Audit of Personnel Security Screening

From: Employment and Social Development Canada

Official title: Audit of Personnel Security Screening

On this page

Alternate formats

Request other formats online  or call 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105. Large print, braille, audio cassette, audio CD, e-text diskette, e-text CD and DAISY are available on demand.

List of acronyms used in this report

DSO
Departmental Security Officer
ESDC
Employment and Social Development Canada
HRSB
Human Resources Services Branch
IISD
Internal Integrity and Security Directorate
OGD
Other Government Departments
TBS
Treasury Board Secretariat

1.  Background

1.1 Context

Within Employment and Social Development Canada (ESDC), employees are required to access protected and/or classified information to perform their roles and responsibilities. To reduce the risk that protected and/or classified information is inappropriately accessed, used or shared, the Government of Canada has established security policies, including policies related to personnel security screening.

The Treasury Board Secretariat (TBS) Policy on Government Security requires departments to continuously assess and monitor security risks, as well as to implement and maintain appropriate security measures and controls, including controls related to personnel security screening that assess an individual's trustworthiness, reliability and loyalty to Canada.

The management of personnel security screening is primarily governed by the TBS Standard on Security Screening. The objective of the Standard on Security Screening is to ensure that security screening in the Government of Canada is effective, efficient, rigorous, consistent and fair. It is expected that security screening practices provide reasonable assurance that individuals can be trusted to safeguard government information, assets and facilities, and to reliably fulfil their duties.

The Standard includes the following security status and clearances:

Within ESDC, the Internal Integrity and Security Directorate (IISD) of the Integrity Services Branch is responsible for assessing the reliability and loyalty to Canada of applicants and employees.

The table below identifies the number of reliability status and secret clearance processed by the Department between April 1, 2017 and March 31, 2019:

Fiscal year Reliability status - new Reliability status - update Secret clearance - new Secret clearance - update Resolution of doubt Denials Revocations 
2017 to 2018 4,281 1,870 1,123 52 235 7 1
2018 to 2019 3,688 1,707 751 410 267 14

1.2 Audit objective

The objective of this audit was to determine if the management and oversight of the security screening process are adequate.

1.3 Scope

The scope of this audit included key controls pertaining to the adequacy and consistency of personnel security screening processes, as well as the safeguarding and disposal of personal information collected throughout these processes.

The audit excluded processes for top secret clearance, as the number of top secret clearance holders within the Department is insignificant.

1.4 Methodology

The audit was conducted using a number of methodologies including:

A statistical sample of 130 files was selected from a population of 6,556 security screening processes completed by the Department between April 1, 2018 and March 31, 2019. This includes 100 applications for reliability status and 30 applications for secret clearance. In addition, judgemental samples were selected for security screening processes that included Resolution of Doubt interviews and Denied applications for security clearance. All revoked security clearances were reviewed.

The approach and methodology followed the TBS Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing  . These Standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective is achieved.

2. Audit findings

2.1 Processes for personnel security screening

Within the TBS Standard on Security Screening, departments are responsible for establishing and implementing security screening procedures and practices for security screening processes.

The Standard on Security Screening also states that the Departmental Security Officer (DSO) is responsible for overseeing security screening procedures and practices. Within the Department, it was found that the DSO has overseen the establishment of security screening practices that are implemented by IISD and Regional Security Officers.

During the audit, we found that ESDC has established and implemented procedures and practices for security screening processes.

There are some differences between the screening processes used for individuals joining ESDC from other government departments (OGDs) and the ones used for individuals new to the public service. Specifically:

The service standard for verification of security status for individuals joining the Department from OGDs is five days

The service standard for the processing of new reliability status is seven to 25 business days; the service standard for the processing of new secret clearance is 14 to 90 business days

To support decisions for security screening processes, the Department has developed tools, including a Financial Inquiry Risk Matrix and a Criminal Conviction Risk Matrix. These tools provide the assessor with guidance for granting clearances or conduct Resolution of Doubt interviews for potential adverse findings within these reports (for example: total debt of $250K or more, impaired driving or driving while intoxicated).

