Guide on Managing Fraud Risks at the Office of the Auditor General of Canada

Table of Contents

Introduction
Fraud Risk Management Framework at the Office of the Auditor General of Canada
1. Governance over fraud risks
2. Fraud Risk Assessment
- 2.1 Conduct a Fraud Risk Assessment that includes best practices
3. Controls to prevent and detect fraud
- 3.1 Fraud prevention
- 3.2 Fraud detection
  - 3.2.1 Mechanism to report fraud
  - 3.2.2 Controls designed to detect fraudulent activities
4. Investigations of fraud allegations
- 4.1 Mechanism to report fraud
- 4.2 Formal approach to address allegations of fraud
5. Continuous improvement of the Fraud Risk Management Framework
Fraud Risk Management Tools

Introduction

Fraud can happen in any organization. Fraud in a federal government organization can cause the loss of public money or property, hurt employee morale, and undermine Canadians’ confidence in public services. Therefore, federal organizations must manage their fraud risks.

A proactive approach to managing fraud risk is one of the best steps organizations can take to mitigate exposure to fraudulent activities. Although it is most likely not possible or economical to completely eliminate all fraud risk, organizations can take proactive and constructive steps to reduce their exposure. The combination of effective fraud risk governance, a thorough fraud risk assessment, and strong fraud prevention and detection measures, along with coordinated and timely investigations and corrective actions, can significantly mitigate fraud risks.

The Office of the Auditor General (OAG) developed a comprehensive Fraud Risk Management Framework inspired by Managing the Business Risk of Fraud: A Practical Guide, issued by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners. This Framework guides the OAG in implementing best practices to identify, address, and manage its fraud risks.

This guide clarifies how the different components and key players contribute, directly or indirectly, to the fraud risk management of the OAG. Further details are provided in the annexes; for example, roles and responsibilities (Annex A).

Fraud Risk Management Framework at the Office of the Auditor General of Canada

Managing internal and external fraud risks at the OAG

Overview of the Fraud Risk Management Framework of the Office of the Auditor General of Canada

Text version

This chart provides an overview of the Fraud Risk Management Framework at the Office of the Auditor General of Canada. It shows how the Office manages internal and external fraud risks.

The chart first defines fraud risk and fraud and provides examples of fraud. Fraud risk is the risk of various types of fraud an organization could face from internal and/or external sources. Fraud is an intentional act by one or more individuals among employees, management, those charged with governance (internal), or third parties (external) involving the use of deception to obtain an unjust or illegal advantage. The three primary categories of internal fraud are corruption, asset misappropriation, and financial statement fraud. The following are examples of fraud:

Employees misusing influence in transactions for benefit (internal)
Vendors billing for goods/services not received (external)
Employees accepting bribes or benefits to act (internal)
Employees providing sensitive information to outside parties for gain (internal)

The definitions and examples are the introduction to the Office’s Fraud Risk Management Framework, the first four parts of which are then listed.

The first part of the framework consists of the governance over fraud risks, which involves a governance structure that sends a message that fraud is not tolerated. This part includes the following sections:

1.1: Oversight
1.2: Internal Specialist, Values and Ethics
1.3: Values and ethics code
1.4: Conflict of interest and post-employment guidance
1.5: Risk-based internal audit plan
1.6: Process to investigate fraud allegations
1.7: Fraud Prevention Policy

The second part consists of the fraud risk assessment, which is a process to identify and address vulnerabilities to internal/external fraud. This part includes the following sections:

2.1: Conduct a Fraud Risk Assessment that includes best practices
2.1.1: Identify fraud risks without considering controls (that is, inherent)
2.1.2: Assess likelihood and impact of identified fraud risks
2.1.3: Map controls that mitigate the identified risks (preventive/detective)
2.1.4: Evaluate whether controls are working effectively
2.1.5: Evaluate residual fraud risks
2.1.6: Considering risk tolerance, respond to residual fraud risks
2.1.7: Periodically review the Fraud Risk Assessment

The third part consists of controls to prevent and detect fraud, which involves the design and implementation of processes, procedures, and activities to address identified fraud risks. This part includes the following sections:

3.1: Fraud prevention
3.1.1: Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time
3.1.2: Conflict of interest (COI): Mitigate conflicts of interest
3.1.2.1: Effective management of the declarations of COI
3.1.2.2: Employee declarations done whether or not employees have a conflict of interest
3.1.2.3: Service standards to respond to declared conflicts of interest
3.1.2.4: Reporting
3.1.3: Controls designed to prevent fraudulent activities
3.2: Fraud detection
3.2.1: Mechanism to report fraud (see Section 4.1)
3.2.2: Controls designed to detect fraudulent activities

The fourth part consists of investigations of fraud allegations, which involves a thorough approach to manage fraud allegations and investigations. This part includes the following sections:

4.1: Mechanism to report fraud
4.2: Formal approach to address allegations of fraud
4.2.1: Assessment of the allegations of fraud
4.2.2: Investigation of the allegations of fraud
4.2.3: Monitoring of the allegations of fraud
4.2.4: Corrective actions
4.2.5: Reporting on the allegations of fraud

All four parts connect to the fifth, and final, part of the framework, which is the continuous improvement of the Fraud Risk Management Framework.

1. Governance over fraud risks

The Office of the Auditor General of Canada’s (OAG’s) governance over fraud risk management is an important part of the Fraud Risk Management Framework. It provides a message that fraud is not tolerated, through the seven elements described below.

1.1 Oversight

The Executive Committee is involved in key aspects of fraud risk management, such as determining the OAG’s risk tolerance for fraud and discussing fraud risks and related assessment in the context of the annual Fraud Risk Assessment (Section 2). The Executive Committee also receives the following key annual reports:

Report on values and ethics (Section 1.2)
Report on Fraud Risk Assessment (Section 2.1)
Report on mandatory training (Section 3.1.1)
Report on fraud allegations (Section 4.2.5)
Report on the adequacy and application of the Fraud Risk Management Framework (Section 5)

The OAG has an independent audit committee. The Audit Committee plays an active role in the oversight of the OAG Fraud Risk Management Framework, including values and ethics, conflicts of interest, assessment of fraud risks and related controls, fraud allegations, and investigations. The Audit Committee receives updates and reports on the same topics as those listed above that are presented to the Executive Committee.

The Audit Committee Charter reflects the responsibilities of the Audit Committee regarding fraud risk management.

1.2 Internal Specialist, Values and Ethics

The OAG’s Internal Specialist, Values and Ethics, is responsible for responding to questions from employees on values and ethics, and conflicts of interest (COI). The Internal Specialist also receives and manages exception reports where threats to independence and objectivity have been identified in the audit-specific Independence Confirmation and reviews matters declared through the OAG’s annual Confidential Declaration process. Each year, the Internal Specialist, Values and Ethics, provides a report to the Executive Committee and to the Audit Committee.

Further details on mitigating conflicts of interest are provided in Section 3.1.2 of this guide.

1.3 Values and ethics code

The OAG has its own Code of Values, Ethics and Professional Conduct. This code sets out expectations with respect to values, ethics, conflicts of interest, and professional conduct for employees, consultants, and contractors. All those who perform work for or on behalf of the Office are required to comply with this code and the Values and Ethics Code for the Public Sector.

The Human Resources group has responsibility for this code and is supported by Legal Services.

1.4 Conflict of interest and post-employment guidance

The OAG’s Code of Values, Ethics and Professional Conduct contains guidance on conflicts of interest and post-employment (see Section 1.3).

1.5 Risk-based internal audit plan

The OAG’s risk-based internal audit plan is developed annually by the Practice Review and Internal Audit (PRIA) group. The plan covers a three-year period. Fraud risks are considered during that process, in accordance with the Institute of Internal Auditors standards. In addition, an assessment of fraud risks is conducted when planning each internal audit engagement.

1.6 Process to investigate fraud allegations

The OAG has established a process to investigate fraud allegations. This process and the key players are detailed in Section 4 of this guide.

1.7 Fraud Prevention Policy

The OAG’s Fraud Prevention Policy can be found in Annex D.

The objectives of this policy include

improving the knowledge and awareness of all OAG employees to the potential risks of fraud;
setting out responsibilities regarding the prevention, detection, and investigation of fraud;
sending a clear message that fraud will not be tolerated; and
assisting in promoting a climate of openness and a culture where employees feel able to raise concerns without fear of retaliation.

The Chief Financial Officer is responsible for the policy, including assessing the effectiveness and application of the policy, with assistance from the Internal Specialist for Fraud.

2. Fraud Risk Assessment

2.1 Conduct a Fraud Risk Assessment that includes best practices:

The Fraud Risk Assessment (FRA) is a process that allows organizations to identify and address internal and external fraud vulnerabilities. At the Office of the Auditor General of Canada (OAG), the FRA is integrated in the annual corporate risk assessment process, which is a key element of the annual strategic planning exercise. The FRA is the responsibility of the Chief Financial Officer (CFO) and the Internal Specialist for Fraud.

The Internal Specialist for Fraud assists the service and practice leaders in their risk assessments, and reviews the risk assessment of each service and practice to ensure that the key fraud risks have been properly identified, assessed, and addressed when required. The Internal Specialist for Fraud also assesses the OAG’s control environment with regard to fraud risks, using the OAG Fraud Prevention and Detection Scorecard (Annex C.2). As part of those procedures, the Internal Specialist for Fraud reports results and conclusions to the CFO, who certifies the adequacy of the Office’s FRA (Annex C) and reports to the Audit Committee and to the Executive Committee.

The OAG Fraud Risk Assessment approach incorporates the best practices described in sections 2.1.1 to 2.1.7, which is inspired by Managing the Business Risk of Fraud: A Practical Guide (issued by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners).

2.1.1 Identify fraud risks without considering controls (that is, inherent)

The population of inherent fraud risks that could apply to the OAG is identified. This process includes the explicit consideration of all types of fraud schemes and scenarios; incentives, pressures, and opportunities to commit fraud; and information technologyIT fraud risks specific to the organization.

2.1.2 Assess likelihood and impact of identified fraud risks

The relative likelihood and potential significance of identified fraud risks are assessed based on historical information, known fraud schemes, and discussions with individuals involved in business processes.

2.1.3 Map controls that mitigate the identified risks (preventive/detective)

The fraud risks and schemes are mapped to relevant controls.

2.1.4 Evaluate whether controls are working effectively

The relevant controls identified are evaluated for design effectiveness and tested periodically within a reasonable time frame to validate operating effectiveness, in order to determine if they are reducing the inherent fraud risks.

2.1.5 Evaluate residual fraud risks

The residual risks are identified, after consideration of effective controls.

2.1.6 Considering risk tolerance, respond to residual fraud risks

Taking into consideration the organization’s risk tolerance to fraud, a fraud risk response is developed, usually in the form of an action plan. The response should address the residual fraud risks and would consider the cost versus the benefits of implementing controls or specific fraud detection procedures.

2.1.7 Periodically review the Fraud Risk Assessment

The Fraud Risk Assessment is reviewed annually during the strategic planning exercise and results are reported as part of that process.

3. Controls to prevent and detect fraud

The controls to prevent and detect fraud represent the processes, procedures, and activities addressing identified fraud risks. These controls are designed and implemented to reduce fraud risks.

As part of the Office of the Auditor General of Canada’s (OAG’s) annual Fraud Risk Assessment, specific controls to reduce fraud risk are identified. The design and implementation of those controls are also tested periodically. The identification and testing of controls is a key step to determine whether current controls are sufficient and appropriate to prevent and detect fraud and to take corrective actions, as necessary.

Sections 3.1 and 3.2 highlight some examples of fraud prevention and fraud detection controls.

3.1 Fraud prevention

3.1.1 Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time

All employees at the OAG must take training on values, ethics, and conflicts of interest within a specific time frame. This helps to ensure that employees understand the ethical behaviour expected of them, and the potential conflicts of interest and independence threats that they may face. The Code of Values, Ethics and Professional Conduct is a key element of the Fraud Risk Management Framework. Mandatory training on these aspects helps the OAG provide a strong tone from the top. On an ongoing basis, the Office reassesses its need for mandatory training, considering different factors, including risks.

The services and audit practices communicate their training needs to the Internal Specialist for Fraud. Those needs are considered, reassessed, and prioritized as part of the OAG Strategic Plan in Relation to Fraud. The Internal Specialist for Fraud will then communicate those needs to the Professional Development team, who will coordinate the procurement, development and delivery of targeted fraud training.

3.1.2 Conflict of interest: Mitigate conflicts of interest

3.1.2.1 Effective management of the declarations of conflicts of interest

The OAG has a comprehensive process in place to manage declarations of potential and actual conflicts of interest.

Human Resources (HR) is responsible for the annual Confidential Declaration process. HR ensures that employees complete their declaration forms annually.

The Internal Specialist, Values and Ethics, is responsible for assessing matters declared by employees, including potential conflicts of interest or threats to independence, through the annual Confidential Declaration process or the independence confirmation required for each audit assignment.

With respect to the annual Confidential Declaration, the Internal Specialist, Values and Ethics, logs the cases where employees have declared assets, liabilities, or other interests that they believe can give rise to a real or perceived conflict of interest. This log also identifies the cases where, based on risk, a follow-up on the implementation measures was done. The log supports the management of conflicts of interest and threats to independence or objectivity that are declared by OAG staff.

The Internal Specialist, Values and Ethics, reviews, approves, and logs exception reports prepared by audit staff and signed by the engagement leader. The log kept by the Internal Specialist, Values and Ethics, contains key information about each exception declared, including when the matter was declared and when the OAG management and the Internal Specialist, Values and Ethics, agreed to the identified mitigation strategy.

3.1.2.2 Employee declarations done whether or not employees have a conflict of interest

Each employee must complete the annual Confidential Declaration to confirm whether or not the employee has a conflict of interest. HR monitors the timely submission of those declarations and reports results to the Executive Committee and to the Audit Committee. When an employee has declared a real or perceived conflict of interest, HR provides the declaration form to the Internal Specialist, Values and Ethics, for review, further action, and follow-up where appropriate.

In addition, all audit team members must complete an Independence Confirmation form when they begin an audit assignment. If the audit team member identifies a threat to his or her independence or objectivity, an Exception Report must be completed, and mitigation measures must be identified that will reduce the threat to an acceptable level. The effective application of the Independence Confirmation process is monitored through regular practice reviews.

3.1.2.3 Service standards to respond to declared conflicts of interest

The OAG has service standards for the Internal Specialist, Values and Ethics, for responding in a timely manner to declared conflict of interest and exception reports. The performance against these standards is reported to the Executive Committee and to the Audit Committee by the Internal Specialist, Values and Ethics.

3.1.2.4 Reporting

Each year, the Internal Specialist, Values and Ethics, reports to the Executive Committee and to the Audit Committee on conflict-of-interest declarations and on threats to independence or objectivity.

3.1.3 Controls designed to prevent fraudulent activities

Under the responsibility of the Chief Financial Officer and the Comptroller, the OAG maintains a risk-based system of internal controls over financial management. These controls are assessed for design and operating effectiveness on a rotational basis. Control assessment work is performed by various key players, such as the external auditors and the Comptroller’s Group. In addition, the Practice Review and Internal Audit (PRIA) group conducts audits and considers fraud risks as part of its risk-based audit plans.

See Annex C.2 for examples of fraud prevention controls.

3.2 Fraud detection

3.2.1 Mechanism to report fraud

As indicated in the OAG’s Fraud Prevention Policy, the Office has an open-door policy for reporting suspected fraud. Section 4.1 of this guide describes how to report a suspected fraud at the OAG.

3.2.2 Controls designed to detect fraudulent activities

As mentioned in Section 3.1.3, the OAG maintains a risk-based system of internal controls over financial management. As part of this system, the Comptroller’s Group conducts data mining and data analytics activities, in collaboration with the data analytics team.

See Annex C.2 for examples of fraud detection controls.

4. Investigations of fraud allegations

Tips are the most popular fraud detection method, representing close to 40 percent of all fraud detection. Organizations need a thorough approach to manage and investigate fraud allegations, including those received through tips.

At the Office of the Auditor General of Canada (OAG), a mechanism is in place to solicit and receive information on potential fraud, and a formal approach is used to help ensure that potential fraud is addressed appropriately and in a timely manner.

4.1 Mechanism to report fraud

As mentioned in the OAG’s Fraud Prevention Policy, any suspected fraud must be reported immediately. The OAG promotes an open-door policy for reporting suspected fraud and has implemented secure, non-retaliating, and confidential channels for individuals to report suspected fraud. The OAG employees may report suspected fraud to any of the following:

Departmental Security Officer (DSO)
Legal Services
Chief Financial Officer
Human Resources managers
Internal Specialist, Values and Ethics
Chief Audit Executive
Senior Officer for disclosure
The Auditor General
Chair of the Audit Committee

The CFO is responsible for the coordination and the uniform application of the mechanism to report suspected fraud through the open-door approach.

4.2 Formal approach to address allegations of fraud

A formal approach has been established to assess, investigate, monitor, take corrective actions, and report on allegations of fraud.

The CFO manages all fraud allegations and oversees the investigation process, with the support of others, as needed. The CFO consults, as needed, the DSO, Legal Services, Human Resources, the Internal Specialist for Fraud, and the Internal Specialist, Values and Ethics. The CFO monitors compliance with the formal approach.

The approach is intended to provide a prompt, competent, and confidential evaluation, review, investigation (where necessary), and resolution of fraud allegations.

4.2.1 Assessment of the allegations of fraud

Fraud allegations are managed and assessed by the CFO, with the support of others as needed. The allegations are discussed in a manner that protects confidentiality. Depending on the severity of the fraud allegation, other internal services may need to be consulted.

4.2.2 Investigation of the allegations of fraud

Investigations of fraud allegations are conducted, when necessary, following the OAG Policy on Workplace Investigations. The CFO acts as the senior officer for fraud investigations as defined in that policy.

4.2.3 Monitoring of the allegations of fraud

The monitoring of fraud allegations includes maintaining a log of the allegations with sufficient information to track the status and the outcome of allegations. As well, appropriate and sufficient information is kept on file to support the evaluation of unfounded allegations.

4.2.4 Corrective actions

Corrective actions are taken when appropriate, such as disciplinary actions.

As part of the formal approach for addressing fraud allegations, the identification of root causes may identify similar situations that exist elsewhere in the organization. In these cases, the CFO determines whether there is a need to enhance certain internal controls or re-engineer certain business processes to reduce or remove the opportunity for similar incidents in the future.

The CFO considers the potential impact of the corrective actions and the message it may send to the employees, the public, stakeholders, and others.

The CFO monitors the implementation of actions recommended to mitigate future incidents.

4.2.5 Reporting on the allegations of fraud

The CFO reports to the Executive Committee and to the Audit Committee on the management of fraud allegations, including key information such as the status and the outcome of the allegation, the resolution time, and the implementation of corrective actions.

5. Continuous improvement of the Fraud Risk Management Framework

The changing environment in which organizations operate requires an ongoing reassessment of fraud exposures and responses.

The Chief Financial Officer (CFO) is responsible for monitoring the Fraud Risk Management Framework and making improvements where needed. This is done on an ongoing basis (see Annex B).

The CFO is also responsible for assessing whether the Office of the Auditor General of Canada’s (OAG’s) Fraud Risk Management Framework is meeting its objectives and for making changes as necessary. This is done at least every three years.

The results of these assessments are communicated in a report to the Executive Committee and to the Audit Committee.

Fraud Risk Management Tools

The following are the main tools that the Office of the Auditor General of Canada (OAG) uses to manage its fraud risks.

Annex A: Roles and Responsibilities

This table outlines who is accountable as Lead (L) or Support (S) for each key element of the OAG Fraud Risk Management Framework. It does not list all parties who are or could be involved in each key element.

Section	Key elements of the Framework	Audit CommitteeAC	chief financial officerCFO	Internal Specialist for FraudISF	executive committeeEC	Practice Review and Internal AuditPRIA	managementMgmt	Internal Specialist, Values and EthicsISVE	Legal	Human ResourcesHR	Professional DevelopmentPD
Legend: AC: Audit Committee CFO: Chief Financial Officer DSO: Departmental Security Officer EC: Executive Committee HR: Human Resources ISF: Internal Specialist for Fraud ISVE: Internal Specialist, Values and Ethics Legal: Legal Services Mgmt: Management PD: Professional Development PRIA: Practice Review and Internal Audit
1.	Governance over fraud risks
1.1	Oversight	leadL			L
1.2	Internal Specialist, Values and Ethics							L
1.3	Values and ethics code								supportS	L
1.4	Conflict of interest and post-employment guidance								S	L
1.5	Risk-based internal audit plan					L
1.6	Process to investigate fraud allegations (see Section 4)		L	S
1.7	Fraud Prevention Policy (Annex D)		L	S					S
2.	Fraud Risk Assessment		L	S	S		S
3.	Controls to prevent and detect fraud
3.1	Fraud prevention
3.1.1	Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time			S							L
3.1.2	Conflict of interest (COI): Mitigate conflicts of interest					S		L		L
3.1.3	Controls designed to prevent fraudulent activities		L	S		S	S			S
3.2	Fraud detection
3.2.1	Mechanism to report fraud (see Section 4.1)		L
3.2.2	Controls designed to detect fraudulent activities		L	S		S	S			S
4.	Investigations of fraud allegations
4.1	Mechanism to report fraud		L
4.2	Formal approach to address allegations of fraud		L	S
5.	Continuous improvement of the Fraud Risk Management Framework		L	S

Annex B: Monitoring work plan for the Internal Specialist for Fraud

This document serves as a work plan for the Internal Specialist for Fraud to monitor the proper application of the OAG Fraud Risk Management Framework.

This document shows

the various steps to fulfill responsibilities related to the framework as detailed in this guide,
who is responsible for fulfilling those steps, and
when the Internal Specialist will monitor them.

Section	Item	Done by	JanuaryJ	FebruaryF	MarchM	AprilA	MayM	JuneJ	JulyJ	AugustA	SeptemberS	OctoberO	NovemberN	As required or continuousAR/C
			Internal Specialist for Fraud—Monitoring Schedule by Month
Legend: AC: Audit Committee AR/C: As required or continuous CAE: Chief Audit Executive CFO: Chief Financial Officer EC: Executive Committee HR: Human Resources ISF: Internal Specialist for Fraud ISVE: Internal Specialist, Values and Ethics PD: Professional Development PRIA: Practice Review and Internal Audit
1.	Governance over fraud risks
1.1	Oversight
	Providing oversight of Fraud Risk Management Framework, including Fraud Risk Assessment	audit committeeAC	X
	Determining the risk tolerance to fraud	executive committeeEC										X
	Discussing fraud risks and the Fraud Risk Assessment	EC											X
1.2	Internal Specialist, Values and Ethics
	Reporting activities annually to the Audit Committee (in collaboration with human resourcesHR)	Internal Specialist, Values and EthicsISVE										X
1.3	Values and ethics code
	Ensuring that the values and ethics code is reviewed as required	HR												X
1.4	Conflict of interest and post-employment guidance (see Section 1.3)	HR												X
1.5	Risk-based internal audit plan	chief audit executiveCAE					X
1.6	Process to investigate fraud allegations is implemented (see Section 4)	chief financial officerCFO												X
1.7	Fraud Prevention Policy (Annex D)
	Periodic assessment of the effectiveness and application of the policy	CFO								X
	Policy review	CFO									X
2.	Fraud Risk Assessment
2.1	Conduct a Fraud Risk Assessment that includes best practices
	Assisting the service and practice leaders with the Fraud Risk Assessment process	CFO												X
	Reviewing annually the risk assessments of each service and practice leader to ensure that best practices are followed, as described in sections 2.1.1 to 2.1.7	CFO								X
	Ensuring follow-up on the status of the implementation of the remediation plans	CFO								X
	Assessing the OAG control environment with regard to fraud risks, using the Fraud Prevention and Detection Scorecard (Annex C.2)	CFO									X
	Compiling and concluding on the results of the Fraud Risk Assessment	CFO										X
	Certification on the adequacy of the Office’s Fraud Risk Assessment (Annex C)	CFO										X
	Reporting the compiled results and conclusions of the Fraud Risk Assessment to the Executive Committee	CFO										X
	Reporting the compiled results and conclusions of the Fraud Risk Assessment to the Audit Committee	CFO	X
3.	Controls to prevent and detect fraud
3.1	Fraud prevention
3.1.1	Training on values, ethics, and conflicts of interest, and targeted fraud training, delivered on time
	Monitoring timely participation in mandatory training on values and ethics and COI	professional developmentPD							X
	Reporting results to the Executive Committee	PD								X
	Reporting results to the Audit Committee	PD								X
	Reassessing the fraud training needs and priorities as part of the Strategic Plan in Relation to Fraud	ISF					X
3.1.2	Conflict of interest (COI): Mitigate conflicts of interest
3.1.2.1	Effective management of the declarations of COI
	Maintaining comprehensive log	ISVE								X
3.1.2.2	Employee declarations done whether or not employees have a conflict of interest
	Monitoring of annual declarations	HR								X
	Referring cases, including exceptions, to Internal Specialist, Values and Ethics	HR												X
	Reporting results to the Executive Committee	HR										X
	Reporting results to the Audit Committee	HR										X
	Monitoring of exception reports	ISVE												X
	Monitoring effective application of the Independence Confirmation process (practice reviews)	Practice Review and Internal AuditPRIA				X
3.1.2.3	Service standards to respond to declared COI
	Monitoring and reporting on performance against service standards	ISVE										X
3.1.2.4	Reporting
	Reporting on conflict-of-interest declarations and threats to independence and objectivity to the Executive Committee	ISVE										X
	Reporting on conflict of interest declarations and threats to independence and objectivity to the Audit Committee	ISVE										X
3.1.3	Controls designed to prevent fraudulent activities	CFO						X
	Performing control assessment work (Internal Control of Financial Reporting (ICFR))	CFO and Comptroller							X
	Ensuring internal audits include some control testing	PRIA			X
3.2	Fraud detection
3.2.1	Mechanism to report fraud (see Section 4.1)
3.2.2	Controls designed to detect fraudulent activities	CFO						X
	Performing control assessment work (ICFR)	CFO and Comptroller							X
	Ensuring internal audits include some control testing	PRIA			X
	Monitoring through data analytics and data mining	CFO and Comptroller								X
4.	Investigations of fraud allegations
4.1	Mechanism to report fraud
	Receiving allegations as part of the open-door approach in the Fraud Prevention Policy	CFO												X
	Coordination and monitoring of uniform application of the fraud reporting mechanism through the open-door approach	CFO		X
4.2	Formal approach to address allegations of fraud
4.2.1	Assessment of the allegations of fraud
	Ensuring that allegations of fraud are managed	CFO												X
	Ensuring that allegations of fraud are assessed and involve key players as necessary	CFO												X
	Ensuring that key players, such as the Internal Specialist for Fraud, the Departmental Security Officer, Legal Services, Human Resources, or the Internal Specialist, Values and Ethics, are involved when needed	CFO												X
4.2.2	Investigation of the allegations of fraud
	Ensuring that investigations of allegations of fraud are conducted following the Policy on Workplace Investigations	CFO												X
4.2.3	Monitoring of the allegations of fraud
	Monitoring of the allegations of fraud, including maintaining a log of the allegations with sufficient information to track the status and the outcome of allegations. As well, sufficient information is retained to justify the evaluation of unfounded allegations.	CFO												X
4.2.4	Corrective actions
	Ensuring that corrective actions are taken when appropriate (for example, disciplinary actions or enhancements to internal controls or processes to reduce or remove the opportunity for similar incidents in the future)	CFO												X
	Monitoring the implementation of actions recommended to mitigate future incidents	CFO												X
4.2.5	Reporting on the allegations of fraud
	Reporting to the Executive Committee and to the Audit Committee on the management of fraud allegations	CFO												X
5.	Continuous improvement of the Fraud Risk Management Framework
	Monitoring the Framework and making improvements where needed	CFO/ISF									X
	Assessing if the Fraud Risk Management Framework is meeting its objectives and making changes as necessary	CFO/ISF									X
	Communicating the results to the Executive Committee	CFO										X
	Communicating the results to the Audit Committee	CFO	X

Annex C: Annual Certification on the Adequacy of the Office’s Fraud Risk Assessment

This certification is completed each year by the Chief Financial Officer (CFO).

Context:

As part of the Office’s annual risk assessment process, each senior manager who is responsible for a function

certifies that he/she has identified, reviewed, and assessed strategic, compliance, and operational risks (including fraud risks) for his/her functional area;
establishes risk mitigation strategies for high and very high residual fraud risks; and
discusses the function’s risk and mitigation strategies with the responsible Assistant Auditor General.

As part of this process, the Internal Specialist for Fraud

assists the service and practice leaders with the Fraud Risk Assessment process;
reviews the fraud component of the risk assessment of each service and practice leader to ensure that it follows best practices and that it includes the key elements;
discusses the fraud risk assessments with the service and practice leaders as necessary; and
ensures follow-up on the status of the implementation of mitigation strategies.

The Internal Specialist for Fraud also assesses the OAG control environment for fraud risk management, using the Fraud Prevention and Detection Scorecard (Annex C.2).

As part of those procedures, the Internal Specialist for Fraud reports results to the CFO, who certifies the adequacy of the Office’s Fraud Risk Assessment.

Certification:

As the Internal Specialist for Fraud, I confirm that I have reviewed the Risk Assessment of each service and practice leader to ensure that the key fraud risks have been properly identified, assessed, and addressed when required. I have also assessed the control environment for fraud risk management.

As the CFO, I certify the adequacy of the Office’s Fraud Risk Assessment.

Key Observations and Conclusion:

1) Results of Fraud Risk Assessments:

2) Control Environment:

Signature
Internal Specialist for Fraud

Date

Signature
Chief Financial Officer

Date

Annex C1: Detailed Cumulative Fraud Risk Assessment

This Detailed Cumulative Fraud Risk Assessment supports the Annual Certification on the Adequacy of the Office’s Fraud Risk Assessment (Annex C).

Detailed Cumulative Fraud Risk Assessment spreadsheet

Text version

This spreadsheet is to be filled out when conducting a detailed cumulative fraud risk assessment. The spreadsheet includes the following categories:

Risk number
Scenario number
Scheme types
Function
Main activities/processes
Business owner
Original 2017 risk statement
Link to strategic objectives
Fraud risk scenario description
Inherent risk likelihood (low, medium, high, or very high)
Inherent risk impact (low, medium, high, or very high)
Inherent risk level (normal to very high)
Preventive controls
Detective controls
Corrective controls
Control effectiveness assessed
Residual risk level (normal to very high)
Rationale for residual risk level
Residual risk trend from previous year (stable, increasing, decreasing)
Residual risk response (accept, avoid, reduce, or share)
Risk response explanation
Residual risk response strategy—mandatory for high or very high residual risk levels

Scale to refer to when completing the Detailed Cumulative Fraud Risk Assessment spreadsheet

Text version

This table represents a risk assessment scale to refer to when completing the following four categories of the Detailed Cumulative Fraud Risk Assessment template: inherent risk likelihood, inherent risk impact, inherent risk level, and residual risk level.

The table indicates the following four risk likelihood levels—within the foreseeable future—based on probability or observed frequency:

Very high (likely or frequent)
High (probable)
Medium (possible—could occur occasionally)
Low (unlikely, though possible)

The table also indicates the following four risk impact levels—as a factor of potential severity, scope, and impacts on the operations of the Office of the Auditor General of Canada:

Very high
High
Medium
Low

In addition, the table indicates the following six overall risk levels, which are determined by where risk likelihood and risk impact levels intersect:

Very high—Mitigate and monitor (extensive senior management involvement)
High—Mitigate and monitor (inform senior management)
Elevated to high—Mitigate and monitor (inform senior management)
Elevated—Mitigate and monitor
Normal to elevated—Monitor, possible mitigation
Normal—Accept

The following are the overall risk levels for all 16 scenarios:

When the risk likelihood is low and the risk impact is very high, then the overall risk level is elevated.
When the risk likelihood is low and the risk impact is high, then the overall risk level is elevated.
When the risk likelihood is low and the risk impact is medium, then the overall risk level is normal to elevated.
When the risk likelihood is low and the risk impact is low, then the overall risk level is normal.
When the risk likelihood is medium and the risk impact is very high, then the overall risk level is high.
When the risk likelihood is medium and the risk impact is high, then the overall risk level is elevated to high.
When the risk likelihood is medium and the risk impact is medium, then the overall risk level is elevated.
When the risk likelihood is medium and the risk impact is low, then the overall risk level is normal to elevated.
When the risk likelihood is high and the risk impact is very high, then the overall risk level is very high.
When the risk likelihood is high and the risk impact is high, then the overall risk level is high.
When the risk likelihood is high and the risk impact is medium, then the overall risk level is elevated to high.
When the risk likelihood is high and the risk impact is low, then the overall risk level is elevated.
When the risk likelihood is very high and the risk impact is very high, then the overall risk level is very high.
When the risk likelihood is very high and the risk impact is high, then the overall risk level is very high.
When the risk likelihood is very high and the risk impact is medium, then the overall risk level is high.
When the risk likelihood is very high and the risk impact is low, then the overall risk level is elevated.

Annex C2: Fraud Prevention and Detection Scorecard

Context:

This tool supports the Annual Certification on the Adequacy of the Office’s Fraud Risk Assessment (Annex C).

It is inspired by Managing the Business Risk of Fraud: A Practical Guide (issued by the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners). It is used as a guide to assess the Office’s control environment over fraud risk. It is completed by the Internal Specialist for Fraud in consultation with other stakeholders as part of the annual Fraud Risk Assessment.

To assess the strength of the organization’s fraud prevention system, carefully assess each area below and score the area, factor, or consideration as follows:

Red: indicating that the area, factor, or consideration needs substantial strengthening and improvement to bring fraud risk down to an acceptable level.

Yellow: indicating that the area, factor, or consideration needs some strengthening and improvement to bring fraud risk down to an acceptable level.

Green: indicating that the area, factor, or consideration is strong and fraud risk has been reduced—at least—to a minimally acceptable level.

Each area, factor, or consideration scored either red or yellow should have a note associated with it that describes the action plan for bringing it to green on the next scorecard.

No.	Fraud prevention area, factor, or consideration	Score	Notes	Action item
P1	Our organizational culture—tone from the top—is as strong as it can possibly be and establishes a zero-tolerance environment with respect to fraud.
P2	Our organization’s top management consistently displays the appropriate attitude regarding fraud prevention and encourages free and open communication regarding ethical behaviour.
P3	Our code of conduct has specific provisions that address and prohibit inappropriate relationships whereby members of our Executive Committee or members of management could use their position for personal gain or other inappropriate purposes.
P4	We have done a rigorous fraud risk assessment using the COSO Enterprise Risk Management Integrated Framework and have taken specific actions to strengthen our prevention mechanisms as necessary.
P5	We have addressed the strengths and weaknesses of our internal control environment adequately and have taken specific steps to strengthen the internal control structure to help prevent the occurrences of fraud.
P6	We have assessed the alignment of authorities and responsibilities at all levels of organizational management and are not aware of any misalignments that might represent vulnerabilities to fraud.
P7	Our Audit Committee has taken a very proactive posture with respect to fraud prevention.
P8	Our Audit Committee is composed only of independent members and includes persons with financial accounting and reporting expertise.
P9	Our Audit Committee meets at least quarterly and devotes substantial time to assessing fraud risk and proactively implementing fraud prevention mechanisms.
P10	We have a strong internal audit function that operates independently of management. The charter of our internal audit function expressly states that the internal audit team will help prevent and detect fraud and misconduct.
P11	We have designated an individual with the authority and responsibility for overseeing and maintaining our fraud prevention programs and have given this individual the resources needed to manage our fraud prevention programs effectively. This individual has direct access to the Audit Committee.
P12	Our Human Resources function conducts background investigations with the specific objective of assuring that persons with inappropriate records or characters inconsistent with our corporate culture and ethics are identified and eliminated from the hiring process.
P13	Personnel involved in the financial reporting process have been assessed with regard to their competencies and integrity and have been found to be of the highest calibre.
P14	All our employees, vendors, and contractors have been made aware of our zero-tolerance policies related to fraud and are aware of the appropriate steps to take in the event that any evidence of possible fraud comes to their attention.
P15	We have a rigorous program for communicating our fraud prevention policies and procedures to all employees, vendors, contractors, and business partners.
P16	We have policies and procedures in place for authorization and approval of certain types of transactions and for certain values of transactions to help prevent and detect the occurrences of fraud.
P17	Our performance measurement and evaluation process includes an element specifically addressing ethics and integrity as well as adherence to the Values and Ethics Code for the Public Sector and the OAG’s Code of Values, Ethics and Professional Conduct.
P18	We have an effective whistleblower protection program in place, and its existence and procedures are known to all employees, vendors, contractors, and partners.
P19	We review the above fraud preventive mechanisms on an ongoing basis and document these reviews as well as the communication with the Audit Committee regarding areas that need improvement.
P20	We have a fraud response plan in place and know how to respond if a fraud allegation is made. The fraud response plan considers who should perform the investigation how the investigation should be performed when a voluntary disclosure to the government should be made how to determine the remedial action how to remedy control deficiencies identified how to administer disciplinary action

No.	Fraud detection area, factor, or consideration	Score	Notes	Action item
D1	We have integrated our fraud detection system with our fraud prevention system in a cost-effective manner.
D2	Our fraud detection processes and techniques pervade all levels of responsibility within our organization, from the Audit Committee, to managers at all levels, to employees in all areas of operations.
D3	Our fraud detection policies include communicating to employees, vendors, and stakeholders that a strong fraud detection system is in place, but certain critical aspects of these systems are not disclosed to maintain the effectiveness of hidden controls.
D4	We use mandatory vacation periods or job rotation assignments for employees in key finance and accounting control positions.
D5	We periodically reassess our risk assessment criteria as our organization grows and changes to make sure we are aware of all possible types of fraud that may occur.
D6	Our fraud detection mechanisms place increased focus on areas in which we have concluded that preventive controls are weak or are not cost-effective.
D7	We focus our data analysis and continuous auditing efforts based on our assessment of the types of fraud schemes to which organizations like ours are susceptible.
D8	We take steps to ensure that our detection processes, procedures, and techniques remain confidential so that ordinary employees—and potential fraud perpetrators—do not become aware of their existence.
D9	We have comprehensive documentation of our fraud detection processes, procedures, and techniques so that we maintain our fraud detection vigilance over time and as our fraud detection team changes.
D10	Our detective controls include a well-publicized and well-managed fraud hotline.
D11	Our fraud hotline program provides anonymity to individuals who report suspected wrongdoing.
D12	Our fraud hotline program includes assurance that employees who report suspected wrongdoing will not face retaliation. We monitor for retaliation after an issue has been reported.
D13	Our fraud hotline uses a case management system to log all calls and their follow-up to resolution, is tested periodically by our internal auditors, and is overseen by the Audit Committee.
D14	Our information systems/IT process controls include controls specifically designed to detect fraudulent activity, as well as errors, and include reconciliation, independent review, physical inspections/counts, analysis, audits, and investigations.
D15	Our internal audit team’s charter includes emphasis on conducting activities designed to detect fraud.
D16	Our internal auditors participate in the Fraud Risk Assessment process and plan fraud detection activities based on the results of this risk assessment.
D17	Our internal auditors report to the Audit Committee and focus appropriate resources on assessing management’s commitment to fraud detection.
D18	Our internal audit team is adequately funded, staffed, and trained to follow professional standards, and our internal audit personnel possess the appropriate competencies to support the group’s objectives.
D19	Our internal audit function performs risk-based assessments to understand motivation and where potential manipulation may take place.
D20	Our internal audit personnel are aware of, and are trained in, the tools and techniques of fraud detection, response, and investigation as part of their continuing education program.
D21	Our data analysis programs focus on journal entries and unusual transactions, and transactions occurring at the end of a period or those that were made in one period and reversed in the next.
D22	Our data analysis programs identify journal entries posted to revenue or expense accounts that improve net income or otherwise serve to meet analysts’ expectations or incentive compensation targets.
D23	We have systems designed to monitor journal entries for evidence of possible management override efforts intended to misstate financial information.
D24	We use data analysis, data mining, and digital analysis tools to (a) identify hidden relationships among people, organizations, and events; (b) identify suspicious transactions; (c) assess the effectiveness of internal controls; (d) monitor fraud threats and vulnerabilities; and (e) consider and analyze large volumes of transactions on a real-time basis.
D25	We use continuous auditing techniques to identify and report fraudulent activity more rapidly, including Benford’s Law analysis to examine expense reports, general ledger accounts, and payroll accounts for unusual transactions, amounts, or patterns of activity that may require further analysis.
D26	We have systems in place to monitor employee email for evidence of potential fraud.
D27	Our fraud detection documentation identifies the individuals and services responsible for designing and planning the overall fraud detection process designing specific fraud detective controls implementing specific fraud detective controls monitoring specific fraud detective controls and the overall system of these controls for realization of the process objective receiving and responding to complaints related to possible fraudulent activity investigating reports of fraudulent activity communicating information about suspected and confirmed fraud to appropriate parties periodically assessing and updating the plan for changes in technology, processes, and organization
D28	We have established measurement criteria to monitor and improve compliance with fraud detective controls, including the number of, and loss amounts from, known fraud schemes committed against the organization number and status of fraud allegations received by the organization that required investigations number of fraud investigations resolved number of employees who have signed the corporate ethics statement number of employees who have completed ethics training required by the Office number of whistleblower allegations received number of messages supporting ethical behaviour delivered to employees by executives number of vendors who have signed the Office’s Code of Values, Ethics and Professional Conduct number of fraud audits performed by internal auditors
D29	We periodically assess the effectiveness of our fraud detection processes, procedures, and techniques; document these assessments; and revise our processes, procedures, and techniques as appropriate.

Annex D: Fraud Prevention Policy

1. Effective date

This Policy is effective on 19 April 2018.

2. Application

This Policy applies to any alleged or detected fraud, involving employees of the Office of the Auditor General of Canada (OAG) as well as consultants, vendors, contractors, and outside parties with a business relationship with the OAG. Any investigative activities required will be conducted without regard to the suspected individual’s length of service, position/title, or relationship to the OAG.

Fraud is defined as an intentional act by one or more individuals among employees, management, those charged with governance (internal), or third parties (external) involving the use of deception to obtain an unjust or illegal advantage. The three primary categories of internal fraud are corruption, asset misappropriation, and financial statement fraud.

Examples of fraud include but are not limited to

misusing influence in transactions for benefit;
misappropriation of funds, supplies, or other assets;
impropriety with intent in the handling or reporting of money or financial transactions;
disclosing confidential and proprietary information to outside parties for benefit;
accepting or seeking anything of material value from audited entities, contractors, vendors, or persons providing services/materials to the OAG;
destruction, removal, or inappropriate use of records, furniture, fixtures, and equipment; and/or
accepting bribes or benefits to act.

3. Policy statement

The OAG is committed to

establishing a zero-tolerance environment with respect to fraud;
consistently displaying the appropriate attitude regarding fraud prevention and encouraging free and open communication regarding ethical behaviour; and
maintaining an open-door approach to reporting suspected fraud.

The OAG has developed a comprehensive Fraud Risk Management Framework that guides the organization in implementing best practices to identify, address, and manage its fraud risks. This policy is part of the Framework under Section 1. Governance over fraud risks.

4. Policy objective

The purpose of this Policy is to

improve the knowledge and awareness of all OAG employees to the potential risks of fraud;
set out responsibilities regarding the prevention, detection, and investigation of fraud;
send a clear message that fraud will not be tolerated; and
assist in promoting a climate of openness and a culture where employees feel able to raise concerns without fear of retaliation.

5. Roles and responsibilities

Auditor General’s responsibilities:

Under s.16.4 (1) (b) of the Financial Administration Act, Deputy Heads, in their role as accounting officers, are accountable before committees of Parliament for the measures taken to maintain systems of internal control in their departments.
The Treasury Board Policy on Financial Management requires Deputy Heads to ensure that a risk-based departmental system of internal control over financial management, which includes managing the risk of fraud, is established, monitored, and maintained.
Under s.16.1 of the Financial Administration Act, Deputy Heads are responsible for ensuring an internal audit capacity appropriate to the needs of the department. Furthermore, under s.4.1.2 of the Policy on Internal Audit, they are responsible for ensuring that internal audits are carried out in accordance with the Institute of Internal Auditors’ International Professional Practices Framework (IPPF). The IPPF includes specific references in the standards pertaining to internal audit’s role regarding fraud.

Chief Financial Officer’s responsibilities:

In support of Deputy Heads, the Treasury Board Policy on Financial Management requires that Chief Financial Officers (CFOs):
- establish, monitor, and maintain a risk-based system of internal control over financial management;
- provide reasonable assurance that financial resources are safeguarded against material loss; and
- take prompt corrective action when control weaknesses and material unmitigated risks are identified, including the risk of fraud.
The CFO, with the assistance of the Internal Specialist for Fraud, is responsible for proper application of the OAG Fraud Prevention Policy.

Chief Audit Executive’s responsibilities:

Under Section 4.1.1 of the Directive on Internal Audit, chief audit executives are responsible for applying the IPPF in the department, which includes the standards pertaining to fraud management.

Managers’ responsibilities:

Each manager must be familiar with the types of fraud risks within his or her area of responsibility and be alert for any indication of fraud.

Employees’ responsibilities (including managers):

Report cases of suspected fraud promptly and appropriately.
Be familiar with and comply with the OAG’s Code of Values, Ethics and Professional Conduct.
Act in good faith and on the basis of reasonable belief in reporting alleged fraud activity.

6. Mechanism to report fraud

Any suspected fraud must be reported immediately. The OAG promotes an open-door policy with regard to reporting suspected fraud and has implemented secure, non-retaliating, and confidential channels for individuals to report suspected fraud. OAG employees may report suspected fraud to any of the following:

Departmental Security Officer (DSO)
Legal Services
Chief Financial Officer
Human Resources managers
Internal Specialist, Values and Ethics
Chief Audit Executive
Senior Officer for disclosure
The Auditor General
Chair of the Audit Committee

The CFO manages all fraud allegations and oversees the investigation process (if necessary) with the support of the Internal Specialist for Fraud. The CFO consults when needed with the DSO, Legal Services, Human Resources, and the Internal Specialist, Values and Ethics.

This policy does not preclude an employee to present a complaint to the Senior Integrity Officer in accordance with the Public Servants Disclosure Protection Act.

7. Formal approach to address allegations of fraud

The OAG has established a formal approach to assess, investigate, monitor, take corrective actions, and report on allegations of fraud. (Refer to the Guide on Managing Fraud Risks at the Office of the Auditor General of Canada and the Policy on Workplace Investigations for details.)

Appropriate disciplinary measures, up to termination of employment, will be taken by the OAG as a result of a fraudulent action. As well, a decision regarding referral of the investigation results to the appropriate law enforcement and/or regulatory agencies for independent investigation will be made by the CFO in consultation with Legal Services and senior management and management of the appropriate services, as will final decisions on disposition of the case.

A fraud investigation under this policy does not preclude the OAG Practice Review and Internal Audit function to initiate an audit.

8. Non-retaliation

Employees will not be penalized or disciplined for making a complaint in good faith. Disciplinary action will be taken against anyone who takes any reprisal against a person who reports, in good faith, an incident of alleged or detected fraud.

9. Communication

This policy shall be made available on the OAG Intranet.

10. Policy compliance and review

Adherence of OAG employees to this policy will be monitored by, including but not limited to, investigation, audit, and/or review of records.

The CFO, with the assistance of the Internal Specialist for Fraud, in consultation with stakeholders, will review and update this policy at a minimum every three years, or earlier if needed. Any changes to the policy must be approved by the Executive Committee.