Internal Audit of the Case Processing Centre Ottawa (CPC-O)
Internal Audit & Accountability Branch
13 October 2016
Table of Contents
Executive Summary
Background
The Ottawa Case Processing Centre (CPC-O) was established in 2010 as a pilot to support Immigration, Refugees and Citizenship Canada’s (IRCC) modernization agenda, and became permanent in January 2014. It has supported the roll out of several key priority initiatives such as implementing the Global Case Management System, restructuring the North American immigration program delivery network, assisting with application backlog reduction, and implementing Express Entry. More recently, it played a key role in achieving the Government of Canada’s commitment to welcome 25,000 Syrian refugees during the period from November 2015 to February 2016 by providing back office processing support to colleagues managing intake at the four major Operations Centres in Lebanon, Egypt, Turkey and Jordan.
CPC-O is the largest visa office in the IRCC global visa processing network and processes applications primarily from North America, and also applications submitted at Canadian visa offices or Visa Application Centres overseas.
Audit Objective and Scope
The audit objective was to assess selected elements of the management control framework to determine if they were properly designed and working as intended to support CPC-O operations. These elements were:
- Security – records, information and physical assets are being managed in accordance with policies and procedures;
- Program Integrity – the Program Integrity function is meeting its objectives of supporting risk-informed decision-making in a fraud aware and quality managed environment; and
- Legal and Compliance – application processing complies with key legislation, program delivery instructions and legal delegations to ensure transparency and program integrity.
The audit covered the period from January 1, 2015 to September 30, 2015. Applications with a final decision for the period from January 2015 to September 2015 were included in the testing sample. The testing and reconciliation of controlled forms were conducted in real time and quarterly inventory reports were assessed for the time period from January 1, 2015 to March 31, 2016.
Conclusion
The selected elements of the CPC-O’s management control framework were properly designed and generally working as intended to support operations. Program officials managed the controlled forms in accordance with departmental policies and guidance. A program integrity function is integrated into operations and supports risk management, program adherence and business analysis exercises. Immigration applications are processed in compliance with legislation and program instructions.
There were three opportunities for improvement identified. These included strengthening controlled forms protection, monitoring the implementation of action plans developed in response to program integrity activity review recommendations, and ensuring delegated authorities are appropriately documented.
Management has accepted the audit findings and developed an action plan to address the recommendations.
Background
Introduction
The Centralized Network
The Centralized Network (CN) is Immigration, Refugees and Citizenship Canada’s (IRCC) cross-Canada network responsible for the support and delivery of centralized immigration application processing functions. It is a network of over 2,000 employees located at offices across Canada that report to the Director General, under the Assistant Deputy Minister, Operations. The CN is comprised of a National Headquarters with the Director General’s office located in Ottawa, Ontario; four case processing centres (Ottawa, Ontario; Vegreville, Alberta; Mississauga, Ontario; and Sydney, Nova Scotia), a national call centre located in Montreal, Quebec and an operational support centre located in Ottawa, Ontario.
The Case Processing Centre - Ottawa
The Ottawa Case Processing Centre (CPC-O) was established in 2010 as a pilot to support IRCC’s modernization agenda and became permanent in January 2014. CPC-O has supported the roll out of several key priority initiatives since it is the largest visa office in the IRCC global visa processing network and processes applications primarily from North America, and also applications submitted at Canadian visa offices or Visa Application Centres overseas.
The office provides a learning environment that supports officer training on decision-making skills and allows for the opportunity to acquire practical experience in applying the provisions of the Immigration and Refugee Protection Act (IRPA). CPC-O is involved in training Short-Term Operational Assignment Training (SOAT) candidates. The objectives of the SOAT program are to expose employees involved in policy development and operational coordination to operation and to increase the Department’s pool of officers available for temporary assignments in the CN and potentially overseas. The SOAT program requires two weeks of hands-on training at CPC-O and three six-week temporary duty assignments within two years. Once trained, officers that pass with a minimum of 75 percent on the exam may be deployed to process applications on a short-term assignment to any visa office in IRCC’s global visa processing network.
Since 2010, CPC-O has supported the offsetting of acute pressures in the global visa processing network. For example, following the 2010 earthquake in Haiti, CPC-O provided coordination and processing support for permanent resident applications from Haitian citizens. More recently, CPC-O played a key role in achieving the Government of Canada’s commitment to welcome 25,000 Syrian refugees during the period from November 2015 to February 2016 by providing back office processing support to colleagues managing intake at the four major Operations Centres in Lebanon, Egypt, Turkey and Jordan. CPC-O also has a tradition of operating as a test facility for new systems and functionalities, including processing the vast majority of Express Entry e-applications following implementation of this new application management system in January 2015.
Operating environment
The Director responsible for CPC-O operations is supported by three managers: a Modernization Manager; an Operational Support Manager; and, a Permanent Residents Operations Manager.
As of October 2015, CPC-O had 211 employees – five percent were permanent CPC-O employees, eight percent were students, nine percent were IRCC permanent employees working at CPC-O on short-term assignments, and 78 percent were term and/or casual employees. CPC-O officials have developed a human resources strategy to stabilize their workforce by hiring more permanent staff.
CPC-O program staff conduct their work in accordance with the IRPA, other relevant Acts of Parliament, departmental guidance, policies and procedures, as well as a suite of internal administrative controls that have been put in place to support application processing.
Audit objective, scope and methodology
Audit objective and scope
The audit objective was to assess selected elements of the management control framework to determine if they were properly designed and working as intended to support CPC-O operations. These elements were:
- Security – records, information and physical assets are being managed in accordance with policies and procedures;
- Program Integrity – the Program Integrity function is meeting its objectives of supporting risk-informed decision-making in a fraud aware and quality managed environment; and
- Legal and Compliance – application processing complies with key legislation, program delivery instructions and legal delegations to ensure transparency and program integrity.
The audit covered the period from January 1, 2015 to September 30, 2015. Applications with a final decision for the period from January 2015 to September 2015 were included in the testing sample. The testing and reconciliation of controlled forms was conducted in real time and quarterly inventory reports were assessed for the time period January 1, 2015 to March 31, 2016.
The audit did not include an assessment of Information Technology system controls, and applications returned to IRCC for reconsideration after the applicants had successfully appealed the officers’ refusal to the Immigration Appeal Division. These activities were excluded as they were deemed to be adequately controlled during the planning phase of the audit.
Methodology
The following audit procedures were performed:
- Interviews with functional authorities at IRCC Headquarters;
- Interviews with Centralized Network (CN) and CPC-O officials;
- Documentation reviews;
- File testing of 125 unique applications to assess processing compliance;
- Process walkthroughs, reviews of daily and quarterly reports and inventory counts of controlled forms; and
- Assessment of passport handling procedures.
The audit observations, conclusions and recommendations are based on the work performed.
Statement of Conformance
The audit is in conformance with the Internal Auditing Standards for the Government of Canada as supported by the results of the quality assurance and improvement program.
Audit findings and recommendations
Security – Records, Information and Physical Assets
Criteria. It was expected that controls were in place to ensure appropriate access to, and use of, controlled forms and the printing area workspace.
Conclusion. CPC-O officials have designed and established internal controls to manage controlled forms in accordance with departmental policies and guidance. An opportunity for improvement was identified for maintaining required security clearance levels for employees to strengthen controlled forms protection
Management and storage of controlled forms
Counterfoils and seals are controlled forms that are issued as a visa in a traveler’s passport or single journey travel document. CPC-O has controls in place over the management of controlled forms. A designated Forms Control Officer is accountable to the Director for the usage, storage and reporting on the use of the forms. Visa counterfoils are stored in the appropriate containers and procedures are in place for the handling and safeguarding of controlled forms.
The Forms Control Officer stores the controlled forms inventory in a secure office accessible by pass code in accordance with departmental guidance. All visas issued by CPC-O are recorded in the forms control log book. As part of the log book, the Officer must account for daily use of controlled forms – including spoiled and cancelled visas. On average, CPC-O officials issue approximately 28,000 printed counterfoils every three months from an inventory of approximately 38,530 blank counterfoils.