2.2 Screening activities

Within the Government of Canada, the Standard on Security Screening identifies the activities to be completed for personnel to obtain reliability status and secret clearance. The table below outlines the required screening activities for reliability status and secret clearance:

Clearance:

Reliability status

Required screening activities:

5-year background information, including:

Clearance:

Secret clearance

Required screening activities:

10-year background information, including:

For applicants for reliability status that entered Canada less than five years ago or applicants for secret clearance that entered Canada less than ten years ago, the Department is required to:

We reviewed the sample of 130 security screening processes and found no issues. Specifically:

It was noted that the IISD was reliant upon Human Resources Services Branch (HRSB) and hiring managers for the verification of the applicant’s identification information and background, educational and professional credentials as well as personal and professional references as a part of the hiring process.

It was also found that the Department generally completed security screening processes within service standards. We observed that not all Personnel Screening, Consent and Authorization forms were date-stamped when the screening process was initiated. For forms without these date stamps, we were unable to assess whether screening processes were completed within service standards.

2.3 Resolution of doubt interviews

Within the Standard on Security Screening, it is stated that security interviews may be used as a means to resolve doubt and/or to address adverse information that is uncovered during security screening.

We were advised by IISD management that when adverse information is uncovered during screening processes, Resolution of Doubt interviews are conducted either by Regional Security Officers or by IISD personnel within National Headquarters during which the adverse information is discussed. Based on the Resolution of Doubt interviews, IISD provides the DSO with recommendations on whether the applicant’s clearance should be granted or denied.

During the audit, we reviewed applications for security clearances for which Resolution of Doubt interviews were conducted.

2.4 Applications for security clearances

The Standard on Security Screening states that when there is reasonable doubt as to an individual’s reliability or loyalty to Canada, a security status or clearance may be denied.

Resolution of Doubt interviews were conducted during each of these screening processes, but information provided by the individual in these interviews did not sufficiently address the adverse information. Therefore, the security clearances were not granted.

2.5 Process for revocation of security clearances

As stated in the Standard on Security Screening, a revocation is an administrative decision to withdraw, following an update or a review for cause, the security status or clearance previously granted to an individual. When a revocation is being considered for an employee, departments are required to consult with their human resources organizations. In all cases, the reason for revocation must be documented and individuals must be informed in writing of the decision and of their rights of review or redress.

Between April 1, 2018 and March 31, 2019, the Department revoked seven security clearances. During the audit, we reviewed six out of seven revoked files.Footnote 1

In general, it was found that the files for revocations contained much of the information required by the Standard on Security Screening. Specifically, files included evidence that HRSB was consulted by the DSO, documented the reason for revocation and included copies of written notification to the employee of the decision to revoke their security clearance and their right to review or redress.

2.6 Protection of personal information

The Standard on Security Screening requires that personal information created, collected, used, disclosed, retained and disposed of for security screening will be safeguarded in accordance with government standards for the protection of personal information.

During the audit, it was observed that personnel security files are stored within a secure room that requires swipe card access.

In addition, within the sample of 100 applications for reliability status and 30 applications for secret clearances, seven files were found to relate to individuals that are no longer employees of the Department. It was found these files pertained to employees for which employment was terminated within the last two years. As such, it is appropriate that the Department still holds personal information created, collected, used, disclosed, retained and disposed of for their security screening.

3. Conclusion

The Department is adequately managing security screening processes and has developed appropriate procedures and practices to support those processes that are overseen by the DSO.

4. Statement of assurance

In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Audit of Personnel Security Screening. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.

Appendix A: Audit criteria assessment

Audit criteria:

It is expected that screening requirements for positions are accurately determined; and personnel security screening applications and updates are assessed or reviewed in a timely manner based on established processes that are consistent with applicable TBS Standards.

Rating:  Sufficiently controlled; low-risk exposure

Audit criteria

It is expected that personal information collected during the screening process is appropriately safeguarded and disposed of when it is no longer of value.

Rating:  Sufficiently controlled; low-risk exposure

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: