Auditor General Releases Two Performance Audits Examining Emergency Planning and Fraud Risk Management

  • Office of the Auditor General

April 23, 2026

Auditor General of Newfoundland and Labrador, Denise Hanrahan, today delivered two performance audit reports to the House of Assembly. The first report examined whether the Department of Justice and Public Safety effectively managed Emergency Management and Business Continuity Plans. The second report addresses whether the Treasury Board Secretariat provided effective oversight of the implementation of the Fraud Management Policy throughout government.

The report auditing emergency management and business continuity planning contains findings and recommendations regarding organizational issues, inadequate policies and procedures, as well as outdated guidance on plan testing and review.

“Emergency preparedness across the province was found to be weak and inconsistent; with emergency management plans not regularly updated, tested, or monitored, possibly leading to increased risk during emergency events. Only 41 – that’s nine per cent – of municipalities had a valid emergency management plan and on average plans haven’t been updated in over eight years. Also worth noting is that three per cent of our population – 120 unincorporated areas – were not required to have a plan and were not specifically addressed in the provincial plan. With respect to business continuity plans, the audit found not all government entities were included, including Newfoundland and Labrador Health Services and Memorial University,” commented Denise Hanrahan, Auditor General of Newfoundland and Labrador.

The report examining Fraud Risk Management found that government policy was lacking key requirements and oversight was weak. More than half of government entities did not complete fraud risk assessments in 2025, including Newfoundland and Labrador Health Services, Memorial University, and the College of the North Atlantic. Additional information on both reports can be found in the Backgrounder below.

“Fraud at any level poses a significant risk to the integrity and accountability of government operations. Weak oversight, unclear requirements, and inconsistent training and reporting limit government’s ability to prevent, detect, and respond to fraud,” added Auditor General Hanrahan. “Gaps in fraud risk management can undermine trust in government accountability. This audit confirmed that my Office is not being notified of all suspected fraud incidents within the public service and that is simply not good enough.”

The reports contain 20 recommendations. Both reports as well as audit overviews can be found by visiting. www.ag.gov.nl.ca.

-30-

Learn more
Like us on Facebook

Join us on LinkedIn

Media contact
Chrysta Collins
Office of the Auditor General
709-730-1568
chrystacollins@oag.nl.ca

BACKGROUNDER

Emergency Management and Business Continuity Plans

Emergency Plans Policies and Procedures
Policies and procedures meant to guide development, review, and maintenance of Municipal Emergency Management Plans or the Provincial Emergency Management Plan were outdated.

Management of Municipal Emergency Management Plans
The Emergency Services Division had issues with the majority of plan management, including monitoring plan updates, template compliance, as well as testing and debriefing. The division retained 311 of 436 possible Municipal Emergency Management Plans, but not all were approved or adopted by a municipality, and most had not been updated within the required three-year period.

  • Only 41 Municipal Emergency Management Plans were signed and dated as adopted by municipalities within the required period. Meaning only nine per cent of municipalities (41 of 436) had a valid Municipal Emergency Management Plan; and
  • Eighty per cent of adopted plans (167 of 208) had not been updated within the required three years, and 62 per cent were over nine years old.

The Emergency Services Division did not have a standardized or centralized system to track the status of municipalities’ emergency management plans. There was also no documented process or schedule for regular contact with municipalities to encourage plan completion, despite only nine per cent of municipalities having a valid plan.

Most municipalities did not test their plans; only 10 of the 208 municipalities (five per cent) performed testing exercises.

The Emergency Services Division did not always monitor or support municipalities to ensure debriefing occurred or that lessons learned were incorporated into Municipal Emergency Management Plans. Only five of the 10 exercises performed (50 per cent) incorporated debriefing into testing exercises.

Business Continuity Plans

Documented Policies and Procedures
There were no current documented policies and procedures in place to guide development, review, and maintenance of departmental Business Continuity Plans or the Government Business Continuity Plan.

Coverage of Essential Services in the Government Business Continuity Plan
The Department of Justice and Public Safety did not include all relevant entities in Government’s Business Continuity Plan, thereby creating the risk that essential services were missing. The 2024 Government Business Continuity Plan only included 24 departments and entities – it did not consider the 37 other entities that might be considered essential, such as Crown corporations or agencies. We found that 24 (65 per cent) of these entities did not have a business continuity plan, including Newfoundland and Labrador Health Services, who did not have a current, consolidated plan, and Memorial University, who did not have a university-level plan.

Updating and Review of Business Continuity Plans
Annual reviews were not completed as required, and the Department of Justice and Public Safety did not encourage departments to review or update their plans within established timelines.

Business Continuity Plan Testing and Debriefing
The Department did not document any efforts to encourage departments to perform testing exercises or debriefing for their business continuity plans.

Fraud Risk Management

Fraud Management Program and Policy
There was no formalized, comprehensive document outlining the specifics of the government’s Fraud Management Program. The policy did not consistently apply its requirements to all government entities. The policy also contained weaknesses, specifically:

  • The policy did not clearly outline mandatory training requirements, nor did it specify what fraud‑related training was required, or how often it needed to be completed;
  • There was no specific requirement to complete formal, periodic fraud risk assessments;
  • The policy did not assign oversight responsibility to any particular entity; and
  • There was no definition of how fraud management effectiveness would be measured.

The scope of entities included in government’s fraud management program was incomplete, and it did not consistently include entities in their monitoring, such as Memorial University or WorkplaceNL.

Of the 44 government entities assessed, 10 entities (23 per cent) had not implemented any fraud management policy. Another 10 entities (23 per cent) had implemented their own fraud policy.  We assessed whether these policies were aligned with government policy and found five of the 10 entities (50 per cent) had misalignments.

Fraud Risk Assessments
There were 48 medium and high-risk areas identified across 11 departments. The Department of Justice and Public Safety had two high-risk and 14 medium-risk areas identified, the most of all departments. Treasury Board Secretariat performed only one detailed fraud risk assessment annually, regardless of the number of medium and high risks identified from departmental risk self-assessments. More than half of government’s entities, 24 of 44 (55 per cent), reported not completing a fraud risk self-assessment for the 2024-25 year.

Fraud Reporting and Investigations
Not all suspected instances of fraud were reported to government. Confusion existed among departments and entities regarding their responsibilities for reporting instances of fraud. There were eight entities with seventeen suspected fraud incidents that did not report them to Treasury Board Secretariat, government’s Audit Committee or the Office of the Auditor General. These unreported instances occurred in different areas, highlighting potential weaknesses in controls.

Fraud Training and Awareness
The Fraud Prevention and Detection course was not deemed mandatory for government employees. Government did not require periodic refreshing of fraud training and did not develop specific training for high-risk areas. It also did not have effective monitoring processes to ensure the Fraud Prevention and Detection course was being completed by government employees. Some entities did not have access to the online training portal and virtually all employees from 24 of 44 entities (55 per cent) did not complete the Fraud Prevention and Detection training course.

2026 04 23 4:10 pm