Access to controlled forms
Physical access to controlled forms
Controlled forms that are held in deep storage are retained in a high-security restricted access zone in approved dial safes as per the department’s Forms Management Program. Access to classified and protected information is limited to authorized individuals who have been security screened at the appropriate level and who have an expressed need for access. Moreover, access to the high-security zone should be limited to authorized individuals that have been security screened at the appropriate level and who have an expressed need for access in accordance with Appendix C of the Treasury Board Directive on Departmental Security Management. At the time of the audit, 23 CPC-O staff members had access to the high-security zone, 10 of whom did not have the required security clearance level. This situation is not in accordance with the provisions set out in section 7.3 of the Forms Management Program, which states that key controlled forms in deep storage are to be retained in a high security restricted access zone, in approved dial safes to which only the Forms Control Officer, the alternate Forms Control Officer, the security officer and the manager have access.
Recommendation 1: The Assistant Deputy Minister, Operations should review the deep storage area access requirements to ensure that only CPC-O employees with the required security clearance level and operational need have access to the controlled forms maintained in this area.
System access for controlled forms management and reporting
Access to the Controlled Key Forms Inventory Tracking System (CKFITS) is appropriate and limited to authorized individuals within CPC-O and monitoring of accounts is carried out by the Forms Control Officer. CKFITS is an information technology system that is used by officers to prepare quarterly inventory reports regarding the use of controlled forms for approval by local/regional authorities. Requests to obtain CKFITS user access accounts and to disable accounts for departed staff are managed using a spreadsheet and copies of email requests are kept on file. It is noted that CPC-O conducted a clean-up exercise in November 2015 to confirm and validate user access accounts.
Reporting and reconciliation of inventory
The Forms Control Officer completes an inventory count of controlled forms stock every three months for quarterly reporting purposes. The inventory count performed by the audit team found that the stock on hand balanced with the inventory as recorded in the tracking system.
As per departmental guidance, the Forms Control Officer should complete the quarterly inventory report, submit it to a manager for review and approval, and send it to the IRCC Forms Management Unit once approved. It was noted that the two quarterly inventory reports submitted for the last six months of fiscal year 2015-16 did not have the appropriate managerial sign-off. The information provided in the reports showed that they were prepared and approved by the Forms Control Officer. This was due to a systemic information technology system control design issue that is being addressed by National Headquarters CKFITS officials.
Program Integrity - Risk Management and Quality Assurance Practices
Criteria. It was expected that a Program Integrity function was in place and integrated into CPC-O operations to support risk management, program adherence and business analysis exercises.
Conclusion. A program integrity function is in place and integrated into CPC-O operations. A program integrity framework is established and supports risk management, program adherence and business analysis exercises. An opportunity for improvement was identified for monitoring the implementation of action plans developed in response to program integrity review recommendations.
Program adherence and business analysis
IRCC has a Program Integrity Framework that integrates risk management, quality assurance, and fraud deterrence and detection into day-to-day operations. The CN established a Program Integrity Framework in April 2012 that is intended to:
- Support risk-informed decisions in a fraud aware and quality managed environment;
- Maintain public confidence with an appropriate balance between client service and risk detection and mitigation;
- Integrate program integrity values throughout the Processing Centres; and
- Continuously improve risk management across all business lines.
In April 2015, CN senior management established an annual CN Strategic Program Adherence / Business Analysis Plan which listed approved exercises. Program Adherence (PA) exercises are undertaken to ensure that applicants and staff comply with established policies and procedures and that the CN is delivering accurate and timely products and services though systematic quality assurance, quality control and monitoring activities. Business Analysis (BA) exercises include obtaining information and data about program delivery, which allows for the identification of risk indicators to measure, assess and mitigate key risks.
Reports on PA and BA exercises are forwarded to program management to respond to recommendations. Once management has responded, the reports are considered final and are sent to the Program Integrity Branch (PIB) under the Assistant Deputy Minister, Operations for inclusion in IRCC’s Program Integrity Report Repository. CN managers are responsible for tracking responses to recommendations in order to ensure timely implementation of necessary actions.
The CPC-O has a dedicated Program Integrity Unit comprised of seven staff members – two of whom are permanent. The five other staff members are either term, casual or on a temporary assignment. Program Integrity resources are funded internally and as a result of the lack of dedicated funding, there is a risk that Program Integrity staff can be reassigned to the Operations unit during peak processing times. This decreases their availability to work on program integrity activities at certain points throughout the year.
CPC-O submitted seven PA / BA exercise proposals for consideration in the CN Annual plan approved in April 2015. Six of the proposed exercises were approved. At the time of the audit, only two of the planned six exercises had been conducted, mainly due to the operational pressures and the lack of dedicated resources in the CPC-O Program Integrity Unit.
An opportunity for improvement was identified related to monitoring the implementation of program integrity activity recommendations. It was noted that action plans to address recommendations were not formally tracked or monitored. Given the significance of program integrity within IRCC, it is important that CPC-O senior management ensure that recommendations are implemented – a key component of this is to track and monitor progress in addressing areas identified for improvement.
Recommendation 2: The Assistant Deputy Minister, Operations should develop and implement a process at CPC-O to monitor and report on the implementation of recommendations that result from program integrity activity exercises. This will support officer decision-making in a fraud aware and quality managed environment.
Anti-fraud and security activities
CPC-O Program Integrity Unit staff advise processing officers on anti-fraud and security screening activities. Additional roles include liaising with security screening partners during the application process and after the application decision. Program Integrity staff members provide training to the processing officers to ensure that they understand their roles and responsibilities related to security screening and admissibility requirements. Training is also provided to SOAT candidates as well as CPC-O staff.
There are specific documented procedures in place that define the Program Integrity Unit’s roles and responsibilities. These include standards for conducting targeted verifications, handling and sharing information, documenting findings and preparing notes. In addition, there are general procedural guidelines drafted which identify roles and responsibilities of the Unit, work objectives and performance indicators for staff. The guidelines also provide detailed step-by-step procedures for security screening and information on non-compliance flags, screening administration, random verifications, tip letters and targeted verifications. The performance indicators have been built in to individual Performance Management Agreements. In 2015, Program Integrity Unit staff conducted targeted verifications and screening support activities (see Table 1).
| Permanent Resident | Temporary Resident | Total | |
|---|---|---|---|
Security (# of clients) |
1,666 | 2,064 | 3,730 |
Verifications (# of applications) |
392 | 104 | 496 |
Anti-fraud activity results are entered into Global Case Management System (GCMS) as information alerts. The GCMS is the system that program officers use to process immigration applications. The data entry is performed by Case Management Branch employees, PIB employees and Canada Border Services Agency (CBSA) officers. As such, at the start of a program officer’s review of an immigration application, an internal system control in GCMS provides a prompt to Program Integrity staff members when an application containing an information alert is being assigned to a CPC-O officer for processing. This is a program integrity control that is built into the GCMS that supports officer decision-making.
When processing applications, it is an officer’s responsibility to request a security screening for an applicant for permanent or temporary residence from one or all of IRCC’s security partners; including the CBSA, the Canadian Security Intelligence Service and for the Royal Canadian Mounted Police. The Program Integrity Unit provides operational support to the officer for these types of requests. The security screening result is an important element for visa officers to consider when making a final determination of an applicant’s admissibility into Canada.
Anti-fraud activities are aimed at detecting potential external fraudulent information / documents presented in applications. Some examples of anti-fraud activities include conducting verifications of employment documentation, marriage documentation and suspect immigration consultant representatives. Program Integrity staff use a variety of tools to detect potential external fraud.
Risk management activities
CPC-O risk management activities are established in the CN Program Integrity Framework. Two of the objectives are to:
- Articulate the activities and outcomes necessary to integrate risk management into day-to-day operations in a systematic and consistent manner; and
- Establish a process to identify, introduce and renew risk indicators based on the results of PA and BA targeted exercises.
The foundation for risk management at CPC-O has been established with several fundamental elements and processes in place for managing program delivery risks. CPC-O officials have regular risk-related discussions with the Canadian visa officers in Beijing, China. In addition, CPC-O officials are regularly deployed on temporary duty assignment to Beijing to better understand the local operating environment, trends and areas of concern that could impact application processing.
CPC-O has conducted several Quality Assurance (QA) and BA verification activities which have identified risk areas and led to the development of strategies to detect and prevent fraud. This information is shared with Canadian visa officers across the global visa processing network.
