Audit Directorate
Canada Border Services Agency
March 2005
Background:
The Canada Border Services Agency (CBSA) has a number of Memoranda of Understanding (MOUs) with other federal and provincial government departments and agencies for the exchange of information. These MOUs often require regular internal audits to verify adequate protection of the information received. In 2003, Human Resources Development Canada (HRDC) conducted an internal audit on the management of personal information. Human Resources and Skills Development Canada (HRSDC, a successor organization to HRDC) requested the CBSA to complete a reciprocal internal audit.
Objective:
To determine if the CBSA was complying with the terms and conditions for receipt, use, storage and destruction of information received from HRSDC, in accordance with the applicable MOUs.
Conclusion:
The CBSA has one MOU with HRSDC for the exchange of information. The processes and controls for the receipt, handling, storage, and disposal of information received from HRSDC were in compliance with, and often exceeded, the security requirements of the MOU and the Agency security policy. However, the CBSA had yet to establish a policy and process, with clear roles and responsibilities, for managing MOUs. The CBSA should develop such a process and establish an inventory of MOUs as soon as possible.
Action Plan: The Strategy and Coordination Branch, which is accountable for managing MOUs in the CBSA, agrees that a policy and process on the management of MOUs will be developed. The Branch plans to develop the MOU policy framework and establish a list of CBSA MOUs by November 2005.
The Canada Customs and Revenue Agency (CCRA), which has become part of the Canada Border Services Agency (CBSA) and the Canada Revenue Agency (CRA), had MOUs with a number of federal and provincial departments and agencies for the exchange of information. In 2000, to ensure protection of confidential client information, CCRA negotiated with a number of organizations to include a requirement to provide for regular internal audits to verify adequate controls over information exchanged.
In June 2001, Human Resources Development Canada (HRDC) and CCRA signed a general amendment to their MOUs for the exchange of information. The amendment included a reciprocal audit clause providing for periodic internal audits to be conducted by each internal audit organization. In 2003, at the CCRA's request, HRDC conducted an internal audit of the management of personal information in its department. The audit included information received from the CCRA. The audit results were published in the Human Resources and Skills Development Canada (HRSDC, the successor organization to HRDC) audit report, dated May 2004.
Following the reorganization of the CCRA, HRSDC requested both the CBSA and the CRA to continue the reciprocal internal audit that had been started by CCRA to parallel HRDC's audit. The CBSA had one MOU with HRSDC. This MOU dealt with the arrangements for the receipt of requests from HRSDC for selected information collected by the CBSA on the Customs Declaration Card (form E311).
To determine if the CBSA was in compliance with the terms and conditions for receipt, use, storage and destruction of information received from HRSDC, in accordance with the applicable MOUs.
The internal audit focused on the CBSA controls in place for receiving, handling and processing the information provided by HRSDC. Preliminary reviews had indicated there was no field component to this activity. As a result, this audit was carried out at Headquarters only, between August and December 2004.
The methodology used in carrying out this audit included:
This internal audit was conducted in accordance with the Treasury Board policy on internal audit.
As the CBSA did not have an inventory of its MOUs with other federal and provincial government departments and agencies, the CCRA inventory list was used to determine that the CBSA had one MOU with HRSDC covering the exchange of information. This MOU dealt with the arrangements for the receipt of requests from HRSDC for selected information collected by the CBSA on the Customs Declaration Card (form E311). The MOU, which was revised in April 2004, was found to be current and complete.
Accountability for managing CBSA MOUs rests with the new Strategy and Coordination Branch of CBSA. However, the process for managing MOUs had yet to be established, and specific roles and responsibilities still needed to be clarified and defined.
Recommendation:
The Strategy and Coordination Branch should establish a policy and process, including an inventory of MOUs, for the management of Memoranda of Understanding in CBSA.
Action Plan:
The Strategy and Coordination Branch will identify a program officer who will be responsible for the development of the MOU policy framework and for creating a list of existing MOUs by November 2005. The Branch will create a Web page on the CBSA Intranet and will be responsible for updating it and managing the supporting policy framework. The day-to-day administration of the MOUs will continue to rest with the office of primary interest, such as Enforcement Branch or Admissibility Branch.
Under the terms of the MOU, HRSDC sent requests with selected E311 information to the Customs Contraband Intelligence and Investigation (CCII) Division of the Enforcement Branch for further processing. Only three employees in CCII handled the receipt and processing of the HRSDC information on a need-to-know basis. Staff involved in the exchange of traveller declaration information with HRSDC were aware of, and understood, the provisions of the MOU and their particular roles and responsibilities.
The CCII Division had specific procedures, including the establishment of clear lines of communication, for the receipt and handling of all information requests from HRSDC. These procedures involved verification of information received and supervisory approval of information and documentation produced in response to HRSDC's request. The review process ensured that the CBSA was handling client information in accordance with the procedures outlined in the MOU and the security policy. It also provided assurance that the information from HRSDC was being used only for the purposes intended.
The procedures in CCII for the receipt and handling of HRSDC information reflected the policy and guidelines on security that had been established. Historical records and second-party confirmations indicated that there have been no security incidents affecting this information.
With the assistance of experts from the CBSA corporate security area, a security review of the facility and function related to information exchange with HRSDC was conducted to determine if the CBSA was complying with the security requirements of the MOU. According to Corporate Security and Internal Affairs Division, the regular work activities of the staff in CCII often dealt with very sensitive information that required more stringent security than for the HRSDC information. As a result, the security clearance levels of staff involved in the receipt, handling and processing of HRSDC information exceeded the requirements of the MOU.
Staff from CCII were located in a high-security area, which was regularly monitored and exceeded the security requirements of the MOU. The HRSDC information was stored in specially designed cabinets, with appropriate locks, in the high-security area. A disintegrator was used to destroy documents in this area.
The staff in the CCII Division, in the course of their regular day-to-day duties, were used to dealing with highly sensitive information. They were well aware of their responsibility for ensuring the protection of sensitive information, and adhered to the established policy and procedures. The more stringent security measures demanded by some of their other tasks, which exceeded the requirements of the MOU, were also applied to the receipt and handling of the HRSDC information.
A process was in place to identify and report security breaches to the designated CBSA and HRSDC officials in accordance with the CBSA security policy and the MOU. The review of current and historical records showed that no breaches had been reported to suggest improper or unethical conduct in the handling of HRSDC information by CBSA staff.
The CBSA has one MOU with HRSDC for the exchange of information. The processes and controls for the receipt, handling, storage and disposal of information received from HRSDC were in compliance with, and often exceeded, the security requirements of the MOU and the Agency security policy. However, the CBSA had yet to establish a policy and process, with clear roles and responsibilities, for managing MOUs. The CBSA should develop such a process and establish an inventory of MOUs as soon as possible.
Marie Daoust, Account Manager
Michael Ryan, Project Leader
John Fanjoy, Internal Auditor
Recommendations
The Strategy and Coordination Branch should establish a policy and process, including an inventory of MOUs, for the management of Memoranda of Understanding in CBSA.
Action Plans
The Strategy and Coordination Branch will identify a program officer who will be responsible for the development of the MOU policy framework and for creating a list of existing MOUs by November 2005. The Branch will create a webpage on the CBSA Intranet and will be responsible for updating it and managing the supporting policy framework. The day-to-day administration of the MOUs will continue to rest with the office of primary interest, such as Enforcement Branch or Admissibility Branch.
Planned Completion Date: November 2005
Responsibility: Strategy and Coordination Branch