The committee met at 7:30 p.m.

[P. Milobar in the chair.]

P. Milobar (Chair): Good evening, everyone. I’ll call to order the Select Standing Committee on Public Accounts. This evening we’re dealing with the consideration of the Office of the Auditor General report Fraud Risk and Financial Statements: B.C. Public Sector, Part 1, March of 2023.

We do have Doug Routley online with us, and we’re waiting for a couple other members to sign in as well. We’ll get started, as it is already late in the evening, or end of the workday for most people.

With that, I will turn it over to the Auditor General. We’ll hear from him and then, as usual, go into questions afterwards.

Consideration of
Auditor General Reports

Fraud Risk and Financial Statements:
B.C. Public Sector, Part 1

M. Pickup: Thank you. I acknowledge with respect that at the Office of the Auditor General, we conduct our work on Coast Salish territories, primarily the traditional land of the lək̓ʷəŋən people, now known as Victoria. As a Status Indian member myself of the Miawpukek First Nation, I’m delighted to be able to breathe the air, drink the water and enjoy life as a visitor on these lands.

Before introducing our audit team for tonight’s presentation, I, too, want to recognize that this month has been proclaimed Sikh Heritage Month in British Columbia. The Office of the Auditor General welcomes the opportunity to celebrate with the Sikh community and to take this opportunity to learn more about the community’s rich and unique history.

We’re here to provide insight into part 1 of our two-part series of reports on fraud risk and financial statements. And it’s timely because last month was fraud awareness month. The first part of our two-part series concerns Crown organizations, health authorities, post-secondary institutions and other public sector entities. It was released earlier last month. The second report, looking at government ministries, will be coming out soon.

These reports are somewhat different from reports the committee normally considers when we’re before you. As information reports, they are not audit reports. The information we have gathered, from across the public sector, is self reported. In other words, we don’t audit all of the responses to our questionnaire about fraud risk management.

However, it is important because these surveys allow us to get this work done quickly, to get it done broadly, and do provide valuable insight on two levels. First, the responses can give us a reading on how well the public sector deals with fraud risk management, including policies and procedures for fraud prevention, detection and responses. Secondly, the responses are important to our work as auditors of the province’s summary financial statements. The questionnaire helps us plan our audit and helps us provide assurance about the integrity of government’s financial statements.

And we all remember that fraud is a very real threat to all organizations. Fraud experts say that fraud can cost an organization as much as 5 percent of its annual revenue. Translate that, or think of that in terms of the province’s $70 billion of revenue and expenses, and you can see the real value that lies in having sound fraud risk management regimes in place.

We chose to do this report for three main reasons. As auditors of the province of B.C.’s summary financial statements, we must assess the risk of material misstatements due to fraud or error. The risk of material misstatements due to fraud depends on potential exposure and preventing, detecting and responding to fraud. The fraud risk management questionnaire that we send to 23 significant public sector organizations helps us plan our audit of the province’s 2022-2023 summary financial statements.

Now that I’ve provided some background and some context, it’s my pleasure to introduce to you our audit team and invite them to speak to the report.

[7:35 p.m.]

With me on my right — on your left, I guess — next to me here is Stuart Newton, who is the assistant Auditor General responsible for the financial audit practice and the work we do in the financial audit practice. Next to Stuart is Mark Castator, who has led this work and is the audit director.

I will turn it to you folks to walk through the report.

M. Castator: Good evening, Chair, Vice-Chair, members of the committee. I would like to walk you through our Report at a Glance, at a high level.

We performed this work as part of our audit of B.C.’s summary financial statements for 2022-23. As part of that audit, or any financial audit, the auditor must assess the risk of material misstatements, whether due to fraud or error. To help us assess that risk this year, we sent a questionnaire to 23 significant public sector organizations.

We begin the report by outlining the responsibilities of management of these organizations as they relate to their financial statements. Management of these organizations is responsible for preparing their financial statements in accordance with Canadian generally accepted accounting principles, or GAAP, establishing and maintaining internal controls to ensure the integrity of financial information, and for identifying and ensuring compliance with applicable laws and regulations.

The auditor’s responsibilities for the financial statements are to obtain reasonable but not absolute assurance about whether the financial statements are prepared in accordance with Canadian GAAP and free of material misstatements resulting from fraud or error.

We then outline the responsibilities for management of these organizations for fraud risk management. Management’s responsibilities are to prevent and detect fraud and to determine the appropriate responses to identified frauds, including whether to contact external authorities.

The auditor’s responsibilities for fraud are to (1) assess during audit planning the risk of material misstatement in the organization’s financial statements; (2) to consider the impact of the assessed risk of material misstatement due to fraud on the audit approach, including the nature and extent of testing to be performed; (3) to evaluate the audit evidence and determine how the audit is affected by any material misstatement due to fraud; and (4) to communicate any suspected fraud to the appropriate level of management or to the board of directors if management is involved.

