Income Tax Audit Manual
Compliance Programs Branch (CPB)
This chapter was last updated October 2019.
Hyperlinks to external or unaffiliated websites are for information purposes only. The Canada Revenue Agency (CRA) is not responsible for the content or practices of such websites. While efforts are made to make sure that hyperlinks are current and up-to-date, it is not guaranteed.
Chapter 4.0 Auditor's standard of conduct, authorities, and responsibilities
Table of Contents
- 4.1.0 Introduction
- 4.2.0 Auditor's standard of conduct
- 4.3.0 Rights and obligations
- 4.4.0 Auditing CRA employee-owned businesses
- 4.5.0 Legal authority to conduct audits
- 4.6.0 Auditing under unusual circumstances
- 4.7.0 Security of information and assets
- 4.7.1 CRA security policy
- 4.7.2 CRA operational manuals
- 4.7.3 Security of information and other assets
- 4.7.4 Security and use of property and information
- 4.7.5 CRA computer information systems
- 4.7.6 Transmittal of sensitive information
- 4.7.7 Storing information
- 4.7.8 Transportation of sensitive documents outside the office
- 4.7.9 Destroying sensitive documents and property
- 4.8.0 Laptop use, care, and security
- 4.9.0 Use of personal digital assistants/Palm Pilots within the CRA
As an employee of the CRA, the auditor's employer is the federal government. The Treasury Board represents the employer.
All employees of the federal government are expected to fulfil their duties in an efficient and effective manner.
Auditors are usually members of a team in a specific section or division with specific goals and objectives. The team's goals and objectives form an integral part of the CRA's mission to promote compliance with Canada's tax laws through communication, quality service, and responsible enforcement.
4.2.0 Auditor's standard of conduct
All employees of the CRA are governed by the Code of Integrity and Professional Conduct (The Code).
The Code is a comprehensive document setting out the standards of conduct expected from all employees. Every employee must read the Code to ensure they understand and fully appreciate the ethical issues and corporate values relating to the work of the CRA.
The Code provides a one-source reference for various documents that set out the CRA policy and procedures to provide employees with guidance on dealing with difficult situations or ethical issues.
For more information, go to Code of Integrity and Professional Conduct (We Manage and Protect Public Funds).
For more information, go to Terms and conditions of employment for public service employees.
The Canadian Human Rights Act protects the privacy of all Canadians with respect to personal information about themselves held by a government institution. That right is extended to the place of work through the federal government's policy on security. The Privacy Act provides the employee protection by limiting the extent that any organization, including the CRA, can go to when investigating employees or prospective employees.
The Canadian Constitution states that English and French are the official languages of Canada and have equal status, rights and privileges.
The main objectives of the Official Languages Act and its policies are to ensure that:
- the public can obtain services from and communicate with the Government of Canada in both official languages
- public servants can generally work in the official language of their choice
- there is full participation for both French-speaking and English-speaking Canadians
For more information, go to Official Languages.
The CRA is committed to achieve equality in the workplace and to remove employment barriers for members of the designated employment equity groups including Aboriginal peoples, visible minorities, persons with disabilities, and women. The CRA is committed to the key principles of employment equity by striving to have:
- a workforce that reflects Canada's diverse population
- equal opportunities for advancement based on employees' competencies and knowledge
Through active leadership and a supportive environment, the CRA has made employment equity an essential part of the human resources practices and the way that business is conducted.
Candidates are given the opportunity to voluntarily self-identify as a member of a designated employment equity group. The CRA Employment Equity Officer retains a confidential record of this self-identification.
For more information, go to Employment equity.
4.3.4 Safety and health
A number of policies, standards, regulations, and guidelines concerning employee safety and health have been developed to ensure protection from exposure to occupational hazards and environmental conditions and factors.
For more information, go to Occupational Health and Safety.
The CRA is committed to providing a healthy, safe and violence-free workplace, which respects the requirements outlined in the Canada Labour Code (CLC), Part II, and Canada Occupational Health and Safety Regulations (COHSR) – Part XX – Violence Prevention in the Work Place.
The Procedures in response to workplace violence set out the responsibilities for all CRA employees for preventing workplace violence. They also outline the process for handling an actual or potential incident of workplace violence.
4.3.5 Suicide calls
The increased concern over telephone calls from taxpayers that are allegedly contemplating or threatening to commit suicide is a sensitive issue with legal and emotional implications for taxpayers, employees, and the organization.
For more information, go to Suicide Calls Guidelines.
4.3.6 Administrative responsibilities
For internal forms used for administrative purposes, go to Forms and publications.
Weekly activity reports are used by Audit Divisions to track the units of production, time per unit, and time spent on other activities.
For more information, go to Time and Activity Recording (TAR) Policy and Recording Instructions.
Employees may be required to travel on government business. The specific duties of the position determine the extent, nature, and frequency of travel.
