Internal Audit – Charities Audit Process

Final Report
Audit, Evaluation, and Risk Branch
January 14, 2025

Executive summary

Charities play a vital role in achieving goals that are highly valued by Canadians, both at home and abroad. Canadians recognize the value that charities provide for essential services and support of the social well-being of all people.

The Charities Directorate (CD) within the Legislative Policy and Regulatory Affairs Branch (LPRAB) takes a risk-based approach to promote education and compliance, monitors risk present in the charitable sector, and reviews information from various sources, including internal Canada Revenue Agency (CRA) systems, leads, information from Canadian intelligence and law enforcement partners, and other sources relevant to the Income Tax Act, non-compliance and terrorism abuse. The Canada Revenue Agency (CRA) may pursue a range of audit outcomes, including revoking charitable status in cases of serious non-compliance, to ensure that registered charities continue to meet all associated legal and administrative requirements.

The objective of this audit was to provide the Commissioner, CRA management, and the Board of Management with assurance that key audit processes are in place and being followed for the impartial conduct of audits within the CD.

Overall, the audit found process workflows are established and communicated in the CD within divisions that conduct audits of charities to support structured practices. Additionally, planning and oversight processes were generally in place for divisions. However, some improvement is required to strengthen controls over the way the CRA oversees charity audits to better demonstrate impartiality and consistency in the charities audit process.

The charities audit process is manually intensive and relies on the professional judgment and discretion of individuals, thus increasing the risk of inconsistency and partiality. The recommendations presented in this report aim to improve the CD’s plans, processes, supporting documentation, and monitoring activities to better demonstrate the accuracy and consistency of decision-making.

Management response

The LPRAB agrees with the recommendations in this report and has developed related action plans. The Audit, Evaluation, and Risk Branch (AERB) has determined that the action plans appear reasonable to address the recommendations.

Introduction

Charities play a vital role in achieving goals that are highly valued by Canadians, both at home and abroad. Canadians recognize the value that charities provide for essential services and support of the social well-being of all people. With approximately 86,000 federally registered Canadian charities, Canada has been recognized as among the most generous countries in the world^{Footnote 1} .

To encourage the charitable sector’s contributions to Canadian society, Canada provides significant benefits to those that operate exclusively for charitable purposes, including exemption from paying income tax and the ability to issue official donation receipts to donors for income tax purposes.

The CRA administers the Income Tax Act and Charities Registration (Security Information) Act to register charities and to ensure that registered charities continue to meet all associated legal and administrative requirements. This includes a role in minimizing the risk of terrorist financing as part of the Anti-Money Laundering and Anti-Terrorist Financing (AML-ATF) Regime in Canada. In Canada and abroad, terrorist entities have abused charities by involving them, knowingly and unknowingly, in supporting terrorist activities^{Footnote 2} . The AML-ATF Regime is a key element in Canada’s counter-terrorism strategy, which is coordinated by the Department of Finance, Public Safety Canada, and a number of other government organizations to provide leadership and guidance on the responsible and effective sharing of national security information.

The CD within the LPRAB has a mandate to promote compliance with income tax legislation and regulations relating to charities through education and responsible enforcement to support charities while protecting the charitable sector and the public from threats and abuse. Where appropriate, the CD selects and conducts audits to ensure registered charities continue to meet their registration obligations and may pursue a range of audit outcomes, including revoking charitable status in cases of serious non-compliance.

The CD has two divisions that conduct audits of charities:

• The Compliance Division manages the general charities compliance program through its Headquarters (HQ) functions. Its audit function is carried out jointly by the HQ advisors and the charities field auditors located in five tax services offices in Edmonton, Halifax, Kitchener, Montreal, and Victoria.
• The Review and Analysis Division (RAD) manages a compliance program focused solely on risks related to terrorism abuse and non-compliance, among other activities that support Canada's ATF efforts.

The figure below outlines the high-level process followed by both divisions to conduct audits of registered charities.

Focus of the audit

This internal audit was requested by the Commissioner and is included in the most recent 2023-2024 Risk-Based Assurance and Advisory Plan. The internal audit was launched in January 2023, and the Assignment Planning Memorandum was approved by the Commissioner in June 2023.

Importance

This audit is important as maintaining fairness in Canada’s tax and benefit administration, and strengthening trust, transparency, and accountability are two of the CRA’s priorities, both of which are essential to the integrity and continued success of the charitable sector in Canada.

Objective

The audit objective was to provide the Commissioner, CRA management, and the Board with assurance that key audit processes are in place and being followed for the impartial conduct of audits within the CD.

Scope

The scope of the engagement included reviewing the processes and controls related to the conduct of charity audits, including planning and information gathering, risk assessment, identification of workload, as well as audit methodologies.

The scope did not include a broader review of the CD’s effectiveness and a detailed review of how audits are conducted but did include a review of the monitoring and oversight of the conduct of charity audits (such as the quality review process). In addition, the scope did not include broader activities outside of RAD in support of Canada’s AML-ATF Regime or national security efforts.

The period covered in this audit is from April 1, 2020, to March 31, 2023.

Audit criteria and methodology

The audit criteria and methodology can be found in Appendix A.

The examination phase of the audit took place from June 2023 to January 2024.

Findings, recommendations, and action plans

The recommendations presented in this report address the findings. Findings in this report are common to both audit divisions in the CD, unless specified otherwise.

The LPRAB agrees with the recommendations in this report and has developed related action plans. The AERB has determined that the action plans appear reasonable to address the recommendations.

Planning and identification of workload

Plans and risk management approaches

Background

The CD outlines program plans with priorities and risk management approaches for promoting compliance with income tax legislation and regulations. The audit expected to find plans and risk management approaches to be documented, periodically updated, and approved to ensure the strategy and priorities are aligned with program objectives and to provide sound direction and coverage to support the identification and prioritization of audit workloads.

Findings

The audit observed that internal business plans and supporting documentation were documented and approved with strategies, projected workload, and resource allocation within Headquarters and regional tax services offices for the conduct of charity audits. This included a high-level description of initiatives and the risk-based approach to identify and address non-compliance issues within the charitable sector. It also included contributions towards the AML-ATF Regime’s assessment of terrorism financing risks for charities and non-profit organizations. Finally, the audit noted that the CD made commitments for raising awareness and training on unconscious biases.

The audit found that the LPRAB did not have a formal policy requirement to periodically review and approve the risk indicators for assessing the risk of terrorist financing abuse in the Canadian charitable sector in support of audits. [content redacted] however, the audit noted that risk indicators were last updated and approved in December 2016. The formal review would ensure that risk indicators and procedures are current, effective, impartial, and proportionate based on its understanding of the evolving nature of risks of terrorist financing abuse in charities, best practices, and analysis of past audit compliance treatments.

Why it matters

Without regularly updated and approved plans and risk management strategies, there is an increased risk that the audit processes do not remain aligned with the CRA’s priorities, expectations, and business objectives. This misalignment could lead to ineffective identification and prioritization of audit workloads and failure to effectively address emerging risks.

Action Plan #1

The Charities Directorate (the Directorate) regularly engages with other government departments in Canada’s Anti-Money Laundering/Anti-Terrorist Financing (AML/ATF) Regime about national security, anti-terrorist financing, government priorities, and the evolving terrorist financing threat environment. These consultations help the Directorate identify changes in risk indicators of terrorist financing abuse in the charitable sector. Through its participation in the AML/ATF Regime, the Directorate is also subject to various external reviews of its risk-based approach, including the Financial Action Task Force’s Mutual Evaluation and Follow-up Reviews, Canada’s Parliamentary Review of the Proceeds of Crime (Money Laundering) Terrorist Financing Act, and the United Nations Counter Terrorism Committee’s Executive Directorate Review.

The Directorate commits to document the outcomes of interdepartmental committees and external reviews more thoroughly and communicate relevant findings to impacted program areas. In addition, the Directorate commits to a periodic formal review, in line with the evolving terrorist financing threat environment, of its risk-based approach for assessing terrorist financing abuse of charities to ensure it continues to be effective and current. The Directorate will conduct an imminent review of the terrorist financing risk indicators and develop a process to ensure the regular and comprehensive review of risk-based approaches for assessing terrorist financing abuse on an ongoing basis.

Selection of audit files

Background

The CD collects and gathers data from various sources, including CRA-owned systems, leads and referrals, open-source channels, and classified information from intelligence partners. This information helps determine how initial cases are identified for workload and risk assessment for a review of potential non-compliance.

Charities officers and workload employees propose cases in accordance with procedures to determine the validity of non-compliance and terrorist financing concerns. Charities officers and workload employees then apply risk-based approaches to determine compliance treatments proportional to the risk of identified potential non-compliance.

Finally, responsible managers review and approve the identification and prioritization of workloads and risk assessments for potential audits to ensure that objective approaches comply with procedures and standards and that audit selection is conducted impartially before being referred to audit areas.

The audit expected to find that a process and procedures were in place, formally documented, and that existing key internal controls were effective at mitigating risks to impartiality within information gathering and business intelligence, workload, and decision-making.

Findings – Information gathering and business intelligence procedures

The audit reviewed the CD information gathering process, which is reliant on manual procedures. Within this process, procedures for tracking and monitoring were not fully in place, thus reducing the Directorate’s ability to confirm whether information gathering procedures were followed and to prevent unintentional errors.

The CD business plans identify non-compliance risks that support the determination of potential audit cases through business intelligence procedures for the Compliance Division. Within these procedures, the audit found that processes, roles and responsibilities, and appropriate review checkpoints in the audit project lifecycle were not formally documented. At the time of the audit, the CD was in the process of piloting a comprehensive risk assessment model, which is expected to improve the effectiveness of quantitative approaches for identifying audit cases and to reduce the current level of manual effort and discretion for determining compliance treatments.

Specifically for the RAD, the audit reviewed the manual process steps to search and receive information on classified intelligence shared from partners and did not observe significant concerns around the procedures followed by the RAD to gather information. RAD analysts make initial determinations of risk based on information deemed reliable and risk factors within the scope of the Canadian charitable sector and the mandate for the risk of terrorist abuse. The information is securely stored and tracked for potential leads and monitoring research or reference for strategic purposes.

Findings – Risk assessment and workload procedures

The audit reviewed workload and risk assessment process documents, procedures, and sample documents from the CD. The audit also conducted a detailed file review of 21 cases that were risk assessed and considered for audit to assess the validity of the selected compliance treatment (16 for the Compliance Division and 5 for the Review and Analysis Division).

The audit observed recent efforts to improve procedures and templates to address gaps, to ensure key workload development steps are consistently followed and supporting documentation is retained. The audit examined workload cases and monitoring risk assessments, and found assessments were primarily documented and informed by supporting information. Referrals to audit teams were supported by more than a single category of information to reduce the risk of relying on potentially unreliable information.

Specifically for the RAD, the risk assessment and workload development procedures to determine potential concerns around terrorism financing abuse involved an informal, group-based approach. The RAD documented linkages to sources of information and information systems. It also included descriptions that aligned to risk indicators for terrorist financing (see table 2 below).

Table 2: Review and Analysis Division Risk Indicator Reference Guide (Unclassified)

However, the audit found that workload development and monitoring procedures were missing clearly defined criteria and terminology to better support a structured and consistent approach for determining and documenting risk levels. As such, based on the files reviewed, the audit found the risk indicators and overall calculated risk in some cases were not consistently recorded to further support a consistent determination to refer to an appropriate type of compliance treatment.

Findings –Decision-making for workload development

The audit found that appropriate documentation of supervisory review and decision-making over the workload and risk assessment procedures was not always in place for the files reviewed. Specifically for the RAD, manager approval of leads and monitoring files were not always documented and did not always demonstrate consistent segregation of duties. The audit noted decision-making through reviews and approval in the monitoring process was conducted through informal group meetings and included considerations for complexity and available resources in the process. However, for all the cases reviewed, RAD compliance treatment decisions were not consistently documented, including the level of risk and compliance treatment or justification for not proceeding with audits.

Additionally, the audit found the CD information systems and data structure do not meet all current business needs for both divisions to support operations and the monitoring of program objectives. Current processes rely on manually intensive administrative tasks to perform work over various IT networks, systems, and tracking spreadsheets. These manual and separate systems create challenges in effectively managing and reporting on the charities audit workload. The audit found data for reporting and decision-making was limited, incomplete, and spread across many sources, making it difficult to compile and assist with determining the risk of impartiality across the charities’ population.

Why it matters

It is important to have documented procedures and guidance to gather information and assess business intelligence to reduce the risk of inconsistencies, improve oversight, and prevent unintentional errors. This may also support the program’s ability to demonstrate integrity and impartiality through regular review and monitoring.

Charities audit process, procedures and internal standards

Background

Gaps in the key charities processes and procedures have been covered above, but there are additional considerations to note related to formalizing standards in the charities audit process to ensure impartiality is considered.

Both audit divisions in the CD are supported by key processes to ensure controls and expectations are clearly defined and followed when conducting charity audits. Since 2019, the CD has been using the Charities Audit Manual, job aids, working paper templates, and procedures. These communicate structured practices across the CD that enable the consistent and impartial approaches for the respective areas in conducting the charities audit process.

The audit expected to find formal processes, procedures, and internal standards are documented, clear, and communicated in order to inform key areas involved in the charities audit process of expected roles, responsibilities, and controls to mitigate risks of impartiality. Furthermore, the audit expected to see detailed standards, criteria, and checklists in place to support the documentation of decision-making and monitoring activities for various steps within the audit process.

Findings

The audit reviewed documented processes and procedures and conducted interviews with selected staff within the CD and regional tax services offices. The audit found the LPRAB had developed and communicated various workflows, processes, procedures, and job aids for key activities to ensure quality and integrity within the charities audit process. The audit also noted local guides and mandatory training materials are available for employees to improve their awareness of unconscious biases. Despite the current efforts, the audit found gaps within current workflows to ensure process documentation is sufficiently in place and that considerations for risks on impartiality and potential biases in particular are more formally integrated into decision-making.

The audit found the CD had not fully defined and communicated roles and responsibilities to support expectations to identify and mitigate risks related to impartiality when conducting audits. As mentioned above, some processes and procedures related to information gathering, risk assessment and screening, and workload as part of the charities audit process did not contain detailed steps and controls to explicitly address risks to impartiality, such as appropriate tracking, documentation, and reviews to support risk-based approaches to determine compliance treatments.

Finally, through interviews, the audit observed charities auditors and employees were aware of unconscious biases and relied on their own experience, procedures, and support within the CD when making compliance-related decisions. However, in some cases, the audit did not find clearly detailed internal standards, criteria, and review checklists in place to support the consistent documentation of decision-making and monitoring activities as part of the charities audit process. Additional details related to monitoring are covered below.

Why it matters

It is important to have clear roles, responsibilities, processes, procedures, and standards to ensure that processes and decisions are applied consistently and impartially.

Action Plan #2

The Charities Directorate (the Directorate) recognizes the value of continually improving its processes and procedures to reinforce consistency and impartiality in decision making, and to ensure the high quality of the charities audit program. The Directorate commits to the actions outlined below.

1. In order to continually identify and mitigate risks to impartiality in all roles, the Directorate will ensure that all roles and responsibilities are documented, clear, and communicated to all areas involved in the audit process. This will include establishing, approving, and integrating the roles and responsibilities of employees involved in business intelligence, such as risk assessment and screening.

   The target completion date for this action plan is March 2025.

2. The Directorate will review existing processes and procedures in order to identify and implement additional measures to ensure consistency in approach and decision making. The Directorate will develop and implement additional job aids and tools to more fully document responsibilities and processes involved in validating information. This will include:

   • ensuring that procedures for tracking and monitoring are fully in place in order to illustrate that information gathering procedures were followed;
   • documenting processes and appropriate review checkpoints into the business intelligence audit project lifecycle and audit selection decisions;
   • ensuring that the review and approval process is clearly followed and appropriately recorded on all key documents.

   The Review and Analysis Division (RAD) commits to strengthening its written procedures to ensure that they fully document and detail its risk assessment and workload development processes and appropriately reflect its quality review and verification controls. This will include clearly defining criteria and terminology in order to support a structured and consistent approach for determining and documenting risk levels. The RAD will also ensure that all risk indicators and calculated risks are consistently recorded to illustrate consistent application of compliance treatments.

   With respect to information gathering, the information that the Directorate uses for risk-assessment and screening come primarily from internal CRA sources. Other sources of information go through a rigorous process to assess the validity and relevancy of the information and to determine if non-compliance exists. The Directorate will develop and implement additional job aids and tools to more fully document responsibilities and processes involved in validating information.

   The target completion date for this action plan is March 2026.

3. The Directorate commits to update its standards, detailed criteria, and supporting tools to include steps for consistent decision-making that is objective and include considerations to identify and mitigate risks associated with impartiality.

   Prior to the start of the internal audit, the Directorate began building an algorithm-based risk assessment model related to general non-compliance. An enhanced model was fully implemented in April 2024. This model, along with the action items in 2(B), will strengthen the Directorate’s ability to mitigate risks associated with impartiality when identifying potential files for audit, while reducing the current level of manual effort and discretion for determining compliance treatments.

   As mentioned in 2(B), the Directorate continues to develop job aids for employees, outlining specific processes to support consistent and impartial decision-making throughout the audit process.

   The target completion date for this action plan is September 2025.

4. The Directorate commits to ensure decision-making, review, and approval processes are followed and documented to ensure consistent audit outcomes. This will include documenting review and approval decisions on all audit files to illustrate that all outcomes have been reviewed and approved by the appropriate manager level. It will also include consistently documenting the level of risk or compliance treatment for all cases, including justifications for not proceeding with audits.

   In addition, the Directorate will review training material and will reinforce procedures with employees to ensure that decision-making, review, and approval processes are formally documented throughout the entire audit process to ensure consistent audit outcomes. The Directorate will put processes in place to ensure all procedures, standards, and job aids are communicated to new employees, with regular reminders to existing employees. In addition, the Directorate will formally introduce new processes, procedures, standards, and job aids to all employees through targeted communications.

   The target completion date for this action plan is September 2025.

Action Plan #3

In 2023, the Charites Directorate (the Directorate) conducted an in-depth review of its business intelligence (BI) strategy to gain a better understanding of its BI inventory, as well as identify BI and data gaps based on operational requirements. This review suggested various options to address these gaps, including the development of a program-wide risk framework, incorporating data from the charities information return into the Agency’s data warehouse, and enhancing the program’s BI function to better incorporate strategic and operational BI in decision making and workload selection. This work is being considered as part of the Directorate’s broader modernization review in fiscal year 2024 to 2025.

The Directorate recognizes that new technologies and enhanced BI functionality could improve its decision-making processes, provide synergies with data collected by other CRA program areas, and enable new forms of analysis. In addition, a more cohesive information system in which data is not located over various IT networks, systems, and tracking spreadsheets would ensure that processes are less manual and administratively burdensome.

While the Directorate agrees that more sophisticated BI processes and new technologies would be beneficial, existing resource constraints will impact its ability to pursue these program enhancements. In addition, some limitations in the Directorate’s systems may be driven by security requirements related to assessments of terrorist financing risks.

The Directorate will implement the recommendations from its 2023 BI review as part of its broader modernization initiative, and determine the feasibility of consolidating its BI function.

The LPRAB will consult with other branches of the CRA to determine the existing BI tools may be leveraged for use by the charities audit program. This will include a consultation with the Information Technology Branch (ITB) and its IT architecture team to determine the potential costs and timelines associated with updating and integrating systems.

The LPRAB will prepare a final recommendation for its BI function and processes.

Monitoring and oversight

Monitoring

Background

Activities to monitor the charities audit process ensure that established procedures and standards are followed to better support the validation of audit outcomes, thereby contributing to the reporting and oversight of the consistent and impartial approach of the audit program.

The audit expected that monitoring activities, information, and controls are established and working as intended to ensure the integrity and impartiality within the charities audit process.

Findings

The audit reviewed reports prepared by the CD to inform CRA management on operational performance, and AML-ATF regime performance reporting. The audit found that existing oversight monitoring mechanisms were only linked to operational metrics (such as the number of open and closed audit files as well as audit outcomes) and did not include information that would support monitoring of impartiality and consistency of treatment across all audit cases. The CD faced limitations with the existing available data on charities in support of the audit process to facilitate reporting on impartiality. Although incomplete data is available for certain categories and general programs of charitable organizations assigned at the time of charitable registration, the data fields in the information systems did not have the appropriate structure and accuracy needed to readily conduct data analysis and properly track the outcomes for all selected charities and the audit process.

The audit also conducted a file review of 18 completed audits to assess monitoring reviews and approval when conducting charities audits (14 for the Compliance Division and 4 for the RAD). The audit found that internal reviews and approvals were not always fully documented for all audit files reviewed. Supporting documentation, in relation to detailed internal criteria, checklists, and templates, were not always retained or stored centrally in a consistent format for key decision points, making it difficult to determine what elements were considered and assessed to support reviews and approval to ensure audit outcomes are impartial and consistent across the CD.

Additionally, the audit found that, at the time of the audit, only the charity audit cases conducted in tax services offices had a separate function from the audit to conduct monitoring activities and reporting of consistency and impartiality in decision-making across the CD. Although the CD has established additional audit advisory review and quality assurance functions over certain audits conducted, there were gaps in scope that limited the coverage to include improvements across all of HQ areas and key aspects throughout the charities audit process.

Why it matters

Established monitoring activities are important in reducing the risk of misalignment with CRA values and support the ability to demonstrate the effective oversight of the program’s consistent and impartial application of outcomes.

Action Plan #4

1. The Charities Directorate (the Directorate) commits to conduct an assessment of other methods to expand data collection to identify risks to impartiality by consulting within the CRA, as well as with international regulators. For example, the Directorate will survey international regulators to enquire about the steps they have taken in this area and will implement a program that is consistent with the international standards for addressing risks to impartiality.

   In addition, the Directorate will review the feasibility of consolidating the audit quality assurance (AQA) program outside of the operational divisions of the Directorate. This will allow for further development of the AQA program such that assessments of consistency of treatment and impartiality of audit outcomes will be performed on a regular basis. However, similarly to the consolidation and improvements to BI, any consolidation of the AQA program will be dependent on the availability of resources, as well as security requirements related to assessments of terrorist financing risks.

   The target completion date for this action plan is September 2025.

2. The Directorate mitigates risks related to impartiality through a rigorous review and approval process for audit conclusions, including the review of all audit outcomes by Headquarters prior to audit closure. Additional scrutiny is implemented for those audits that conclude with more serious outcomes (such as a revocation or sanction). Furthermore, effective April 1, 2024, the Directorate moved restricted audits from Headquarters to the field offices. These audits will be closely monitored by Headquarters, which will help mitigate risks to impartiality.

   In addition, the Directorate will fully document and centrally retain internal reviews and approvals that lead to audit decisions to ensure impartiality and consistency across all audit outcomes.

   The Review and Analysis Division (RAD) has implemented and will continue to improve its internal reporting mechanisms, including through the adoption of documented briefings to senior management on audit plans, deliverables, progress, and outcomes.

   The target completion date for this action plan is September 2025.

Oversight

Background

Internal oversight provides mechanisms for regular reporting and addressing decision-making within the charities audit process to ensure appropriate measures are taken to mitigate risks to impartiality. In addition, the RAD has external reporting requirements related to the AML-ATF Regime as well as the Financial Action Taskforce (FATF), an international standard setting body for addressing money laundering and terrorist and proliferation financing.

The audit expected internal CRA oversight mechanisms are working as intended to support decision making and appropriate information is communicated to stakeholders.

Findings

The audit examined internal mechanisms for reporting and oversight within the charities audit process, including the external reporting requirements related to the AML-ATF Regime and the FATF.

The audit found that oversight and reporting were generally in place over the charities audit process. Specifically for the RAD, the audit found the Division had recently augmented its internal oversight reporting to include further details and information to address risks to impartiality and consistency for decision-making.

Conclusion

Overall, the audit found process workflows are established and communicated in the CD within divisions that conduct audits of charities to support structured practices. Additionally, planning and oversight processes were generally in place for divisions. However, some improvement is required to strengthen controls over the way the CRA oversees charity audits to better demonstrate impartiality and consistency in the charities audit process.

The charities audit process is manually intensive and relies on the professional judgment and discretion of individuals, thus increasing the risk of inconsistency and partiality. The recommendations presented in this report aim to improve the CD’s plans, processes, supporting documentation, and monitoring activities to better demonstrate the accuracy and consistency of decision-making.

Acknowledgement

In closing, we would like to acknowledge and thank the LPRAB for the time dedicated and the information provided during the course of this engagement.

Appendices

Appendix A: Audit criteria and methodology

Audit criteria

Based on the AERB’s risk assessment, the following lines of enquiry were identified:

Audit criteria

Lines of enquiry	Criteria
1. Planning and identification of workload	1.1 Process, procedures, and standards for charities audits are established and communicated. 1.2 Plans and risk management approaches are established, documented, and regularly reviewed to support the identification, analysis, and prioritization of workloads. 1.3 Controls are in place to ensure information, leads, business intelligence, and potential audit files are assessed, reviewed, and appropriately approved to identify workloads.
2. Monitoring and oversight	2.1 Monitoring activities are established and working as intended to ensure the audit process is impartial. 2.2 Oversight mechanisms are working as intended to support decision making and appropriate information is communicated to stakeholders.

Audit methodology

The methodology for examination included the following:

• reviewing and analyzing documented policies, procedures, and supporting documentation related to charity audits;
• conducting interviews and walkthroughs of processes and procedures with select management and staff at Headquarters and regional tax services offices;
• obtaining access to taxpayer and classified information and reviewing a sample of control outcomes and supporting documentation related to charity risk assessments and audit selection;
• reviewing supporting application data and conducting data analysis to review program statistics and key performance indicators for trends in audit processes and outcomes;
• reviewing and analyzing reporting and monitoring in place for charity audits;
• coordinating with the National Security and Intelligence Governance Section of the Security Branch for various meetings, including meeting with National Security and Intelligence Review Agency.

Appendix B: Glossary

Term	Definition
AML-ATF RegimeFootnote 3	A whole-of-government initiative to counter global financial crime through thirteen departments and agencies which providing dedicated resources to prevent, detect, deter and disrupt money laundering and terrorist financing.
Charities Registration (Security Information) Act	Law enacted by Parliament in 2001 as Part 6 of the Anti-terrorism Act. It provides a mechanism for revoking the registration of any charity or denying registration of an applicant when security information is used to establish that the charity or applicant is involved in supporting terrorism. Under the Act, two ministers may sign a special certificate when they have reasonable grounds to believe that a charity or applicant is implicated in supporting terrorism. A court then reviews the evidence. If it confirms that it was reasonable to issue the certificate, the charity’s registration is revoked or the applicant’s registration is denied on the date of the court’s determination.
Impartial	Principle that processes and decisions are not partial and based on objective criteria, rather than on the basis of bias, prejudice, or preferring to benefit one thing over another for improper reasons.
Leads	A lead is characterized by information, in any form, that detects potential tax/benefit cheating. The Leads Program gives the public the opportunity to come forward and anonymously report suspected cases of non-compliance with the laws administered by the CRA. Leads may contribute to various types of compliance actions pertaining to the laws administered by the CRA, including (but not limited to) audits, requests to file a tax return, the validation of benefits, and outstanding debt collection.
Money laundering	Money laundering is the process used to conceal or disguise the origin of criminal proceeds to make them appear as if they originated from legitimate sources. Money laundering benefits domestic and international criminals and organized crime groups.
Registered charity	Registered charities are a type of qualified donee under the Income Tax Act (Act), as such they can issue official donation receipts for gifts they receive from individuals and corporations. They are also exempt from income tax. To be registered as a charity, an organization must apply to the CRA and meet the requirements for registration under the Act, including that it: be established and resident in Canada, have exclusively charitable purposes and devote its resources to charitable activities. not allow its income to be used for the personal benefit of any of its members, shareholders, or governing officials. File an annual information return, and maintain proper books and records once registered
Revocation or revoked	Registration as a charity has been cancelled and the privileges that go with it have been taken away. The organization can no longer issue official donation receipts and is no longer eligible to receive gifts from registered charities. Registration as a charity is officially revoked when a notice is published in accordance with the Income Tax Act. Registration may be revoked because the charity: chooses to give up its registration (revoked voluntarily) does not file its annual return or does not file it on time (revoked for failure to file) fails to maintain its corporate status (revoked for other reasons) is audited and found to be non-compliant with the requirements for registration (revoked as a result of an audit).
Standards	Throughout this report, the term “standard” is used to refer to standards of audit quality. Application of quality standards to ensure consistency in the application of an audit process.
Terrorist financing	Terrorist financing is the collection and provision of funds from legitimate or illegitimate sources for terrorist activity. It supports and sustains the activities of domestic and international terrorists that can result in terrorist attacks in Canada or abroad, causing loss of life and destruction.