Introduction

Background

1.1 Fraud can happen in any organization. Fraud in a federal government organization can cause the loss of public money or property, hurt employee morale, and undermine Canadians’ confidence in public services. Therefore, federal organizations must manage their fraud risks.

1.2 Fraud can be committed by individuals inside or outside an organization. The following are examples:

• an employee misusing his or her influence in a business transaction to gain a direct or indirect benefit,
• a vendor intentionally billing for services not rendered,
• a beneficiary of a grant falsifying application information,
• an employee accepting a bribe to influence a decision, and
• an employee providing sensitive information to an external party for money or a tangible benefit.

1.3 There is no reliable estimate of the monetary effect of fraud on the Government of Canada. However, a 2016 global study by the Association of Certified Fraud Examiners indicated that all types of organizations around the world suffer significant losses due to fraud.

1.4 Federal organizations must make sure they effectively manage risk to ensure that their information, assets, and organizational integrity are protected. They are also responsible for making sure staff are aware of their organization’s code of values and ethics.

1.5 The Treasury Board of Canada Secretariat’s role is to encourage management excellence in government organizations. It provides guidance, tools, and expertise to federal organizations to help them implement a risk-informed management approach.

Focus of the audit

1.6 This audit focused on fraud risk management in five federal organizations:

• Canadian Food Inspection Agency,
• Global Affairs Canada,
• Health Canada,
• Indigenous and Northern Affairs Canada, and
• Public Services and Procurement Canada.

We chose these organizations because of their different sizes and types of operations.

1.7 This audit examined whether the selected organizations had mechanisms in place to appropriately manage the risk of fraud. Specifically, this audit focused on whether these organizations had

• governance processes to direct, evaluate, and monitor fraud risks;
• an assessment approach to identify fraud risks and mitigating actions;
• selected controls (policies, procedures, processes, and activities) to address specific fraud risks; and
• activities to investigate and manage allegations of fraud.

1.8 The audit also examined whether the Treasury Board of Canada Secretariat provided support to federal organizations to manage their risks, including fraud risks, and monitored the implementation of its relevant policies and directives.

1.9 This audit is important because the risk of fraud is inherent in all federal government programs, and Canadians expect federal government organizations to minimize the chances of fraud happening in their programs.

1.10 We did not examine all controls in place at the selected organizations. We did not examine controls aimed at managing the risk of fraud committed strictly by parties outside federal organizations. We also did not try to identify specific cases of fraudulent activity.

1.11 More details about the audit objective, scope, approach, and criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Fraud risk management

Overall message

1.12 Overall, we found that the five federal organizations we looked at had ways to manage their fraud risks. For example, they managed fraud risks by ensuring the organization’s risk governance, conducting risk assessments, providing training on values and ethics and conflicts of interest, managing conflicts of interest, justifying sole-source contracts and contract amendments, and analyzing procurement data.

1.13 We found that all the organizations we looked at demonstrated the importance of managing their risk of fraud, as evidenced by some good practices we saw in risk governance and risk assessment. However, we were concerned that the organizations did not always implement fraud risk controls. For example, few employees had received mandatory training on values and ethics and conflicts of interest, many conflicts of interest declared by employees took too long to resolve, and standard controls, such as justifications for sole-source contracts, were sometimes not implemented.

1.14 We also found that the Treasury Board of Canada Secretariat supported and monitored how federal organizations managed their overall risks. However, it did not monitor how federal organizations managed fraud risks or provide specific guidance about fraud risks, as some other countries did.

1.15 These findings matter because good fraud risk management with appropriate controls helps an organization reduce its exposure to losses from fraud.

Federal organizations identified fraud risks and mitigating measures, but not all completed a fraud risk assessment

1.16 We found that all five federal organizations had governance structures in place, including independent audit committees and values and integrity offices, to oversee their management of risks, including fraud risks. We also found that only the Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada completed a fraud risk assessment.

1.17 Our analysis supporting this finding presents what we examined and discusses the following topics:

• Governance
• Identification of fraud risks and mitigation measures

1.18 This finding matters because effective governance is needed by an organization to identify, assess, document, and mitigate its risks, including fraud risks. It is the starting point for how an organization can put in place effective controls to prevent and detect fraud.

