Internal Audit - Memorandum of Understanding for Information Sharing between the Canada Revenue Agency and Saskatchewan Government Insurance

Final Report

Audit, Evaluation, and Risk Branch

February 2017

Executive Summary

Background: The Canada Revenue Agency (CRA) enters into memoranda of understanding (MOUs) and other agreements with federal, provincial and territorial departments and agencies to improve efficiency and effectiveness of program delivery.

Saskatchewan Government Insurance (SGI), a provincial Crown corporation, operates Saskatchewan’s driver licensing and vehicle registration system. Through a MOU for information sharing between the CRA and SGI that came into effect on June 24, 2014, the CRA has permission to access the SGI database to retrieve required information.

The CRA uses driver’s licence and vehicle registration information to administer the Income Tax Act, the Excise Tax Act, the Canada Pension Plan and the Employment Insurance Act. The Collections and Verification Branch and the Domestic Compliance Programs Branch use the SGI vehicle and driver’s licence information for audit and collection purposes. Based on statistics available from SGI, the number of information items accessed per year, which could include multiple items for the same taxpayer, is estimated to be 7,500. While the Strategy and Integration Branch is responsible for the overall administration of the MOU, the Saskatchewan Tax Services Office (SKTSO) is responsible for the operational aspects of the MOU.

Objective: The objective of this audit was to provide assurance that the CRA complies with the provisions of the MOU regarding the collection, access, use, disclosure, retention, and disposition of the information received, and applies the security standards specified in the MOU.

Conclusion: The CRA is in compliance with the MOU terms and conditions governing the collection, access, use, disclosure, retention, disposition and general security of received information. The audit noted opportunities for improvement in guidance documents for administrative activities related to information storage and to confirm retention periods and disposition processes for SGI information.

Action Plan: Management of the Income Tax Audit Division and of the Revenue Collections and Client Services Division in the SKTSO took action to address these opportunities as soon as the audit team identified them. Management of the SKTSO advised the audit team that distribution of documentation, training of staff, application of the new procedural guidance, and the retention periods and disposition processes will be completed by June 2017.

Introduction

The Canada Revenue Agency (CRA) enters into memoranda of understanding (MOUs) and other agreements with federal, provincial and territorial departments and agencies to improve efficiency and effectiveness of program delivery.

Saskatchewan Government Insurance (SGI), a provincial Crown corporation, operates the province’s driver licensing and vehicle registration system. Through a MOU for information sharing between the CRA and SGI, the CRA has permission to access the SGI database to retrieve required information. The MOU came into effect on June 24, 2014. This is the first internal audit of this MOU by the CRA.

The CRA uses driver’s licence and vehicle registration information for the purpose of administering the Income Tax Act, the Excise Tax Act, the Canada Pension Plan, and the Employment Insurance Act. Based on statistics available from SGI, the number of information items accessed per year, which could include multiple items for the same taxpayer, is estimated to be 7,500.

The Collections and Verification Branch (CVB) and the Domestic Compliance Programs Branch (DCPB) use the SGI vehicle and driver’s licence information of Saskatchewan residents for audit and collection purposes. The information is required by different CRA units including the Collections, Non-Filer/Non-Registrant and Trust-Exam sections that report functionally to the CVB. Also, the Business Intelligence and Quality Assurance (BIQA) Division which reports functionally to the DCPB uses the information to help improve its ability to select the highest risk audit files.

The Strategy and Integration Branch (SIB) is responsible for the overall administration of the MOU. The Saskatchewan Tax Services Office (SKTSO) is responsible for the operational aspects of the MOU.

Focus of the Audit

The objective of this audit was to provide reasonable assurance that the CRA is in compliance with the provisions of the MOU regarding the collection, access, use, retention, and disposition of the information received, including the application of the security standards specified in the MOU.

The internal audit assessed CRA’s processes and procedures to ensure that these MOU requirements are met. The most recent versions of documentation available were reviewed during the examination phase of the internal audit, which was carried out between July and October 2016. The examination work was carried out with the cooperation of personnel from the SIB in Headquarters, the BIQA Division in the Prairie Region, and the SKTSO.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings, Recommendations and Action Plans

1.0 Collection, Access and Use of Information

Collection of information

The collection of the SGI information, including retrieval from the SGI database, storage of the retrieved information and transfer to officers, was examined to determine if, within the CRA:

  • Managers and staff are aware of their roles and responsibilities;
  • Process controls and associated supervisory monitoring are in place;
  • Staff are well informed and have received training; and
  • User guides, training material and procedures are in place.

Managers and staff were found to be aware of their roles and responsibilities and follow a control procedure to ensure that the information is retrieved by authorized administrative staff on behalf of only authorized CRA employees.

Initial training and on-the-job training are adequate, and the current procedures allow administrative staff to store and transfer information in various secure ways. Collections and audit officers who receive the SGI information follow the procedures for storage of the information in the primary information systems in which they operate: the Windows Audit Laptop System (WinALS), used for audits, and the Automated Collection and Source Deduction Enforcement System (ACSES), used for collections.

Our audit found gaps in the instructions for administrative clerks on storing information, which had been documented and in use over the last year. These gaps include a lack of instructions regarding the secure storage of information outside of WinALS and ACSES. Instructions for other personnel handling SGI information, including administrative staff, collections officers and collections Team Leaders, audit officers and audit Team Leaders, have not been documented.

SGI information was retained by administrative staff on their network personal drives and in Microsoft Outlook. Although these are secure locations, storing SGI information on personal drives and in Outlook folders makes it difficult for supervisors to monitor for proper use of such information and is not allowed under CRA information management policy.

Recommendation

The Income Tax Audit Division and the Revenue Collections and Client Services Division at the Saskatchewan TSO should ensure that complete and current procedures and guidance for storing and transferring SGI information are in place, disseminated and followed.

Action Plan

The responsible Team Leaders in the SKTSO have updated and aligned Revenue Collections and Audit procedures to clarify administrative staff responsibilities for the logging, storage and transfer of SGI information at the time of retrieval from the SGI database. According to SKTSO management, the communication of these procedures to all affected employees and their implementation will be completed by June 2017.

Access and Use

Access to the SGI database and use of SGI information were examined to ensure that requested SGI information is used for activities under the designated legislation, and that only authorized personnel administer these requests.

Our audit found that access to SGI information is controlled in compliance with CRA policies and MOU provisions: Team Leaders review the access privileges of their employees every year, ensure that requests for information are justified and are for authorized uses, and verify that only designated CRA administrative staff obtain user accounts to access the SGI database. Team Leaders also periodically confirm that samples of CRA employee access activity are related to that employee’s SGI-related workload.

Overall, management of the access to information in the SGI database was found to be appropriate and in compliance with the requirements of the MOU, and effective controls are in place to address proper use of that information.

2.0 Disclosure, Retention, Disposition and Security

Disclosure

Disclosure of SGI information was examined in terms of restricting disclosures to only personnel involved in activities that supported the designated legislation.

Information was found to have been disclosed only in accordance with the terms and conditions set out in the MOU. No operational requirements for information disclosure beyond authorized uses, and no instances of unauthorized sharing were noted.

Retention and Disposition

Retention and disposition of SGI information was examined to ensure that SGI information is retained for the required period, and that at the end of the retention period, disposition of the information is executed in a secure and controlled manner in accordance with the security requirements of the MOU.

SGI information in WinALS and ACSES has been retained according to the records dispositions authorities for data stored in these information systems. However, the retention period for the SGI information stored in shared drives before it is entered into the WinALS and ACSES information systems is not clear.

While no SGI information has been deleted from these shared drives, the personnel interviewed were not aware of the applicable records disposition authority or any other guidance to confirm that this disposition approach is correct. Implementation of the applicable records disposition authority would ensure compliance with the CRA Records Retention and Disposition Policy, and ensure that the CRA meets its operational obligations and satisfies Privacy Act and Access to Information Act requirements.

Recommendation

The Income Tax Audit Division and the Revenue Collections and Client Services Division at the SKTSO should establish clear retention and disposition requirements for all SGI information stored in shared drives before it is entered into the WinALS and ACSES information systems.

Action Plan

The responsible Team Leaders in the Saskatchewan TSO have already identified the retention period for SGI-sourced data held outside these information systems. According to SKTSO management, communicating these retention periods to employees and implementing the retention periods and the corresponding disposition procedures will be completed by June 2017.

Security of Information

Security of SGI information was examined in terms of:

  • Security clearances and security awareness of the employees involved;
  • Workspace and workstation security;
  • Proper reporting of security incidents; and
  • Application of the need-to-know principle when granting access to employees.

Security practices surrounding the SGI information are adequate and appropriate. All employees with access to the SGI system have valid and up-to-date security clearances. As required by CRA security policy, all sampled employees have taken the mandatory security awareness training within the last two years.

The security of the workspaces containing the workstations is supported by badge-controlled access. Access to the SGI information stored in and out of the WinALS and ACSES applications is restricted to the designated personnel through the controls that govern the core CRA computing environment.

While there is an established process for reporting security incidents, there have been no reported security infringement incidents related to SGI information over the past two years.

Administrative staff in the audit units and in the collections units use shared folders to store the information retrieved from the SGI information system. The Team Leaders in these units have indicated that multiple administrative personnel have been provided access to these folders because responsibility for post-retrieval activity is shared by the personnel in these groups. The access restriction settings for these shared folders provide adequate control over retrieval of this information.

SGI information storage in WinALS and ACSES respects the need-to-know rules that govern the audit and collections activities that use that information.

Conclusion

The CRA is in compliance with the MOU terms and conditions concerning the protection and security of information collected in relation to SGI. The audit noted opportunities to improve guidance documents for some administrative activities and to confirm related retention periods and disposition processes for SGI information. The responsible Team Leaders in the SKTSO started to take action to address these opportunities as soon as they were identified by the audit team. According to management of the SKTSO, distribution of documentation, training of staff, and application of the new procedural guidance, the retention periods and disposition processes will be completed by June 2017.

Acknowledgement

In closing, we would like to acknowledge, recognize and thank the SIB, the BIQA Division in the Prairie Region, and the SKTSO for the time dedicated and the information and access provided during the course of this engagement.