Legal and Compliance - Application Processing
Criteria. It was expected that immigration applications are processed in compliance with legislation, program instructions and departmental authorities.
Conclusion. Immigration applications are processed in compliance with legislation and program instructions. Attention is required to ensure that the CPC-O has the appropriate delegated authorities to make decisions and that SOAT candidates have been delegated the required legal authority for application decision-making under the departmental delegated authorities.
Application processing compliance
As the largest visa office in the global visa processing network, CPC-O processes temporary resident and permanent resident visa applications in accordance with IRPA and has standard operational procedures in place to support application processing and officer decision-making.
To evaluate the level of compliance with program instructions and departmental authorities, a sample of immigration applications was tested focusing on the final decisions made by CPC-O officials between January 1, 2015 and September 30, 2015. During this period 141,117 final decisions were made by CPC-O (see Table 2).
Table 2 – Final decisions made by CPC-O officials between January and September 2015
Text version: Table 2 – Final decisions made by CPC-O officials between January and September 2015
| Type | Class/Category | % | Count of Application Number |
|---|---|---|---|
| 109,212 Temporary residents applications | |||
| Temporary resident | Visitors | 68.48 | 96,632 |
| Temporary resident | Students | 6.53 | 9,216 |
| Temporary resident | Temporary Foreign Workers | 1.99 | 2,810 |
| Temporary resident | Visitor Record | 0.39 | 554 |
| 31,834 Permanent resident applications including 10,469 Canadian Experience Class applications | |||
| Permanent resident | Economic | 19.31 | 27,251 |
| Permanent resident | Family | 3.25 | 4,582 |
| Permanent resident | Refugee | 0.00 | 1 |
| 71 Other types of applications | |||
| Other | Other | 0.05 | 71 |
Source: Data extracted by OPMB from the Global Case Management System
A sample of 125 unique applications were selected for testing as per Table 3. For the 125 applications, the audit team reviewed a total of 149 decision points that included security, criminality and authority to make a final decision.
| Application Category | Unique Applications | Decision Points |
|---|---|---|
| Temporary Residents & Permanent Residents | 45 | 65 |
| Permanent Resident Canadian Experience Class | 45 | 45 |
| Permanent Resident Excluding Canadian Experience Class | 31 | 31 |
| Specials (Rehabilitations and Authorizations to Return to Canada) | 4 | 8 |
| Totals | 125 | 149 |
In addition, 456 Program Instructions requirements were tested which resulted in an officer compliance rate of 99 percent. Program Instruction requirements relate to IRCC guidance for key processing elements such as accurate biographic data entered into GCMS and printed on documents, documentation of decisions, medical assessments, and specific eligibility requirements for special application categories. The majority of files within the sample were processed in accordance with legislative requirements and departmental guidance.
Delegated authorities over decision-making
IRCC has an Instrument of Designation and Delegation that was last approved in January 2015. This instrument provides written designation of officers and delegated authority to departmental employees in order to exercise the provisions of IRPA, the Immigration and Refugee Protection Regulations and Ministerial Instructions.
Under the current Instrument of Designation and Delegation, CPC-O derives its authorities from Annex B, which does not include the full authorities delegated to organizations and positions listed in the main document. Incorporating CPC-O into the main section of the Instrument would better align CPC-O with the current business model and all visa offices in the global visa processing network. It would also address inconsistencies between the delegations outlined in Annex B and the main instrument.
A sample of applications were tested for compliance with the delegation instrument to ensure that final decisions were made by individuals with the proper delegated authority. It was noted that SOAT officers at CPC-O were making final decisions as part of this program. The current, approved delegation instrument delegates and designates authorities based on position title. As such, since SOAT candidates retain their substantive position within the organization for pay purposes, there is no indication that these candidates have been delegated the proper legal authority to make final decisions on immigration applications. That said, consistent with broader quality assurance practices concerning new and existing employees taking on new responsibilities, CPC-O senior management ensures that all SOAT participants’ decisions are reviewed for quality assurance by experienced visa officers. This provides a level of assurance that appropriate decisions are being made. However, this does not address the potential that SOAT candidates may not have the delegated authority to make final decisions on applications under the current instrument.
Recommendation 3: IRCC should review the Instrument of Designation and Delegation to ensure that the CPC-O has the appropriate delegated authorities to perform its role, and that SOAT participants have the designated and delegated authority to make decisions when processing applications.
GCMS access and use
As stated earlier, GCMS is the system that officers use to process immigration applications. In July 2015, CPC-O conducted a review of all GCMS user accounts to verify that responsibilities were assigned appropriately and consistently in GCMS with respect to IRCC’s delegated authorities and staff duties, and that risks related to user access were appropriately identified and controlled. At that time, there were 933 primary and secondary GCMS user accounts.
As a result of this review CPC-O made adjustments, such as assigning a program manager to ensure that GCMS user accounts were consistent with staff duties, that dormant accounts were deactivated, and primary and secondary accounts were re-set to comply with operational requirements. In addition, CPC-O officers monitor GCMS user accounts to align the current staff compliment with active user accounts in the system.
Conclusion
The selected elements of the CPC-O management control framework were properly designed and generally working as intended to support operations. Program officials managed the controlled forms in accordance with departmental policies and guidance. A program integrity function is integrated into operations and supports risk management, program adherence and business analysis exercises. Immigration applications are processed in compliance with legislation and program instructions.
There were three opportunities for improvement identified. These included: strengthening controlled forms protection; monitoring the implementation of action plans developed in response to program integrity activity review recommendations, and ensuring delegated authorities are appropriately documented.
Management has accepted the audit findings and developed an action plan to address the recommendations.
Appendix A – management response and action plan
Recommendation 1
The Assistant Deputy Minister, Operations should review the deep storage area access requirements to ensure that only CPC-O employees with the required security clearance level and operational need have access to the controlled forms maintained in this area.
Management Response
Management agrees with this recommendation.
CPC-O is in the process of moving to its permanent location at 70 Crémazie in February 2017. The design of the floorplan and access to the print room have already been taken into consideration when refitting the office space for CPC-O needs and construction is already underway.
Following the move in 2017, access to the print room will be restricted to printer-operators only. The deep storage safe will be located in the print room area and will be accessible by employees with operational needs only.
OPI: ADM-Operations
Due Date: February 28, 2017
Recommendation 2
The Assistant Deputy Minister, Operations should develop and implement a process at CPC-O to monitor and report on the implementation of recommendations that result from program integrity activity exercises. This will support officer decision-making in a fraud aware and quality managed environment.
Management Response
CPC-O’s Risk Assessment Unit will assemble a road map that tracks program integrity exercises from launch to the implementation of corrective measures.
The following actions will be taken:
- 2.1 CPC-O will develop advanced queries (Oracle/Siebel Answers) to track individual program integrity exercises (i.e. verifications) and monitor if the exercise had a meaningful impact on the final decision.
- 2.1.1 GCMS queries and reports will be developed and tested
OPI: ADM-Operations
Due Date: March 31, 2017
- 2.1.2 The impacts of the verification on the final decision will be analyzed
OPI: ADM-Operations
Due Date: June 30, 2017
- 2.1.3 The results of the analysis will orient CPC-O program integrity efforts on areas where they will have the most impact
OPI: ADM-Operations
Due Date: August 31, 2017
- 2.2 CPC-O will develop a road map to track larger scale program integrity exercises, from launch to implementations of recommendations
OPI: ADM-Operations
Due Date: March 31, 2017
Recommendation 3
IRCC should review the Instrument of Designation and Delegation to ensure that the CPC-O has the appropriate delegated authorities to perform its role, and that SOAT participants have the designated and delegated authority to make decisions when processing applications.
Management Response
Management agrees with this recommendation.
CPC-O will prepare contributions related to updating the Instrument of Designation and Delegation (IDD) in preparation for the next review of the IDD.
CPC-O will review current work descriptions and responsibilities of decision makers on both TR and PR lines of business as well as considerations related to future growth and centralization of work in Canada. CPC-O will also review responsibilities of the current SOAT trainees to inform the IDD review.
At this time, there is no scheduled review of the IDD which is led by Regulatory Affairs.
OPI: ADM-Operations
Due Date: March 31, 2017
Page details
- Date modified: