Background
Since the late 1960s, the Canadian Police Information Centre (CPIC) has provided all Canadian law enforcement agencies with information on crime and criminals. CPIC is a national repository of police operational information and is a shared resource within the Canadian law enforcement community. The Royal Canadian Mounted Police (RCMP) maintains and operates the CPIC database. Approximately 4900 Canada Border Services Agency (CBSA) employees access the CPIC system from some 250 work locations.
The CPIC policy requires that the RCMP conduct audits of CPIC usage and security on organizations with access to the system. As outlined in Memorandums of Understanding (MOUs) between the RCMP and the CBSA legacy organizations, CPIC audits were completed by the legacy organizations with results reported to the RCMP annually. At the former Canada Customs and Revenue Agency (CCRA), regional enforcement personnel performed these audits, while at Citizenship and Immigration Canada (CIC), internal audit personnel were tasked with this responsibility.
In the four-year period prior to the establishment of the CBSA (December 2003), the legacy organizations had only conducted 121 audits out of a required 250 locations.
Purpose
As the CBSA legacy organizations had two different approaches to conducting CPIC audits, this review examined the audit requirements of the CPIC policy and related MOUs in order to determine the most appropriate method of conducting independent and timely CPIC audits at the CBSA.
Conclusion
The Enforcement Branch has taken the lead and is going in the right direction with the creation of a full-time National CPIC Coordinator at CBSA Headquarters, access and control officers in the regions, and a network of regional auditors. The implementation of a CBSA CPIC policy and MOU, the development of an audit plan/schedule, and the centralized monitoring of audits conducted at Headquarters and the regions will provide for better coordination of CPIC audits, physical control over CPIC terminals, and reinforce information and general security awareness with users.
Action Plans
The Enforcement Branch has committed to the following:
Since the late 1960s, the Canadian Police Information Centre (CPIC) has provided all Canadian law enforcement agencies with information on crime and criminals. This national repository of police operational information is shared within the Canadian law enforcement community via the CPIC system. The CPIC Field Operations Section of the Royal Canadian Mounted Police (RCMP) administers the CPIC policy and maintains and operates the CPIC database.
CPIC is an essential tool that assists Canada Border Services Agency (CBSA) employees in providing the first line of defence in the management of people and goods into and out of Canada. CPIC information assists in securing our borders and providing safer communities for all Canadians. It provides information on outstanding warrants, criminal history, identifying stolen goods and property, and provides CBSA employees with other timely and pertinent law enforcement information.
Approximately 4900 CBSA employees access the CPIC system from some 250 work locations. The CPIC policy requires regularly scheduled audits be conducted on system use and security with annual reporting to the CPIC Advisory Committee of the RCMP.
This review was included in the 2005-2006 Internal Audit Strategic Plan that was approved by the Internal Audit and Evaluation Committee on March 17, 2005.
Objective
This review examined the audit requirements of the CPIC policy and related Memorandums of Understanding (MOUs) in order to determine the most appropriate method of conducting independent and timely CPIC audits at the CBSA.
Scope
The engagement included a review of CPIC audit practices in the legacy customs and immigration organizations and the current CBSA. The Immigration Warrant Response Centre (IWRC) was excluded as it is audited by CPIC Services.
Methodology
The methodology consisted of an analysis of the current CPIC policy and applicable MOUs; interviews with CBSA and Citizenship and Immigration Canada (CIC) personnel at Headquarters (HQ) and the regions; interviews with RCMP CPIC Services officials; analysis of CPIC audit methodologies used in other law enforcement organizations; and review of previous CPIC audit files completed at CBSA legacy organizations.
Approximately 4900 CBSA employees access the CPIC system via the Field Operations System (FOSS) and/or the Integrated Customs Enforcement System (ICES) from 250 work locations representing 698 terminals across the country. Each terminal is known as an originating agency identifier (ORI).
The CPIC policy requires that regularly scheduled audits be conducted on system use and security. The CPIC Field Operations Section generally conducts these audits. The MOUs required the legacy organizations to complete the audits and report annually to the CPIC Advisory Committee. These MOUs are now applicable to the CBSA.
At the former Canada Customs and Revenue Agency (CCRA), regional enforcement personnel performed the CPIC audits, while at Citizenship and Immigration Canada (CIC), internal audit personnel at HQ were tasked with this responsibility. As specified by the CPIC policy and based on a risk-analysis strategy, each CPIC work location is to be audited a minimum of once every four years.
A CPIC audit consists of the following steps: ensuring that all CPIC users have had criminality checks and have been fingerprinted; examining how CPIC information is disseminated, communicated and disposed of; reviewing the CPIC system security and CPIC access; and analyzing CPIC traffic. The physical environment of the CPIC terminal is also reviewed.
A new MOU and CBSA CPIC policy are currently being developed. The new MOU will continue to have the CBSA conduct CPIC audits. In the interim period, the CBSA is following the CPIC legacy MOUs of the Department of National Revenue and CIC. The CBSA follows the CPIC Audit Procedures Manual provided by CPIC Services of the RCMP to carry out its CPIC audits.
The RCMP is making technological changes to the CPIC system requiring departments to access the system via the Internet. The CBSA is currently in the process of making this transition, which will be completed by April 2006. CPIC Services officials have indicated that the auditing requirements will remain largely the same.
Upon the creation of the CBSA in December 2003, responsibility for the coordination of CPIC audits was not immediately assigned and the subsequent conduct of audits has been inconsistent across the Agency. In the four-year period prior to December 2003, the legacy organizations conducted 121 audits out of a required 250 locations and none were conducted in the Quebec region. Since that time, only 10 audits have been undertaken in the new Agency.
There was no evidence of a comprehensive schedule illustrating a full review of all work locations subject to CPIC audit. Although required, the regions have not been forwarding all copies of completed audit reports to HQ. Consequently, HQ is unable to accurately analyze the reports to ensure that policies and guidelines are adhered to by the Agency, make recommendations or follow-up on outstanding issues.
Recently, the Enforcement Branch has taken responsibility for coordinating CPIC issues and has identified a National CPIC Coordinator. Regional access and control officers are also in the process of being identified and appointed.
The table below identifies the number of auditors, CPIC terminals and completed audits for the 2000-2003 period in each region.
| Region | CPIC Auditors | No. of CPIC Terminals (ORI) | Completed Audits (2000-2003) |
|---|---|---|---|
| Atlantic | 2 | 32 | 15 |
| Quebec | 3 | 50 | 0 |
| Northern Ontario | 7 | 31 | 7 |
| Greater Toronto Area | 3 | 31 | 9 |
| Niagara/Fort Erie | 2 | 17 | 15 |
| Windsor/St. Clair | 2 | 18 | 8 |
| Prairie | 3 | 45 | 24 |
| Pacific | 4 | 69 | 8 |
| HQ | 7 | 67 | 1 |
| CIC | n/a | 338 | 34 |
| Total | 33 | 698 [1] | 121 [2] |

[1] This number includes 170 ORI terminals for training and development and 11 ORI terminals for IWRC that are audited by CPIC Services. The total 698 CBSA ORIs are situated in 250 work locations.

[2] 113 of the 121 audit files were reviewed.
Recommendation 1
In order to enable the National CPIC Coordinator to identify trends and rectify any problems identified through a well-coordinated audit program, the Enforcement Branch should ensure the CBSA CPIC policies and procedures currently in development include a strong centralized coordination and monitoring process of CPIC audits.
Response/Action Plan
By April 2006 - The Enforcement Branch will put in place an action plan to address the following (including deadlines for action/completion):
It takes one to five days to perform CPIC audits based on the geographic location of the regional CPIC auditor and the facility to be audited. Given the size of the Agency and the location of the CPIC terminal, it may be possible to schedule two audits per week in a neighbouring location. Some larger locations may take longer while smaller offices may be completed in less than a week. This would include the time it takes to obtain, review and analyze hard copies of the CPIC reports, conduct an on-site inspection and prepare the audit report.
The Data Control Section of the RCMP provides the CPIC reports on access and traffic. Electronic versions of the reports are not available due to the age of the CPIC system. Upgrading by the RCMP of the CPIC reporting system is not a consideration at this time or in the near future.
CBSA auditors are trained and approved by CPIC Services. Auditors are expected to supply independent analyses, assessments, advice and recommendations as required. The auditors are mainly composed of regional enforcement personnel and perform the audits on a part-time basis as the audits are scheduled. The Agency now has 29 trained CPIC auditors (an increase of 17 from 2004) throughout the regions and at HQ.
Given the current number of auditors and locations to be covered in the four-year period, the average auditor would only be required to complete two audits a year at a cost of less than one person-month. Although it is difficult to accurately estimate travel expenses, one week's out-of-office travel expenses would range between $2000 and $2500 per trip (likely less in regions of smaller geographic size). If distributed evenly, the cost of performing the audit program at the CBSA is estimated to be less than 1.5 full-time equivalents (FTEs) and approximately $160,000 in travel per year. This does not include the full-time salary costs of the National Coordinator and regional access and control officers that have other non-CPIC-related responsibilities.
The following chart summarizes the above annual costing estimates required to conduct audits over the four-year audit cycle:
| No. of audits required each year | No. of audits by auditor assuming 29 auditors | No. of FTEs required assuming 1 week per audit and each auditor completes 2 audits each year | Cost of travel assuming $2500 per week and 1 week per audit |
|---|---|---|---|
| 62.5 | 2.2 | 1.2 | $156,000 |
| Totals over 4 years | | | |
| 250 | 8.8 | 4.8 | $624,000 |
As the Enforcement Branch has already provided for the establishment of a National Coordinator and regional access and control officers and given the geographic availability of the 29 trained auditors across the country, there would be minimal, if any, benefits to centralizing the audit process within the CBSA. While the FTE cost would remain relatively the same, the travel costs from a central location would most certainly increase. It should be noted that for cost-efficiency reasons, the CPIC Field Operations Section of the RCMP has decentralized its auditors across Canada to be closer to its audit work.
Recommendation 2
The Enforcement Branch, through the National CPIC Coordinator, re-establish the CPIC audit program for the CBSA by developing a plan to ensure the audits are completed at all 250 locations by regional auditors (including the Quebec region) within a reasonable schedule and that completed audit reports are forwarded to HQ for review and to assist in the preparation of the annual report to CPIC Services.
Response/Action Plan
By March 31, 2006 - The Enforcement Branch to liaise with the RCMP to ensure additional audit and evaluation training is available in both official languages (i.e. for Quebec).
By April 2006 - Confirm CPIC "ongoing" funding for HQ and regions.
By August 2006 - The Enforcement Branch in consultation with the Internal Audit Directorate at HQ and the regions will put in place an audit plan to ensure CPIC audits are conducted in all regions and sent to HQ by the end of October 2006 (dependent on funding obtained and audit training provided to regions).
As described earlier, at the former CCRA, regional enforcement personnel performed the CPIC audits, while at CIC, internal audit personnel at HQ were tasked with this responsibility.
The CBSA is classified by CPIC Services as a Category II organization with limited law enforcement responsibilities. As a Category II, the CBSA cannot input information in the CPIC system except for the IWRC, which is audited by the RCMP CPIC Services.
In an effort to benchmark the CBSA against other Category II organizations, the Internal Audit Directorate contacted the Canada Revenue Agency, the National Parole Board, Industry Canada and the Passport Office; all have a small number of CPIC terminals and few users. The RCMP performs the CPIC audits for those Category II organizations, while the CBSA is obliged by the MOU to perform its own CPIC audits. Internal Audit was unable to benchmark or identify best practices or other models applicable to the Agency.
While the current lack of electronic audit trails from the RCMP limits their usefulness, CPIC audits do provide the opportunity to reinforce information security awareness and remind employees that access to sensitive information is monitored. Only one security incident involving the personal use of CPIC occurred over the last 18 months. This came to light as a result of a complaint rather than through an audit and was referred to Internal Affairs.
The most common problems detected by audits include: remarks field incomplete, contracted cleaning staff unsupervised while cleaning the secure area, "Acknowledgement of Restriction" form not on file, sharing of a user ID, and users granted access before having received formal training. Action plans were developed to address these problems and the follow-up was performed by the CPIC auditor.
The RCMP CPIC policy requires that the CBSA provide an annual report to the CPIC Advisory Committee of the RCMP. To date there is no evidence that this report was provided to the Committee.
Recommendation 3
In keeping with the new directive on departmental audit committees from the Treasury Board Secretariat effective April 1, 2006, the Enforcement Branch submit the annual CPIC report to the Internal Audit and Evaluation Committee for approval prior to forwarding it to the RCMP.
Response/Action Plan
The RCMP indicated that for the 2005-2006 fiscal year, the CBSA is not required to submit an annual CPIC audit report because of the unique circumstances it is facing; however, a report will be required for the 2006-2007 fiscal year.
By October 2006 - A consolidated annual report to be provided to the Audit Committee to be forwarded to CPIC Services.
The CBSA is a unique organization with CPIC audit requirements and it will have to develop and implement an auditing approach that meets the CPIC policy, the CPIC audit manual and the MOU. The Agency cannot maintain the previous status quo whereby two different methods were used to perform CPIC audits and they were not completed in all work locations over the four-year audit period. Efforts need to be focused on establishing an effective CPIC audit program for the CBSA.
The Enforcement Branch has taken the lead and is going in the right direction with the creation of a full-time National CPIC Coordinator at CBSA Headquarters, access and control officers in the regions and a network of regional auditors. The implementation of a CBSA CPIC policy and MOU, the development of an audit plan/schedule, and centralized monitoring of audits conducted at HQ and the regions will provide for better coordination of CPIC audits, physical control over CPIC terminals, and reinforce information and general security awareness with users.
Wayne Tallack, Manager
Diane Robert, Project Leader
Gilles Lapointe, Internal Auditor