For more information, go to Travel Policy.
Supplementary Business Insurance
Employees that use their personal vehicle for government business may find it necessary to increase insurance coverage to include business use (Supplementary Business Insurance or SBI). The need for additional coverage should be discussed with an insurance agent. If an additional cost is incurred, the employee is entitled to reimbursement.
Automobile insurance varies in each province or territory. As a result, the TSOs may use different methods for reimbursing the employee's SBI claim. Contact the TSO's Finance and Administration unit to determine the specific requirements.
For more information, go to Vehicle Insurance.
4.4.0 Auditing CRA employee-owned businesses
Auditors may be assigned a file where one of the owners is another employee. The following questions require addressing:
- How should this situation be dealt with?
- Is there a potential conflict of interest?
- What existing CRA policies govern the scenario if an audit is to be carried out within a particular office and one of the employees is either related to, an acquaintance of, or the proprietor of the business that is to be audited?
Auditors should ensure that they do not allow themselves to be placed in situations of real or perceived conflict of interest in accordance with the conflict of interest guidelines in the Code of Integrity and Professional Conduct.
Providing that the employee whose business is being audited has complied with all of the CRA's conflict of interest policies, these guidelines apply:
- Treatment of the file should be identical to any other audit case, with standard operating procedures being used (that is, confidentiality, need to know basis, and the process which is followed).
- The employee (who is the owner) must not be assigned the case.
- The person who is assigned the file is expected to follow the same policies and principles as found in the Code of Integrity and Professional Conduct - Preventing Conflicts of Interest section.
If it is not possible to avoid a real, potential, or perceived conflict of interest by assigning the audit within the TSO, the file should be referred to another TSO.
There may be other situations where an actual conflict of interest does not exist, but the employee assigned a file requests that the file be reassigned because it might be difficult to remain objective and impartial. For example, the employee knows the owner, the employee knows an employee personally, or the taxpayer is a former employer of the employee.
4.5.0 Legal authority to conduct audits
4.5.1 Authorization card
Subsection 231.1(1) of the Income Tax Act (ITA) and subsection 288(1) of the Excise Tax Act (ETA) provide the legal authority for authorized employees to conduct audits.
Auditors are provided an RC121A authorization card that outlines that the person named on the card is authorized to carry out these functions under the relevant provisions of the ITA and the ETA:
- enter a place of business
- enter a personal residence, if required, with the occupant's consent
- require persons on the premises to give assistance and to answer questions
- require a person to accompany them if legally provided
- examine and copy documents
- examine property
Entering a personal dwelling without the occupant's permission is expressly forbidden under the legislation unless a judge has issued a warrant that authorizes entering the dwelling.
The legal name as shown on the authorized person's birth certificate or other official document (certificate of name change, marriage certificate, certificate of Canadian citizenship) should be shown on the RC121A authorization card. A new authorization card must be issued when a person legally changes their name.
The RC121A authorization card must not be used as a personal identification card or for any purposes for which it is not intended. It must be kept separate from the employee's building identification and should never leave the employee's possession. Any requests to photocopy it must be denied for security reasons but taxpayers may copy the wording by hand.
A lost or stolen card must be reported immediately as a security incident and a security incident report must be completed.
For more information, go to Security Incident Reporting and Management Directive.
For information, go to Identification Cards and Building Passes Policy.
4.6.0 Auditing under unusual circumstances
The information that follows is from Audit Communiqué AD-01-02, Conducting Enforcement Actions under Unusual Circumstances, issued by the Compliance Programs Branch July 12, 2001. The Communiqué provides Audit employees with updated guidelines that apply when conducting enforcement actions under unusual circumstances, including those situations that may arise as a result of various de-tax activities.
For more information, go to Abuse, Threats, Stalking and Assaults against Employees Policy.
In recent years, there has been an increase in de-tax activities from individuals or groups of individuals. These people encourage others to join in anti-tax movements through seminars and information sessions. Some de-tax organizers even act as representatives for taxpayers in dealing with the CRA on tax matters.
The common de-tax strategies being used by taxpayers that are being encountered by CRA officials are:
- video or audio taping audits/interviews off CRA premises or within the taxpayers' places of business/premises
- requiring CRA officials to fill out questionnaires before allowing access to their books and records and/or premises
- refusing to file returns, when required or filing returns filled with N/A (not applicable)
- using various technicalities to delay or postpone enforcement actions, for example, question constitutionality of federal taxes, making excessive requests for disclosure of information, and other harassment tactics
- putting liens on personal properties of some employees; and
- distributing derogatory, defamatory, and threatening statements against CRA employees through the Internet and flyers
4.6.3 Manager's responsibilities
If an assignment involves unusual or potentially volatile circumstances, the first priority for a manager is to take any required action to protect the employee and to prevent injury. The manager must also ensure that enforcement actions are not postponed or delayed indefinitely. To do this, the manager should:
- ensure that appropriate precautionary measures and procedures are in place, such as requiring employees to provide precise itineraries, implementing a "buddy" system and providing these employees with cellular phones for the duration of the assignment
- re-schedule any off-site meeting to be held instead on CRA premises or other neutral location and/or attend the meeting with the employee or assign a "buddy" to be present at the meeting
- if appropriate, issue a requirement for documents or information that would require that the records be made available at the CRA office
- discuss volatile situations with Justice officials and the security administrator to determine what alternative measures may be taken
- request police involvement or protection when volatile situations are expected; and
- notify the director and the security administrator as soon as possible after an employee reports an incident
4.6.4 Helpful reminders to employees
In any dangerous situation the employee's safety must be the first priority. Wherever permissible under the law or associated responsibilities, employees should remove themselves from any threatening situation. Employees must protect themselves at all times ensuring their own safety and that of their families, together with the safety of their fellow employees and the taxpayer. To assist in effectively implementing these guidelines, Audit employees should:
- adhere to established CRA work procedures, preventative measures, guidelines (such as the ones contained in the Finance and Administration Manual, Security Volume), and reporting requirements;
- request guidance and assistance from managers, if required to call on and confront difficult individuals; and
- use best judgment to identify threats or prevent threats from happening when conducting audits and related tasks for income tax purposes.
Reporting known or suspected advocates of violence, intimidation, or abuse of government employees
Employees in various functional and operational areas of the CRA are involved in identifying individuals or groups of individuals who advocate/promote violence, intimidation or abuse of government employees and non-compliance with tax legislation. These employees monitor various public information sources, such as media publications, Internet postings, and court cases. The public information gathered is shared with all offices and other government (provincial and federal) agencies, if appropriate.
Employees who encounter or come across publicly available information on known or suspected advocates of violence, intimidation, or abuse of government employees and non-compliance with tax legislation, in the course of performing their authorized duties, should report their findings to their manager. The report should include relevant details on the persons or groups and the activities being advocated or promoted. In all cases, the manager will share the findings with other operational areas in the TSO. If the case has possible regional or national implications, the manager will notify other offices in the Region and Headquarters accordingly.
Employees are not to investigate persons or groups involved in these activities and they are not authorized to access confidential taxpayer information solely for this purpose. Employees are reminded that unauthorized access to taxpayer information is an offence, and that employees who attempt unauthorized access to taxpayer information for any reason are subject to disciplinary measures that could include dismissal.
Assignment with potential for an incident involving threat or violence
Employees should adhere to the following precautionary measures if it is suspected that an assignment may be potentially volatile. These measures could minimize the employee's exposure to possible harm or injury:
- A precise itinerary should be left in the office indicating the name of the contact, telephone number, exact address of the taxpayer, and the times when the employee is supposed to be at the taxpayer's premises.
- Request the presence of the manager or a "buddy" during the meeting with a taxpayer who is known or suspected to be hostile towards the CRA.
- Schedule meetings with other employees, on the same field trip, at specified times and places.
- Contact the office at specified times. Failure to make a scheduled contact would alert the office of imminent trouble and enable them to take appropriate action.
- Vacate taxpayer's premises and/or contact the office as soon as a problem becomes imminent.
Request for video or audio taping off CRA premises
The CRA has no legal authority to prevent a taxpayer from video or audio taping an interview, audit, or examination at their own premises. When a meeting with a taxpayer takes place off CRA premises, employees must not consent to being video taped or recorded. If that is the case, the meeting must be terminated immediately and the taxpayer informed that management will be in contact to discuss the issue and make other arrangements.
Reviewing records at a taxpayer's residence
Reviewing books and records at a taxpayer's residence could leave Audit employees vulnerable to accusations of wrongdoings by the taxpayer. This is because the employee may be left alone with the books and records most of the time, and also has access to the taxpayer's household belongings or properties.
To minimize being placed in a compromising situation, the employee should consider:
- borrowing the books and records and doing the review in the office or a hotel room, with the taxpayer's consent. Some taxpayers may consider borrowing books and records as a form of seizure by the CRA, which is why this is only an option
- avoiding after-hour appointments for conducting the review, if possible
- requesting the presence of a "buddy" and/or the taxpayer or representative at all times, if the review has to be conducted at the taxpayer's place of residence
Offensive or threatening interviews
If the taxpayer's or authorized representative's language or behaviour becomes offensive or intimidating and the business purpose of the meeting cannot reasonably be achieved, the employee should:
- calmly suspend or terminate the interview
- consult the manager to decide on appropriate measures that should be taken
- prepare a written report of the incident, detailing all relevant facts
Lien on personal property
If it is determined that a tax protestor has registered a lien on an employee's personal property, the incident should be reported to the manager immediately. The manager will request local Justice officials to take the necessary action to facilitate removal or de-registration of the improper lien. The incident should be reported to Headquarters, including the Security Directorate.
