Audit of fraud management

Project 6B296
Date: October 2018


Executive summary

The objective of this audit was to examine the effectiveness of Fisheries and Oceans Canada’s fraud risk management framework. The audit focused on the Department’s governance and oversight of fraud-related risks, the process for identifying, assessing and managing fraud-related risks, internal controls to prevent and detect fraud, and the process for reporting wrongdoing and conducting administrative investigations.

The audit was carried out in the National Capital Region through the review of Departmental documents, and interviews with Departmental officials and selected representatives from all DFO and CCG regions and sectors. The audit did not include testing of the design or operating effectiveness of internal controls or testing of financial transactions.

Why this audit is important

Fraud is an intentional act to deceive to obtain an illegal advantage, personal gain or benefit that can occur in, and significantly impact, any organization. When fraud or other wrongdoing occurs in a federal government organization, it can undermine Canadians’ confidence in public administration and lead to the loss of assets, funds, information, and reputation.

Although there is no estimate of the monetary effect of fraud on the Government of Canada, a 2018 Global Study by the Association of Certified Fraud Examiners reported that all types of organizations suffer significant losses due to fraud. For this reason, federal government organizations must effectively manage the risk of fraud, both internal and external, to help ensure that organizational assets, information, employees, and reputation are protected.

Managing fraud-related risks is a shared responsibility between senior management and employees. Senior management is responsible for establishing and communicating an effective fraud risk management framework. They are also responsible for helping ensure that employees are aware of and adhere to organizational policies guiding expected behavior, including a code of values and ethics and disclosing conflicts of interest. Employees are responsible for ensuring their conduct and behavior respect organizational policies, along with being vigilant to report fraud, wrongdoing and other misconduct.

The implementation of a successful fraud risk management framework requires effective oversight, communication, coordination, monitoring and reporting among many operational areas to help deter, prevent and detect fraud and fraud-related risks. This is particularly true for Fisheries and Oceans Canada given the Department’s decentralized organizational and geographically dispersed operational structure.

Key findings

Governance

The Department has established a governance process to oversee fraud-related risks through the monitoring of administrative investigations, as well as the development of a suite of policies to guide employee behavior and accountability on values and ethics, conflict of interest, and disclosure of wrongdoing. There are opportunities for more frequent senior management communication on fraud, wrongdoing, values and ethics and conflict of interest, along with a process to monitor employee acknowledgment of the Values and Ethics Code and compliance with conflict of interest disclosure requirements.

Risk assessment

There is an opportunity to improve the Department’s approach to identifying and managing fraud-related risks by regularly updating the Department’s fraud risk assessment and identifying high-risk operational areas and financial transactions vulnerable to fraud.

Control and monitoring activities

The Department has implemented some controls and processes to monitor selected financial transactions. There is an opportunity to improve the effectiveness of these controls by developing a data-driven, risk-based approach and methodology for the sampling and testing of high-risk financial transactions. There is also an opportunity to improve awareness of fraud-related risks in Departmental training on values and ethics, conflict of interest, use of acquisition cards and financial delegation.

Administrative investigations

The Department has established a confidential process for employees to report fraud, wrongdoing and other breaches of the Departmental Values and Ethics Code, and established a central group responsible for planning, conducting and reporting administrative investigations. The Department is also implementing measures to improve the effectiveness and efficiency of investigations through a process review and resource plan.

Conclusion

The audit concluded that the Department has implemented some elements of an effective fraud risk management framework. Specifically, the Department has implemented a governance process to oversee fraud-related risks, a policy suite which establishes behavioral and accountability expectations for all employees, and a confidential process for employees to report wrongdoing.

The audit identified opportunities to improve the Department’s fraud risk management practices in the following areas:

  • More frequent senior management communication of the Department’s position on fraud, wrongdoing, values and ethics, and conflict of interest.
  • Updating the Department’s fraud risk assessment on a regular basis to identify high-risk operational areas and financial transactions vulnerable to fraud, wrongdoing, and conflict of interest.
  • Improving existing data and risk-based approaches and methodologies over account verification to test and monitor internal control effectiveness over high-risk financial transactions on a continuous basis.
  • More frequent communication and promotion of Departmental training on values and ethics, conflict of interest, use of acquisition cards and financial delegation training to raise awareness of fraud-related risks.

Statement of conformance

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing as supported by the results of the Quality Assurance and Improvement Program of Fisheries and Oceans Canada’s Internal Audit Directorate.

Introduction

This audit was initiated in accordance with the Risk-Based Audit Plan 2017–2020 for Fisheries and Oceans Canada (DFO). This is the first fraud-related audit conducted by DFO’s Internal Audit Directorate (IAD). In fiscal year 2014-15, IAD contracted an external firm to conduct a fraud risk assessment to identify gaps and weaknesses in Departmental internal controls to mitigate risks and develop a management action plan to address assessment findings. The assessment was conducted according to a methodology consistent with the COSO Integrated Framework as it is recognized across both government and industry as the accepted standard from which to assess an organization’s risk management practices and processes. The risk assessment results and management action plan were approved by the Departmental Audit Committee (DAC) in March 2015.

Audit objective

The objective of this audit was to examine the effectiveness of Fisheries and Oceans Canada’s fraud risk management framework. The audit focused on the Department’s governance and oversight of fraud and fraud-related risks, the process for identifying, assessing and managing fraud-related risks, internal controls to prevent and detect fraud, and the process for reporting wrongdoing and conducting administrative investigations.

Audit scope and approach

The scope of the audit examined whether the Department has a governance process to oversee and monitor fraud risks, a Department-wide approach to identify, assess and manage fraud and fraud-related risks, internal controls to prevent and detect potential fraud in Departmental financial transactions, a confidential disclosure process, and a process to conduct administrative investigations. See Appendix A for Lines of Enquiry and Audit Criteria.

The audit was carried out in the National Capital Region (NCR) through the review of Departmental documents, and interviews with Departmental officials within the NCR and selected representatives from all DFO and CCG regions and sectors. The audit did not include testing of the design or operating effectiveness of internal controls, testing of financial transactions, or review of conflict of interest or administrative investigation files. See Appendix B for Recommendations and Management Action Plans.

Audit findings

1. Governance

The audit examined whether the Department has set the tone for organizational governance and culture by communicating expectations and demonstrating a commitment to ethical values and managing fraud risk.

Departmental committees

The audit examined whether the Department has established committees with a defined role and mandate to oversee fraud, risk management and control that meet regularly and receive sufficient, complete and timely information to oversee, and make decisions related to, managing fraud risks.

The audit found that the Department currently has two committees responsible for the oversight and management of serious and high-risk cases of wrongdoing, including fraud and other misconduct. The National Case Management Oversight Committee (NCMOC) is a Senior Executive Committee responsible for examining trends, lessons learned and mitigation measures arising from incidents and investigations. The NCMOC terms of reference and membership were recently revised and approved, and Committee meetings will begin in Fall 2018. The National Case Management Advisory Committee (NCMAC) is a Senior Director Committee responsible for providing guidance and recommendations on high-risk cases and incidents to the NCMOC. Established in December 2017, the Committee has met on a monthly basis. The audit also found a good reporting practice whereby the Departmental Audit Committee is provided with annual briefings on the status of workplace well-being initiatives, including values and ethics activities, as well as a status report on administrative investigations.

Fraud risk management program

The audit examined whether the Department has developed and communicated a fraud risk management program to all employees, including policies and guidance, to help ensure they are aware of their responsibilities with regard to values and ethics, code of conduct, and conflict of interest.

The audit found that, in comparison to recognized fraud risk management program practices in both government and industry sectors, the Department has implemented some practices, including a governance process consisting of two oversight committees and a suite of policies to guide employee behavior and accountability on values and ethics, conflict of interest, and the disclosure of wrongdoing. Missing elements from the Department’s program include a fraud policy, an updated fraud risk assessment, and a risk-based and data-driven continuous monitoring and reporting model.

Senior management communication

The audit examined whether senior management has communicated and demonstrated to employees a commitment to integrity and ethical values, and that these cannot be compromised.

The audit found that the Department has developed effective tools to communicate important leadership messaging from the Deputy Head, notably on workplace well-being, values and ethics, and mental health. The audit also found that senior management has generally communicated and demonstrated a commitment to integrity, ethical conduct, and intolerance towards wrongdoing and unacceptable behavior. There is an opportunity to increase senior management communication to employees of the Department’s position on fraud, wrongdoing, values and ethics, and conflict of interest. This would convey that senior management is committed to an ethical culture, and that incidents which breach the Values and Ethics Code are taken seriously.

Recommendation:

  • 1. The Assistant Deputy Minister of Human Resources and Corporate Services, in liaison with the Chief Financial Officer, should use existing communications tools to more frequently promote awareness of the Department’s policy positions on fraud, wrongdoing, values and ethics, and conflict of interest.

Management’s response:
Management agrees with the recommendation.

The Assistant Deputy Minister of Human Resources and Corporate Services and Chief Financial Officer will collaborate to:

  • update the Workplace Well-Being website and provide scenario-based guidance to employees on values and ethics, harassment, conflict of interest, fraud and risk; and,
  • develop and communicate fraud prevention tips.

The Assistant Deputy Minister of Human Resources and Corporate Services will:

  • review the Department’s Values and Ethics Code to ensure alignment with legislative amendments; and,
  • provide senior Departmental executives with a monthly report on the number of harassment incidents, including resolved cases.

2. Risk assessment

The audit examined whether the Department has performed comprehensive risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Fraud risk assessment process

The audit examined whether the Department has established a process to regularly identify, assess, respond to, monitor and report on fraud risk as part of the Department-wide risk assessment process. The audit found that the Department has not undertaken an assessment since 2015 of potential fraud risks, or of high-risk operational areas and financial transactions vulnerable to fraud, wrongdoing, and conflict of interest. Regularly updating an organization’s fraud risk assessment is a recognized good practice within government and industry.

Fraud risk committees

The audit examined whether the Department has involved relevant committees and sectors in the fraud risk identification, assessment, and mitigation process including communicating fraud risk management and mitigation strategies. The audit found that fraud-related risks are discussed at senior management Operations Committee and the National Case Management Oversight and Advisory Committees.

Recommendation:
  • 2. The Chief Financial Officer should regularly review and update the Department’s fraud risk assessment to identify and assess potential high-risk areas, fraud risk scenarios and vulnerabilities across operational areas and for financial transactions.

Management’s response:
Management agrees with the recommendation.

The Chief Financial Officer will update the Department’s integrated fraud risk assessment and action plan by March 2019 and every two years thereafter.

3. Control and monitoring activities

The audit examined whether the Department has developed and implemented preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Fraud awareness and training

The audit examined whether the Department has established a process with regard to fraud, values and ethics, and conflict of interest to help ensure employee awareness and acknowledgment, and to provide required training. It also examined whether a process has been established for conflict of interest to be regularly declared, mitigated, monitored, and resolved in a timely manner.

The audit found that the Department has established a suite of policies to assist with employee awareness of their responsibilities for reporting wrongdoing, a Departmental Values and Ethics Code and conflict of interest guidelines. However, the audit found that there is no Departmental control or monitoring process to ensure that employees, particularly those in high-risk operational areas, have acknowledged reading and accepting to abide by the Values and Ethics Code and have completed conflict of interest disclosure requirements. Although there is no policy requirement, a process requiring regular values and ethics affirmation and conflict of interest disclosure is a good practice. The audit also found that the awareness and value of available Departmental training on values and ethics, conflict of interest, and financial delegation could be improved through more frequent communication, promotion and focus on fraud-related risks.

The audit found a good practice in one region where a dedicated onboarding team meets with all new employees to discuss, explain, and ensure acknowledgement of their understanding of the Values and Ethics Code and completion of the conflict of interest disclosure form. The audit also found that there are Departmental conflict of interest guidelines and a process under the responsibility of the Workplace Well-Being Office to review, investigate and resolve allegations of potential conflict of interest. The audit did not examine conflict of interest cases, how they were carried out or whether they were conducted in a timely manner.

Identification of high-risk operational areas

The audit examined whether the Department has identified high-risk operational areas for fraud, wrongdoing, values and ethics breaches and conflict of interest.

The audit found that Department-wide there is awareness of high-risk operational areas and financial transactions that are more vulnerable to fraud. However, as noted previously, the Department has not undertaken an assessment of potential fraud risks, or high-risk operational areas and financial transactions vulnerable to fraud, wrongdoing, and conflict of interest since 2015.

Expenditure review

The audit examined whether the Department has identified and assessed the expenditure review process to manage fraud-related risks. Through process walkthroughs, the audit found that the Department has implemented some elements of a data-driven and risk-based process for reviewing acquisition card transactions. These include key word search scripts for selected transactions and a final review by the Accounting Hub prior to payment release.

The audit found opportunities to strengthen monitoring controls within the Chief Financial Officer (CFO) Sector and regional offices, where certain conditions are limiting the effectiveness of review processes and controls over acquisition card transactions. Within the CFO Sector, one employee is responsible for reviewing an average of 20,000 monthly acquisition card transactions. Current sampling and follow-up capability is capped at approximately 10%, or 2,000 transactions. Also, transaction details on acquisition card statements are limited to vendor name. Having ‘type of expense’ level details with a listing of the goods and services purchased would expand the ability to conduct key word searches and identify potentially inappropriate expenses.

Accounting Hub and regional finance representatives are concerned that regional responsibility centre managers and administrative officers are not consistently aware of financial management policy requirements for reviewing acquisition card transactions. Regional finance representatives also indicated it would be beneficial to receive periodic trend reports on acquisition card and other high-risk financial transactions to support a more risk-based initial expenditure review process. This type of report could also improve oversight and accountability, and support annual regional internal control attestation.
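The expenditure review described above combines key word search scripts, a sample capped at roughly 10% of transactions, and a wish for periodic trend reports. The following is an added illustration, not the Department’s own review script, of how those three pieces fit together as a risk-based selection rather than a flat sample: each statement line is scored against a set of rules, the highest-scoring lines are taken up to the cap, and a per-vendor trend summary is produced from the same data. The card limit, keyword list, rule weights and all ten transaction records are constructed for the example.

```python
# Added example (not the Department's own review script): risk-scored sampling of
# acquisition card transactions. The card limit, keyword list, rule weights and every
# transaction record below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

SINGLE_TRANSACTION_LIMIT = 1000.00   # assumed per-transaction card limit
NEAR_LIMIT_BAND = 0.05               # amounts within 5% below the limit are worth a look
KEYWORDS = ("gift", "alcohol", "liquor", "jewel", "casino", "cash advance")  # constructed
RULE_WEIGHTS = {"keyword": 3, "split_purchase": 3, "over_limit": 2,
                "near_limit": 2, "weekend": 1, "round_amount": 1}


@dataclass
class Transaction:
    txn_id: int
    holder: str          # cardholder identifier
    vendor: str          # vendor name, often the only detail on a statement line
    amount: float
    when: date
    description: str     # the "type of expense" detail the audit notes is usually absent
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(weight for _, weight in self.flags)


def load_constructed():
    """Ten constructed statement lines; returns fresh objects on every call."""
    rows = [
        (1, "H01", "Office Supply Co", 212.40, date(2018, 9, 4), "Toner and paper"),
        (2, "H01", "Office Supply Co", 995.00, date(2018, 9, 4), "Printer"),
        (3, "H01", "Office Supply Co", 990.00, date(2018, 9, 4), "Printer stand"),
        (4, "H02", "Harbour Grill", 148.75, date(2018, 9, 8), "Working lunch"),
        (5, "H02", "Marine Parts Ltd", 1210.00, date(2018, 9, 11), "Engine parts"),
        (6, "H03", "Gift Basket Express", 180.00, date(2018, 9, 12), "Gift basket"),
        (7, "H03", "Fuel Stop", 92.10, date(2018, 9, 13), "Diesel"),
        (8, "H04", "Electronics Depot", 1999.99, date(2018, 9, 15), "Tablet"),
        (9, "H04", "Fuel Stop", 75.00, date(2018, 9, 18), "Gasoline"),
        (10, "H05", "Hardware Store", 300.00, date(2018, 9, 20), "Tools"),
    ]
    return [Transaction(*r) for r in rows]


def score_transactions(txns):
    """Apply every rule to every transaction and record (rule, weight) flags."""
    groups = defaultdict(lambda: [0, 0.0])   # (holder, vendor, day) -> [count, total]
    for t in txns:
        g = groups[(t.holder, t.vendor, t.when)]
        g[0] += 1
        g[1] += t.amount
    for t in txns:
        t.flags = []
        text = f"{t.vendor} {t.description}".lower()
        if any(k in text for k in KEYWORDS):               # key word search
            t.flags.append(("keyword", RULE_WEIGHTS["keyword"]))
        if t.amount > SINGLE_TRANSACTION_LIMIT:
            t.flags.append(("over_limit", RULE_WEIGHTS["over_limit"]))
        elif t.amount >= SINGLE_TRANSACTION_LIMIT * (1 - NEAR_LIMIT_BAND):
            t.flags.append(("near_limit", RULE_WEIGHTS["near_limit"]))
        count, total = groups[(t.holder, t.vendor, t.when)]
        if count > 1 and total > SINGLE_TRANSACTION_LIMIT:  # several lines, same day and vendor
            t.flags.append(("split_purchase", RULE_WEIGHTS["split_purchase"]))
        if t.when.weekday() >= 5:
            t.flags.append(("weekend", RULE_WEIGHTS["weekend"]))
        if t.amount >= 100 and t.amount % 100 == 0:
            t.flags.append(("round_amount", RULE_WEIGHTS["round_amount"]))
    return txns


def select_sample(txns, rate_percent=10):
    """Return the highest-scoring transactions up to an integer-percent cap (at least one)."""
    cap = max(1, (len(txns) * rate_percent + 99) // 100)   # integer ceiling, no float drift
    ranked = sorted(txns, key=lambda t: (-t.score, -t.amount, t.txn_id))
    return ranked[:cap]


def vendor_trends(txns):
    """Per-vendor count, total and number of flagged lines, for a periodic trend report."""
    trends = {}
    for t in txns:
        row = trends.setdefault(t.vendor, {"count": 0, "total": 0.0, "flagged": 0})
        row["count"] += 1
        row["total"] = round(row["total"] + t.amount, 2)
        row["flagged"] += 1 if t.flags else 0
    return trends


if __name__ == "__main__":
    txns = score_transactions(load_constructed())
    for t in select_sample(txns, 30):
        print(t.txn_id, t.vendor, f"{t.amount:.2f}", t.score, [f for f, _ in t.flags])
    for vendor, row in sorted(vendor_trends(txns).items()):
        print(vendor, row)
```

With the constructed data the three same-day purchases from one vendor by one cardholder are flagged as a possible split purchase even though each line is under the limit, which a per-line keyword search alone would never surface; the sample cap is applied after ranking, so a 10% cap still spends its follow-up capacity on the highest-scoring lines first.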

Recommendations:

  • 3. The Chief Financial Officer should examine existing financial management tools and processes to improve:
    • Data and risk-based approaches and methodologies for testing high-risk transaction expenditure compliance with financial management policies on a continuous basis; and,
    • Awareness among Departmental responsibility centre managers and administrative officers of financial management policy compliance requirements to strengthen expenditure review processes and controls.
  • 4. The Assistant Deputy Minister of Human Resources and Corporate Services should use existing communications tools to more frequently promote awareness of the Departmental and other relevant training for employees. Training provided to employees on values and ethics, conflict of interest, and financial management responsibilities should also focus on raising awareness of fraud-related risks.

Management’s response:
Management agrees with the recommendations.

The Chief Financial Officer will:

  • review and update the account verification process; and,
  • deliver training as part of the implementation of the Department’s updated Delegation of Spending and Financial Authorities.

The Assistant Deputy Minister of Human Resources and Corporate Services will:

  • ensure that fraud and risk-based scenarios are included within existing conflict of interest training; and,
  • deliver regular communication on employee responsibility to adhere to the Departmental Values and Ethics Code.

4. Administrative investigations

The audit examined whether the Department has established a communications process to obtain information about potential fraud, and implemented a coordinated approach to investigations and corrective action, to appropriately address fraud in a timely manner.

Confidential communication and reporting channels

The audit examined whether the Department has established formal channels for employees to confidentially communicate and report suspected or actual wrongdoing including fraud.

The audit found that the Department has established channels and guidance for employees to confidentially communicate and report suspected or actual wrongdoing, breaches of the Values and Ethics Code, and other workplace incidents. There appears to be a strong culture within the Department to report fraud, wrongdoing or other values and ethics breaches. There is, however, a decline in the level of confidence in the process as a result of the lengthy duration to complete investigations and incidents where employee confidentiality was not properly protected.

Investigation process and oversight

The audit examined whether the Department has established a process to review and report on investigations, resolution of instances of non-compliance, and allegations involving potential fraud and misconduct. It also examined whether the Department has designated a lead sector responsible for coordinating and overseeing investigations in a manner consistent with established investigation policies and procedures.

The audit found that the Department has a documented approach and process for planning, conducting and reporting administrative investigations. The responsibility for the coordination and oversight of administrative investigations resides within the Departmental Security Officer (DSO) – Investigations Unit. In fiscal year 2014-15, responsibility for the planning, conduct and reporting of administrative investigations transitioned from the regional offices and was centralized under the DSO. The audit found that this transition of responsibility has been challenging for all parties due to the lack of a resourcing plan to support an increased caseload within DSO, and has resulted in increased timelines to complete investigations.

The Office of the Departmental Security Officer is presently leading the following initiatives to improve the effectiveness and collaboration of the administrative investigations process:

  • a review of the investigations process, including roles and responsibilities, in consultation with the regional offices, and Departmental labour relations and union representatives; and,
  • implementation of recommendations resulting from an independent assessment of the Department’s security program, focussing on administrative investigation processes and resource capacity.

Conclusion

The audit concluded that the Department has implemented some elements of an effective fraud risk management framework. Specifically, the Department has implemented a governance process to oversee fraud-related risks, a policy suite which establishes behavioral and accountability expectations for all employees, and a confidential process for employees to report wrongdoing.

The audit identified opportunities to improve the Department’s fraud risk management practices in the following areas:

  • more frequent senior management communication of the Department’s position on fraud, wrongdoing, values and ethics, and conflict of interest;
  • updating the Department’s fraud risk assessment on a regular basis to identify high-risk operational areas and financial transactions vulnerable to fraud, wrongdoing, and conflict of interest;
  • improving existing data and risk-based approaches and methodologies over account verification to test and monitor internal control effectiveness over high-risk financial transactions on a continuous basis; and,
  • more frequent communication and promotion of Departmental training on values and ethics, conflict of interest, use of acquisition cards and financial delegation training to raise awareness of fraud-related risks.

Appendix A: Lines of enquiry and audit criteria

The audit criteria were identified and selected from the following sources:

  • COSO – Committee of Sponsoring Organizations of the Treadway Commission’s “Internal Control – Integrated Framework”
  • COSO “Enterprise Risk Management – Integrating with Strategy and Performance”, June 2017
  • COSO Fraud Risk Management Guide, September 2016
  • Office of the Auditor General Spring 2017 Report: “Managing the Risk of Fraud”
  • US Government Accountability Office: “A Framework for Managing Fraud Risks in Federal Programs”, July 2015
  • Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors, March 2011, Office of the Comptroller General, Internal Audit Sector
  • Institute of Internal Auditors, The American Institute of Certified Public Accountants and the Association of Certified Fraud Examiners: “Managing the Business Risk of Fraud”

Line of enquiry 1 – Control environment (Governance)
Criterion 1.1: The Department has established committee(s) with a defined role and mandate to oversee fraud, risk management and control.

Criterion 1.2: The committee(s) meet regularly, receive(s) sufficient, complete and timely information to oversee and make decisions related to managing fraud risks.

Criterion 1.3: The Department has developed and communicated a fraud risk management program to all employees, including policies and guidance related to fraud, to help ensure they are aware of their responsibilities with regard to values and ethics, code of conduct, and conflict of interest.

Criterion 1.4: Senior management has communicated and demonstrated to all employees a commitment to ethical values and that these cannot be compromised.

Line of enquiry 2 – Risk assessment
Criterion 2.1: The Department has established a process to regularly identify, assess, respond to, monitor and report on fraud risk as part of the Department-wide risk assessment process.

Criterion 2.2: The Department has identified and assessed existing internal controls that are in place to manage fraud risks.

Criterion 2.3: The Department has involved relevant committees and sectors in the fraud risk identification, assessment, and mitigation process including communicating fraud risk.

Line of enquiry 3 – Control and monitoring activities
Criterion 3.1: The Department has designated a lead sector(s) responsible for the development, implementation, monitoring and reporting of control activities to allow for fraud risks to be mitigated to acceptable levels.

Criterion 3.2: The Department has established a process with regard to fraud, values and ethics, and conflict of interest to help ensure employee awareness and acknowledgment, and to provide required training.

Criterion 3.3: The Department has identified high-risk operational areas for values and ethics and conflict of interest, and established a process for conflict of interest to be regularly declared, mitigated, monitored, and resolved in a timely manner.

Line of enquiry 4 – Information and communication
Criterion 4.1: The Department has established formal channels for employees to confidentially communicate and report suspected or actual wrongdoing including fraud.

Criterion 4.2: The Department has established a process to review and report on investigations, resolution of instances of non-compliance and allegations involving potential fraud and misconduct.

Criterion 4.3: The Department has designated a lead sector responsible for coordinating and overseeing investigations in a manner consistent with established investigation policies and procedures.

Criterion 4.4: The Department has implemented a case management or tracking system to gather and monitor information on fraud allegations or non-compliance incidents, and to support decision-making and resolution of investigations.

Appendix B: Recommendations and management action plans

Recommendation 1: The Assistant Deputy Minister of Human Resources and Corporate Services, in liaison with the Chief Financial Officer, should use existing communications tools to more frequently promote awareness of the Department’s policy positions on fraud, wrongdoing, values and ethics, and conflict of interest.

Management action plan: Management agrees with the recommendation.

The Assistant Deputy Minister of Human Resources and Corporate Services and Chief Financial Officer will collaborate to:
  • update the Workplace Well-Being website and provide scenario-based guidance to employees on values and ethics, harassment, conflict of interest, fraud and risk; and,
  • develop and communicate fraud prevention tips.

The Assistant Deputy Minister of Human Resources and Corporate Services will:
  • review the Department’s Values and Ethics Code to ensure alignment with legislative amendments; and,
  • provide senior Departmental executives with a monthly report on the number of harassment incidents, including resolved cases.

Recommendation 2: The Chief Financial Officer should regularly review and update the Department’s fraud risk assessment to identify and assess potential high-risk areas, fraud risk scenarios and vulnerabilities across operational areas and for financial transactions.

Management action plan: Management agrees with the recommendation.

The Chief Financial Officer will update the Department’s integrated fraud risk assessment and action plan by March 2019 and every two years thereafter.

Recommendation 3: The Chief Financial Officer should examine existing financial management tools and processes to improve:
  • data and risk-based approaches and methodologies for testing high-risk transaction expenditure compliance with financial management policies on a continuous basis; and,
  • awareness among Departmental responsibility centre managers and administrative officers of financial management policy compliance requirements to strengthen expenditure review processes and controls.

Management action plan: Management agrees with the recommendations.

The Chief Financial Officer will:
  • review and update the account verification process; and,
  • deliver training as part of the implementation of the Department’s updated Delegation of Spending and Financial Authorities.

Recommendation 4: The Assistant Deputy Minister of Human Resources and Corporate Services should use existing communications tools to more frequently promote awareness of the Departmental and other relevant training for employees. Training provided to employees on values and ethics, conflict of interest, and financial management responsibilities should also focus on raising awareness of fraud-related risks.

Management action plan: Management agrees with the recommendations.

The Assistant Deputy Minister of Human Resources and Corporate Services will:
  • ensure that fraud and risk-based scenarios are included within existing conflict of interest training; and,
  • deliver regular communication on employee responsibility to adhere to the Departmental Values and Ethics Code.