I'd like to direct this question to the Auditor General.
Recommendation 3.35 states that IRCC “should develop a comprehensive internal fraud risk assessment based on analysis of the effectiveness of its controls.”
What specific elements of IRCC's fraud-risk assessment were found to be inadequate? If possible, could you please provide examples?