Archived - Internal Audit Responsibility with Respect to Fraud and Abuse in Government (PIN) - September, 1986

Date: September 1986

Subject: Internal Audit Responsibility With Respect To Fraud And Abuse In Government

Question concerning this notice should be directed to:

Policy and Special Projects,
Centre of Excellence for Internal Audit
Comptrollership Branch, TBS
(613) 957-2270

Purpose and Scope

The purpose of this Policy Interpretation Notice (PIN) is to provide the internal audit community with guidance related to their responsibility with respect to fraud and abuse (refer to attachment).

Issues

The role of the internal auditor with respect to fraud and abuse can be found in various sections of The Standards for Internal Audit. Clarification of this role is required in light of the additional audit responsibilities referred to in the Treasury Board circular on Losses of Money Suffered by Her Majesty and offences and Other Illegal Acts Against the Crown, to be promulgated in the near future.

Disposition

The internal audit community is invited to provide comments on this PIN.

Management practices and systems have become increasingly vulnerable to fraud and abuse because of the growth and complexity of the government environment, as well as the proliferation of computer capability. As indicated in The Standards for Internal Audit, the role of audit is to carry out "a systematic review and appraisal of all departmental operations for purposes of advising management as to the efficiency, economy and effectiveness of internal management policies, practices and controls".[1] Internal audit therefore advises on the efficient and effective use of resources through its normal daily activity. This activity can also provide management with the basis for decisions aimed at eliminating the possibility of fraud and abuse.

Internal auditors should know exactly what their responsibilities are should instances of fraud or abuse be discovered either by themselves, or by persons external to the audit group. This paper is intended to highlight and expand those areas in The Standards for Internal Audit in the Government of Canada where mention is made of these responsibilities.

Another objective is to discuss the draft Loss of Money Regulation and the related Treasury Board circular on Losses of Money Suffered by Her Majesty and offences and Other Illegal Acts Against the Crown where these may relate to the internal audit function. The Treasury Board (TB) circular will be issued by the Office of the Comptroller General in the near future; the Regulations will be issued in the longer term. Currently in draft form, these Regulations are being modified to reflect changes suggested by the Auditor General in his recent audit of the adequacy of departmental procedures to report suspected fraud, defalcations, and other illegal activity against the Government of Canada.

Fraud is "false representation of a matter of fact... which deceives and is intended to deceive another... It comprises all acts, omissions and concealments involving a breach of a legal or equitable duty and resulting in damage to another".[2] It can involve "misappropriation of assets or misrepresentations of financial information either to conceal misappropriation of assets or for other purposes, by such means as:

1. manipulation, falsification or alteration of records or documents;
2. suppression of information, transactions or documents;
3. recording of transactions without substance; and
4. misapplication of accounting principles."[3]

Abuse "involves taking advantage of loosely written statutes, poorly written regulations".[4] Although not considered criminal activity when defined in this context, abuse may result in misuse of resources, and consequently lead to inefficient and ineffective operations. By definition, then, abuse points to an anomaly or problem with a facet of the structure set up by management. It occurs where the employee's goals are not congruent with those of the government. This may involve, for example, excessive and unnecessary spending at year-end to ensure that budget funds do not lapse, or excessive travel (on work-related projects) in order to accumulate additional travel bonus points which can later be converted to personal use. The auditor will most likely encounter more incidents of abuse than of fraud within the government environment and should be alert to its occurrence.

The Standards for Internal Audit divide the audit planning process into four major phases, the first of which is the identification of manageable audit units. Each of these audits units should be examined within a period not exceeding three to five years. This cyclical approach to auditing ensures that the audit group maintains an overview of the organization; the frequency of audit ensures that management systems, policies, and procedures are adequate, and out-of-line operations are identified and corrected in a timely fashion.

Consideration of fraud and mismanagement occurs in the second phase of the planning process which is to "evaluate and rank the audit units in order of priority."[5] One of the criteria to be used in ranking the audit units is the risk of loss, which is defined as "a function of the extent and reliability of the control system, the vulnerability to loss through fraud and mismanagement, and the liquidity of the assets managed."[6] The internal auditor should maintain a keen awareness of the possibility of fraud in ranking the units and be knowledgeable of all areas where fraud has previously occurred in the department.

The third and fourth phases involve preparation of the long-term plan and annual schedule. When preparing long-term audit plans, the internal audit group should risk assessments which may alert the auditor to the possibility of fraud and abuse. These assessments should include a determination of the size of budget outlays of each area to be audited, and an analysis of the complexity of administration overseeing these areas.

The objectives and scope of an audit are made specific during the preliminary survey phase of assignment planning. This survey should include, among other activities, discussions with management to determine their concerns, preliminary assessments of significant audit issues, and an examination of available documentation on both previous audits performed and occurrences of fraud. Risk assessments should include an overall analysis of operations, including a review of the complete structure of the particular entity to be audited. This latter review should look at legislation, policies, and systems to determine the existence of inherent flaws.

