the risk impact is very high, then the overall risk level is high.
  • When the risk likelihood is medium and the risk impact is high, then the overall risk level is elevated to high.
  • When the risk likelihood is medium and the risk impact is medium, then the overall risk level is elevated.
  • When the risk likelihood is medium and the risk impact is low, then the overall risk level is normal to elevated.
  • When the risk likelihood is high and the risk impact is very high, then the overall risk level is very high.
  • When the risk likelihood is high and the risk impact is high, then the overall risk level is high.
  • When the risk likelihood is high and the risk impact is medium, then the overall risk level is elevated to high.
  • When the risk likelihood is high and the risk impact is low, then the overall risk level is elevated.
  • When the risk likelihood is very high and the risk impact is very high, then the overall risk level is very high.
  • When the risk likelihood is very high and the risk impact is high, then the overall risk level is very high.
  • When the risk likelihood is very high and the risk impact is medium, then the overall risk level is high.
  • When the risk likelihood is very high and the risk impact is low, then the overall risk level is elevated.

Annex C2: Fraud Prevention and Detection Scorecard

Context:

This tool supports the Annual Certification on the Adequacy of the Office’s Fraud Risk Assessment (Annex C).

It is inspired by Managing the Business Risk of Fraud: A Practical Guide (issued by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners). It is used as a guide to assess the Office’s control environment over fraud risk. It is completed by the Internal Specialist for Fraud in consultation with other stakeholders as part of the annual Fraud Risk Assessment.

To assess the strength of the organization’s fraud prevention system, carefully assess each area below and score the area, factor, or consideration as follows:

Red (minus sign in a red circle): indicating that the area, factor, or consideration needs substantial strengthening and improvement to bring fraud risk down to an acceptable level.

Yellow (exclamation point in a yellow circle): indicating that the area, factor, or consideration needs some strengthening and improvement to bring fraud risk down to an acceptable level.

Green (check mark in a green circle): indicating that the area, factor, or consideration is strong and fraud risk has been reduced—at least—to a minimally acceptable level.

Each area, factor, or consideration scored either red or yellow should have a note associated with it that describes the action plan for bringing it to green on the next scorecard.

Columns: No.; Fraud prevention area, factor, or consideration; Score; Notes; Action item.

P1: Our organizational culture—tone from the top—is as strong as it can possibly be and establishes a zero-tolerance environment with respect to fraud.

P2: Our organization’s top management consistently displays the appropriate attitude regarding fraud prevention and encourages free and open communication regarding ethical behaviour.

P3: Our code of conduct has specific provisions that address and prohibit inappropriate relationships whereby members of our Executive Committee or members of management could use their position for personal gain or other inappropriate purposes.

P4: We have done a rigorous fraud risk assessment using the COSO Enterprise Risk Management Integrated Framework and have taken specific actions to strengthen our prevention mechanisms as necessary.

P5: We have addressed the strengths and weaknesses of our internal control environment adequately and have taken specific steps to strengthen the internal control structure to help prevent the occurrences of fraud.

P6: We have assessed the alignment of authorities and responsibilities at all levels of organizational management and are not aware of any misalignments that might represent vulnerabilities to fraud.

P7: Our Audit Committee has taken a very proactive posture with respect to fraud prevention.

P8: Our Audit Committee is composed only of independent members and includes persons with financial accounting and reporting expertise.

P9: Our Audit Committee meets at least quarterly and devotes substantial time to assessing fraud risk and proactively implementing fraud prevention mechanisms.

P10: We have a strong internal audit function that operates independently of management. The charter of our internal audit function expressly states that the internal audit team will help prevent and detect fraud and misconduct.

P11: We have designated an individual with the authority and responsibility for overseeing and maintaining our fraud prevention programs and have given this individual the resources needed to manage our fraud prevention programs effectively. This individual has direct access to the Audit Committee.

P12: Our Human Resources function conducts background investigations with the specific objective of assuring that persons with inappropriate records or characters inconsistent with our corporate culture and ethics are identified and eliminated from the hiring process.

P13: Personnel involved in the financial reporting process have been assessed with regard to their competencies and integrity and have been found to be of the highest calibre.

P14: All our employees, vendors, and contractors have been made aware of our zero-tolerance policies related to fraud and are aware of the appropriate steps to take in the event that any evidence of possible fraud comes to their attention.

P15: We have a rigorous program for communicating our fraud prevention policies and procedures to all employees, vendors, contractors, and business partners.

P16: We have policies and procedures in place for authorization and approval of certain types of transactions and for certain values of transactions to help prevent and detect the occurrences of fraud.

P17: Our performance measurement and evaluation process includes an element specifically addressing ethics and integrity as well as adherence to the Values and Ethics Code for the Public Sector and the OAG’s Code of Values, Ethics and Professional Conduct.

P18: We have an effective whistleblower protection program in place, and its existence and procedures are known to all employees, vendors, contractors, and partners.

P19: We review the above fraud preventive mechanisms on an ongoing basis and document these reviews as well as the communication with the Audit Committee regarding areas that need improvement.

P20: We have a fraud response plan in place and know how to respond if a fraud allegation is made. The fraud response plan considers

  • who should perform the investigation
  • how the investigation should be performed
  • when a voluntary disclosure to the government should be made
  • how to determine the remedial action
  • how to remedy control deficiencies identified
  • how to administer disciplinary action
Columns: No.; Fraud detection area, factor, or consideration; Score; Notes; Action item.

D1: We have integrated our fraud detection system with our fraud prevention system in a cost-effective manner.

D2: Our fraud detection processes and techniques pervade all levels of responsibility within our organization, from the Audit Committee, to managers at all levels, to employees in all areas of operations.

D3: Our fraud detection policies include communicating to employees, vendors, and stakeholders that a strong fraud detection system is in place, but certain critical aspects of these systems are not disclosed to maintain the effectiveness of hidden controls.

D4: We use mandatory vacation periods or job rotation assignments for employees in key finance and accounting control positions.

D5: We periodically reassess our risk assessment criteria as our organization grows and changes to make sure we are aware of all possible types of fraud that may occur.

D6: Our fraud detection mechanisms place increased focus on areas in which we have concluded that preventive controls are weak or are not cost-effective.

D7: We focus our data analysis and continuous auditing efforts based on our assessment of the types of fraud schemes to which organizations like ours are susceptible.

D8: We take steps to ensure that our detection processes, procedures, and techniques remain confidential so that ordinary employees—and potential fraud perpetrators—do not become aware of their existence.

D9: We have comprehensive documentation of our fraud detection processes, procedures, and techniques so that we maintain our fraud detection vigilance over time and as our fraud detection team changes.

D10: Our detective controls include a well-publicized and well-managed fraud hotline.

D11: Our fraud hotline program provides anonymity to individuals who report suspected wrongdoing.

D12: Our fraud hotline program includes assurance that employees who report suspected wrongdoing will not face retaliation. We monitor for retaliation after an issue has been reported.

D13: Our fraud hotline uses a case management system to log all calls and their follow-up to resolution, is tested periodically by our internal auditors, and is overseen by the Audit Committee.

D14: Our information systems/IT process controls include controls specifically designed to detect fraudulent activity, as well as errors, and include reconciliation, independent review, physical inspections/counts, analysis, audits, and investigations.

D15: Our internal audit team’s charter includes emphasis on conducting activities designed to detect fraud.

D16: Our internal auditors participate in the Fraud Risk Assessment process and plan fraud detection activities based on the results of this risk assessment.

D17: Our internal auditors report to the Audit Committee and focus appropriate resources on assessing management’s commitment to fraud detection.

D18: Our internal audit team is adequately funded, staffed, and trained to follow professional standards, and our internal audit personnel possess the appropriate competencies to support the group’s objectives.

D19: Our internal audit function performs risk-based assessments to understand motivation and where potential manipulation may take place.

D20: Our internal audit personnel are aware of, and are trained in, the tools and techniques of fraud detection, response, and investigation as part of their continuing education program.

D21: Our data analysis programs focus on journal entries and unusual transactions, and transactions occurring at the end of a period or those that were made in one period and reversed in the next.

D22: Our data analysis programs identify journal entries posted to revenue or expense accounts that improve net income or otherwise serve to meet analysts’ expectations or incentive compensation targets.

D23: We have systems designed to monitor journal entries for evidence of possible management override efforts intended to misstate financial information.

D24: We use data analysis, data mining, and digital analysis tools to (a) identify hidden relationships among people, organizations, and events; (b) identify suspicious transactions; (c) assess the effectiveness of internal controls; (d) monitor fraud threats and vulnerabilities; and (e) consider and analyze large volumes of transactions on a real-time basis.

D25: We use continuous auditing techniques to identify and report fraudulent activity more rapidly, including Benford’s Law analysis to examine expense reports, general ledger accounts, and payroll accounts for unusual transactions, amounts, or patterns of activity that may require further analysis.
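The Benford’s Law screen named in D25 is simple enough to show end to end. The following is an added example written for this guide, not a tool of the Office or of the scorecard’s source publication: it assumes only a list of positive amounts (expense claims or ledger postings) and classifies how far their leading-digit distribution departs from Benford’s expectation using the mean absolute deviation (MAD) bands published by Nigrini for first-digit tests. Both samples are constructed here: a baseline whose digit counts follow Benford, and the same baseline with claims parked just under a hypothetical 1,000 approval limit, the kind of authorization-threshold pattern that P16 addresses.

```python
"""Benford's Law first-digit screen for transaction amounts.

Added example, not part of the OAG guide. It assumes a plain list of
positive amounts and classifies conformity with Benford's Law using the
mean absolute deviation (MAD) bands Nigrini publishes for first-digit
tests. Sample data below is constructed for illustration.
"""
import math
from collections import Counter

# Expected first-digit proportions under Benford's Law: log10(1 + 1/d).
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Nigrini's first-digit MAD bands (upper bound of each band, inclusive).
MAD_BANDS = [
    (0.006, "close conformity"),
    (0.012, "acceptable conformity"),
    (0.015, "marginally acceptable conformity"),
    (math.inf, "nonconformity"),
]


def first_digit(amount):
    """Leading non-zero digit of a positive amount; None for zero/negative."""
    if amount <= 0:
        return None
    # Scientific notation puts the leading significant digit first.
    return int(f"{amount:e}"[0])


def benford_first_digit_test(amounts):
    """Compare observed first-digit proportions with Benford's expectation.

    Returns the sample size, observed proportion per digit, the MAD, its
    conformity band, and the digit most over-represented relative to
    expectation (the first place a reviewer would look).
    """
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no positive amounts to test")
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    deviation = {d: observed[d] - BENFORD_EXPECTED[d] for d in range(1, 10)}
    mad = sum(abs(v) for v in deviation.values()) / 9
    band = next(label for bound, label in MAD_BANDS if mad <= bound)
    return {
        "n": n,
        "observed": observed,
        "mad": mad,
        "conformity": band,
        "largest_excess_digit": max(deviation, key=deviation.get),
    }


def constructed_baseline():
    """Constructed sample of 1,000 amounts whose first-digit counts match
    Benford's proportions; stands in for a clean expense ledger."""
    amounts = []
    for d in range(1, 10):
        n_d = round(1000 * BENFORD_EXPECTED[d])
        # Spread n_d amounts evenly across [d*100, (d+1)*100).
        amounts += [round(d * 100 + i * 100 / n_d, 2) for i in range(n_d)]
    return amounts


def constructed_skewed():
    """Baseline plus 400 constructed claims parked just under a
    hypothetical 1,000 approval limit (all start with the digit 9)."""
    return constructed_baseline() + [round(999.99 - i * 0.25, 2) for i in range(400)]


if __name__ == "__main__":
    for name, sample in (("baseline", constructed_baseline()),
                         ("skewed", constructed_skewed())):
        r = benford_first_digit_test(sample)
        print(f"{name}: n={r['n']} MAD={r['mad']:.4f} -> {r['conformity']}; "
              f"digit {r['largest_excess_digit']} most over-represented")
        for d in range(1, 10):
            print(f"  {d}: observed {r['observed'][d]:.3f} "
                  f"expected {BENFORD_EXPECTED[d]:.3f}")
```

Two points matter when reading the output. The test only makes sense on naturally occurring amounts that span several orders of magnitude; assigned numbers (invoice or employee IDs), fixed fees and capped amounts do not follow Benford and will show nonconformity for innocent reasons. And nonconformity is a prompt to pull the over-represented digit’s transactions for review under Section 4, not evidence of fraud on its own.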

D26: We have systems in place to monitor employee email for evidence of potential fraud.

D27: Our fraud detection documentation identifies the individuals and services responsible for

  • designing and planning the overall fraud detection process
  • designing specific fraud detective controls
  • implementing specific fraud detective controls
  • monitoring specific fraud detective controls and the overall system of these controls for realization of the process objective
  • receiving and responding to complaints related to possible fraudulent activity
  • investigating reports of fraudulent activity
  • communicating information about suspected and confirmed fraud to appropriate parties
  • periodically assessing and updating the plan for changes in technology, processes, and organization

D28: We have established measurement criteria to monitor and improve compliance with fraud detective controls, including the

  • number of, and loss amounts from, known fraud schemes committed against the organization
  • number and status of fraud allegations received by the organization that required investigations
  • number of fraud investigations resolved
  • number of employees who have signed the corporate ethics statement
  • number of employees who have completed ethics training required by the Office
  • number of whistleblower allegations received
  • number of messages supporting ethical behaviour delivered to employees by executives
  • number of vendors who have signed the Office’s Code of Values, Ethics and Professional Conduct
  • number of fraud audits performed by internal auditors

D29: We periodically assess the effectiveness of our fraud detection processes, procedures, and techniques; document these assessments; and revise our processes, procedures, and techniques as appropriate.

Annex D: Fraud Prevention Policy

1. Effective date

This Policy is effective on 19 April 2018.

2. Application

This Policy applies to any alleged or detected fraud involving employees of the Office of the Auditor General of Canada (OAG) as well as consultants, vendors, contractors, and outside parties with a business relationship with the OAG. Any investigative activities required will be conducted without regard to the suspected individual’s length of service, position/title, or relationship to the OAG.

Fraud is defined as an intentional act by one or more individuals among employees, management, those charged with governance (internal), or third parties (external) involving the use of deception to obtain an unjust or illegal advantage. The three primary categories of internal fraud are corruption, asset misappropriation, and financial statement fraud.

Examples of fraud include but are not limited to

3. Policy statement

The OAG is committed to

The OAG has developed a comprehensive Fraud Risk Management Framework that guides the organization in implementing best practices to identify, address, and manage its fraud risks. This policy is part of the Framework under Section 1. Governance over fraud risks.

4. Policy objective

The purpose of this Policy is to

5. Roles and responsibilities

Auditor General’s responsibilities:

Chief Financial Officer’s responsibilities:

Chief Audit Executive’s responsibilities:

Managers’ responsibilities:

Employees’ responsibilities (including managers):

6. Mechanism to report fraud

Any suspected fraud must be reported immediately. The OAG promotes an open-door policy with regard to reporting suspected fraud and has implemented secure, non-retaliating, and confidential channels for individuals to report suspected fraud. OAG employees may report suspected fraud to any of the following:

The CFO manages all fraud allegations and oversees the investigation process (if necessary) with the support of the Internal Specialist for Fraud. The CFO consults when needed with the DSO, Legal Services, Human Resources, and the Internal Specialist, Values and Ethics.

This policy does not preclude an employee from presenting a complaint to the Senior Integrity Officer in accordance with the Public Servants Disclosure Protection Act.

7. Formal approach to address allegations of fraud

The OAG has established a formal approach to assess, investigate, monitor, take corrective actions, and report on allegations of fraud. (Refer to the Guide on Managing Fraud Risks at the Office of the Auditor General of Canada and the Policy on Workplace Investigations for details.)

Appropriate disciplinary measures, up to termination of employment, will be taken by the OAG as a result of a fraudulent action. As well, a decision regarding referral of the investigation results to the appropriate law enforcement and/or regulatory agencies for independent investigation will be made by the CFO in consultation with Legal Services and senior management and management of the appropriate services, as will final decisions on disposition of the case.

A fraud investigation under this policy does not preclude the OAG Practice Review and Internal Audit function from initiating an audit.

8. Non-retaliation

Employees will not be penalized or disciplined for making a complaint in good faith. Disciplinary action will be taken against anyone who takes any reprisal against a person who reports, in good faith, an incident of alleged or detected fraud.

9. Communication

This policy shall be made available on the OAG Intranet.

10. Policy compliance and review

Adherence of OAG employees to this policy will be monitored by means including, but not limited to, investigation, audit, and/or review of records.

The CFO, with the assistance of the Internal Specialist for Fraud, in consultation with stakeholders, will review and update this policy at a minimum every three years, or earlier if needed. Any changes to the policy must be approved by the Executive Committee.

11. Inquiries

Inquiries regarding this policy shall be directed to the CFO or to the Internal Specialist for Fraud.

12. References

Federal Legislation

  • Criminal Code
  • Federal Accountability Act
  • Financial Administration Act
  • Public Servants Disclosure Protection Act

Treasury Board of Canada Secretariat

  • Directive on Internal Audit
  • Directive on Public Money and Receivables
  • Policy on Financial Management
  • Policy on Government Security
  • Values and Ethics Code for the Public Sector

OAG

  • Code of Values, Ethics and Professional Conduct
  • Guide on Managing Fraud Risks at the Office of the Auditor General of Canada
  • Policy on Workplace Investigations (under review)