Let’s now move to the results of the questionnaire itself. We sent this questionnaire to help us assess the risk of material misstatement due to fraud at these 23 public sector organizations. We have provided summary level responses in this report to give MLAs insight on fraud risk management in the public sector. The Office of the Auditor General is the auditor for five of these 23 organizations, and we have shared the results for the other organizations with their financial statement auditors.

Auditors will use these results in planning their ap­proach for the financial statement audits of these organizations. The responses to the questionnaire presented here have not been audited. For the questionnaire, we first asked organizations questions to understand their perceptions of the risk of fraud.

We asked the organizations whether they had experienced fraud in the past year. And 61 percent reported they had experienced fraud, with the most common types being theft of physical assets, experienced by 43 percent, and misappropriation of company funds, experienced by 22 percent.

We then asked about their perceived vulnerability to fraud. And 17 percent of organizations reported feeling highly vulnerable to at least one type of fraud, and 74 percent reported their vulnerability to theft of physical assets as low, despite 43 percent having experienced this type of fraud in the past year.

We next asked about fraud risk governance. Two organizations said they had not assigned responsibility for fraud risk management to a member of senior management, and 35 percent of organizations reported they had not established a policy devoted to fraud risk management but had other policies that referred to fraud risk management, while one organization reported not having any policies that referred to fraud risk management.

Next, we asked about fraud risk assessment, and 39 percent of organizations reported having no ongoing process to identify and document ongoing fraud risks. We then asked about the fraud prevention, detection and investigation activities at these organizations. Seventeen percent reported they had not established a compliance monitoring and reporting function, 17 percent said they had not assessed the need for a fraud hotline to report incidents of non-compliance or fraud, and 9 percent said they had not established policies and procedures to follow when potential incidents of fraud were identified.

[7:40 p.m.]

Finally, we asked about the monitoring and evaluation of fraud risk management in these organizations. One organization said they did not have all incidents of fraud and corrective action reviewed by senior management, while 43 percent of organizations said they had not established a schedule to perform fraud risk management evaluations.

After reading our report and reviewing the results of the questionnaire, you may want to ask the following three questions: what are government’s expectations for fraud risk management within public sector organizations? How does government monitor, manage and respond to risks within public sector organizations? For organizations that have said they do not have one or more elements of fraud risk management in place, how will government assess the impact on the summary financial statements?

Thank you. I will now turn it back to Michael.

M. Pickup: Thank you, Mark. That would conclude our opening comments.

P. Milobar (Chair): Carl, anything else that you’d like to add?

C. Fischer: No. I don’t have a presentation today.

P. Milobar (Chair): Any questions from the committee?

S. Chant: You say you sent the questionnaire out to 23 organizations. Did all 23 respond? They did. Okay. Were you surprised at the responses?

M. Castator: I wouldn’t say we have had, really, any expectations. These were large organizations, so we expected them to have some level of sophistication. Given that these are unaudited, it’s hard to judge, really, whether we were surprised or not.

S. Chant: Very good. Thank you.

R. Leonard: A couple of questions. The first one I have is: of those organizations, did you present them with a def­inition of fraud? What kind of fraud activity are we talking about? Was it stealing paperclips, or is it bigger than that?

M. Castator: We didn’t define it. We did have definitions if they wanted to ask us, but we left it up to them to define what they viewed as fraud.

S. Newton: Just to add an additional piece of information, previously, we actually did a fraud risk management survey across all entities within the government reporting entity. I believe it was last year. We reported out on that as well.

This is the second pass we’re taking on fraud and fraud risk management. So the terminology we’re using, the expectations, some of the items in the questionnaire, had already been surveyed previously as well. There would be a familiarity on the part of respondents.

Given the significant size of the Crowns, there is a reasonable expectation that when we’re talking about fraud and fraud risk management, they’re sophisticated enough to understand it, and I believe they are.

M. Pickup: If it is helpful, on page 14, we give about, probably, nine examples of the buckets, if you will, of things that might be thought of as types of fraud, and then they respond to those buckets. These buckets are pretty much accepted. It’s a lot broader than stealing paperclips.

G. Begg: What is the consequence? Is there a conse­quence? A penalty? Ronna-Rae talks about a pen or a paperclip, which we’ve all done. We’ve all taken company pens home, I’m sure. I have, anyway. I’m confessing, I suppose.

If you’re in the Ministry of Forests and stealing a boat or a pump or something, there’s quite a difference. What is the consequence for that?

C. Fischer: Within the province and within all Crown corporations, any incidents of loss related to malfeasance result in appropriately measured disciplinary action, up to and including dismissal.

G. Begg: I’m interested in the criminal aspect of it. If you’re stealing, it doesn’t matter that you’re stealing a generator from Forests or from Home Hardware. It is a criminal offence. I wonder if there’s a consequence.

C. Fischer: There is. The province has a policy on reporting non-emergency matters to the RCMP. Their responsibility is, first of all, any material fraud.

[7:45 p.m.]