When the potential for assault exists and the employee's safety appears to be at risk, the employee should:
- not restrain or agitate the taxpayer or representative
- vacate the premises immediately
- use best judgment on how to secure personal safety and protection if unable to leave, such as calling for help using a cellular telephone or attracting attention of other people nearby
- call the police as soon as possible, if assaulted, follow their instructions, obtain a medical examination from a qualified physician, and alert the manager as soon as possible
- prepare a written report of the incident, detailing all relevant facts
Demands for personal and other irrelevant information
Employees are required to present their CRA authorization cards and to explain to a taxpayer the reason for, the nature of, and legal authority for the enforcement action. However, they are not obligated to, and for personal security, should never provide any personal information such as a home telephone number or address, or produce personal documents like a driver's license.
If the taxpayer continues to demand other irrelevant information from employees and hinders them from performing their duties, the meeting should be terminated. The incident must be reported to the manager.
Taxpayers may ask employees to fill out questionnaires or forms before allowing them access to the records and premises.
Employees should not, under any circumstances, complete questionnaires, forms, or other non-CRA documents. Managers must be informed that the taxpayer made such a request.
Some taxpayers are concerned that confidential information may be divulged inappropriately and have requested that the auditor sign a non-disclosure agreement before allowing access to the records and premises.
It is recommended that auditors should not sign a non-disclosure agreement. Instead, the taxpayer should be informed that the Access to Information Act and the Privacy Act strictly control how the government collects, uses, stores, discloses, and disposes of any personal information. The auditor should also inform the taxpayer that the ITA includes strict confidentiality provisions. Finally, they should inform the taxpayer that all federal public servants, including auditors, have taken the Oath of Office and Secrecy and swore or affirmed that they would not disclose any information they may become aware in the course of the exercise of their duties.
A refusal by the taxpayer to allow an auditor to conduct an audit because they have refused to sign a form should be dealt with under the usual enforcement measures.
For more information, go to 10.2.2, Authority to examine books and records.
Demands for information under section 337 of the Criminal Code
Some taxpayers may submit demands for information, based on this quote from the Criminal Code:
Section 337 – Public servant refusing to deliver property:
"Every one who, being or having been employed in the service of Her Majesty in the right of Canada or a province, or in the service of a municipality, and entrusted by virtue of that employment with the receipt, custody, management or control of anything, refuses or fails to deliver it to a person who is authorized to demand it and does demand it, is guilty of an indictable offence and liable to imprisonment for a term not exceeding fourteen years."
Some examples of the information being demanded under this section are:
- completed original of the "Public Servant Questionnaire"
- true and certified copies of the preambles for the Canada Pension Plan, Income Tax Act of all provinces and territories, Petroleum and Gas Revenue Tax Act, Employment Insurance Act and Excise Tax Act
- true and certified copies of employee identification, employee's oath, record of employment with CRA, and official authorization documentation which evidences employee's capacity to act on behalf of the minister
- the exact and particular sections of the ITA which explicitly and precisely identify the forms on which to file within such reasonable time as may be stipulated in a demand or requirement from the minister
- true, lawful, and certified copy of the specific definition of dollar and general definition of money
These taxpayers should be advised that the CRA is under no obligation to respond to such demands.
Post-incident help, employee compensation, and benefits
The CRA offers support to employees and their family members who have been the target of abuse, threats, stalking, and/or assaults as a result of the performance of their duties. This support is available in many forms, including counseling through the Employee Assistance Program (EAP). Local Human Resources advisors should be contacted, through the managers, for details on the support available and for procedures to be followed in order to obtain it.
For more information on the Guidelines for Managers, go to:
- Compensation and benefits for employees for injury
- For damages to personal property
- Legal services and compensation for lawsuits, civil claims, and charges against employees
For more guidance and explanation of the expected behaviour in the above and other unusual situations, the auditor should consult these guidelines and documents:
- Security Incident Reporting and Management Directive
- Abuse, Threats, Stalking, and Assaults against Employees Policy
- Tax protestor information guide - Tax programs
4.7.0 Security of information and assets
Information and property must be protected from improper use, theft, and deliberate damage. All reasonable precautions must be taken to prevent accidental damage. Sensitive information and material requires that employees take extra measures to protect these assets.
The CRA security policy is intended to maintain a level of security sufficient to protect information, employees, and property and to ensure taxpayers that the information submitted to the CRA is kept strictly confidential.
For more information, see Finance and Administration Manual, Security Volume.
Employees have access to the CRA operating manuals as part of their work-related duties. Certain sections of these manuals may contain confidential information that is protected under the Access to Information Act. Care must be exercised before releasing any part of the CRA's operational manuals to the public.
Employees must ensure that persons who are not authorized and who may attempt to obtain classified or designated information are not given the opportunity to do so. The following categories apply:
- Classified Information and Assets – Sensitive information and assets that are important to the national interest (security of the nation) including “Top Secret,” “Secret,” and “Confidential.” Classified assets include encryption codes and certain encryption devices.
- Designated "Protected" Information and Assets – Information that lies outside the national interest, but is nevertheless sensitive (for example, taxpayer information and personal data).
- Assets of value include computers, printers, fax machines, and furniture. There is a particularly sensitive sub-category that includes "Protected" information of a very sensitive nature such as investigations into violations of the law or scientific material submitted to the CRA.
Classified and designated "Protected" information and assets and containers in which they are stored must be located in areas where access is controlled in accordance with the highest level of sensitivity of the material.
Classified and designated information and assets must be safeguarded when removed from, stored, and used outside the workplace or stored in accordance with the requirements of the following CRA security policies outlined in the Finance and Administration Manual, Security Volume:
- Storage of Protected and Classified Information and Assets Standards
- Transmittal and Transport of Protected and Classified Information and Assets Standards
- Disposal of Protected and Classified Information and Assets Standards
- Information and Systems Protection Standards
- 6. Personal electronic devices
- 7. Portable data storage devices (CDs, DVDs, USB memory sticks, hard drives, etc.)
- 8. Use of equipment outside CRA premises
If classified and designated information is to be processed, stored, and transmitted on the CRA computer systems located either on CRA premises or outside of the workplace, employees are to apply security safeguards as outlined in the Finance and Administration Manual, Security Volume:
- Information and Systems Protection Standrads
- 5. Protection of CRA information and systems
- 8. Use of equipment outside CRA premises
- Information and Systems Security Directive, 6.3 Internet access
For more information, see Security Volume of the Finance and Administration Manual.
Also consider Human Resources' Policy on Workplace Management, Appendix A - Virtual Work Arrangements. For more information, go to Telework.
CRA offices are frequently located in large complexes where members of the general public have access to the buildings. Employees are responsible for the proper care, handling, and safeguarding of furniture, equipment, and other property in their possession. The assets must be returned when changing work locations or employment is terminated.
Periodic checks are made to ensure that assets assigned to the employee are still in their possession. In addition, standards such as the following should be used as a guide:
- Expensive and attractive items such as computers, calculators, tape recorders, and cameras, must be securely stored when not in use.
- Private property, such as purses, wallets, cash, and items of sentimental value should be kept in a safe place at all times. Purses and wallets should never be left unattended.
- All losses and thefts should be reported to the Security Office to facilitate possible identification of the person responsible and the return of recovered items.
- Persons that are unfamiliar and may not be authorized should be challenged to produce identification and state the reason for their presence. If necessary, the Security Office should be advised immediately.
Taking an interest in security is most important for the protection of public and personal property as well as for the safety of all employees of the CRA.
For more information, see Code of Integrity and Professional Conduct, We Protect Our Assets and Property, and for taxpayer property held by the CRA, see We Protect Information.
Use of Crown property
Unless proper authorization is received, employees may not use equipment, material (including identification), vehicles, or facilities owned or leased by the Crown for other than official purposes.
For more information, see Code of Integrity and Professional Conduct, We Protect Our Assets and Property, and for taxpayer property held by the CRA, see We Protect Information.
Under section 72 of the Canada Revenue Agency Act, section 12 of the Copyright Act, and section 3 of the Public Servants Inventions Act, anything employees have created, designed, developed, or produced while doing their job becomes the property of the CRA. This includes software, computer devices, work methods, forms, and evaluation systems. To market or sell these items is breaking the law and the employee could face legal action.
When leaving the CRA, employees cannot take any documents or communicate unpublished information that was obtained while an employee of the CRA.
Security of information
Information received from taxpayers or other sources as well as information issued by the CRA must be protected by appropriate security measures for the following reasons:
- The nature of the information is such that any unauthorized disclosure could affect national security and must be protected in keeping with the Security of Information Act and the security policies of the Government of Canada. The information will be clearly identified as "Top secret," "Secret," or "Confidential" and is available only to employees who have the appropriate security clearance.
- Most of the information handled by the CRA does not concern national security but still requires a certain amount of protection. This type of information is identified as "Protected" and employees are provided access to it on a need to know basis. Procedures have been developed to handle access, transmission, removal, storage, and destruction or disposal.
The general public often assumes that CRA employees have access to all CRA information. Even though this is not the case, employees must arrange their private affairs in such a way as to avoid the perception and all suspicion that they have benefited from access to any information of a confidential nature.
Employees are not permitted to access taxpayer information unless their work requires. Confidential information cannot be used for the purpose of personal gain or financial benefit of the employee, the employee's relatives, or any other person.
For related information, go to 3.0, Taxpayer rights and taxpayer relief.
The CRA operates one of the nation's largest private telecommunications networks. The network is used to conduct business with taxpayers using systems such as CANPASS or NETFILE, to communicate with each other using email systems, to communicate with other departments, and increasingly, to connect with other Internet-based contacts.
The CRA computer systems and electronic networks are valuable tools for obtaining, storing, and distributing information. The primary systems, databases, and networks such as mainframe applications are corporate resources provided for CRA business purposes only.
Limited personal use is permitted on secondary systems such as email, Office Suite, or the Internet. Personal use must have no negative impact on the performance of the employee or other employees and must comply with these CRA policies and guidelines:
- Code of Integrity and Professional Conduct
- Policy on Workplace Management
- Directive on conflict of interest, gifts and hospitality, and post-employment
- Leaving the CRA
Authorized employees are granted access privileges with respect to the CRA computer systems and resources that are required to perform their duties. All employees have had a reliability check or security clearance and have completed Form TF469 for access to the CRA's electronic networks.
Employees can quickly access a large quantity of information from any computer terminal and must ensure that the system is locked when not in use or end the current session (Log off) when it is necessary to leave the workstation.
The computer systems are protected by security systems; access is controlled by authorized personnel and monitored. A control list is maintained and revised as needed by the CRA. Passwords are particularly important, must be remembered, and should never be recorded.
The CRA’s policy is to guarantee the confidentiality and integrity of the information that is transmitted that concerns taxpayers as well as any other information of a delicate nature.
For more information, go to Communications Security (COMSEC) Policy.
Information networks that are not adequately protected and all electronic communications are subject to unauthorized access (pirating), interception, and rerouting. The consequences of such actions include service interruptions, financial losses resulting from the theft of telecommunication services, and the unauthorized disclosure of information.
For more information, go to Monitoring of the Electronic Networks’ Usage Policy.
Telephones, wireless headsets, or other equipment (Personal cellular communication services or PCCS) that use unprotected radio-electric frequencies are subject to risk. These signals can be easily intercepted. The users of these communication systems must assume that a third party may be listening to the conversation and take these precautions:
- Designated and classified information must never be transmitted over unprotected cell phones or PCCS systems or by any other type of equipment using unprotected radio‑electric waves. The party receiving the call must provide satisfactory identification before any sensitive information can be disclosed.
- Cell and PCCS telephones are attractive items that must be kept in a safe place. When left in a vehicle, the telephone should be placed in the trunk or out of view and the doors should be locked. Anti-theft devises should be used when available.
“Protected” information can be communicated by ordinary telephone only to authorized employees, that is, those who have a specific and legitimate need to know or to a taxpayer if the information concerns that taxpayer. Taxpayers must be informed of the possible risks, such as eavesdropping or the interception of calls and must accept these risks.
The CRA’s cell phones must:
- be used only for CRA purposes
- have access only to mobile voice messaging systems and not the office system
- be used only to share information that is not sensitive; and
- be stored in a safe manner when not in use
The CRA uses both the public fax network and a secret fax protected network. The public network is used to receive information from taxpayers. It can also be used to send non‑confidential documents to a taxpayer or confidential documents of specific concern to the taxpayer if the taxpayer provides adequate proof of their identity in keeping with current Customer Service standards and if the taxpayer specifically requests a response by fax.
The secret fax protected network must be used for transmitting all protected documents as well as those of a particularly sensitive nature to the CRA as well as to other federal government departments that use the protected network.
Transmittal of sensitive information by regular mail
Classified and designated “Protected” information and assets must be adequately safeguarded when sent by mail. Classified and designated "protected" information and assets must be packaged and sent in accordance with procedures approved by the Security Directorate.
All classified and designated "Protected" information and assets should be sent through a CRA mailroom that have established and approved procedures for transmittal of mail both within and outside the CRA. It is the responsibility of the sender to ensure information and assets are properly packaged before sending them to the mailroom or mailing them directly. The following procedures should be followed at all times:
- Designated "Protected" Information: For internal mailing, place in a reusable (economy) envelope. For mailing outside the CRA, use a single gum-sealed envelope. No security marking is required.
- Designated "Protected" Information of a Particularly Sensitive Nature and Classified Information (Secret, Top Secret, and Confidential): For both internal mailing and for mailing outside the CRA use two gum-sealed envelopes. The address appears on both inside and outside envelopes. A security marking appears on the inner envelope only. The inner envelope should also be marked as follows: "To be opened by addressee only."
For more information, go to Transmittal of Sensitive Information and Assets Policy.
Employees must ensure that classified and "Protected" documents and property are stored in a safe place when they are not in use or when they are left unattended. The objective of this policy is to reduce the risk of theft and unauthorized access to classified and designated "Protected" information and assets.
Policy requirements are:
- Classified and designated "Protected" information and assets, and containers in which they are stored, must be located in areas where there is an effective control of access in accordance with the highest level of sensitivity of the material.
- Designated "Protected" information must be stored in a locked filing cabinet.
- Designated "Protected" information of a particularly sensitive nature and classified information must be stored in a locked filing cabinet (a container or a safe) specifically approved by the Security Directorate for the level of sensitivity of the information.
- In situations where it is not feasible to store sensitive information in locked cabinets, the information may be kept in a secure room designed in accordance with specifications approved by the Security Directorate.
- Designated "Protected" assets of relatively high value (laptop computers, calculators, etc.) should be stored in locked filing cabinets to reduce the risk of theft.
For more information, go to Storage of Protected and Classified Information and Assets Policy.
When removing information from the office:
- Advise the team leader and obtain authorization before carrying information out of the office.
- Transport documents in a locked briefcase or container with a proper identification tag.
- Briefcases, audit bags, storage containers, and other items, such as a laptop computer, should be locked in the trunk of the vehicle while travelling or as temporary storage. If the vehicle does not have a trunk (vans or hatchbacks), these items must be kept out of view.
- Briefcases and other containers must be locked when using public transportation systems or walking to an assignment. Sensitive documents should not be removed from a briefcase or container while using public transportation.
- When leaving documents at a taxpayer's place of business, they must be secured in a locked container located in a locked room with restricted access. Briefcases that contain taxpayer information should not be left at the taxpayer's office overnight.
- Information should be locked in a briefcase or container and placed out of sight if leaving it when not in use (hotel room or the auditor's place of residence).
- Sensitive documents or valuable material left in a commercial building or at the auditor's home must be placed in a locked briefcase or container and should be hidden from view.
For more information, go to Protection of Classified and Protected Information and Assets Outside the Workplace Policy.
Sensitive information and assets must be disposed of in accordance with requirements and procedures approved by the Security Directorate. Although documents and property designated as "Protected" do not concern national security, the information is nevertheless sensitive and often involves taxpayers and/or personal information.
Documents that are no longer required must be disposed of. Waste that is designated as "Protected" is sent to archives for destruction, in keeping with established security standards.
For more information, go to Disposal of Sensitive Information and Assets Policy.
4.8.0 Laptop use, care, and security
Laptops are a very important tool for use in the audit process. Proper use and care of the equipment is necessary to prevent damage and to safeguard the assets of the CRA as well as the security and confidentiality of taxpayer information.
Equipment is provided for the use of audit employees for official purposes at the office, at the taxpayer's place of business, while in travel status, or any other location where CRA business is conducted, including telework locations.
The portability of laptops increases the risk of loss and potential damage both in transit and at the work site. Software and sensitive information stored on the laptop requires safekeeping.
Users are responsible for:
- performing regular backups of information
- locking CDs and other information in a secure place when not in use
- ensuring equipment is securely stored at the end of the workday
- providing a clean area for laptop use and cleaning a laptop when necessary
- reporting any problems encountered with equipment or software
- observing software licensing agreements
- encrypting CDs removed from CRA facilities if the CDs contain sensitive information
- scanning all CDs for viruses before using the CDs in CRA equipment
- observing suggested security guidelines for the use and care of equipment
- handling and storing CDs as recommended by the manufacturer
- protecting passwords at all times
- immediately reporting any actual or suspected loss, as well as unauthorized disclosure of sensitive information or access to CRA computer systems, according to prescribed procedures
The following suggestions are provided to limit problems that may be encountered if laptops are not cared for appropriately:
- Do not move the laptop when the disk is in operation. The laptop should be turned off prior to moving it to ensure that the disk head is parked.
- If the laptop has been exposed to extreme cold, allow it to warm to room temperature prior to use. This will take approximately 60 minutes.
- The power should be left on when the laptop is not in use for short periods of time. Turning the power on and off several times during the course of the day may cause damage to the power supply.
- The power should not be turned off during an application. Improper exits from an application may cause loss of data files. Files are not encrypted when the application is not exited properly.
- If Windows is used, the "Shut Down" procedure closes files and removes temporary files from the directory. If this procedure is not completed, the system prompts the user to scan the disk at start-up to ensure that the integrity of system has not been compromised.
- Power should be switched off prior to unplugging the laptop or attaching any peripheral equipment such as a printer.
- Flipping the screen to the closed position will shut off the display, allow the screen to cool down after long periods of use, and protect the screen from damage.
- Ensure that the screen saver feature is password protected and used when away from the laptop for short periods of time.
- Using the legs at the rear of the laptop (if available) increases air circulation around the equipment and keeps it from overheating. The legs also provide a more comfortable angle for working at the keyboard.
- Extreme caution should be exercised with food and drink around the laptop to prevent costly repairs and down time.
- Carrying carts should be used only if absolutely necessary to transport the laptop.
- Taxpayer information should not be stored on the hard disk. If possible, the taxpayer information should be stored on encrypted CDs separately from the laptop.
The following suggestions will prevent loss of large volumes of data and keep the laptop available for use:
- Back up data daily.
- Check the carrying case and strap for wear.
- Clean the screen using the materials provided. Individually packaged wipes are available in most offices. If spray cleaners are used, always spray the cleaner on a clean cloth, never on the screen.
- Dust and small particles can be removed from the keyboard using a can of condensed air. The nozzle should be positioned properly towards the keyboard. Short bursts of the condensed air are aimed at the keyboard to remove small objects and dust that collect between keys over time. A soft damp cloth can be used to wipe the surface of the keyboard when not in use. Keeping the cover closed when the laptop is not in use will not only prevent damage to the screen but also help prevent the collection of dirt in and on the keyboard.
- Avoid attaching sticky labels to the laptop.
The portable nature of laptops makes them particularly susceptible to theft. Employees are expected to exercise reasonable care to prevent loss and damage. It would not be considered reasonable care if a laptop was left in a vehicle overnight, or if the laptop was left where visible to passers-by while the vehicle was parked and unattended.
- Laptops should not be left unattended if accessible. When the laptop must be left in a vehicle, it should not be visible. If possible, the laptop should always be locked in the trunk when in transit.
- When travelling by air, the laptop should not be checked as baggage. A manual inspection of the equipment and CDs should be requested rather than subjecting the equipment to the normal security scanners.
- All laptops should be marked with CRA identification numbers. Auditor ID tags should be attached to carrying cases. Additional identification (such as a business card) should be placed inside the carrying case.
- Loss or theft of equipment or information must be reported immediately as outlined in CRA guidelines.
- Laptops should be locked in a secure place at night even when left at the office.
- If equipment is lost, stolen, or damaged, the appropriate personnel must be notified immediately. The CRA is responsible for replacing the equipment if there is no evidence of negligence on the part of the employee.
- Loss or theft of equipment should be reported to the police and the immediate supervisor without delay.
Security of taxpayer data and audit working papers
All audit working papers are considered to be "information holdings" and are subject to the federal government's information management policies developed by Treasury Board Secretariat.
For more information, go to:
- Policy on Information Management
- 9.8.0, Working papers
Users are to be granted access to the departmental intranet and Internet systems to perform work-related activities. Use of the intranet and the Internet in a responsible and informed manner for work-related purposes is promoted. Unacceptable or unlawful activity is not permitted.
For more information, go to Security Risk Management – Information Technology Threat and Risk Assessments Policy.
Software installed on laptops is not to be copied. Software agreements and copyright restrictions should be followed at all times. Copies of programs developed by the CRA, such as penalty and interest programs, are not to be made available to the public.
All software from sources outside the CRA should be scanned and tested for viruses to minimize the risk of infecting the PC environment. CDs used on external PCs should be scanned prior to using on CRA hardware. If a virus is found on software or on a CD, it should be reported as soon as possible to prevent possible spreading.
Limited personal use of laptop computers is permitted provided that the personal use complies with CRA policies and legislation and if the productivity and performance of the employee and the employee's colleagues are maintained.
The following procedures should be followed when the laptop requires servicing:
- Document what occurred prior to the failure or problem; record any error messages or numbers that are displayed.
- Contact the designated laptop resource person or the helpdesk in the TSO.
- If the laptop failure significantly affects the completion of any audits in progress, the team leader should be advised.
4.9.0 Use of personal digital assistants/Palm Pilots within the CRA
Personal digital assistants (PDA) or Palm Pilots are electronic devices that duplicate some of the functions of notebook computers. That is to say, they can record and organize personal information such as agendas and important dates, notes on various subjects, and the transmission and reception of messages. The new versions also allow for interactive updating of information from workstations.
The CRA security policy requires computers that are intended to be removed from the office to incorporate approved encryption algorithms and access control mechanisms before any sensitive information can be stored or processed on them. PDAs/Palm Pilots protect information by means of a password that has been entered into the system. These passwords can generally be bypassed, thereby exposing the information to unauthorized persons.
Some newer systems such as the Blackberry provide an encryption function, but the algorithms have not been reviewed or approved for the protection of government sensitive information; this is being assessed and results will be communicated when available. In addition, PDA/Palm Pilot devices have not yet been certified on a national basis for use on CRA networks.
Like notebook computers, these devices are attractive items, and the risk of their being stolen for their intrinsic value is high. If lost or stolen, all information on these devices would be accessible to unauthorized persons.
Due to the security limitations of PDAs/Palm Pilots (whether purchased by individuals for personal use or purchased by the CRA for business use), they are not to be used to store or process any sensitive information. Passwords and access control codes are considered to be sensitive in nature and are not to be stored on these devices. Similarly, email is considered to be sensitive and may not be transferred to these devices.
The Security Directorate has advised that "calendar" information (meeting times, locations, names of those invited or attending) is not considered sensitive and may be stored on these devices.
Report a problem or mistake on this page
- Date modified: