Audit of identity management practices

From: Employment and Social Development Canada

Official title: Audit of identity management practices


Acronyms used in this report

AG: Apprenticeship Grants
CSJ: Canada Summer Jobs
EI: Employment Insurance
GCOS: Grants and Contributions Online System
ISB: Integrity Services Branch
NHSP: New Horizon for Seniors Program
OAS: Old Age Security
PYVC: Parents of Young Victims of Crime
ROE: Records of Employment
WEPP: Wage Earner Protection Program

1. Background

1.1 Context

Identity management is the process by which the Department determines that the identity of an individual or organisation with whom it is transacting is legitimate. Adequate and consistent identity management practices mitigate the risks related to identity theft, the fraudulent use of identity documents, the improper granting of entitlements, the inappropriate allocation of benefits and services, financial losses to affected parties and the breach of an individual's right to privacy.

Pursuant to the Treasury Board’s Directive on Identity Management, the Department adopted an Identity Management Policy in April 2011, which was updated in April 2016. Supporting the departmental policy are the Identity Assurance, Evidence of Identity and Business Identity Validation standards. These standards are based on the Pan-Canadian Assurance Model that aims to achieve a “seamless, cross-jurisdictional, user-centric and multi-channel service delivery experience for all Canadians.”

These standards are meant to outline a framework for assessing the identity assurance needs of programs and services, and set the minimum information and process requirements for achieving the required levels of identity assurance within the existing legal authorities. Furthermore, identity management practices for programs and services must be developed to ensure alignment with the assurance level requirements for registration, authentication and validation.

Identity management practices broadly fall in the following processes:

The development of identity management practices (including tools and procedures) is supported by advice, tools and guidance from Integrity Services Branch’s (ISB) Identity Policy and Programs Directorate.

1.2 Audit objective

The objective of this audit was to determine if identity management practices:

1.3 Scope

The scope of this audit included key departmental structures, processes and practices pertaining to the management of identity for a risk-based selection of programs and services with varying identity assurance needs. Identity management for individuals as well as for businesses and organisations was included in the scope of this audit.

1.4 Methodology

The audit was conducted using a number of methodologies including:

2. Audit findings

2.1 Departmental policies and standards have not resulted in consistent identity management practices

Identity management for individuals

Internal Audit reviewed identity management practices for individuals across the following selection of programs:

Over the course of 2014, 2015 and 2016, all of these programs underwent a departmental assessment to determine if their identity management practices met policy requirements. Out of the 10 programs, only EI and OAS fully complied with the identity standards. The remaining 8 programs identified gaps, mostly related to the collection and validation of clients’ mother’s family name at birth and client status (in other words, Canadian citizenship, Aboriginal or Foreign status). Citing costly system changes, privacy implications and sufficient compensating controls, 7 out of the 8 programs opted for the status quo and did not modify their identity management practices. This preserved the inconsistencies that existed prior to the creation of the departmental policy.

Following those assessments, in April 2016, the Department updated its identity management policy and related standards to allow for more flexibility. For example, in the updated standards, identity attributes are now to be collected “within the limits of each individual program’s respective authorities” and the mother’s family name at birth “could be collected […] when applicable or if required”. Current identity standards for individuals adopt a non-prescriptive tone and allow for interpretation which might explain the inconsistent identity management practices across the Department.

Furthermore, the policy and standards remain vague on whether programs may go beyond the minimum requirements. For example, for returning clients, the departmental standard mandates a minimum of 3 identity attributes that need to be provided by the client. Internal Audit’s fieldwork has shown that all programs use more than the minimum, with some programs using 6 identity attributes to validate the identity of clients.

The absence of a departmental approach to identity management of third party representatives also resulted in inconsistencies observed by Internal Audit during our fieldwork. The current standard acknowledges this shortcoming and mandates programs to determine their own requirements for recognition of someone claiming to represent a client, based on their respective authorities.

Although consistency and a seamless service experience are mentioned repeatedly in the Department’s identity management policy (both as principles and expected results), Internal Audit’s fieldwork observed fragmented practices that lead to inconsistent user experience when accessing the Department’s programs, benefits and services.

Identity management for organisations

As part of the April 2016 update to the Department’s identity management policy, a business identity validation standard was created to “ensure program integrity as well as the service experience of organisations.” Internal Audit has reviewed the standard and concludes that the tone is prescriptive enough to achieve the expected consistency if programs comply with the standard.

Recommendation

ISB should review the current Identity Management Policy and its related standards to use language that is prescriptive enough to achieve the expected consistency across programs and delivery channels, especially as it relates to third party representatives.

Management response

ISB agrees with this recommendation. While a degree of flexibility is required to accommodate individual program authorities, consistent identity management practices are expected to ensure seamless service delivery. ISB will undertake a review of the Identity Management Policy to strengthen the requirement language and limit interpretation, in particular to the requirements for PROTECTED.

Actions are expected to be completed by September 2020.

2.2 Current identity management practices for individuals can be improved to adequately support program integrity

Internal Audit reviewed identity management practices for individuals across the following selection of programs and noted the following:

Recommendation

ISB should periodically monitor departmental programs to confirm that consistent and sufficient identity management practices have been implemented.

Management response

ISB agrees with this recommendation and had already obtained consultant services, in the winter of the 2018 to 2019 fiscal year, to develop options for a monitoring and reporting strategy to address this issue. ISB will continue to explore these options and engage with program areas to put a reporting schedule into place that would help ensure that programs have fully implemented consistent identity management practices.

Actions are expected to be completed by September 2020.

2.3 Current identity management practices for organisations need to be strengthened to adequately support program integrity

Internal Audit reviewed identity management practices for organisations across the following selection of programs and noted the following:

Recommendation

ISB, in collaboration with program areas, should review identity management practices for organisations to address compliance gaps with departmental and government identity standards. PROTECTED.

Management response

ISB agrees with this recommendation and confirms that there is a gap in the implementation of the Identity Management Policy for PROTECTED as they had been requested to pause the development of their gap analyses and implementation plans until after the Department became PROTECTED. Recent amendments to the Department of Employment and Social Development Act for service delivery have resolved this issue.

The Treasury Board Secretariat is expecting to renew the Directive on Identity Management in 2019. ISB will work with PROTECTED to address any gaps in their identity management practices and/or update the Policy as necessary. Preliminary contact has already been made with PROTECTED to provide identity management guidance.

Actions are expected to be completed by March 2022.

3. Conclusion

The audit concluded that identity management practices have been developed and implemented but have not achieved the expected level of consistency across programs and service delivery channels. These consistency issues mainly stem from programs that use a higher standard than required by the policy and from the lack of a departmental approach to handling individual clients’ third party representatives.

Overall, identity management practices for individuals adequately support the integrity and security of programs and services. Exceptions have been identified for each program where enhancements could be made to further increase the integrity of programs.

PROTECTED

4. Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for identity management practices of the programs listed in this report. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

Audit criteria:
It is expected that the Department developed adequate policy, standards, tools and guidance that enable the development of consistent identity management practices by departmental programs and services.
Rating:
Controlled, but should be strengthened; medium-risk exposure

Audit criteria:
It is expected that the Department monitors developed identity management practices to confirm that policy requirements are met.
Rating:
Controlled, but should be strengthened; medium-risk exposure

Audit criteria:
Identity management practices for individuals: It is expected that programs and services implemented (in other words, designed, documented and communicated) identity management practices that align with the assurance level requirements for registration, authentication, validation and modifications.
Rating:
Controlled, but should be strengthened; medium-risk exposure

Audit criteria:
Identity management practices for organisations: It is expected that programs and services implemented (in other words, designed, documented and communicated) identity management practices that align with the assurance level requirements for registration, authentication, validation and modifications.
Rating:
Controlled, but should be strengthened; medium-risk exposure

Audit criteria:
It is expected that programs and services secure identity information from unauthorized access.
Rating:
Sufficiently controlled; low-risk exposure

Audit criteria:
For all channels (in-person, specialised call centre, mail, online) except processing centres: It is expected that programs and services monitor identity management activities to confirm that remedial actions are taken on a timely basis to address gaps impacting program integrity.
Rating:
Sufficiently controlled; low-risk exposure

Audit criteria:
For processing centres’ incoming and outgoing calls: It is expected that programs and services monitor identity management activities to confirm that remedial actions are taken on a timely basis to address gaps impacting program integrity.
Rating:
Controlled, but should be strengthened; medium-risk exposure