Generally, material frauds are considered to be above $5,000. That’s the measure that the RCMP uses. That’s what led to this guideline. Those have to be reported to the office of the comptroller general.

If there is evidence that an occurrence of fraud or enrichment or depriving the government has occurred, we’ll consider whether it’s appropriate to report to the RCMP and make that recommendation with the head of the public body, which would be the deputy minister and include the Deputy Attorney General as well.

G. Begg: One more thing. Sorry to beat a dead horse, but is that tracked as well?

C. Fischer: Yes. To get to the bottom line, in my experience… I’ve only had that occasion once.

G. Begg: Perfect. Thank you.

P. Milobar (Chair): Just to let Doug know, I do see your hand. I’ve just got a couple of speakers ahead of you, that’s all.

Michael, did you want to add something more?

M. Pickup: Just something very quickly on the report at a glance. If you look under fraud prevention, detection and investigation, under bullet 3, 9 percent of these organizations said they had not established policies and procedures to follow when potential incidents of fraud are identified. It may seem like a very obvious thing, but it’s not always an obvious thing.

It’s a good practice to have these policies and procedures in place so you know the triggers as to when you would make those calls and what you would do. I just didn’t want to let that point go as well.

J. Tegart: Reading the report, do we have any sense of the dollar value of what this would reflect in those organizations?

S. Newton: We did not ask a question in relation to that because we were looking more for their impressions of fraud and whether or not they have the practices and processes in place, because outside of an individual event, having the practice and process established in your organization would be the more enduring and important thing to make sure that we were assessing.

J. Tegart: So for the information that has been received in this report, and you said that a questionnaire has gone out previously, is the intent for us to have a matrix so that we can see whether policy has been developed, whether it brings awareness, whether there are education programs, etc.? I guess my question is: what is the intent of asking the question? What do we hope to get out of it?

M. Pickup: There are probably many answers to that question. So what you might find is…. I will give a perspective as to what I would like to see us get out of this, and Stuart can give them more technical answers in terms related to the financial audits and why we do this and why it is important to do.

People who study this stuff, the experts who study fraud, say that the more you start talking about measures in place to manage fraud, the more organizations put these types of things in place, whether they’re fraud risk assessments, policies, training, all of this kind of stuff. As soon as you start doing all of this, this is likely to result in less fraud to start with.

The experts who experience fraud might suggest that 4 percent to 5 percent is that part of the amount of revenue that is at play as a potential loss to fraud. When you start doing these things, people know you’re doing training. People know you have controls. Just the visibility of it…. People know how to report fraud. That alone is going to likely reduce your incidents of fraud because people know that you are managing it.

One of the things I hear in the 150 to 200-plus people I’ve met with across the province in my three years here as Auditor General…. They have told me that these questions are helpful. The stuff in these reports is helpful. It’s helping me, at those senior levels in an organization, ask questions that perhaps I didn’t think about before, and we’re seeing the change happen.

Nobody is likely to pick up the phone and call me or Carl or the Minister of Finance and say: “I didn’t commit fraud this month because all of these things are happening.” To some extent, I think, we have to rely on just the pure science around this, that we know this will reduce it.

[7:50 p.m.]

From my perspective, a big reason in doing this, why we’re not giving up on it, and we’ve done the most extensive survey in the history of the province on this is to get that news out there, get people talking about it, get people thinking about it.

It still can be sort of a pause when you see 22 percent of organizations say they have not assessed the need for fraud risk management training for staff. Well, I would have the view that everybody should take fraud risk management training. It’s probably an important thing to do, and again it pushes that message. So that is why this stuff does interest me and why I think it’s important.

I’m going to throw something out there. Not to be controversial, but let’s say, for example, we’re not dealing with 4 percent of revenue expenses. Let’s say we’re only dealing with 1 percent, and we’re talking about a $70 billion organization. We’ve got $700 million at play at 1 percent. If doing this stuff reduces that by a quarter, then my math tells me that is around $17½ million a year in less fraud by doing these types of things. You can do a lot of fraud improvements and put a lot of things in place for $17½ million a year. A lot of these things don’t cost a lot of money anymore.

Anyway, that’s part of my drive on it. If you want to add some of the technical part or if you’d like us to move on, Jackie, we can move on.

J. Tegart: That’s fine.

S. Newton: I have a couple of quick points. For us, the initial assessment gives us a baseline starting point when we’re working with these particular organizations when we do our audit work. We take their answers, and then we start looking for specifics that either support what they have said or also ask them: “Why not?” Then, sometimes we find even with a “no,” they may have something else in place that’s close or good enough. From that perspective, we’re pushing their understanding of what they might need to do in order to have better fraud risk management in place.

The last piece is that it does help across all the entities, regardless of whether they were included in the 23 or not, in that they’re seeing what their peer organizations are doing in relation to fraud risk management and also understanding that, if they’re in one of these smaller percentages, they probably need to pull up their socks and think about how they might want to address something. Although it’s still subject to further work within an auditee, having that level of information out there, to Michael’s point, gets the dialogue going, gets people’s minds thinking about what they need to be doing.

