The committee met at 8:02 a.m.

[P. Milobar in the chair.]

P. Milobar (Chair): Good morning, everyone. We will get started here.

Today we are looking at the Auditor General's report Fraud Risk Management: Site C Dam and Hydroelectric Energy Project from April 2022.

With that, I will turn it over to Sheila from the Auditor General's office.

Consideration of
Auditor General Reports

Fraud Risk Management: Site C Dam
and HydroelectriC Energy Project

S. Dodds: Good morning. Thank you, Chair, and thank you Members.

First of all, I will begin by acknowledging, with respect, that the Office of the Auditor General conducts its work on Coast Salish territories. Primarily this is the Lək̓ʷəŋin̓əŋ-speaking peoples traditional lands, now known as Victoria, and the W̱SÁNEĆ peoples traditional lands, now known as Saanich. I'm grateful to have been a visitor on these lands for about 40 years now.

This morning we are discussing our report Fraud Risk Management: Site C Dam and Hydroelectric Energy Project.

First off, I appreciate the audit team's professional approach to their work. The audit team includes Stuart Newton, our Assistant Auditor General, who is sitting here with me to my right; Jacquie McDonald, a director, who retired at the end of April; Priscilla Lai, the principal for this audit, and Priscilla is just sitting to Stuart's right. The other team members were Elizabeth Babiarz, Sophie Medwell and Edmond Ng, who are not with us today.

We'd also like to thank the B.C. Hydro staff who assisted with the audit and doing so during the challenging time of the pandemic. And thanks to the Clerk of Committees and the office of the comptroller general for their help in bringing the report to the committee.

Before handing over to Priscilla, I'd just like to take a moment to join you in acknowledging Jewish Heritage Month. Every May in Canada, we mark the tremendous contributions of the Jewish community to the Canadian way of life, from public service and the arts to business and philanthropy. Great Canadians of Jewish heritage include Supreme Court Justice Rosalie Abella, the late journalist Barbara Frum, recording artist Drake, and film star Seth Rogen from Vancouver.

The Canadian Jewish community is the fourth-largest in the world, and I join them in honouring their heritage in this country and their resilience in the face of anti-Semitism.

With that, I'm going to turn it over to Priscilla Lai to walk us through the report.

P. Lai: Thank you, Sheila.

Good morning, Chair, Vice-Chair and committee members. Thank you for the opportunity to present the results of our audit on fraud risk management at B.C. Hydro's Site C dam and hydroelectric energy project.

The purpose of this audit was to determine if B.C. Hydro had established a program to effectively manage fraud risk on the Site C project.

[8:05 a.m.]

What we found. We concluded that B.C. Hydro had not established a fraud risk management program for the Site C project, but they had elements in place and introduced more as the audit progressed.

The first component we looked at was on fraud risk governance. We looked for leadership commitment, communication and training in relation to fraud risk management. We found gaps in fraud-related leadership, communication and training in terms of having a fraud risk policy, and procedures and fraud training for all staff.

Prior to the audit, B.C. Hydro had a code of conduct and code-of-conduct training for all staff that covered integrity and conflict of interest, but the concept of fraud was not introduced. Then on January 12, 2022, just as we were wrapping up the fieldwork phase of our audit, the board of directors approved a new risk policy that does a good job of clarifying B.C. Hydro leadership's commitment to fraud risk management and identifying roles and responsibilities for fraud risk management in the organization.

This was a big step in the right direction. As a result, we recommended that B.C. Hydro, one, implement the new fraud risk policy the board approved in January 2022; second, provide fraud risk management training to all staff.

The second component we looked at was on fraud risk assessment. We also looked to see if B.C. Hydro conducts regular fraud risk assessments on the Site C project. We found that they do not, and in response to the audit, B.C. Hydro prepared an initial fraud risk assessment. Through their initial fraud risk assessment, B.C. Hydro was able to demonstrate they have internal controls to prevent and detect a variety of employee-related fraud threats as well as procurement and contract-related fraud threats.

However, because they haven't been conducting ongoing fraud risk assessments both before and after the application of internal controls, there is the risk that some fraud threats have been missed. We recommended that B.C. Hydro conduct regular fraud risk assessments.