In performing the audit, an analysis of the consequences of non- existent or weak internal controls should be carried out as part of the risk assessment. The depth of the assessment performed should be commensurate with the level of risk of loss involved. The audit techniques to be used should be based on the risk assessment results. The greater the risk, the higher the confidence level required. The evidence gathered should be relevant, reliable, and sufficient to support audit observations. Where the nature of the entity to be audited is such that there is increased risk of fraud, the auditor, in order to fulfil audit objectives, should extend testing, possibly up to 100 per cent. In lower risk areas, statistical sampling with a lower confidence level or other testing methods should suffice. (See the Internal Audit Handbook, VOl. 1, Chapter III for a discussion on the planning process).

A review of legislation, regulations, policies, and systems plays an important role in identifying circumstances where fraud and abuse can occur. This review may show potential for fraud and abuse which can lead to significant and irrevocable losses. This potential can often be overcome through internal audit involvement in the early stages of development of such legislation, regulations, policies and systems. The Standards for Internal Audit indicate that internal audit involvement should include an evaluation of the auditability of any existing or proposed legislation. Involvement should include ensuring "that audit and control features are built into new systems".[7]

If the audit group contracts out its audits, it should be clearly understood that the audit agents will notify the auditor immediately of any suspected wrongdoing.

The first two chapters of the Standards for Internal Audit in the Government of Canada indicate that sound management entails the integration of adequate internal controls throughout the systems and procedures established within the department or agency. These controls, designed to promote the economy, efficiency, and effectiveness of operations, compliance with established procedures, and the integrity of financial information, should also help prevent the possibility of fraud and abuse. Unfortunately, the effectiveness of internal controls existent within any organization is limited in cases where collusion is found.

Management is ultimately accountable for the establishment of comprehensive and compatible systems, sound operations and results achieved by the organization, and consequently for the prevention of fraud and abuse. To this end, internal "...audit groups can assist management in meeting the objectives of internal control...". one of these objectives being "...to protect funds and other public property from losses due to fraud, mismanagement or inefficiency...".[8]

Internal audit assists management through its audit of the predetermined control framework and what happens in actual practice, through its analysis of the cause and effect of each observation, and through recommendations made to improve the state of the organization. This analysis of each audit observation should include an evaluation of the possibility of fraud or abuse within the system or audited entity. If the possibility of fraud or abuse does exist, further evaluation of possible losses of money or public property should be made. Bearing in mind the magnitude of resources involved, the entire audited area should be scrutinized more closely. All cases of abuse, or deficiencies in the prescribed policies, laws, or regulations, etc., which may lead to abuse, should go the route of most observations and recommendations. These should be brought to the attention of management through the audit report mechanism, if material, or through a management letter, if of a lesser significance.

Where fraud is suspected, The Standards for Internal Audit give specific direction to internal audit groups: "...when the internal auditor suspects wrongdoing, the appropriate authorities within the organization should be informed. The internal auditor may recommend whatever investigation is considered necessary in the circumstances"[9]. The audit should therefore only be carried out to the point where there is serious suspicion that criminal activity may exist. The internal audit group should not automatically take it upon itself to investigate cases of suspected fraud. Its responsibility is to report its observations to the appropriate authority, the body specifically appointed to handle such incidences. Failure to report suspected incidents of fraud may implicate the audit group in any wrongdoing.

The appointment of an appropriate authority is supported by the TB circular on Losses of Money Suffered by Her Majesty and Offences and Other Illegal Acts against the Crown which indicates that deputy heads should "designate an independent function reporting to the deputy head to which all reports of losses of money and incidents suspected of involving...unlawful activity would be reported...". The person(s) appointed by the department for "coordinating the reporting and investigation of incidents" should be knowledgeable of the Criminal Code as well as aspects of the Financial Administration Act (FAA) and specific departmental acts, regulations and procedures.[10] If no one within the department has been assigned the responsibility of coordinating the reporting and investigation of incidents of suspected fraud, the internal audit group should bring this matter to the attention of the Audit Committee.

The major question which arises at this point is who, within the department/agency, should be appointed the appropriate authority? In smaller departments, bearing in mind the qualifications noted in the preceding paragraph, the internal audit group might be assigned this responsibility. Otherwise, where a department has an internal control directorate or similar organization, it might be assigned to them.

Of significant importance in the circular are the clauses that "...the RCMP has primary responsibility for investigating offences against the Crown..." and "...all suspected cases of fraud, defalcation, or any other offence or illegal act (i) are to be immediately referred to the RCMP to determine what investigation is to be undertaken and by whom...".[11] Where departments have their own investigative bodies, these may make special arrangements with the Economic Crimes Directorate of the RCMP concerning what incidents are to be referred to them for investigation. Pre-clearance of any involvement by the internal audit group must be obtained from the RCMP through the deputy head. The RCMP must nevertheless be informed of all incidences, irrespective of whom conducts the investigation.

The persons responsible for the actual investigation must have the appropriate training. Internal auditors are not generally trained to handle the investigative role. Although audit and investigative roles and techniques used may be similar to a degree, they are not identical. Standards of evidence are different: the evidence accumulated may be the same, but the methods used to accumulate it have important ramifications on the legal process. Interviewing techniques used by auditors may invalidate any findings made and render them inadmissible in a court of law. Becoming a fraud investigator while in an audit position involves stepping out of role, and may seriously jeopardize good auditee relations which have been fostered over the years. Internal audit's role is to make recommendations to change departmental systems, policies, or procedures which may have fostered an environment where fraud became possible. The audit group should not as a matter of routine become involved in fraud investigations. Internal audit should routinely, however, scrutinize all reports of losses of money, offences, and illegal acts made to the appropriate authority.

Where the role of the appropriate authority is assumed by the audit group, and/or where internal audit is involved in a special investigations, caution should be exercised to ensure that the status of the internal audit group is not jeopardized. The internal audit group should not hesitate to communicate any difficulties to the deputy head and suggest that further assistance from the RCMP may be necessary.

The Standards for Internal Audit also address the concept of due care which requires that reasonable care, competence and an appropriate level of audit skill, and auditor judgement be used.

This means, among other things, being alert to the consequences of inefficient policies and systems and lack of controls. It does not mean taking a greater pro-active role than what has already been discussed with relation to fraud and abuse, but does mean maintaining an awareness that fraud and abuse are possible. The Institute of Internal Auditors Statement on Internal Auditing Standards Standard 380.01 states:

Internal audit groups must therefore exercise due care in all of their audit work.

The Standards for Internal Audit show that internal audit's responsibility for the deterrence of fraud and abuse consists of alerting management to possible instances uncovered during the audit and evaluation of all levels of the organization, and making recommendations on the controls required to prevent fraud and abuse.

The internal audit group should be alert for fraud, but not make a search for fraud their raison d'être. Their main responsibility in the detection of fraud and abuse is the application of the concept of due care in all of their activity.

They should not investigate fraud independently if found during the course of their work, but should report this to the authority designated by the department. In the case where the internal audit group has been appointed the appropriate authority and/or is responsible for a special investigation, great care must be exercised in the performance of the assignment.

1. "An Attack on Financial Fraud", K.W. Olesen, The Internal Auditor. April 1983.
2. "Appreciation Paper - The Role of the Auditor as it Relates to Fraud", Director General Audit, DND.
3. Black's Law Dictionary, Fifth Edition, H.C. Black, West Publishing Co., St. Paul, Minn., 1979.
4. "Combating Fraud", A. Futter, Public Finance and Accountancy, June 1984.
5. "Detection of Fraud", H. Chernovsky, CGA Magazine, August 1985.
6. Deterrence, Detection, Investigation, and Reporting of Fraud, Statement in Internal Auditing Standards No. 3, May 1985.
7. "Federal Fraud, Waste and Abuse: Causes and Responses", T.F. Eagleton and I. Shapiro, The Government Accountants Journal, 1985.
8. "Federal Waste Receding With Effective Detection", GAO Review, Summer 1985.
9. "Fraud Awareness in the Government Environment", W.F. Radburn, Cost and Management, March-April 1982.
10. "Fraud Challenge in the Utility Industry", T.A. Agee, The Internal Auditor, December 1984.
11. "Fraud Investigation", J. Bailey, The Internal Auditor, April 1978.
12. Internal Audit Handbook, Vol. 1, Ch. 3, DSS, 1985.
13. Draft Loss of Money Regulations, OCG, March 1986.
14. "Implementing the Internal Control Evaluation, Improvement and Reporting Process in the Federal Government", F. Heim and H. Steinberg, The Government Accountants Journal, 1984.
15. "Internal Control and Auditing for Fraud", M.A. Dittenhofer, The Government Accountants Journal, 1985.
16. "Reflections on the Root Causes of Fraud, Abuse, and Waste in Federal Social Programs", J.D. Young, Public Administration Review, July/August 1983.
17. Standards for Internal Audit in the Government of Canada, Treasury Board of Canada, 1982.
18. "The Impact of Polygraph Testing on Internal Control", The Internal Auditor, December 1984.
19. "The Inspector General Program is Changing Federal Audits", A.L. Reynolds, The Internal Auditor, August 1982.
20. Draft Treasury Board Circular on Losses of Money Suffered by Her Majesty and Offences and Other Illegal Acts Against the Crown, August 1986.
21. The President's Management Improvement Program: Reform 88, OMB, Washington, October 11, 1984.
22. "Will We Make the Same Mistake", F.B. Palmer, The Internal Auditor, December 1984.
23. "White-Collar Crime", D.L. Nich and R.D. Miller, The Internal Auditor, December 1984.