P. Milobar (Chair): The magnitude is huge. You missed a decimal there. You sold yourself short. It was actually $175 million as a quarter percent, not $17½ million. It just shows you how even a quarter percent is massive in terms of what actually stays into proper organizations of what the taxpayers think they’re funding.

Carl, did you want to add something else real quick?

C. Fischer: Yes. Now, to be clear, we’ve never seen anything like $175 million in fraud impact in the province. I’m not super comfortable with using broad percentages. That 2 to 5 percent includes everyone. That includes Amazon and 7-Eleven and Walmart and all of those commercial enterprises that establish their own tolerance for what they’re willing to lose through loss or fraud or theft versus spending the money to try and prevent it.

Government is very, very different. At the same time, government has a much lower tolerance for loss due to fraud because we are responsible for ensuring the public trust. In addition to the entity’s own fraud policies, the province has a pretty comprehensive fraud policy, fraud assessment program, mandatory training.

The expectations of the province are that all Crown corporations follow the spirit and intent of those policies and practices. I’m with Michael in that it’s very easy to write a policy or print it out and post it on the door because no one ever anticipates being a victim of fraud.

Every organization on this list is very different. Liquor Distribution Branch, for example, has a very different in­herent risk profile than the Provincial Health Services Authority. Their risks are very, very different. Fraud does include an awful lot of things — everything from bounced cheques to shoplifting to people running away with the shopping carts to use them as special forts, things like that.

[7:55 p.m.]

It’s very important for us to encourage organizations to be thoughtful, to learn about their fraud experience and to think about whether they’re responding appropriately. Some organizations naturally have a lot of exposure to fraud. Generally those are the ones that have good policies and a strong response framework.

Other organizations rarely would even think of fraud. A lot of our school districts, for example, that don’t have any kind of ancillary commercial operation or school-generated funds don’t really have a fraud exposure. All of their funding comes from the government regularly through electronic funds transfer. Over 90 percent goes out in salaries, which are managed by a central provider. There’s not a lot of opportunity other than, you know, if someone wanted to steal textbooks. That can still be very costly but limited. The inherent risk isn’t huge.

We’re advocates for focusing on specific fraud policies. The usual way or, I guess, the traditional way would be to include the concept of fraud within your regular control policies that comprise your internal control framework. That worked for many, many years and was fully acceptable. But what we have to realize now is that we’re in a much more interconnected world. Our exposure to fraud increases exponentially all the time.

Within the province, I think we’ve made great strides to increase awareness. We have, I think, a pretty solid relationship with all of the Crowns in terms of dealing with their exposure to fraud. We, in the office of the comptroller general, are involved in all ministry frauds and any Crown agency fraud that is either internal or material in nature. We don’t get a call every time someone shoplifts something from a liquor store. But we do follow up regularly to find out what their metrics are and what their exposure is. There is work being done. But it’s a constantly evolving area and attention is an important thing.

S. Chant: Back to the baseline concept. You did a survey a year ago. You’ve done another one now. Is it apples and apples to look at the results of both the surveys to see if there are any kind of gains made in the year?

S. Newton: Some apples to apples. Some apples to oranges. We did do a little bit more on fraud perception on this one. We also refined the questions to help us do some of our further audit work around financial statement risks. The original survey is a little more generic. This one was a little bit more specific. But there is some degree of comparators.

S. Chant: Did you see whether there was an improvement from last year in some of the comparators?

S. Newton: In relation to the specific 23, given that is small, I didn’t want to start doing the comparison. We really focused on how we could use it for completing the year-end financial statement audit work. I think that that is, from a longitudinal perspective, something that we could go back on as we do some of this work.

S. Chant: Okay, so it’s early days yet is what I’m hearing. Thank you.

D. Routley: First of all, Garry, I want my pen back.

I would also observe that 17 percent of all of the organizations indicated that they felt highly vulnerable. And 17 percent were not assessing a need for a reporting hotline. And 17 percent had no monitoring. Were those the same 17 percent? If so, or if it’s almost that stark a line, do they have other characteristics that are common between them? If they do, does that help you in terms of planning how to outreach to organizations that might share those characteristics?

[8:00 p.m.]

S. Newton: I don’t believe the 17 were completely aligned or even that there was necessarily a great deal of commonality among them. I would say that for the few of them where there were a lot of answers that were either nos or they didn’t have things that we asked about, those would be things that would impact the risk assessments of the auditors of their financial statements. They would make sure to validate that, in fact, it was a no, and that would impact their audit approach as they look at the financial statements of those organizations.

D. Routley: If I could just follow up, are there similar legacy characteristics in organizations that would lead you to think: “Okay, this is an organization that probably needs some help”? Are you able to set targets? Maybe that’s not the best word, but goals based on characteristics?

S. Newton: Part of the work that we did was for year-end summary financial statement audit purposes. In that sense, those organizations that, as we’re going through our year-end financial statement audit, have enduring risk issues that we believe are important…. We would be communicating those to the senior management of those organizations, as well as their board.

If we’ve got a situation where we have concerns about a persistent risk, then part of our reporting back to the board, both during planning before we start our audit work and as we complete our audit work…. Those risks are communicated to senior management and the board, if they’re significant, so that they have the opportunity to address the control issues present in their organizations.

I say that we, as far as…. There are five of these entities we audit directly. We do know from doing oversight on those others that their auditors are also looking at things similarly and would also be bringing issues that were significant to senior management first and then to the audit and finance committees that they report to.

R. Leonard: I’m looking at the management’s responsibility around risk assessment and then the auditor’s responsibilities. Frankly, when I think about what people think about an organization that’s audited — that you’re identifying those frauds through that auditing process — this is giving me a sense of a chink in the armour. Then I look at the report, and you were looking at perception versus, perhaps, reality. I get a sense that there are different ways of assessing risk and what people’s perceptions are around it.

I’m wondering just if you can kind of square this for me, so I understand a little bit better what’s helpful about knowing about perception. I think I heard Carl say that there is training already involved in risk assessment for government services. But this is indicating that, perhaps, it’s not sticking? I don’t know. Is that something that you’re going to be looking at?

Thank you for pointing that out again. I can’t even remember when I read the report. It was when we first got it. I noticed that one of the fraud pieces is information theft. It isn’t dollars and cents stuff, but it’s information. In this day and age, I feel like maybe that’s something that’s going to grow.

Anyway, that’s a lot, I guess.

S. Newton: I’ll answer parts of that, and there may be some of us who all have pieces of the answer.

In relation to our role in relation to fraud risk management, we are looking at the risk of what we would call a material misstatement, so significant misstatement in the financial statements. We would be looking at areas where the number in the financial statement has a risk that it might not be the correct number. That’s how we’re tying it through. We would be looking at things that would affect whether or not the numbers in the financial statements were correct.

There are frauds that can occur in an organization outside of the financial statements that would occur that, while it’s important for us to know the general procedures that are in place to deal with fraud, when we’re assessing risk on a financial statement audit, we’re really looking at the risk of the numbers being incorrect. That limits us to some of what we would look at in relation to fraud risk management.

The general discussion around fraud and whether they have certain things in place would be broad enough to cover those other areas. The auditor on a financial statement audit wouldn’t necessarily be the person to find the non-financial reporting frauds.

[8:05 p.m.]

Many of the large organizations that we go to have an internal audit function that does report to the audit and finance committee and can report on key areas that are of concern to the audit and finance committee. In a number of cases, audit and finance committees are looking at their audit plans and determining: are you covering off information security? Are you covering off cybersecurity risk? Are you covering off procurement decisions? There are other ways that organizations can get information on the quality of their response to potentially risky or fraudulent situations within their organizations.

When you mentioned a chink in the armour in relation to expectations of what a financial statement audit looks at in relation to fraud, it is a limited scope of types of fraud. Once we’ve reviewed the financial statements, we’re providing a clean audited opinion. We’re telling the readers that the numbers are correct.

There may be other processes or situations in the organization that do not affect the financial statements that could have issues. We weren’t opining on those, because it is strictly a financial statement audit. There are probably some differences of understanding of what a financial statement audit covers. Part of that would be where there would be a difference, if that helps.

Then I can’t remember…. I think there may have been a question for Carl in there, so I’ll just turn it to you.

C. Fischer: With regard to the training, we did put together a training package on fraud risk awareness. We deployed it within core government. I think the last time I saw numbers, about 95 percent of public sector employees had gone through the training. It was well received, and I think it did a good job.

We also provided that same training program, along with some policy considerations on fraud risk management, for Crown corporations — our fraud risk assessment package, our fraud management toolkit — on a SharePoint site that we share with Crown agencies, Crown corporations. We don’t have direct responsibility for policy direction for Crown corporations, but we work together quite closely.

We’ve also established a quarterly meeting of the internal audit functions of all Crown agencies to talk about these issues, including fraud, as well as everything else. So we are doing things. We are getting a lot of interest, but every Crown agency, like any other organization, has to think about what their priorities are, where they apply their resources and where their biggest risks are. For some organizations fraud risk may not be the biggest risk they have to tackle.

We continue to advocate. We continue to keep it on the radar and to promote this area of practice amongst a few others. But at this point, we’re not taking a very firm approach and requiring or mandating that everyone adopt a cookie-cutter fraud program that we’ve developed in the province.

What I’m more concerned about is identifying other situations where an organization does not have awareness of fraud risk. It’s actually quite good that so many people kind of identify correctly that they do have exposure to fraud. You want people to be careful just like you do when they’re driving.

Other situations that I’m concerned about are whether there’s a significant change in the volume or the quantity of fraud incidents in an organization. Those are usually the measures that we look to, to determine whether or not we need to get in touch with that organization, find out where there’s been a change in the executive complement or direction or a change in their mandate that’s led to different behaviour and treat it that way.

M. Pickup: A couple of points on your question and your comment. Some of this dates back over time.

By way of a little bit of background, I came from the office of the Auditor General of Canada, at one time, where I was the internal specialist on financial management and control. My love for things related to trying to reduce fraud goes back a long time. I brought that to Nova Scotia and now to here.

[8:10 p.m.]

You talked about information theft. One of the things that I learned on some of my training with the Association of Certified Fraud Examiners is that information theft — for example, organized crime — will get into banks not to steal money. They’ll get people in at entry level positions to steal information. That’s where the real money is now, is getting access to that. So things have changed over time, in this whole area of fraud, from trying to steal dollars to stealing things like that.

A couple of other examples, particularly, I guess, for those who haven’t experienced fraud in the public sector or think that perhaps fraud can’t happen or doesn’t happen in the public sector because everybody is honest. If you look at hospital construction across Canada, and you go back over the last 30 years, lots of examples of fraud in hospital constructions.

I won’t comment on this other than to share the fact that, if you didn’t see it, yesterday a public servant who was in the department of Education in Ontario pled guilty to fraud of $47 million over three years. This was not the deputy minister level. This was somebody making $120,000 a year able to do some ID stuff, circumvent the control and spending process and, all of a sudden, he’s got $47 million. He was sentenced yesterday to ten years in jail and didn’t argue it and pled guilty.

So anybody who, perhaps, thinks fraud doesn’t happen…. I’m not suggesting you think that, but I’m saying that unfortunately, there are too many examples, I think, that fraud does happen in the public sector. That’s why we will continue with this work.

My last point is: you asked about trends on this stuff. We’ll be back at this next year and revisiting this and looking at what is happening over time, as well.

R. Leonard: My last question was on perception versus reality. How are you able to bridge the perception with what are actually the actual risks? You mentioned very specifically that this was an exercise in perception.

M. Pickup: Oh, in terms of what they would bring forward to us, rather than an audit — is what people would then identify. Then on these financial audits, the financial auditors would have this information unique to their entities and then would have to go ask additional questions and assess whether that was resulting in a risk.

That’s why — and Stuart made the point that this is very much sort of expanding on the work we do on all of the financial audits anyway — that we’re not done. This is just the starting point for us. And if anybody has missed it, the 23 organizations that we’re doing this on are listed in here, so the organizations are not a secret.

P. Milobar (Chair): Just following up on some of those things — both questions and comments from yourselves, as well — I guess my concern is…. When you look at the one chart on page 14 that lists the types of fraud and lists the self-reporting response or self-awareness that the executives have, it almost seems somewhat contradictory.

I mean, when you think there’s 43 percent actually rec­ognizing theft of physical assets, but 96 percent say their risk to their organization is moderate or low, even though 43 percent of them have acknowledged that they actually are having this problem…. I get there are varying degrees, maybe, within those 43 percent. Some would be very minor. But they’re acknowledging it.

You go through them all, and it seems like you’re asking the people that are supposed to be overseeing and making sure there’s not big exposure: “Do you think there’s an exposure?” Well, human nature is going to be to maybe be a little more optimistic on the one side of the question and a little less on the other.

I say, in terms of…. I fully appreciate and understand what you’re saying about the overall audit. You’re just making sure the numbers all balance and that there’s not $100 million that didn’t show up on a balance sheet somewhere that it should be. I get that. But what I think of when I look at, specifically, procurement, and you think of the amount of sole-source contracts that are starting to happen — and the amount of change orders, to your point around hospital construction, or other types of construction — I have a concern about what controls are in place and how that gets viewed as….

[8:15 p.m.]

The organization might not view it as fraud, because they think: “Oh, we just sole-sourced, and it’s a supplier I like working with, and we just kept signing off on change orders.” But the end result is that all the other contracting companies, instead of it being a…. If $100,000 is your limit for sole-sourcing, and it’s suddenly a half a million or $750,000 project because of all the change orders, that’s a problem.

That’s where I start to have a little worry. It seems like it’s being acknowledged, to a certain degree, by management in these various organizations, but when they get pressed on whether they think it’s truly a risk, they’re either blissfully unaware of the true risk, or they don’t want to be aware of the real risk because their load numbers are off the charts. They’re in the 70s, on every category. Some are even higher. So it just seems like they don’t really appreciate that there’s any potential way that there could be a problem.

Now, I could walk into most bars, with my experience running bars, and tell you exactly how bartenders are scamming an owner pretty quickly, just by sitting there for a few minutes. So every organization, to Carl’s point, has a different threshold of what they accept, but it just seems like there’s a disconnect here, with their answers, in terms of trying to get through the questionnaire without really getting themselves in any hot water or substantive changes to their organizations.

C. Fischer: I think that one reason for that is, first of all, whether or not there is that inherent risk of fraud. Then secondly, to your other point, whether or not they feel that their compensating management controls are sufficient to manage that risk.

Now, that doesn’t necessarily mean they’re always correct. They could, as you say, be kind of fooling themselves into blissful ignorance. But the first part is important — being aware of the risk. The second part is continually working to improve management’s response to risk.

Fortunately, with things like hospitals, they don’t happen every day. We’re not buying ten hospitals a day, so we do have ways of dealing with those types of risks through the involvement of the Crown corporation — I forget its name now; it used to be Partnerships B.C. — through the involvement of legal services and working with the contracting agency.

There are always ways to manage and moderate risk, but you can never absolutely remove it.

P. Milobar (Chair): We’ve got Bruce, then Doug, and then we’ll see if there are any more questions after that.

B. Banman: Carl, you picked up on something. I just want to get a clarification.

Let’s take the liquor control distribution centres that we have, or liquor stores. Are you saying that someone who comes in off the street and steals a bottle of their favourite beverage — that’s fraud?

C. Fischer: They would classify it as a loss due to fraud.

B. Banman: Okay. The retail industry would call that shrink. To me, what I would consider fraud would be that someone within management has figured out how to up their shrink. A case of Scotch goes out the back door, and they have an orchestrated way of somehow defrauding what would be normal theft in any other industry.

Then you mentioned school boards. I would say school boards are actually pretty high at risk of fraud, because they have stores. They have maintenance departments. They buy a lot of stuff. Yes, a vast majority of their budget goes out in wages, but to take a look at what they actually spend…. When they do build, you’re going to go….

For instance, if I’m going to buy a bunch of new trucks or vans for the fleet, is a kickback to whatever particular dealership considered fraud? I would say that very much is.

C. Fischer: Yes. So would I.

B. Banman: You’ve also talked about that we buy….

[8:20 p.m.]

There are have been some catastrophic events in the world where steel going into a bridge is nowhere near up to the snuff that whatever government organization thought they were getting, and there have been deaths as a result. That fraud can become very sophisticated in that the people that are in the procurement area have somehow managed to, you know…. Their kids get graduations to Harvard or whatever.

Do we spend time looking for those more sophisticated areas of fraud that involve kickbacks of a nature where somebody slides a brown envelope across the…. You know, everybody thinks like The Sopranos, for instance, where you’re sliding a brown envelope across the table to be able to get the painting contract for whatever.

Are we looking and do we help Crown corporations look for those very specific things? For instance, a red flag would be that a certain contractor only wants to talk to a certain person when they come in.

Do we have those types of educational areas and red flags to look for signs of fraud? If a corporation is fooled of their money, well, that’s up to them. But when it is the public taxpayer, I think a higher level of security should be required, because it is the public funds. At least, you know, coming from the city, where I did, that was always high on mind. Are we looking for those things?

Are we helping these corporations look for those red flags?

C. Fischer: Yes, absolutely. Everything you mentioned is quite true. If we were to go through a list of everything that could be considered fraud, I think we might have to take some time at the Chair’s bar, rather than trying to cover it all off here. But it’s a huge area.

At one end, you have that very simple crime of shoplifting or pilfering. That’s probably the most common. That’s going to happen every day. It’s going to be the biggest amount of impact. On the other end, you have collusion, conflict of interest, kickback. That’s going to happen much less frequently but can be significant in scale.

So accountants, comptrollers, auditors all have to be aware of those red flags or warning signs. Whether it’s peo­ple have very close relationships with business associates or people who never go on vacation. If you’re away two days, things fall apart, and then it becomes very obvious.

In addition to that, all of an organization’s…. I think pretty much any organization’s policies in the internal control framework need to be designed to combat or identify those types of circumstances, whether it’s procurement policy and the need to involve an evaluation team to ap­prove procurement; whether it is inventory management and warehousing circumstance.

Having good inventory management policies and practices and systems is critical to make sure that forklifts of whatever attractive assets don’t disappear on a regular basis. There’s segregation and personal accountability at every level of the organization. Those are all critical parts.

It’s good to talk about. We need a fraud policy, and the fraud policy should say: “We don’t like fraud. We’re not going to put up with it. We’re going to act on it.” But that’s only one part of that whole framework of internal controls that has to work together and receive equal attention.

Michael and I both have a real interest in fraud, because it’s an area that hasn’t received the attention that it probably should have over the past ten years. We’re focusing a lot of attention there. We also have to be mindful not to overfocus and say: “Hey, if you have this fraud package ready, you can forget about everything else, because it will take care of itself. We’ve made a strong commitment.”

It’s part of a bigger practice area. And then, I guess, the good part about that is it’s jobs for life for accountants and auditors. Yeah, for at least a year.

[8:25 p.m.]

D. Routley: I really appreciated Peter asking the question about change orders. With the scale of public investment, change orders, I think, are perhaps a huge vulnerability on large projects. I’m wondering if other jurisdictions have a similar rate of change orders on the per size of project and whether or not we audit change orders or whether we audit the effectiveness or even the validity of them.

