Audit of Personnel Security Screening
Official title: Audit of Personnel Security Screening
On this page
- 1. Background
- 2. Audit findings
- 3. Conclusion
- 4. Statement of assurance
- Appendix A: Audit criteria assessment
Request other formats online or call 1 800 O-Canada (1-800-622-6232). If you use a teletypewriter (TTY), call 1-800-926-9105. Large print, braille, audio cassette, audio CD, e-text diskette, e-text CD and DAISY are available on demand.
List of acronyms used in this report
- Departmental Security Officer
- Employment and Social Development Canada
- Human Resources Services Branch
- Internal Integrity and Security Directorate
- Other Government Departments
- Treasury Board Secretariat
Within Employment and Social Development Canada (ESDC), employees are required to access protected and/or classified information to perform their roles and responsibilities. To reduce the risk that protected and/or classified information is inappropriately accessed, used or shared, the Government of Canada has established security policies, including policies related to personnel security screening.
The Treasury Board Secretariat (TBS) Policy on Government Security requires departments to continuously assess and monitor security risks, as well as to implement and maintain appropriate security measures and controls, including controls related to personnel security screening that assess an individual's trustworthiness, reliability and loyalty to Canada.
The management of personnel security screening is primarily governed by the TBS Standard on Security Screening. The objective of the Standard on Security Screening is to ensure that security screening in the Government of Canada is effective, efficient, rigorous, consistent and fair. It is expected that security screening practices provide reasonable assurance that individuals can be trusted to safeguard government information, assets and facilities, and to reliably fulfil their duties.
The Standard includes the following security status and clearances:
- reliability status is a personnel security status that is required before an employee can gain access to Protected A, B or C information, assets or work sites
- secret is a personnel security clearance required before an employee can gain access to secret information, assets or work sites
- top secret is a personnel security clearance required before an employee can gain access to top secret information, assets or work sites
Within ESDC, the Internal Integrity and Security Directorate (IISD) of the Integrity Services Branch is responsible for assessing the reliability and loyalty to Canada of applicants and employees.
The table below identifies the number of reliability status and secret clearance processed by the Department between April 1, 2017 and March 31, 2019:
|Fiscal year||Reliability status - new||Reliability status - update||Secret clearance - new||Secret clearance - update||Resolution of doubt||Denials||Revocations|
|2017 to 2018||4,281||1,870||1,123||52||235||7||1|
|2018 to 2019||3,688||1,707||751||410||267||14||7|
1.2 Audit objective
The objective of this audit was to determine if the management and oversight of the security screening process are adequate.
The scope of this audit included key controls pertaining to the adequacy and consistency of personnel security screening processes, as well as the safeguarding and disposal of personal information collected throughout these processes.
The audit excluded processes for top secret clearance, as the number of top secret clearance holders within the Department is insignificant.
The audit was conducted using a number of methodologies including:
- document review and analysis
- on-site observations and walkthroughs of processes
- interviews with departmental management and staff
- review and testing of a sample of security clearance files
A statistical sample of 130 files was selected from a population of 6,556 security screening processes completed by the Department between April 1, 2018 and March 31, 2019. This includes 100 applications for reliability status and 30 applications for secret clearance. In addition, judgemental samples were selected for security screening processes that included Resolution of Doubt interviews and Denied applications for security clearance. All revoked security clearances were reviewed.
The approach and methodology followed the TBS Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing . These Standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective is achieved.
2. Audit findings
2.1 Processes for personnel security screening
Within the TBS Standard on Security Screening, departments are responsible for establishing and implementing security screening procedures and practices for security screening processes.
The Standard on Security Screening also states that the Departmental Security Officer (DSO) is responsible for overseeing security screening procedures and practices. Within the Department, it was found that the DSO has overseen the establishment of security screening practices that are implemented by IISD and Regional Security Officers.
During the audit, we found that ESDC has established and implemented procedures and practices for security screening processes.
There are some differences between the screening processes used for individuals joining ESDC from other government departments (OGDs) and the ones used for individuals new to the public service. Specifically:
- For individuals joining ESDC from OGDs, the Department verifies via email from the OGD that a security clearance exists for the individual. The information requested from the OGD includes clearance level, expiry date, whether there is adverse information on file, if the clearance is active or terminated and whether the OGD holds the physical file
The service standard for verification of security status for individuals joining the Department from OGDs is five days
- For individuals new to the public service, the Department has developed and documented processes for performance of:
- Background Verifications: They are performed to verify the accuracy of the individual’s background and ensure that all subsequent security activities are conducted in relation to the actual individual
- Law Enforcement Inquiries: They are a verification of a criminal record against the Royal Canadian Mounted Police's National Repository of Criminal Records
The service standard for the processing of new reliability status is seven to 25 business days; the service standard for the processing of new secret clearance is 14 to 90 business days
To support decisions for security screening processes, the Department has developed tools, including a Financial Inquiry Risk Matrix and a Criminal Conviction Risk Matrix. These tools provide the assessor with guidance for granting clearances or conduct Resolution of Doubt interviews for potential adverse findings within these reports (for example: total debt of $250K or more, impaired driving or driving while intoxicated).
2.2 Screening activities
Within the Government of Canada, the Standard on Security Screening identifies the activities to be completed for personnel to obtain reliability status and secret clearance. The table below outlines the required screening activities for reliability status and secret clearance:
Required screening activities:
5-year background information, including:
- verification of identity and background
- verification of educational and professional credentials
- personal and professional references
- financial inquiry (in other words, credit check)
- law enforcement inquiry (in other words, criminal record check)
Required screening activities:
10-year background information, including:
- reliability status
- Canadian Security Intelligence Service security assessment
For applicants for reliability status that entered Canada less than five years ago or applicants for secret clearance that entered Canada less than ten years ago, the Department is required to:
- Obtain a copy of the applicant’s valid passport;
- Obtain a copy of the applicant’s Canadian visa, work/education permit or Canadian citizenship card; and
- Perform a law enforcement inquiry from the applicant’s country of birth.
We reviewed the sample of 130 security screening processes and found no issues. Specifically:
- Financial inquiries were performed by obtaining Equifax Consumer Reports for the applicants
- Law enforcement inquiries were performed by obtaining Criminal Record checks from the Royal Canadian Mounted Police National Repository of Criminal Records
It was noted that the IISD was reliant upon Human Resources Services Branch (HRSB) and hiring managers for the verification of the applicant’s identification information and background, educational and professional credentials as well as personal and professional references as a part of the hiring process.
It was also found that the Department generally completed security screening processes within service standards. We observed that not all Personnel Screening, Consent and Authorization forms were date-stamped when the screening process was initiated. For forms without these date stamps, we were unable to assess whether screening processes were completed within service standards.
2.3 Resolution of doubt interviews
Within the Standard on Security Screening, it is stated that security interviews may be used as a means to resolve doubt and/or to address adverse information that is uncovered during security screening.
We were advised by IISD management that when adverse information is uncovered during screening processes, Resolution of Doubt interviews are conducted either by Regional Security Officers or by IISD personnel within National Headquarters during which the adverse information is discussed. Based on the Resolution of Doubt interviews, IISD provides the DSO with recommendations on whether the applicant’s clearance should be granted or denied.
During the audit, we reviewed applications for security clearances for which Resolution of Doubt interviews were conducted.
2.4 Applications for security clearances
The Standard on Security Screening states that when there is reasonable doubt as to an individual’s reliability or loyalty to Canada, a security status or clearance may be denied.
Resolution of Doubt interviews were conducted during each of these screening processes, but information provided by the individual in these interviews did not sufficiently address the adverse information. Therefore, the security clearances were not granted.
2.5 Process for revocation of security clearances
As stated in the Standard on Security Screening, a revocation is an administrative decision to withdraw, following an update or a review for cause, the security status or clearance previously granted to an individual. When a revocation is being considered for an employee, departments are required to consult with their human resources organizations. In all cases, the reason for revocation must be documented and individuals must be informed in writing of the decision and of their rights of review or redress.
Between April 1, 2018 and March 31, 2019, the Department revoked seven security clearances. During the audit, we reviewed six out of seven revoked files.Footnote 1
In general, it was found that the files for revocations contained much of the information required by the Standard on Security Screening. Specifically, files included evidence that HRSB was consulted by the DSO, documented the reason for revocation and included copies of written notification to the employee of the decision to revoke their security clearance and their right to review or redress.
2.6 Protection of personal information
The Standard on Security Screening requires that personal information created, collected, used, disclosed, retained and disposed of for security screening will be safeguarded in accordance with government standards for the protection of personal information.
During the audit, it was observed that personnel security files are stored within a secure room that requires swipe card access.
In addition, within the sample of 100 applications for reliability status and 30 applications for secret clearances, seven files were found to relate to individuals that are no longer employees of the Department. It was found these files pertained to employees for which employment was terminated within the last two years. As such, it is appropriate that the Department still holds personal information created, collected, used, disclosed, retained and disposed of for their security screening.
The Department is adequately managing security screening processes and has developed appropriate procedures and practices to support those processes that are overseen by the DSO.
4. Statement of assurance
In our professional judgement, sufficient and appropriate audit procedures were performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on observations and analyses at the time of our audit. The conclusions are applicable only for the Audit of Personnel Security Screening. The evidence was gathered in accordance with the Treasury Board Policy on Internal Audit and the International Standards for the Professional Practice of Internal Auditing.
Appendix A: Audit criteria assessment
It is expected that screening requirements for positions are accurately determined; and personnel security screening applications and updates are assessed or reviewed in a timely manner based on established processes that are consistent with applicable TBS Standards.
Rating: Sufficiently controlled; low-risk exposure
It is expected that personal information collected during the screening process is appropriately safeguarded and disposed of when it is no longer of value.
Rating: Sufficiently controlled; low-risk exposure
Report a problem or mistake on this page
- Date modified: