Fraud Risk Review at the Canada. Revenue Agency. Presented to the Financial Management Institute Ottawa November 28, 2013

Transcription

1 Fraud Risk Review at the Canada Revenue Agency Presented to the Financial Management Institute Ottawa November 28, 2013

2 Objectives Provide more insight into why the risk of fraud is a concern to the Canada Revenue Agency (CRA). Show an innovative approach to identify and address potential fraud risk vulnerabilities. Explain the intelligence gained through this approach and the lessons learned. 2

3 Overview The CRA and fraud risk The fraud risk review Phase I risk and control identification and assessment Phase II control testing Phase III recommendations and action plans Moving forward 3

4 The CRA and fraud risk 4

5 Overview of the CRA Tax and benefit administration: o o o o o Personal income tax; Corporate income tax; Excise taxes; Benefit and credit programs; and Charities. The CRA strives to ensure a tax system based on selfassessment and voluntary compliance where: o o o Canadians pay their required share of taxes; They receive their rightful share of entitlements; and, They are provided with an impartial and responsive review of contested decisions. 5

6 Overview of the CRA Setting the context One of the largest federal public-sector organizations with over 40,000 employees. 40 tax service offices and tax centres across Canada. Interacts with more Canadians than any other single government organization. Access to sensitive taxpayer information is required for a significant population of employees to perform their duties. 6

7 Setting the context The CRA must hold itself to the highest standards of conduct to ensure a foundation of trust. We are committed to the enduring values of integrity, professionalism, respect, and cooperation. A comprehensive system works together to uphold the highest ethical standards at the Agency, including: The CRA Integrity Framework Risk-based audit plan Corporate Risk Profile Ad-hoc engagements such as the unintentional privacy breach risk assessment The reputation of a thousand years may be determined by the conduct of one hour. Japanese proverb 7

8 Fraud Risk Review 8

9 What is the Fraud Risk Review? A means to better understand and potentially address vulnerabilities related to: System access Employee integrity lapses related to taxes and benefits administration Includes the following activities: Risk and control identification Risk and control self-assessment Control testing Recommendations and action plans Provides a snapshot for senior management to consider when developing strategies and allocating resources. 9

10 Scope Access to taxpayer and benefit recipient information. Program areas and the systems that support them: Assessing when you file Reassessing after you file Collections when money is owed to the Crown Objections when you disagree Legislation and regulation rulings and interpretations Information technology systems the enabler Vulnerabilities related to intentional and concealed efforts for personal or third-party benefit that contradict the Code of Ethics and Conduct and which are related to tax or benefit information. 10

11 General approach Broken down into manageable pieces (phases), each with clear deliverables and timelines. Identify tangible quick-hit items if possible. Central points of contact in each branch and region, and a dedicated review team for each one. Multidisciplinary review team combined expertise: Risk analysts Internal auditors 11

12 Phase I Risk and control identification and assessment 12

13 Phase I: Objectives 1. Identify risks and internal controls 2. Self-assess the risks and controls identified Phase I results informed the subsequent phase to determine which controls would be tested. 13

14 Phase I: Approach and tools Identification: Three levels of interviews Pre-populated information Validation step included Self-assessment: Electronic voting in Excel Dimensions assessed: 1) Risk impact 2) Risk likelihood 3) Control effectiveness 14

15 Phase I: Taking stock Important to obtain buy-in from the top executives. Early and clear communications to stakeholders were essential. Allow a best-fit approach where one size does not fit all. Many risks identified were common across branches. Exercise created a heightened awareness of potential vulnerabilities within programs and processes. 15

16 Phase II Control testing 16

17 Phase II: Objectives 1. To identify and select internal controls for validation (i.e. testing) based on the control self-assessment results from Phase I, using a risk-based approach. 2. To test whether the selected controls for certain risks are in place and functioning as intended. 17

18 Phase II: Approach and tools Used a risk-based approach to further analyze, re-assess and rank the identified risks from Phase I Pre-determined criteria were used to select controls associated with the most significant risks. Audit testing methodology: interviews, enquiry, documentation reviews, research on previous related internal and external audit results, and analysis of management action plans from previous audit work. 18

19 Phase II: Taking stock Ensure that Phase I results set the groundwork for Phase II audit testing. Ensure maximum linkage and alignment with results from Phase I self-assessments in terms of risk and control. Have clear definitions and parameters to define objective criteria, e.g. effectiveness. Leverage recent internal and external assurance work to maximize efficiency and minimize effort of audit work when working within tight timelines. Keep stakeholders informed with regular status updates and planned next steps. 19

20 Phase III Recommendations and action plans 20

21 Phase III: Objective 1. To analyze the validation and comments received from the Branches on the results of control testing conducted in Phase II; 2. To develop suggestions for improvement to address the identified control gaps; and 3. To solicit and analyze the adequacy of the action plans from the Branches. 21

22 Phase III: Approach and tools Summarized and documented observations (i.e. control gaps/deficiencies) based on results from control testing work performed in Phase ll. Documented summary sent to responsible Branches for validation and comments. Modified observations as warranted based on each Branch s response. Proposed suggestions for improvement to address control gaps. 22

23 Phase III: Taking stock Combine phases ll and lll as this would facilitate discussion of observations and suggestions for improvement. Both are not mutually exclusive. Need to allow sufficient time for stakeholders to fully understand observations and to reconsider action plans for known issues as this facilitates reaching concurrence with the stakeholders. Report results from control testing and action plans at the same time for completeness and facilitate understanding of risk, control, control gaps and action plans to address the gaps. 23

24 Moving forward 24

25 Lessons learned Benefits to be realized when risk analysts and internal auditors work together. The importance of setting the tone at the start. Efficiencies are possible: Leverage documented information Use and adapt existing tools and approaches Reduce red tape The necessity of thinking practically over theoretically. 25

26 What s next Action plans and monitoring: reporting on progress to close gaps Internal fraud risk assessments: informing workload selection Internal audit: developing the annual audit plan Ad-hoc reviews: delving deeper into identified areas of concern 26

27 QUESTIONS / COMMENTS Christopher Bowen Director, Enterprise Risk Management Division Audit, Evaluation, and Risk Branch Canada Revenue Agency Christopher.Bowen@cra-arc.gc.ca Annie Boudreau Director, Internal Audit Assurance Services Division Audit, Evaluation, and Risk Branch Canada Revenue Agency Annie.Boudreau2@cra-arc.gc.ca 27