Report 1—Managing the Risk of Fraud
Audit at a Glance Report 1—Managing the Risk of Fraud
What we examined (see Focus of the audit)
Fraud can happen in any organization. Fraud in a federal government organization can cause the loss of public money or property, hurt employee morale, and undermine Canadians’ confidence in public services. Therefore, federal organizations must manage their fraud risks.
This audit examined whether the selected organizations had mechanisms in place to appropriately manage the risk of fraud.
The audit also examined whether the Treasury Board of Canada Secretariat provided support to federal organizations to manage their risks, including fraud risks, and monitored the implementation of its relevant policies and directives.
Why we did this audit
This audit is important because the risk of fraud is inherent in all federal government programs, and Canadians expect federal government organizations to minimize the chances of fraud happening in their programs.
What we concluded
We concluded that in the areas we examined, the selected federal organizations did not appropriately manage all of their fraud risks. We did, however, see a number of good practices in all the organizations we examined. Overall, the organizations had appropriate governance structures to help them manage their risk of fraud, but some organizations did not use a strong enough approach to assess those risks, and none of the organizations made sure that the specific controls we looked at worked as they should have. For example, the organizations did not make sure that all their employees received mandatory training in values and ethics.
We also concluded that the Treasury Board of Canada Secretariat developed guidance for departments and agencies to help them assess and manage overall departmental risks. However, the Secretariat did not provide specific guidance on fraud risk management or monitor how departments and agencies managed their risk of fraud.
What we found
Fraud risk management
Overall, we found that the five federal organizations we looked at had ways to manage their fraud risks. For example, they managed fraud risks by ensuring the organization’s risk governance, conducting risk assessments, providing training on values and ethics and conflicts of interest, managing conflicts of interest, justifying sole-source contracts and contract amendments, and analyzing procurement data.
We found that all the organizations we looked at demonstrated the importance of managing their risk of fraud, as evidenced by some good practices we saw in risk governance and risk assessment. However, we were concerned that the organizations did not always implement fraud risk controls. For example, few employees had received mandatory training on values and ethics and conflicts of interest, many conflicts of interest declared by employees took too long to resolve, and standard controls, such as justifications for sole-source contracts, were sometimes not implemented.
We also found that the Treasury Board of Canada Secretariat supported and monitored how federal organizations managed their overall risks. However, it did not monitor how federal organizations managed fraud risks or provide specific guidance about fraud risks, as some other countries did.
These findings matter because good fraud risk management with appropriate controls helps an organization reduce its exposure to losses from fraud.
Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada should ensure that their current fraud risk assessments are reviewed and updated periodically, following best practices.
Recommendation. Health Canada and Public Services and Procurement Canada should conduct a fraud risk assessment that considers all areas of their organizations and follows best practices.
Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, Health Canada, Indigenous and Northern Affairs Canada, and Public Services and Procurement Canada should:
- identify operational areas at higher risk for fraud and develop targeted training for employees in these areas, and
- ensure that employees are taking mandatory training in a timely manner.
Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, Health Canada, Indigenous and Northern Affairs Canada, and Public Services and Procurement Canada should ensure that logs used to track and manage declarations of conflict of interest and the related mitigation measures have sufficient and complete information to support the timely resolution of employee declarations of conflict of interest.
Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada should:
- identify operational areas at high risk for conflict of interest and ensure that public servants occupying positions in those areas are regularly required to indicate whether or not they are in a conflict of interest, and
- follow up on the implementation of mitigating measures for conflicts of interest on a risk basis.
Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, Health Canada, Indigenous and Northern Affairs Canada, and Public Services and Procurement Canada should ensure that contract files and contracting data are complete and accurate. They should also conduct data analytics and data mining to evaluate controls and identify signs of potential contract splitting, inappropriate contract amendments, and inappropriate sole-source contracting on a risk basis.
Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada should maintain a comprehensive and complete log that captures and tracks the status of all allegations, where appropriate, including where corrective measures were implemented to prevent fraud.
Recommendation. To help improve fraud risk management at federal organizations, the Treasury Board of Canada Secretariat should:
- increase awareness of the importance of managing fraud risks, by supporting senior management in implementing fraud risk management; and
- consider issuing specific guidance on managing fraud risks and how its implementation could be monitored.
Entity Responses to Recommendations
The audited entities agree with our recommendations, and have responded (see List of Recommendations).
|Report of the||Auditor General of Canada|
|Type of product||Performance audit|
|Completion date||6 March 2017|
|Tabling date||16 May 2017|
For more information