1.19 Our recommendations in these areas of examination appear at paragraphs 1.29 and 1.30.

1.20 What we examined. We examined whether the selected organizations had fraud risk governance processes in place and whether the organizations conducted periodic assessments of their fraud risks. We also examined whether the assessments included best practices that the Institute of Internal Auditors, American Institute of Certified Public Accountants, and Association of Certified Fraud Examiners recommend be included in a fraud risk assessment (Exhibit 1.1).

1.21 Governance. Effective fraud risk management starts with a governance structure that sends a message that fraud will not be tolerated. All members of an organization, including its audit committee members, its senior management, and its employees, must know how they can contribute to effective fraud risk management.

1.22 We found that the selected federal organizations had governance structures in place that contributed to fraud risk management. For example, all organizations had independent audit committees, values and integrity offices, values and ethics codes that included conflict of interest and post-employment, units to investigate fraud allegations, and risk-based internal audit plans. Also, we found that all organizations regularly discussed their approaches to fraud risk management with their audit committees.

1.23 We found that all organizations had some additional elements of governance in place. For example, Health Canada had an Ombudsman, Integrity and Resolution Office that was responsible for informal conflict management, internal disclosure, and values and ethics services. The Office was a confidential way for employees to discuss and resolve work-related issues. As another example, Indigenous and Northern Affairs Canada had a National Centre for Allegations and Complaints. The Centre ensured that allegations and complaints about funding provided by the Department were examined properly and that appropriate action was taken.

1.24 Identification of fraud risks and mitigation measures. Organizations can identify where they are vulnerable to fraud and what controls they can put in place to mitigate their fraud risks by completing a fraud risk assessment.

1.25 We found that three of the five federal organizations we looked at—the Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada—each conducted a fraud risk assessment. However, we found that some best practices (Exhibit 1.1) were missing from the assessments.

1.26 For example, Indigenous and Northern Affairs Canada did not identify all the potential inherent fraud risks because it assessed the risk of internal fraud only. The Canadian Food Inspection Agency and Global Affairs Canada did not create a response plan to address the identified residual fraud risks by identifying mitigating controls. In addition, none of the organizations evaluated whether all of the identified controls were operating effectively and efficiently.

1.27 While both Health Canada and Public Services and Procurement Canada had fraud risk management frameworks in place, neither completed a fraud risk assessment.

1.28 Public Services and Procurement Canada did not conduct a fraud risk assessment, but it documented and identified fraud risks through other means. However, it did not match those risks to the controls intended to mitigate them. We found that it put in place controls to mitigate some of the fraud risks it had identified. For example, it implemented an Integrity Framework that addressed the risk of conducting business with unethical suppliers.

1.29 Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada should ensure that their current fraud risk assessments are reviewed and updated periodically, following best practices.

The Canadian Food Inspection Agency’s response. Agreed. The Canadian Food Inspection Agency will review the current formal fraud risk assessment and update it periodically, incorporating best practices. The first review will be completed by December 2017.

Global Affairs Canada’s response. Agreed. Global Affairs Canada will take steps to ensure that a fraud risk assessment is reviewed and updated annually, including verifying whether controls are operating effectively and efficiently. The actions associated with this recommendation will be completed by December 2017.

Indigenous and Northern Affairs Canada’s response. Agreed. Indigenous and Northern Affairs Canada will review its current formal fraud risk assessment and update it periodically, incorporating best practices, beginning 1 September 2017.

1.30 Recommendation. Health Canada and Public Services and Procurement Canada should conduct a fraud risk assessment that considers all areas of their organizations and follows best practices.

Health Canada’s response. Agreed. Health Canada is in the process of conducting a comprehensive fraud risk assessment, to be completed by 31 March 2018.

Public Services and Procurement Canada’s response. Agreed. The risk of fraud was included as one of the departmental risks in Public Services and Procurement Canada’s 2017–18 Departmental Plan, demonstrating the Department’s consolidation efforts for documentation of fraud risk management activities, including risk assessment. In addition, using best practices on risk management from the Treasury Board of Canada Secretariat, as well as the Canadian Standards OrganizationCSA Group and the International Organization for Standardization, a department-wide fraud risk assessment and mapping of existing and future fraud risk management controls are being conducted through the 2017–19 Departmental Risk Profile.

Many employees did not receive mandatory training on values and ethics and conflicts of interest

1.31 We found that all of the selected federal organizations had training programs for their employees on values and ethics and conflicts of interest. However, the organizations did not make sure their employees received training that was mandatory, and few employees were trained.

1.32 Our analysis supporting this finding presents what we examined and discusses the following topic:

• Training

1.33 This finding matters because training on values and ethics, resolving conflicts of interest, and the consequences of committing fraud creates a culture where ethical conduct is expected. Training also helps employees be aware of their role in preventing and detecting fraud.

1.34 Our recommendation in this area of examination appears at paragraph 1.39.

1.35 What we examined. We examined whether the selected federal organizations trained their employees on values and ethics, conflicts of interest, and fraud.

1.36 Training. We found that all five federal organizations had employee training programs on values and ethics and conflicts of interest. However, many employees did not receive the training, even though it was mandatory. When it was required, fewer than 20 percent of Health Canada and Public Services and Procurement Canada employees received the training. At the Canadian Food Inspection Agency, 34 percent of employees received the required training.

1.37 We could not calculate the percentage of Global Affairs Canada employees who received the training because the Department did not have the information we needed to make the calculation. In the case of Indigenous and Northern Affairs Canada, it made its training mandatory toward the end of the audit period; therefore, we were unable to assess its monitoring.

1.38 We found that some of the organizations we looked at also gave fraud training to some of their employees, even though it was not required by the Government of Canada. For example, Global Affairs Canada included fraud awareness in the training given to consular officers with management responsibilities before the officers were posted abroad. Also, Indigenous and Northern Affairs Canada has been providing fraud awareness training with an emphasis on construction fraud since July 2016.

1.39 Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, Health Canada, Indigenous and Northern Affairs Canada, and Public Services and Procurement Canada should

• identify operational areas at higher risk for fraud and develop targeted training for employees in these areas, and
• ensure that employees are taking mandatory training in a timely manner.

The Canadian Food Inspection Agency’s response. Agreed. The Canadian Food Inspection Agency is committed to increasing employee awareness through regular reminder communications. The Agency will also conduct a needs assessment by June 2017 to identify the best approach for mitigating areas of higher risk for fraud. This assessment will consider the need for additional training or other products to mitigate fraud risks.

Global Affairs Canada’s response. Agreed. Global Affairs Canada will take steps to identify operational areas at higher risk for fraud, the nature of those risks, and measures to mitigate those risks. In parallel, Global Affairs Canada is working with departmental experts on the development of targeted training on fraud awareness for employees. Global Affairs Canada will develop a training strategy and communications plan to promote values and ethics training in the workplace. The actions associated with this recommendation will be completed by September 2017.

Health Canada’s response. Agreed. Health Canada currently has specialized training for regulators that promotes values and ethics and right-doing. Health Canada has increased its communication and monitoring efforts to ensure that mandatory training is taken in a timely manner.

Indigenous and Northern Affairs Canada’s response. Agreed. Indigenous and Northern Affairs Canada will identify areas at high risk for fraud, continue providing targeted fraud training to employees, and ensure that mandatory values and ethics training is completed as required. The actions associated with this recommendation will be completed by 1 September 2017.

Public Services and Procurement Canada’s response. Agreed. Public Services and Procurement Canada currently offers mandatory online training on values and ethics. Recently, a new online values and ethics quiz was developed and will be rolled out to all new employees. In addition, an online course on how to identify and report fraud and wrongdoing has been developed and is in the process of being rolled out.

As it concerns occupational areas at higher risk for fraud, procurement officers as a special group in our Acquisitions Program have been identified, and training exists for them that includes the topic of fraud. The Department will continue to identify occupational areas at higher risk for fraudulent practices and determine training needs, as necessary.

To ensure accurate tracking of employee completion rates, the Department will implement a new learning management system in April 2017.

Processes to manage conflicts of interest had weaknesses

1.40 We found that Public Services and Procurement Canada adequately managed employee declarations of conflict of interest, but the other four federal organizations did not. They either took too long to resolve conflicts of interest or did not have an adequate approach to make sure that measures to mitigate conflicts of interest were in place.

1.41 Our analysis supporting this finding presents what we examined and discusses the following topics:

• Management of employee declarations of conflict of interest
• Employee declarations in high-risk areas

1.42 This finding matters because government organizations need to make sure their staff conduct their work without conflicts of interest. Weak management of conflicts of interest could leave the government vulnerable to fraud.

1.43 Our recommendations in these areas of examination appear at paragraphs 1.54 and 1.55.

1.44 What we examined. We examined how the five federal organizations managed employee declarations of conflict of interest and whether they were resolved in a timely manner. We also examined whether the organizations regularly required employees in high-risk areas to declare whether or not they were in a conflict of interest.

1.45 Management of employee declarations of conflict of interest. The values and ethics codes of all five selected federal organizations stated employee responsibilities regarding conflicts of interest. When employees join a federal organization, they must sign a letter of employment stating that they have read the code and will make a declaration any time they feel they are in a conflict of interest.

1.46 We found that all organizations had logs to track and manage conflict of interest declarations, but the logs were missing key information. For example, some logs did not indicate whether a file was open or closed or whether the case was determined to be a conflict of interest or not, which would help an organization properly manage the declared conflict.

1.47 We found that Public Services and Procurement Canada was the only one of the five organizations we examined that established a service standard for responding to a declared conflict of interest by an employee. Its standard was to respond within 60 days. It also tracked its actual performance against that standard. During the period covered by the audit, the Department responded, on average, to declared conflicts of interest in 79 days. We also found that Public Services and Procurement Canada was the only one of the five organizations we examined that assigned a priority rating to the conflict of interest declarations it received, which helped it identify which declared conflicts had to be resolved first.

1.48 The Canadian Food Inspection Agency and Health Canada did not calculate how long it took to respond to a declared conflict of interest, even though its logs had the information it needed to make the calculation. Based on information in the logs over the three-year period ending 31 March 2016, we calculated an average response time of 185 days for the Canadian Food Inspection Agency and 104 days for Health Canada. We were unable to calculate the number of days it took Global Affairs Canada and Indigenous and Northern Affairs Canada to respond because their logs did not have the information we needed to make the calculation.

1.49 If an organization takes too long to respond to a declared conflict of interest, such as we found at the Canadian Food Inspection Agency, it could operate with an employee making decisions in an area where that employee has a conflict of interest without measures to mitigate the conflict. Also, it could be interpreted by employees as a sign that the organization does not consider conflicts of interest to be a real risk.

1.50 We found that the Canadian Food Inspection Agency, Health Canada, Indigenous and Northern Affairs Canada, and Public Services and Procurement Canada informed the manager or supervisor of the measures required to mitigate an employee’s conflict of interest. Global Affairs Canada did not; the Department left it up to the employee who had the conflict of interest to inform his or her manager about the conflict and the mitigating measures. This approach increased the possibility that the mitigating measures were not put in place.

1.51 Through our examination of case files, we found one manager at Indigenous and Northern Affairs Canada who was not aware of an employee’s potential conflict of interest and the measures that had been recommended to mitigate the conflict. This meant that the manager could not monitor the potential conflict of interest to make sure it did not become a real conflict of interest. Also, some files we examined at Indigenous and Northern Affairs lacked any evidence that the recommended measures had been put in place to mitigate the conflicts of interest.

1.52 We also found that the offices responsible for managing conflicts of interest at Health Canada and Public Services and Procurement Canada had a process to follow up on the implementation of mitigation measures for certain types of conflict of interest cases. However, the three other organizations did not.

1.53 Employee declarations in high-risk areas. In the 2010 Fall Report of the Auditor General of Canada, Chapter 4—Managing Conflict of Interest, we recommended that federal organizations identify areas at high risk for conflict of interest and require employees in these areas to report regularly whether or not they were in a conflict of interest. In this audit, we found that in 2014, Health Canada identified one group of employees who were at high risk for having conflicts of interest, and the Department had them declare whether or not they had conflicts of interest. We also found that procurement officers at Public Services and Procurement Canada were required to submit an attestation about whether or not they had a conflict of interest for each contract they managed for the Department. However, we found that the other three organizations did not regularly require employees in high-risk areas to declare whether or not they were in a conflict of interest.