The third component we looked at was on controls to prevent and detect potential fraud. In terms of internal controls that currently exist, we examined them and were able to confirm they were suitably designed and implemented and likely to mitigate the fraud schemes that B.C. Hydro identified in their preliminary risk assessment. However, there may still be unidentified fraud threats where no internal controls to prevent or detect them exist.

The fourth component we looked at was on reporting and investigation of potential fraud. Even the best internal control framework, however, doesn't provide complete fraud protection, which is why it's important for organizations to have multiple ways for individuals to report suspected fraud and strong investigation units in place to look into potential cases of fraud.

We did find that there are many ways for employees to come forward and report suspected fraud and that B.C. Hydro does have an anonymous third-party whistleblower hotline. What we found they needed was a fraud investigation procedure to accompany their new fraud risk policy to promote coordination and clarification as to who should do what, when and how. As such, we recommend that B.C. Hydro develop a fraud investigation procedure.

The last component we looked at was on evaluating fraud risk management. Finally, regular evaluations are valuable to ensure that programs continue to operate as intended. Going forward, we recommended B.C. Hydro perform ongoing fraud risk management program evaluations at Site C and provide regular reports to its board of directors.

In summary, we made five recommendations, and B.C. Hydro accepted all of the recommendations.

Thank you. That concludes my presentation.

Back to the Deputy Auditor General for additional comments.

S. Dodds: Thank you, Priscilla.

To close our presentation, I wanted to draw members' attention to the three questions we have at the conclusion of the Audit at a Glance, the two-page summary. You might want to consider, going forward, what B.C. Hydro has done at Site C to address common fraud threats or how the project team will respond to fraud threats going forward or what organizations that are engaged in public infrastructure projects can learn from this audit.

Thank you again for your consideration of the report, and we look forward to your questions and comments after the next presentation.

[8:10 a.m.]

P. Milobar (Chair): Thank you. We'll turn it over to Hydro now, and then we'll jump into questions after that presentation.

Does the ministry want to jump in too?

D. Wong: Good morning. We had to switch up seats because of the computer.

I'm David Wong, B.C. Hydro CFO. I'm joined, with me on my right, by Henry Honda, who is our director of finance for Site C. Joining us on my left is Les MacLaren, Assistant Deputy Minister for Energy, Mines and Low Carbon Innovation.

We're pleased to be here to talk about our response to the Auditor General's audit on our fraud risk management program. I'd like to emphasize that B.C. Hydro takes fraud risk management very seriously, and it's been a long-standing practice of ours.

We are definitely aligned with the Auditor General that it's an important piece to continue to look at, and we believe, through the work that we're going to do with addressing the five recommendations, we'll continue to enhance our fraud risk management program to support both Site C and B.C. Hydro going forward. In fact — and I think, personally, I'll mention this — we are addressing the recommendations as we speak. It actually even started as the audit was going on.

I want to confirm that fraud mismanagement controls and practices have been a long-standing practice at B.C. Hydro. As specifically mentioned by Priscilla, the Auditor General noted within the report that B.C. Hydro has internal controls to defend against identified fraud threats. However, we do agree that we can be more formal in our fraud risk management program.

As an example, while the audit was going on, and Priscilla had mentioned this, we put together our fraud risk management policy specifically identifying myself, as CFO, responsible for fraud risk management for the organization. This was approved by our board of directors in January 2022 and communicated across our organization.

What I thought would be really useful…. Henry will take us through our fraud risk management program that we have established for many years at B.C. Hydro and specifically for the Site C project, both the controls that we have and also our monitoring process.

I want to start by saying that fraud risk management starts at the top, and our board of directors and executives are very much overseeing fraud risk management through our code of conduct. Our code of conduct is we have training annually that all employees need to go through and really is the basis for the controls that we have established within our organization.

What we hope you see as we go through this are the strong controls that we have in place, and we'll continue to supplement this for the work that we're going to do from the recommendation implementations.

Penny will walk us through this.

I also want to note that Henry was our former internal audit director at B.C. Hydro, so he brings along those strong skill sets with us too.

H. Honda: Thank you, David.

Good morning, Chair and committee members. My name is Henry Honda, as David mentioned, and I am the finance director on the Site C project.

I started on the project approximately 18 months ago, and I worked closely with the OAG auditors on this audit. I would like to thank them for their professionalism.

As David mentioned, earlier in my career at B.C. Hydro, I led the internal audit department for over three years. Therefore, I understand the importance of a robust fraud risk management program.

As noted in the audit, there have been elements of a fraud risk management program in place at B.C. Hydro and at Site C for many years. During the audit, we enhanced these elements. We also have additional items in progress, which are the OAG recommendations.

I'll highlight these items this morning. Together, these items formalize a fraud risk management program at B.C. Hydro and on the Site C project and ensure that the program is robust and aligns with best practices. In addition, I'll highlight the B.C. Hydro internal audits that have been completed on the Site C project over the years to ensure that the controls are effective.

I'm going to start on slide 3, on the left-hand side. This is a list of the B.C. Hydro controls that have been in place prior to the audit. For example, starting with the first item on the top, B.C. Hydro has a comprehensive code-of-conduct policy, which has been in place since 1998. Having a comprehensive code-of-conduct policy is important to ensure that employees are aware of their expectations.

[8:15 a.m.]

For example, the code of conduct policy specifically includes expectations that employees know and comply with applicable laws and do not commit or condone an unlawful act in connection with their work. All B.C. Hydro employees are required to complete an annual refresher training on the code of conduct policy. This code of conduct policy training includes specific examples of conflicts of interest and other code of conduct violations and other misconducts.

The second item on the left-hand side is an ethics program. B.C. Hydro has an ethics program, which was established in 2011 and includes a B.C. Hydro ethics officer and an external third-party reporting line, also referred to as an anonymous reporting line. These mechanisms are important for employees to report potential violations of misconduct or fraud. Both the code of conduct policy and the ethics program also include a confidentiality and non-retaliation requirement for employees, to ensure they feel comfortable reporting potential misconducts and fraud at the company.

Moving down the list on the left, there's also a B.C. Hydro–wide internal controls framework, which includes various policies and procedures, approval requirements, segregation of duties and financial systems that have completed fraud risk assessments as part of their development and implementation.

I would like to provide an example of controls, using our B.C. Hydro procurement process.

The B.C. Hydro procurement process has extensive controls and processes in place, including a centralized procurement team which reports directly to our CFO, David Wong. They also use procurement strategies and contracting plans that are reviewed and approved by multiple teams before the procurement starts. They also have evaluation committees made up of various team members, who are required to sign off on both confidentiality and conflict of interest.

We also use an independent fairness adviser for large procurements. In addition, large procurements are approved by our project assurance board and our B.C. Hydro board of directors.

The Site C project is required to use these underlying financial systems that B.C. Hydro has implemented.

I'm going to move on to the last two boxes on the left-hand side. Monitoring is a really key component of fraud risk management, and B.C. Hydro's internal audit department monitors and audits controls throughout the company on an ongoing basis. B.C. Hydro's internal audit department also investigates potential reported fraud and reports the results directly to the board of directors.

Switching to the right-hand side of this slide. Due to the size of the Site C project, Site C has additional controls that have been implemented. For example, there is a robust process in place to review and approve construction contracts or invoices, which includes segregation of duties across multiple teams, including on-site construction and engineering teams, our contract management teams and our project managers. Invoices over a certain threshold also require a due diligence review by my finance team and financial approvals up to the Site C executive vice-president, our B.C. Hydro CFO and our B.C. Hydro CEO.

For other B.C. Hydro projects, invoice payment approvals are generally delegated to the business groups, but on Site C, invoices over a certain threshold must be approved by the CEO.

Another example is that all committed contracts on the Site C project over $50 million are approved by both the project assurance board and the B.C. Hydro board of directors. Any increases to these contracts over $50 million, even if it's just $500,000, requires the review and approval of the project assurance board and the board of directors as well. Effectively, all our key contracts are reviewed and approved by both boards, who meet monthly on the Site C project.

[8:20 a.m.]

The OAG audit, as they mentioned, assessed the controls on the Site C project relating to potential fraud risks. As per the OAG's report, they concluded that controls to prevent potential fraud have been designed and implemented on the Site C project. We appreciate OAG's acknowledgment and confirmation of these controls, as they are a critical component in any fraud risk management program.

Moving on to slide 4. I'm going to discuss the enhancements that were completed during the audit, as David discussed. Also, we have listed the OAG recommendations which are currently in progress. Starting on the left-hand side, as David mentioned, we completed a formal Site C fraud risk assessment at the beginning of the OAG audit.

Prior to this formal Site C fraud risk assessment, risks that could result in potential fraud were included in the project risk register. The Site C project has a comprehensive project risk register, and potential frauds were included in that particular risk register and monitored through the project's risk management process. These risks were not considered high project risks due to the internal controls in place and due to the fact that there were no material reported or known instances of fraud on the Site C project.

In addition, as mentioned previously, Site C relies on the various B.C. Hydro financial systems, and these financial systems have had fraud risk considered when they were developed and implemented.

The Site C fraud risk assessment completed included over 40 different fraud scenarios in terms of contracts and employee frauds. For example, it included procurement fraud, contractor billing fraud, scope-of-work fraud, and employee payroll and employee expense fraud. The Site C fraud risk assessment did not identify any potential control gaps, based on the controls in place. This fraud risk assessment was reviewed by the OAG auditors.

In terms of the second item on the left-hand side, as David mentioned, B.C. Hydro developed and approved a specific fraud risk policy in January of this year. This policy was implemented to formalize the control processes that already exist and to enhance the dialogue of fraud risk management across the company.

On the right-hand side of slide 4, we have noted the OAG recommendations, which are currently in progress, and David will discuss the timing of completion of these as part of the close.

Moving on to my last slide, which is slide 5. Monitoring of controls is an important component of fraud risk management. Therefore, this slide summarizes the specific Site C internal audits that have been completed over the years, which are the audits on the top half of the slide; and also B.C. Hydro–wide audits, which included Site C, which are the audits noted on the bottom half of the slide.

As previously noted, the internal audit department has had specific fraud training and consider fraud risk as part of their audit planning. There were no significant findings reported for these Site C–specific audits or the B.C. Hydro–wide audits that related to Site C.

In addition, the recently completed payment verification audit, which is the second audit from the right on the top, confirmed that the Site C project has strong controls in place for payments on the Site C project.

To summarize, there have been a number of elements of a fraud risk management program both at B.C. Hydro and on the Site C project. Additional enhancements were completed during the audit. However, we realize that having a formal fraud risk management program is the emerging best practice, and therefore, we agree with and welcome the additional enhancements recommended by the OAG audit.

We believe that together, all these components will ensure that B.C. Hydro and the Site C project have a robust fraud risk management program and align with best practices.

With that, I'd like to hand it back to David to close our presentation.

D. Wong: Thanks, Henry.

I want to reconfirm that we accept all five recommendations, and we will have them completed by March of next year.

Thank you very much.

P. Milobar (Chair): Just before we jump into questions, Carl, do you have anything to add?

C. Fischer: No, thank you, Chair. No further comments.

[8:25 a.m.]

P. Milobar (Chair): Okay. I have a question on my mind here, then. We heard that there's already some fraud risk pieces in place, but obviously, you're going to expand those, which is good to hear; and that procurement — anything over $50 million has to go to the board; and then there's any change orders as well.

Am I able then, I guess, to surmise from all of that that going from what was projected to be an $8 billion project to $16 billion…. It hasn't been a quarterly surprise for the board, or it hasn't been an annual update report to the board of where the cost structure is going with site C — that every step of the way, as the budget has increased from $8 billion to $16 billion, the board has been fully aware of that and has been approving those contracts. I'm assuming the bulk of those contracts would be over $50 million to get an extra $8 billion of project cost in there.

D. Wong: Yeah. I think we just should bifurcate the two things. As contracts get increased, and it has to be within the full budget at that time, the board would be approving that — any change orders. The board would be approving the total project budget, its entirety, and that's what would be able to be spent under those contracts related to that.

They would be reviewing them as the budget and then as the contracts that would fall under that budget.

P. Milobar (Chair): Okay. That's still at $16 billion, and it hasn't increased, then.

D. Wong: The current budget is $16 billion, yes.

P. Milobar (Chair): Any other questions? All right.

It looks like you got off easy today then. Thank you so much.

With that, I guess we'll have a motion to adjourn.

So moved. We're adjourned.

The committee adjourned at 8:27 a.m.