Canada Border Services Agency

Audit of Information Exchange Memoranda of Understanding with the RCMP

(Supplement to the Canada Revenue Agency's Report on Audit of Information Exchange
Memoranda of Understanding with the RCMP, May 2004)

Corporate Audit and Evaluation Branch
December 2004

This audit was started, with the fieldwork and review completed, before the announcement of the division of the Canada Customs and Revenue Agency into the Canada Revenue Agency (CRA) and the Canada Border Services Agency (CBSA). CRA agreed to complete the audit and prepare the report for clearance by the CBSA.

EXECUTIVE SUMMARY

The Canada Customs and Revenue Agency (CCRA) entered into memoranda of understanding (MOUs) with several federal and provincial departments and agencies for the exchange of information and joint administration of various acts and/or regulations. It was agreed that organizations, under the provision of an MOU, were to conduct internal audits, within two years of signing the agreement, ensuring that there were adequate controls over the exchange of information. Some organizations, such as the Royal Canadian Mounted Police (RCMP), required the CCRA to complete reciprocal audits.

The Canadian Police Information Centre (CPIC) system is the main system that is used by customs officers to perform their compliance work in the field and at Headquarters. Due to the recent organizational change that transferred Customs from CCRA to the Canada Border Services Agency (CBSA), a separate report has been prepared to summarize the audit findings relating to the former Customs Branch.

Objective. The objective of the audit was to determine whether the CCRA was in compliance with the terms and conditions for receipt, use, storage and destruction of information received from the RCMP, in accordance with the authorized MOUs. The audit was carried out between March and October 2003.

Conclusion. The audit identified discrepancies between the CCRA and the RCMP on the number of MOUs in existence. This was because there was no clear definition of an MOU for exchange of information. Also, various MOUs need to be updated to reflect current operational environments. Negotiations will commence in the near future to update and amalgamate existing legacy Customs and Immigration CPIC MOUs.

There were also some concerns relating to the exchange of information and the security exercised over such processes. There were opportunities to strengthen the controls and processes regarding the use of the CPIC system. CBSA procedures should be clarified and monitored for CPIC users, which would include, but not be limited to, ensuring employees have appropriate security clearances and revoking employee access privileges when they no longer require access. Also, CPIC operational audits should be conducted within the planned time frames.

Action Plan. A review of all CBSA CPIC policies and procedures will be undertaken in order to integrate existing legacy customs and immigration policies and procedures. Consultation and negotiation with CPIC Services will continue in order to ensure that CBSA meets the requirements of the CPIC MOU, policies and procedures. Guidance and consulting will be provided to the regions to ensure that CBSA CPIC policies and procedures are in place and are consistent nationally. Procedures to monitor CPIC users, ensure employees have appropriate security clearances and revoke employee access privileges when they no longer require access are being implemented. An additional nine auditors are scheduled for CPIC Services training/certification in February 2005. However, CPIC Services will not be providing additional auditor certification sessions this fiscal year due to limited resources.

INTRODUCTION

The Canada Customs and Revenue Agency (CCRA) entered into memoranda of understanding (MOUs) with several federal and provincial departments and agencies for the exchange of information and joint administration of various acts and/or regulations. It was agreed that organizations, under the provision of an MOU, were to conduct internal audits, within two years of signing the agreement, ensuring that there were adequate controls over the exchange of information. Some organizations, such as the Royal Canadian Mounted Police (RCMP), required the CCRA to complete reciprocal audits. The Policy and Planning Branch (formerly Policy and Legislation Branch) was responsible for maintaining MOUs in CCRA.

An internal audit was completed on the Memoranda of Understanding between the RCMP and the CCRA relating to the exchange of information. Due to the recent organizational change that transferred Customs from CCRA to the Canada Border Services Agency (CBSA), it was determined that a separate report would be the most appropriate vehicle for summarizing the audit findings relating to the former Customs Branch.

FOCUS OF THE AUDIT

The objective of the audit was to determine whether the CCRA was in compliance with the terms and conditions of the MOUs covering the receipt, use, storage and destruction of information received from the RCMP.

This audit, which was national in scope, was carried out between March and October 2003. It required on-site testing at Headquarters, as well as in the Pacific, Southern Ontario and Quebec regions. Liaison with the RCMP Internal Audit Directorate was established and maintained throughout the audit.

FINDINGS, RECOMMENDATIONS AND ACTION PLANS

Existing MOUs with RCMP

When Policy and Legislation Branch, CCRA, was asked to provide a listing of MOUs signed with the RCMP, they identified a total of eighteen. A check with the RCMP revealed that they were holding what they believed were 56 MOUs signed with the CCRA. It was determined that the principal cause for this discrepancy was the lack of a clear definition between the two organizations of what constituted an MOU for exchange of information. It is important from a control standpoint for the two organizations to have lists that agree and to clarify the definition of an MOU.

Testing undertaken to ensure that MOUs were current and accurate reflections of existing conditions revealed that existing MOUs were a mix of current and expired documents. Furthermore, it was observed that a number of these documents were not signed by the Commissioner as directed by the information management policies that were in place. Some of these agreements had signatory approvals down to the Assistant Director level.

CBSA was officially recognized by the CPIC Advisory Committee in November 2004. As a result, negotiations will commence in the near future to update and amalgamate existing legacy customs and immigration CPIC MOUs.

Under CBSA's new organizational structure, the Strategy and Coordination Branch will be responsible for coordinating the review and update of all MOUs.

Training

The CPIC system is maintained by the RCMP and contains information not only from the RCMP but also from many other policing organizations that contribute data. It is the main system used by customs officers to perform their compliance work in the field and at Headquarters. The audit concentrated on the quality and timeliness of training given to CPIC users. A good practice was identified in some regions whereby CPIC operational auditors were sharing information on frequently made errors with CPIC trainers.

Generally speaking, most regions indicated that training was timely and of high quality. However, some regions found it difficult to maintain training requirements for new Customs Inspectors, given that there has been an overall increase in demand for access to CPIC across all business lines in the regions.

Recommendation

Intelligence & Contraband (I&C) in Headquarters should review the provision of CPIC training to Customs Inspectors to ensure that demands are met and coverage across all regions is consistent.

Action Plans

As of December 2004, there were 46 certified CBSA CPIC trainers. Due to limited resources, CPIC Services will not be providing additional train-the-trainer sessions this fiscal year.

Headquarters I&C is providing guidance and consulting with the regions to ensure that CBSA CPIC policies and procedures are in place and are consistent nationally.

Employee Access Privileges

Audit tests were performed to ensure that procedures were in place to document, maintain and control access to CPIC information. It was found that local offices did not always revoke employee access privileges when employees left the organization, transferred to another office, or when their duties no longer warranted CPIC system access.

Recommendation

Headquarters I&C should reinforce with the regions and local offices the need to follow procedures to ensure that CPIC access is reviewed and terminated as required. Headquarters I&C should conduct periodic reviews of current users to determine whether their job functions require them to have access to CPIC.

Action plan

A review of current CBSA CPIC users (legacy customs) is underway and is expected to be completed by the end of December 2004. CPIC access will be terminated for those individuals whose job status no longer requires access to CPIC.

Independence and Timeliness of CPIC Operational Audits

It was found that CPIC operational audits provided the necessary assurance on the strengths/weaknesses of access to RCMP information by operations personnel. These audits are a key component of a control framework ensuring that the terms and conditions of the MOUs are met.

An audit test was performed to ensure that operational compliance checks were conducted and reported in accordance with RCMP policies and guidelines. It was noted that in one of the regions, Intelligence and Contraband (I&C) officers conducted the CPIC operational audits on offices other than their own. The audit team considered this to be a good practice, in that it preserved independence in this monitoring activity.

It was observed that a number of CPIC operational audits were not conducted within planned timeframes. Some regions completed a portion of their scheduled audits. They stated that resource pressures prevented them from completing all of them.

Recommendations

Headquarters I&C should ensure that the regional I&C offices have sufficient resources to conduct operational audits as scheduled.

Headquarters I&C should promote the practice of having I&C officers from one office conduct the CPIC operational audit on an office outside their own jurisdiction, to ensure greater objectivity and impartiality.

Action plans

As of December 2004, there were twelve certified CBSA CPIC auditors (legacy customs). An additional nine auditors are scheduled for CPIC Services training/certification in February 2005. Due to limited resources, CPIC Services will not be providing additional auditor certification sessions this fiscal year.

Headquarters I&C will continue to consult and negotiate with CPIC Services in order to ensure that CBSA meets the requirements of the CPIC MOU, policies and procedures.

A review of all CBSA CPIC policies and procedures will be undertaken in order to integrate existing legacy customs and immigration policies and procedures.

Employee Security Clearances and CPIC Access Privileges

An audit test was performed on the procedures in place to ensure that all persons accessing RCMP information have the appropriate security clearances. The audit found instances where employees had access to CPIC information without having the appropriate level of security clearance. The RCMP section in charge of CPIC demands that clearances to the secret level be obtained, with the appropriate check of fingerprints against existing criminal records, before access is granted to the CPIC system. When Customs asks for this level of clearance, including the fingerprinting requirement, from the RCMP, the requests are risk ranked and a fingerprint review is not always completed.

Recommendation

Headquarters I&C, the RCMP and Security Directorate should review the procedures for obtaining clearances to the secret level to ensure that all employees receive the appropriate levels of security clearance before being allowed to access CPIC.

Action plan

A complete review of CPIC security clearance processes (legacy customs and immigration) will be undertaken to ensure that all CBSA CPIC users meet the mandatory clearance level of "enhanced reliability with fingerprints and criminality check."

CONCLUSION

The audit identified discrepancies between the CCRA and the RCMP on the number of MOUs in existence. This was because there was no clear definition of an MOU for exchange of information. Also, various MOUs need to be updated to reflect current operational environments.

There were also some concerns relating to the exchange of information and the security exercised over such processes. There were opportunities to strengthen the controls and processes related to the use of the CPIC system. CBSA procedures should be clarified and monitored for CPIC users, which would include, but not be limited to, ensuring employees have appropriate security clearances and revoking employee access privileges when they no longer require access. Also, CPIC operational audits should be conducted within the planned timeframes.

AUDIT TEAM

Jake Glover, Account Manager
Michael Ryan, Project Leader
Roger Vachon, Internal Auditor (HQ)
Dorothy deBoer, Internal Auditor (SORO)
Dave Wilson, Internal Auditor (Pacific)
Gaston Duclos, Internal Auditor (Quebec)