1.54 Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, Health Canada, Indigenous and Northern Affairs Canada, and Public Services and Procurement Canada should ensure that logs used to track and manage declarations of conflict of interest and the related mitigation measures have sufficient and complete information to support the timely resolution of employee declarations of conflict of interest.

The Canadian Food Inspection Agency’s response. Agreed. The Canadian Food Inspection Agency is currently reviewing the Conflict of Interest Secretariat’s tracking and logging system to ensure critical data is captured for enhanced tracking and reporting capabilities. These activities will be completed by April 2017.

Global Affairs Canada’s response. Agreed. Global Affairs Canada has recently implemented a new case management system, which will improve tracking and reporting on all values and ethics cases, including conflicts of interest. The actions associated with this recommendation will be completed by March 2018.

Health Canada’s response. Agreed. Health Canada has added new tracking elements to its conflict of interest case management system to ensure sufficient information is captured to support timely resolution of employee declarations of conflict of interest.

Indigenous and Northern Affairs Canada’s response. Agreed. Indigenous and Northern Affairs Canada will review logs used to track and manage declarations of conflict of interest and the related mitigation measures to ensure they contain sufficient and complete information to support timely resolution of employee declarations of conflict of interest. The actions associated with this recommendation will be completed by 1 April 2017.

Public Services and Procurement Canada’s response. Agreed. Public Services and Procurement Canada has added a column to its conflict of interest tracking log, as of January 2017, to indicate the conflict of interest determination (none, real, potential, or apparent) resulting from the declaration.

1.55 Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada should

• identify operational areas at high risk for conflict of interest and ensure that public servants occupying positions in those areas are regularly required to indicate whether or not they are in a conflict of interest, and
• follow up on the implementation of mitigating measures for conflicts of interest on a risk basis.

The Canadian Food Inspection Agency’s response. Agreed. The Canadian Food Inspection Agency currently requires all its employees to attest to the Conflict of Interest and Post-Employment Policy during their annual performance reviews. In addition, the Agency’s Conflict of Interest Secretariat will commence a review to identify areas of high risk for conflict of interest and to consider whether additional mechanisms are required to confirm whether or not there is a conflict of interest. These actions will be completed by March 2018.

Global Affairs Canada’s response. Agreed. Global Affairs Canada will identify areas of high risk and implement appropriate processes and mitigation measures. Global Affairs Canada will review and amend current practices for reporting and managing conflicts of interest, in order to ensure that effective monitoring and control measures are in place. The actions associated with this recommendation will be completed by January 2018.

Indigenous and Northern Affairs Canada’s response. Agreed. Indigenous and Northern Affairs Canada will follow up on the implementation of mitigating measures for conflicts of interest on a risk basis, identify areas of high risk, and ensure that employees regularly update their declarations. The actions associated with this recommendation will be completed by 1 September 2017.

Some controls that could manage the risk of fraud in procurement were not always applied

1.56 We found that all five federal organizations we examined had controls and review committees in place to prevent and detect selected inappropriate contracting practices to procure goods and services. However, the controls were not always applied, and review committees may not have always been involved when required. For example, some contracting practices were not justified as they should have been. Also, the organizations did not analyze their procurement data to help them identify all three types of inappropriate contracting practices that we tested.

1.57 Our analysis supporting this finding presents what we examined and discusses the following topics:

• Procurement controls
• Procurement review committees
• Procurement data

1.58 This finding matters because most of the selected federal organizations identified procurement conducted within their authority as a key risk area for internal fraud. The federal government spends billions of dollars each year in contracts for goods and services.

1.59 Our recommendation in this area of examination appears at paragraph 1.71.

1.60 What we examined. We examined whether the federal organizations had selected controls and review committees in place to manage the risk of fraud in the procurement of goods and services conducted within their authority and whether the controls were applied and review committees involved consistently. We examined whether organizations sufficiently and routinely analyzed contracting information to identify trends and signs of fraudulent behaviour or non-compliance and followed up on exceptions. We did not examine several key controls over procurement conducted by Public Services and Procurement Canada on behalf of other government departments as a common service provider or whether there were any incidents of procurement fraud in the selected organizations.

1.61 In each organization, we looked for signs of possible contract splitting, inappropriate contract amendments, and inappropriate sole-source contracting. Multiple contracts to the same supplier, amendments to contracts, and sole-source contracts are all accepted under the Treasury Board’s Contracting Policy. It is still important to monitor them, though, since in some cases, they can be used inappropriately—possibly even fraudulently. We chose these contracting practices because some of the five organizations identified them as specific internal fraud risks.

1.62 Procurement controls. We found that all the federal organizations had controls over procurement conducted within their authority to prevent and detect contract splitting, inappropriate contract amendments, and inappropriate sole-source contracting. However, these controls were not always applied, even when they were mandatory.

1.63 We found that some organizations monitored procurement controls through periodic compliance checks such as random sampling. We also found cases where monitoring controls did not identify that files were missing evidence about the procurement that should have existed.

1.64 We found that the five selected organizations gave their procurement officers the responsibility to challenge the procurement choices of an employee requesting a contract if they believed those choices were inappropriate. However, we found instances where there was no evidence that the procurement officer challenged a potential risk. For example, we identified several sole-source contracts—for similar values, awarded to the same vendor either on the same day, one right after another, or before the first one had ended—that were not challenged by a procurement officer.

1.65 As required by the Treasury Board’s Contracting Policy, procurement officers must ensure that justifications for contract amendments and sole-source contracts are documented. We found that Global Affairs Canada and the Canadian Food Inspection Agency always included justifications for contract amendments in their contract files we examined. However, justifications for contract amendments were not always in the files at the other three organizations. Similarly, we found that Global Affairs Canada and Health Canada documented the justification for all sole-source contracts we looked at. However, the other three organizations did not always document these justifications.

1.66 We also found that three of the organizations—the Canadian Food Inspection Agency, Health Canada, and Indigenous and Northern Affairs Canada—had mandatory checklists to prompt their procurement officers to identify signs of inappropriate contracting practices. However, the checklists were not always used or were incomplete at the Canadian Food Inspection Agency and Indigenous and Northern Affairs Canada.

1.67 We found some specific good practices. For example, Global Affairs Canada recommended that its procurement officers search the contracting history of particular vendors for signs of multiple contracts being awarded in a short period, and the Canadian Food Inspection Agency required that type of search for sole-source contracts.

1.68 Procurement review committees. We found that by the end of the period covered by the audit, all federal organizations had a departmental review committee. In general, the committees are responsible for reviewing procurements that are considered high risk, are over a certain dollar value, or deviate from government policy. While not all instances of non-compliance with contracting policy are fraudulent, they could be signs of potential fraud. We found instances where evidence of the review was missing from the contract file.

1.69 Procurement data. We found that there were limited proactive prevention and detection activities. For the three selected contracting practices, we found that none of the federal organizations sufficiently and routinely analyzed contracting data to identify trends and signs of fraudulent behaviour or non-compliance and followed up on exceptions. For example, signs could include

• many contracts awarded to the same vendor, each for a value less than specified thresholds;
• multiple contract amendments with a total value equal to a high percentage of the initial contract value; and
• many sole-source contracts awarded to the same vendor.

1.70 We also found that three of the organizations—the Canadian Food Inspection Agency, Health Canada, and Public Services and Procurement Canada—performed routine data analytics and data mining of procurement and contracting activities. However, these analytics were not used to identify signs of contract splitting, inappropriate contract amendments, and inappropriate sole-source contracting. Furthermore, even though some of the organizations had processes in place to improve the quality of their contracting data, their ability to mine this data was limited because of data quality problems that we found at all five organizations. The following are some examples:

• The reasons for a contract amendment were not well documented. In one case, amendments to a large construction contract were called “Printing Services.”
• The same company name was stored in different ways, such as “XXX Canada LimitedLTD” and “XXX Canada.”

1.71 Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, Health Canada, Indigenous and Northern Affairs Canada, and Public Services and Procurement Canada should ensure that contract files and contracting data are complete and accurate. They should also conduct data analytics and data mining to evaluate controls and identify signs of potential contract splitting, inappropriate contract amendments, and inappropriate sole-source contracting on a risk basis.

The Canadian Food Inspection Agency’s response. Agreed. The Canadian Food Inspection Agency will continue to perform monthly validations to ensure the accuracy and completeness of its procurement files, data, and reporting. Procurement records, including the accuracy of related financial coding, are now being reviewed and validated on a monthly basis. The Agency is also reviewing how best to increase the use of data analytics to evaluate procurement and contracting controls and identify possible areas of concern. Identified opportunities to increase the data analytics will be implemented by March 2018.

Global Affairs Canada’s response. Agreed. Global Affairs Canada will ensure that its procurement officers are appropriately trained in order to ensure that contract files and contracting data are complete and accurate. Furthermore, Global Affairs Canada will take steps to improve system data integrity and introduce automated tools for analyzing procurement data to detect potential fraudulent activities. The actions associated with this recommendation will be completed by September 2017.

Health Canada’s response. Agreed. Health Canada currently performs risk-based data analytics as part of its procurement performance management framework but agrees that these measures can be enhanced. Health Canada’s data analytics, data mining, and other practices will be modified by 31 March 2018 to improve data quality and to better detect potential contract splitting, abuse of amendments, and inappropriate sole-source contracting.

Indigenous and Northern Affairs Canada’s response. Agreed. Indigenous and Northern Affairs Canada will ensure contract files are complete and will explore opportunities to better utilize data analytics and data mining to detect red flags and potential procurement fraud risks. This work began on 1 February 2017 and will be completed by 30 June 2017.

Public Services and Procurement Canada’s response. Agreed. Public Services and Procurement Canada will continue its initiative to improve data quality through measures that ensure complete information is captured in the departmental financial and materiel management system. The Department has implemented risk-based reviews of contracts through a monitoring program to detect anomalies and ensure corrective action is taken where appropriate.

Federal organizations conducted internal investigations of fraud allegations, but information used to track the status of allegations was incomplete

1.72 We found that all five federal organizations had one or more internal groups to manage allegations of fraud. However, the logs these internal groups kept on the allegations could not be relied on to answer basic questions, such as whether or not an allegation was founded and whether or not an investigation was closed.

1.73 Our analysis supporting this finding presents what we examined and discusses the following topic:

• Managing allegations of fraud

1.74 This finding matters because federal organizations need a thorough approach to manage internal investigations to make sure they are handled well. The results of these investigations can help organizations fix weaknesses in their controls.

1.75 Our recommendation in this area of examination appears at paragraph 1.80.

1.76 What we examined. We examined whether the selected federal organizations

• had a group to manage allegations of fraud;
• had an approach to coordinate, monitor, investigate, and report on such allegations; and
• took corrective actions to help mitigate future incidents.

1.77 Managing allegations of fraud. We found that all five federal organizations established one or more groups to manage allegations of fraud and conduct internal investigations as needed. We also found that they all had policies and guidelines that outlined investigation processes and roles and responsibilities.

1.78 We noted that all the organizations used either a log or a file management system to manage allegations and investigations. However, problems with the information in the logs at the Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada limited the logs’ usefulness. The problems we found included allegations identified as open, even though the comments indicated that measures had been taken to resolve the allegations, and allegations that were not identified as either founded or unfounded.

1.79 We found that the investigation groups we examined reported the results of their investigations to senior management or a senior committee. However, it was not always clear how or whether the recommendations or systemic corrective measures were implemented.

1.80 Recommendation. The Canadian Food Inspection Agency, Global Affairs Canada, and Indigenous and Northern Affairs Canada should maintain a comprehensive and complete log that captures and tracks the status of all allegations, where appropriate, including where corrective measures were implemented to prevent fraud.

The Canadian Food Inspection Agency’s response. Agreed. The Canadian Food Inspection Agency is currently implementing a centralized function for the coordination, management, and reporting for any instances of fraud activity. A tracking system will be used to capture and monitor the status of suspected fraud cases and their related corrective action plans. These actions will be completed by March 2018.

Global Affairs Canada’s response. Agreed. Global Affairs Canada has recently implemented a new case management system, which will improve tracking and reporting on internal investigations, including tracking of the status of allegations. The actions associated with this recommendation will be completed by March 2018.