C. Fischer: I wouldn’t be able to answer specifically. I haven’t seen any data from different jurisdictions. I would expect that given the type of business we’re in, whether it’s information technology or buildings or bridges, change orders are going to be part of the process for a variety of reasons.

What’s really important is not the number of change orders. That might be kind of a management problem. If you’re kind of completely revising the project within production, that’s probably just not good management. But what is important is: what is the practice or the policy around procurement to manage those change orders? Is it just one individual who receives them, wrapped around a bottle of champagne or caviar or whatever, and then signs them off, or is there a robust process of recommendation approval, estimation and validation depending on the type of project?

Is it just the vendor and the purchaser that are involved, or is there a quantity surveyor involved in the process, as there often is for large projects? It’s that kind of policy umbrella that really seeks to limit the risk from losses or even cost overrun. I think OAG’s report on fraud risk management on the Site C dam was a good example of some of the practices that are usually deployed in those types of projects to help reduce risk.

M. Pickup: That was a great lead-in, because that was what I had on my piece of paper was to remind folks that we did the audit of the Site C fraud risk management, just over the Site C project.

To remind folks, there were a number of recommendations in there where I would suggest that not everything was being done to what they had wanted or what one might expect. That was April of last year, and we’ll be following that up, but I don’t want to lose sight of that one as well.

I think to the comments about the types of things that can be happening in an organization, obviously, I’m the auditor. It’s not for me to be telling an organization every­thing to be doing. If this interests you, when I worked at the OAG Canada, I got to spend a couple of weeks down in Washington, and the folks in Washington opened their door, and it was specifically on fraud risk and how they were managing fraud risk.

It was amazing — the things they were doing. Maybe I’m a fraud geek, if you will, but the things that they were doing down there…. It was all automated. They were doing things like regular credit checks on people — like the employees — means of how people were living and watching how people were living, and regular monitoring of suspicious words in emails that could be indicative of fraud happening. It was just amazing.

I remember going in to meet with the vice-president of the U.S. Postal Service. She opened this big board on the wall and showed me everything that was happening in the country in terms of how they were managing fraud risk. A lot of examples came up, and yeah, certainly, these things are happening, and obviously, they all depend on the size of the organization.

This is a $70 billion a year spend, so you wouldn’t necessarily, perhaps, expect what’s happening in a $7 trillion a year, but you’d probably expect something more than in a $7 million a year operation.

P. Milobar (Chair): Great. Well, thank you so much. I think in the interest of time, we’ve got part 2 coming, anyway, at some point, so we’ll pick it up from there. Thank you for that.

We’ll just maybe give the auditors a minute here to go, if they like, and then we’ll consider the audit reports from 2018 and earlier for follow-up that we pushed from the last meeting to this meeting.

[8:30 p.m.]

Consideration of Audit Reports

P. Milobar (Chair): With the nine outstanding audits from previous Auditor General reports dating back to 2013…. The most current would be 2018. We have to decide whether or not we’re, essentially, comfortable saying we don’t need to see these come back to the committee anymore.

I do have a motion in place that has all of them listed. If there are a couple that people would like to see come back, we could just strike those out of the motion. Otherwise, we would just proceed with the motion, as it is, to remove the nine.

There are a couple that I’m going to suggest, straight off the hop, are no longer relevant in terms of timeline. The Evergreen Line rapid transit project, from 2013, is open. It’s got passengers on it. It’s the same with the Oversight of Physician Services, from 2014. A lot has changed in the world, in the nine years since that audit would have been done, when it comes to physician services. An Audit of the Education of Aboriginal Students in the B.C. Public School System — again, an incredibly important topic, but it’s from 2013. A lot has changed, as well, on the educational side.

In my opinion, I don’t really see the value of bringing any of these back. If people want to make a case for bringing some of the nine back, here’s your open opportunity. Otherwise, we’ll entertain a motion to remove them and deal with the current audits moving forward.

R. Leonard: I’ll make that motion.

P. Milobar (Chair): Right. Yeah.

I’m not sure…. Doug or Jennifer, just before we do a motion, if you have any concerns about that or not, just chime in.

No, they both seem okay.

R. Leonard: I move that the Select Standing Committee on Public Accounts pursue no further follow-up on the following Office of the Auditor General reports: Audit of the Evergreen Line Rapid Transit Project, 2013; Oversight of Physician Services, 2014; An Audit of the Education of Aboriginal Students in the B.C. Public School System, 2015; Monitoring Fiscal Sustainability, 2015; An Audit of the Adult Custody Division’s Correctional Facilities and Programs, 2015; An Audit of Mid-size Capital Procurement in Post-Secondary Institutions, 2016; An Audit of B.C. Public Service Ethics Management, 2017; Promoting Healthy Eating and Physical Activity in K-12: An Independent Audit, 2018; and An Independent Audit of Executive Expenses at School District 61, 2018.

Motion approved.

P. Milobar (Chair): With that, there’s not any other business, so a motion to adjourn.

Motion approved.

The committee adjourned at 8:33 p.m.