Fraud Risk Assessment
April 2, 2015
Per the approved Privy Council Office (PCO) 2014-17 Risk Based Audit Plan (RBAP), Audit and Evaluation Division (AED) has conducted this department-wide preliminary fraud risk assessment (FRA). This is the first FRA conducted by AED at PCO. It was not conducted as an assurance audit, therefore it did not include detailed testing of internal controls. Rather, the intent of this FRA is to inform senior management about existing high level PCO control mechanisms as they pertain to fraud and fraud management, and to identify any residual risk(s) of fraud after these control mechanisms are considered.
This fraud risk assessment was approved by the Clerk as part of PCO’s 2014-17 RBAP.
The objectives of this preliminary fraud risk assessment are to:
- Provide senior management with information on the potential exposures to fraud (fraud risks) within PCO;
- Identify and document high-level PCO controls which could prevent, detect or respond to a fraud situation; and
- Assess these high level controls to identify areas where improvements may be warranted.
The scope of this assessment was department-wide in nature and encompassed:
- Fraud risks within various areas of PCO and across the department as a whole; and
- Components of PCO’s high level management control framework that would apply to fraud prevention, detection and response.
Senior management establishes governance mechanisms, risk management strategies and internal controls to ensure the effective stewardship and management of public funds, assets and other types of property, including data. This includes protecting assets and resources from wrongdoing, including fraud.
AED conducts audits, reviews, assessments, and analyses of PCO’s governance, risk management and control processes to provide assurance on their adequacy and effectiveness. Conducting a periodic fraud risk assessment is a prudent way to determine whether there are vulnerabilities in the department’s approach to managing fraud risks.
AED’s 2013 Practice Inspection recommended that the Chief Audit Executive (CAE) develop procedures to support an overall fraud risk assessment for annual audit planning purposes. While implementing this recommendation, the CAE proposed and received approval to conduct this more formal preliminary FRA as part of PCO’s 2014-17 RBAP.
Definitions of fraud vary. The Institute of Internal Auditors sees fraud as “...any illegal act characterized by deceit, concealment, or violation of trust...perpetrated by parties and organizations: to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”1 Treasury Board’s (TB) Directive on Losses of Money or Property sees fraud as “...a criminal deception involving the use of representation with the specific intent of gaining an unfair or dishonest advantage...” which “...ordinarily involves either wilful misrepresentation or deliberate concealment of material facts for the purpose of inducing another person to either part with cash or something else of value or to surrender a legal right.”2
While definitions vary, the use of deception to gain advantage is common among them.
6.0 Approach and Methodology
The assessment approach used during this FRA was based on the methodology and guidance outlined by the Association of Certified Fraud Examiners (ACFE) and included:
- A review of policies, directives, standards and relevant background documents;
- Interviews with key PCO personnel; and
- An assessment of key high level controls, procedures and governance mechanisms designed to mitigate the risk of fraud in the department.
For comparative purposes, the project team also contacted a selection of other federal departments to discuss how fraud risks are managed in those departments. As well, based on documentation obtained, the project team contacted the Financial Management Sector at the Office of the Comptroller General to discuss an emerging initiative that relates to the management of fraud risk.
This Report is being presented to management and the PCO Audit Committee for consideration before being recommended to the Clerk for formal approval. It may also be presented to the PCO Executive Committee.
6.1 Assessment Criteria
Fraud prevention and detection require a system of rules and control activities which, in their aggregate, minimize the likelihood of fraud occurring while maximizing the likelihood that any fraudulent activity will be detected. The ACFE has set out the elements of an effective fraud risk management program as described in the following table. These elements, which outline the basic criteria for a fraud management program, were used as a guidance framework against which PCO’s approach to managing fraud risk was assessed during this FRA.
7.0 Elements of an Effective Fraud Management Program
PCO has established various internal control structures and mechanisms, all of which relate either directly or indirectly to the management of fraud risk. Deputy Heads and their management teams decide if their department will establish a formal fraud management program. In either case, internal controls that prevent, detect and respond to the risk of fraud are key components of a department’s management control framework.
The table below presents the overall results of the FRA against the ACFE’s seven recommended elements of an effective fraud risk management program. It shows PCO’s current posture against each element. The three-tiered legend which follows the table applies low, moderate and high ratings to each element to indicate any areas of concern - in other words, the table presents PCO’s strengths in managing fraud risk as well as areas where improvements could be considered.
ACFE’s Elements of an Effective Fraud Management Program

| Element |
|---|
| Prevention - Anti-Fraud Culture and Governance |
| Prevention - Accountability Structure |
| Prevention - Fraud Risk Assessment |
| Prevention - Effective Communications |
| Detection - Reporting and Whistleblower Mechanisms |
| Detection - Monitoring Activities and Mechanisms |
| Response - Investigation and Examination Standards and Practices |
The following rating system was used in the table above:

| Rating |
|---|
| Low area of concern |
| Moderate area of concern |
| High area of concern |
The following sections of the report present the project team’s assessment of each of these seven elements. Each element and its sub-components are identified and discussed based on evidence gathered during the FRA.
7.1 Fraud Prevention
Summary Finding: PCO has adequate high level fraud prevention controls in place. These include a governance structure that supports fraud prevention, accountabilities for managing the risk of fraud, mechanisms that promote an anti-fraud culture, and risk management and audit/review mechanisms that further support fraud prevention at PCO.
7.1.1 Anti-Fraud Culture and Governance
Anti-Fraud Culture - PCO’s Values and Ethics Program
A department’s culture starts with the “tone at the top” set by management. At PCO, management has established PCO’s Values and Ethics Program — this Program features PCO’s Code on Values and Ethics (the PCO Code) which is modeled on the Values and Ethics Code for the Public Sector and based on PCO’s unique role of supporting the Clerk and Prime Minister. The Program also features a Values and Ethics Champion at the Assistant Secretary level who promotes ethical behaviour consistent with the PCO Code.
PCO’s Values and Ethics Program is a clear demonstration of management’s commitment to a workplace where employees and managers at all levels are expected to apply strong values in their work and to openly demonstrate ethical behaviour. Periodic messages to all PCO employees reinforce these principles, as do periodic information sessions held by Human Resources (HR) personnel who support the Values and Ethics Champion in promoting application of the PCO Code.
The existence of the Values and Ethics Program, the PCO Code, the Values and Ethics Champion, the periodic communications to all PCO personnel, and the information that is available to employees on PCO’s website, all constitute preventive controls that reinforce the anti-fraud culture of PCO.
Governance - PCO’s Governance Structure
At the departmental level, PCO uses its formal structure of governance committees to manage all of its activities and priorities, including risk management (which itself includes fraud risk). This structure features Executive Committee supported by Corporate Management Advisory Committee (CMAC), the Human Resources Advisory Committee (HRAC) and the department’s Audit Committee. Senior management also meets daily as PCO Operations Committee where issues can be raised with the Clerk. As well, a number of lower level committees operate within the department. In addition to this formal governance structure, the manager/employee relationship is a key mechanism in fraud management. Together, this governance approach supports prevention, detection and response controls discussed herein, and clearly demonstrates management’s position that wrongdoing and fraud will not be tolerated at PCO.
Audit Committee and Internal Audit
Under Treasury Board’s Policy on Internal Audit, PCO is a “small” department. As such, it is not required to have an internal audit function or an externally based Audit Committee, but PCO has chosen to maintain these functions.
Audit Committee is a strategic resource that provides objective advice to the Clerk. The Policy on Internal Audit outlines eight (8) Committee responsibilities, many of which include prevention, detection and response controls discussed herein. By discharging these responsibilities, Audit Committee provides additional oversight over these eight areas and the controls within them.
PCO’s internal audit function provides assurance on the effectiveness of departmental governance, risk management and control systems and processes. By delivering approved audit and review projects, internal audit also contributes to PCO’s anti-fraud culture and to the prevention and potential detection of fraud in the department.
Additional Mechanisms Supporting PCO’s Anti-Fraud Culture:
PCO has two (2) additional mechanisms in place which support PCO’s anti-fraud culture - the Senior Disclosure Officer (SDO) and Departmental Security Officer (DSO) functions.
(1) PCO’s Senior Disclosure Officer Function
PCO’s Senior Disclosure Officer is a senior official at the Director General level who, as SDO, reports directly to the Clerk. The current SDO has a legal background. The SDO is supported by well documented protocols, processes and procedures for dealing with wrongdoing or fraud concerns. To assist employees, the SDO has produced several highly informative documents one of which is “The PCO Process for Disclosure of Wrongdoing.” Employees who raise wrongdoing concerns to the SDO will be afforded protections under the Public Servants Disclosure Protection Act (PSDPA). Information available online to employees provides a synthesis and plain-language adaptation of the various authorities that support the PSDPA.
(2) PCO’s Departmental Security Officer Function
The Executive Director of PCO’s Security Operations Division (SECOPS) is the department’s Departmental Security Officer — wrongdoing concerns can be raised to the DSO. Should this occur, SECOPS can undertake a confidential investigation through its Security Controls and Risk Mitigation Unit which has a qualified and experienced investigator with a law enforcement background on staff. The protections of the PSDPA do not apply to an employee who raises a concern to SECOPS.
7.1.2 Accountability Structure
As Deputy Head and as PCO’s Accounting Officer, the Clerk is accountable for the measures taken to organize the resources of the department to deliver departmental programs in compliance with government policies and procedures, and the measures taken to maintain an effective system of internal controls in the department. These accountabilities flow from the Clerk through PCO’s governance and organizational structures to the senior management team, to lower level managers, and to all PCO staff.
As noted in the PCO Code, all public servants at PCO are expected to abide by the PCO Code and to demonstrate the values of the public sector in their actions and behaviour. They are to adhere to the behavioural expectations set out in the Values and Expected Behaviours section of the PCO Code. They are also expected to bring any information that could indicate a serious breach of the PCO Code to the attention of their immediate supervisor, to the SDO, or to the Public Sector Integrity Commissioner3. More particularly, all managers at PCO are to be available to employees who wish to bring forward any concerns, including wrongdoing or fraud. In this regard, all PCO personnel, regardless of function or rank, are expected to support the Clerk with her accountabilities by being aware of and understanding their responsibilities (including those associated with wrongdoing and fraud) and by discharging those responsibilities professionally.
The Clerk’s accountabilities are also delegated more specifically to the SDO and DSO. Each of these functions has been given a mandate to receive information from employees and to conduct investigations as considered necessary. In this regard, each supports the Clerk in a very direct way with the management of fraud risk at PCO.
7.1.3 Fraud Risk Assessment
The 2013 Practice Inspection of AED recommended the CAE develop procedures to support an overall fraud risk assessment for annual audit planning purposes. In response, AED added questions on fraud risk to the questionnaire it uses when conducting annual audit planning interviews with Deputy Secretaries. AED also added similar questions to the questionnaires it uses when conducting management interviews during the planning phase of its projects, and it added a fraud risk questionnaire which is to be completed by the audit manager on each AED audit and review project. As well, the CAE proposed and received approval to conduct this preliminary fraud risk assessment as a project in PCO’s 2014-17 RBAP. While these AED measures support the assessment of fraud risk, other measures by other parts of PCO also support the assessment of fraud risk.
The rotational testing of key financial processes and controls that support the signing of the annual Statement of Management Responsibility for Internal Controls over Financial Reporting (the ICFR Statement) is one example. If testing raises concerns about existing financial controls, the Finance and Corporate Planning Division (FCPD) could decide to re-assess risk (including fraud risk) in relation to the controls tested. We reviewed PCO’s ICFR Statements for 2011-12, 2012-13 and 2013-14 and found the 2011-12 ICFR Statement informed the reader that “...an effective system of ICFR aims to achieve reliable financial statements and to provide assurance(s) that assets are safeguarded from risks such as waste, abuse, loss, fraud and mismanagement.” It also noted that for 2012-13 PCO planned to “...conduct operating effectiveness for entity-level controls to ensure that these controls remain effective over a defined period and that any required remediation is addressed. The entity-level controls are non-financial controls that reside higher in the organization that might have a pervasive effect of the risk of errors or fraud.”4
PCO’s Risk Profile can also support fraud prevention through an assessment of fraud risk. As the Risk Profile is being created, managers identify risks that could adversely affect the achievement of objectives. Managers could identify the risk of fraud if they have such a concern, which in turn could prompt an assessment of fraud risk in a given area.
Finally, if concerns about potential wrongdoing or fraud are raised with either of the SDO or DSO functions, this may lead to an investigation and could result in an assessment of fraud risk in the area of concern identified.
7.1.4 Effective Communications - Awareness Programs
Effective communication that maintains employee awareness about management’s position on fraud and how fraud is managed is a key element of any fraud management activity or program. Without effective communication and the awareness it can bring, management’s “tone at the top” and information about the ways fraud risk is managed can fail to reach intended audiences. PCO uses various means of communication to raise and maintain employee awareness, starting with PCO’s Code on Values and Ethics.
PCO’s Code was approved in April 2012. All PCO executives, managers and employees received a copy of the Code and were required to officially acknowledge this. If anyone failed to respond, contact was re-established to seek the required acknowledgement. Subsequent to promulgation of the PCO Code to employees, it was added to the documentation package new employees receive when they accept employment at PCO.
Since its introduction, the PCO Code has been actively promoted by PCO’s Values and Ethics Champion and by the HR team who support the Champion. HR offers orientation and education sessions to new employees which promote awareness. HR also offers customized demand-driven training sessions designed to provide general information on wrongdoing, to reinforce ethical practices and behaviours, and to raise awareness of the various mechanisms one can use if they have wrongdoing concerns. These sessions also explore ethical scenarios (e.g. how one would react in a given situation). Because different organizational units may face different ethical dilemmas, the HR team may meet with clients before these sessions to determine their needs and to customize the training programs to these needs. Finally, SECOPS also holds periodic employee awareness sessions to inform employees about its role and activities and how to report wrongdoing concerns. However, the SDO has not generally been involved in identifying information to be shared with employees during any of these various orientation or training sessions.
Communication also involves making information, materials and guidance available to employees. PCO’s website presents easily accessible information on the Values and Ethics Program, and on the SDO and DSO functions. Website visitors can also obtain information and use links to access other relevant government websites where additional information can be obtained about the PSDPA, the Public Servants Disclosure Protection Tribunal, and the Office of the Public Service Integrity Commissioner.
As well, the SDO has produced highly informative documents that are a synthesis and plain-language adaptation of the authorities supporting the PSDPA and the processes to implement the tenets of this Act. Key among these documents is “The PCO Process for Disclosure of Wrongdoing” which provides employees with information they need to understand the role of the SDO, the PSDPA and the protections it offers employees.
Given its role, PCO can be a target for lobbyists. HR Division issues quarterly reminders to EX-04 and EX-05 level personnel and Ministers and Ministers’ staff who are Designated Public Office Holders (DPOHs). These reminders inform DPOHs that they have obligations to meet and protocols to observe under the Lobbying Act, including disclosing all meetings with lobbyists. Further, the Lobbying Act requires DPOHs (a) to respect the five-year prohibition on lobbying the federal government and (b) to comply with any demand from the Commissioner of Lobbying for information which may include communications received by the DPOH from a lobbyist5. Any DPOH who wilfully violates the Act can be held criminally liable.
While these mechanisms provide PCO employees with easy access to information on the management of wrongdoing including fraud, it is interesting to note that when asked during project interviews about potential improvements PCO might wish to consider, the most common suggestion was to improve communications and awareness so that employees will be better informed.
7.2 Fraud Detection
Summary Finding: PCO has adequate high level fraud detection controls in place. These include mechanisms that allow employees to raise concerns of wrongdoing or fraud with their manager or with other senior PCO officials, as well as controls which, by their design, increase the likelihood that wrongdoing including fraud will be discovered.
7.2.1 Reporting and Whistleblower Mechanisms
If an employee has a concern about wrongdoing or fraud, he or she can approach their manager or report their concern through the SDO or DSO functions. Information and access points on PCO’s website inform employees about how to report such a concern.
Employees who report a concern through the SDO function are afforded protections under the Public Servants Disclosure Protection Act. Employees who report a concern through the DSO/SECOPS function are dealt with in a confidential manner, but the protections of the PSDPA do not apply.
Regardless of the reporting mechanism used, any investigation subsequently conducted by the SDO or DSO would be handled in a professional and confidential manner.
Although these various mechanisms facilitate the reporting of concerns, interview results indicate that there have been no information sharing or coordination meetings between these two functions.
7.2.2 Monitoring Activities
Monitoring provides information to management for decision making. At a high level, PCO’s governance committees and its SDO and DSO functions facilitate oversight and monitoring by senior management and they support the Clerk as PCO’s Accounting Officer. Concerns can be raised to Executive Committee through CMAC, HRAC and Audit Committee, or directly with the Clerk by the SDO or DSO functions. At a lower level, through its annual audit planning and project delivery activities, AED also functions as a monitoring and fraud detection mechanism.
Senior management relies on all PCO managers to exercise due diligence in managing their staff and operations, to be available to staff who might have a wrongdoing concern, and to escalate any such issues if they arise. As well, PCO uses various control systems that support the detection of fraud in key areas such as finance, procurement and contracting, and HR management as discussed below.
Regarding financial management, the assessment of key processes and controls supporting the ICFR Statement is an important monitoring mechanism. Financial control is also exercised through the delegation of financial authorities and through controls used to monitor and verify financial activities. The network of Financial Management Advisors who work closely with PCO managers supporting them with their budgets and financial activities is another control supporting ongoing monitoring. For their part, PCO managers are expected to practice responsible financial management by applying Sections 32 and 34 of the Financial Administration Act to the various transactions they perform - account verification procedures are then applied pursuant to Section 33 before payments are issued. Managers also support detection through the advance approval of travel and overtime and the subsequent monitoring of expense and overtime claims. At any point, these processes may detect errors and/or wrongdoing.
Regarding procurement and contracting, PCO’s Contract Review Committee is a key control that provides an oversight and challenge role over most of PCO’s procurement and contracting activities. As well, PCO’s centralized Procurement and Contracting Services function and its experienced procurement officers support PCO managers with their purchasing requirements and activities. FCPD ensures purchases (excluding by acquisition cards) are reviewed by qualified officers to ensure fairness in the process, that contracts are tendered in accordance with policy and legislative requirements, and that required contract documentation is kept on file. Access controls limit access to vendor tables in the financial system to only a few select employees, and approvals are required from Finance before new vendor accounts can be added or existing accounts modified. Exercising control by segregating functions in this way further supports fraud detection. In terms of controls over and stewardship of departmental assets, PCO’s centralized Inventory Management Services Unit procures, stores, manages and distributes PCO’s office furniture, equipment, stationery and supplies.
PCO’s HR Division also supports fraud detection through, among other things, its participation in the screening and background checks for new personnel — this helps to mitigate the risk that those seeking employment at PCO might erroneously or intentionally provide misleading information. HR would refer any suspected fraudulent practice or behaviour related to any staffing process to the Public Service Commission to review, investigate and impose corrective measures or restrictions as deemed appropriate. HR also supports managers with the performance assessment process.
Finally, the activities of other parties from outside PCO including external assurance providers such as the Office of the Comptroller General and the Office of the Auditor General also support fraud detection at PCO through the conduct of horizontal and subject-specific external audits.
7.3 Fraud Response
Summary Finding: PCO has adequate high level fraud response controls in place. These include mechanisms that allow senior PCO officials to undertake investigations when allegations of wrongdoing or fraud are raised, to escalate situations directly to the Clerk when required, and to involve law enforcement authorities if circumstances warrant.
7.3.1 Investigations and Examination Standards and Protocols
If an employee raises a concern through the SDO or DSO functions, these functions each have a mandate and are authorized to respond by undertaking an investigation.
If a concern is raised with the DSO, the Security Controls and Risk Mitigation Unit in SECOPS may become involved. This Unit has a full time experienced Senior Investigator on staff who has a law enforcement and investigations background and who can initiate a confidential investigation. SECOPS has a shortlist of external investigators with the required security clearances who can quickly be engaged on a contract basis depending on the nature of the investigation. The Senior Investigator can involve other PCO officials (e.g. from HR, procurement, finance and/or legal services) or can, after consulting the DSO, raise the concern with law enforcement officials. When deemed appropriate, the DSO can escalate cases to the Deputy Clerk or Clerk, especially when decisions involving revocation of security clearances or potential dismissal may be required.
Alternatively, an employee can raise a concern to the SDO function, in which case the PSDPA protections apply. The SDO is considered well-equipped to handle disclosures and any resulting investigations. PCO has created and provided the SDO with a well-documented and highly prescriptive binder which outlines roles, responsibilities and the protocols, processes and procedures the SDO will follow when handling such matters, including the undertaking of investigations. This binder also outlines how and where to obtain additional investigators if required, and indicates that in the event of criminal allegations of fraud, the SDO will consult with legal services. Should a case arise where criminal activities are suspected, the binder guides the SDO about which levels of senior PCO personnel to consult with before contacting external law enforcement officials.
8.0 Consultations with Other Departments
As part of this FRA, the project team discussed with representatives from three (3) different departments how the risk of fraud is managed in their departments. Information obtained indicated those departments are managing fraud risk using structures and mechanisms which are generally similar to those used at PCO. In one instance, one of the departments had just completed an in-depth and resource intensive fraud risk assessment. In each of the departments contacted, the overall risk of fraud was considered low.
As well, during this FRA, the project team learned of an emerging initiative being spearheaded by Treasury Board Secretariat. Upon completion, this initiative is expected to bring about integration of a fraud management framework with the ICFR framework across government. PCO will continue to monitor this initiative as it develops.
Although PCO has not established a formal fraud management program, management has established a good framework of high level internal controls that, when taken as a whole, helps to mitigate the risk of fraud and prevent, detect and respond to allegations of wrongdoing or fraud if they arise. With this framework of controls in place, the residual risk of a material fraud occurring at PCO is considered low.
Annex A - List of Interviewees (by title)
Internal - PCO Personnel
- Legal Counsel to the Clerk of the Privy Council
- Assistant Secretary to the Cabinet - Liaison Secretariat for Macroeconomic Policy
  - PCO’s Values and Ethics Champion
- Director General of Operations - Operations (Communications & Consultations)
  - PCO’s Senior Disclosure Officer
- Executive Director - Security Operations
  - PCO’s Departmental Security Officer
  - accompanied by Director, Security & Emergency Management, Security Operations
- Executive Director - Finance and Corporate Planning Division
  - accompanied by Chief, Policies, Systems and Internal Controls
- Senior Investigator - Security Controls and Risk Mitigation, Security Operations
- Manager, Corporate Human Resources Planning & Programs, Human Resources - Corporate
- Principal Planning Analyst - Finance and Corporate Planning Division
External - Personnel from Other Departments and Agencies
- Director General - Office of Audit and Evaluation, Agriculture and Agri-Food Canada
  - accompanied by both a Senior Audit Manager and Senior Advisor
- Director General - Internal Audit and Evaluation Bureau, Treasury Board of Canada Secretariat
  - accompanied by a Financial Audit Manager and an Audit Manager
- Chief Audit Executive and Head of Evaluation - Finance Canada
  - accompanied by the Director, Internal Audit Operations and Practice Management
- Director - Internal Controls and Financial Policy, Financial Management Sector, Office of the Comptroller General