Indigenous and Northern Affairs Canada’s response. Agreed. Indigenous and Northern Affairs Canada is currently working to develop a comprehensive log to track the status of all allegations, including systemic corrective measures implemented. The actions associated with this recommendation will be fully implemented by 30 September 2017.

Guidance on risk management did not specifically address fraud risk management

1.81 We found that the Treasury Board of Canada Secretariat supported and monitored how federal organizations manage their overall risks. However, it did not monitor fraud risk management in federal organizations or provide specific guidance about fraud risks.

1.82 Our analysis supporting this finding presents what we examined and discusses the following topics:

• Guidance on risk management
• Monitoring of fraud risk management

1.83 This finding matters because a lack of guidance on fraud risks can lead to inconsistent approaches to managing fraud risks across government.

1.84 Our recommendation in this area of examination appears at paragraph 1.91.

1.85 What we examined. We examined whether the Treasury Board of Canada Secretariat had developed clear policies, guidance, and tools on assessing and managing fraud risks as part of its guidance and support on overall departmental risks. We also examined whether the Secretariat monitored how federal government organizations managed their risk of fraud.

1.86 Guidance on risk management. We found that the Treasury Board of Canada Secretariat provided guidance, tools, and expertise to support federal organizations in managing their risks. The Secretariat had a Framework for the Management of Risk to support organizations in risk management. However, this and the other guidance and policies we examined, such as the Policy on Internal Audit and the Policy on Internal Control, did not mention fraud risks or fraud risk management.

1.87 The Secretariat has been working to streamline and modernize Treasury Board policies, but it had no plans to develop guidance on fraud risk management as part of that initiative’s first phase.

1.88 We found that in 2015, the Treasury Board of Canada Secretariat provided advice on financial fraud management to existing internal control working groups. This was done to increase awareness of financial fraud risks and the tools that are publicly available to identify, manage, and mitigate these risks.

1.89 We noted that other countries issued formal guidance to government departments on fraud risk management. The following are some examples:

• In the United Kingdom, the Treasury in 2011 issued Tackling Internal Fraud, a guide that provides managers in government organizations with advice on how to manage the risk of fraud. It expands on the list of departmental responsibilities outlined in the guide Managing Public Money.
• The Australian government has a Fraud Control Framework, which requires “that government entities put in place a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies.” The framework’s guidance states that agencies must undertake a fraud risk assessment at least once every two years, or more frequently if the risk of fraud is deemed to be high.

1.90 Monitoring of fraud risk management. We found that the Treasury Board of Canada Secretariat, through its Management Accountability Framework, monitored the implementation of its risk management guidance by federal organizations. The guidance does not mention fraud risks, and the Secretariat did not monitor how organizations were managing fraud risks.

1.91 Recommendation. To help improve fraud risk management at federal organizations, the Treasury Board of Canada Secretariat should

• increase awareness of the importance of managing fraud risks by supporting senior management in implementing fraud risk management, and
• consider issuing specific guidance on managing fraud risks and how its implementation could be monitored.

The Treasury Board of Canada Secretariat’s response. Agreed. The Treasury Board of Canada Secretariat will continue to work with departments and agencies to ensure that they have a clear understanding of the importance of managing and monitoring fraud risks. The Treasury Board Policy on Internal Control requires compliance with internal control over financial reporting, including specific requirements for safeguarding financial resources against fraud. The Treasury Board also directs departments to comply with the Institute of Internal Auditors’ standards, including specific standards on assessing fraud management. The Secretariat will issue updates to its guidance on the management of fraud risks, as needed, and will continue to support senior management in increasing awareness, identification, and mitigation of fraud risks.

Conclusion

1.92 We concluded that in the areas we examined, the selected federal organizations did not appropriately manage all of their fraud risks. We did, however, see a number of good practices in all the organizations we examined. Overall, the organizations had appropriate governance structures to help them manage their risk of fraud, but some organizations did not use a strong enough approach to assess those risks, and none of the organizations made sure that the specific controls we looked at worked as they should have. For example, the organizations did not make sure that all their employees received mandatory training in values and ethics.

1.93 We also concluded that the Treasury Board of Canada Secretariat developed guidance for departments and agencies to help them assess and manage overall departmental risks. However, the Secretariat did not provide specific guidance on fraud risk management or monitor how departments and agencies managed their risk of fraud.