Managing Fraud Risk

Were we of the mischievous kind, we would put the word “fraud” into the headline of every newsletter we send, because we know that doing so sometimes increases readership tenfold.

As tempting as it was, we didn’t put fraud in our newsletter headline this week. Having said that, there is an excellent report from the Auditor General of Canada on managing the risk of fraud that is worth sharing and deserves to be widely read.

As the report noted in setting context:

This audit focused on fraud risk management in five federal organizations: Canadian Food Inspection Agency, Global Affairs Canada, Health Canada, Indigenous and Northern Affairs Canada, and Public Services and Procurement Canada. We chose these organizations because of their different sizes and types of operations.

The audit considered:

Whether the selected organizations had mechanisms in place to appropriately manage the risk of fraud. Specifically, this audit focused on whether these organizations had governance processes to direct, evaluate, and monitor fraud risks; an assessment approach to identify fraud risks and mitigating actions; selected controls (policies, procedures, processes, and activities) to address specific fraud risks; and activities to investigate and manage allegations of fraud. 

The report provided an observation that is (unfortunately) common to too many organisations:

We found that all the organizations we looked at demonstrated the importance of managing their risk of fraud, as evidenced by some good practices we saw in risk governance and risk assessment. However, we were concerned that the organizations did not always implement fraud risk controls.

The report provides a good checklist of what is considered best practice in fraud risk assessment:

  • Identify the potential inherent fraud risks that pose a threat to the organization.
  • Assess the likelihood and significance of occurrence of the identified fraud risks.
  • Identify and map existing preventive and detective controls to the relevant fraud risks.
  • Evaluate whether the identified controls are operating effectively and efficiently.
  • Identify and evaluate the residual fraud risks resulting from ineffective or non-existent controls.
  • Respond to residual fraud risks by identifying mitigating controls, taking into consideration the organization’s risk tolerance to fraud.
  • Periodically review and update the fraud risk assessment.

Interestingly, the report noted, with regard to fraud investigation:

We found that all five federal organizations had one or more internal groups to manage allegations of fraud. However, the logs these internal groups kept on the allegations could not be relied on to answer basic questions, such as whether or not an allegation was founded and whether or not an investigation was closed.

The report discusses many other areas, particularly fraud controls, that would be time well spent considering.


As an aside, we like the way the Auditor General of Canada has set out the report with the structure:

  1. What we found
  2. Why this finding matters
  3. Recommendation
  4. Analysis to support this finding

A reminder that audit reports always need to tell the story of what, why, where and how (to change).

