CRA response to the National Security and Intelligence Review Agency’s (NSIRA) report

This was the National Security and Intelligence Review Agency’s (NSIRA) first review of the Canada Revenue Agency’s (CRA) program for protecting charities from terrorist abuse, which is administered through the Review and Analysis Division (RAD). The review focused on RAD’s audit workload only, and assessed the program’s national security activities and decision-making for reasonableness, necessity, and compliance with the law.

Introduction

The CRA acknowledges the important role that review bodies play in the national security and intelligence communities and welcomed NSIRA’s review. The CRA is confident that NSIRA’s recommendations will help improve the audit program so that CRA can continue to administratively support Canada’s efforts to combat terrorist financing. The CRA recognizes the value of continually improving its processes and procedures to reinforce consistency and impartiality in decision-making and to ensure the high quality of the charities audit program, and commits to implementing enhancements to strengthen these processes. The CRA is pleased with NSIRA’s findings that many of its risk assessment processes for terrorist abuse and its practice of assessing related risk have improved.

Although the CRA has long had a mandate to protect the integrity of the charitable registration system (which included prohibiting support of terrorism), RAD was established in 2003 in recognition that evolving terrorist activities redefined the role and importance of efforts supporting Canada’s comprehensive anti-terrorism plan and international commitments. Through the RAD, CRA takes a proactive role to identify and address links between terrorist groups and registered charities or organizations applying for registration to ensure supporters of terrorism do not exploit the charitable sector.

The CRA’s contributions to Canada’s anti-terrorist financing regime are through the administration of the Income Tax Act (ITA), and serve to prevent the abuse of registered charities by ensuring that controls are in place to mitigate their risk. The CRA’s contributions are also a key component of Canada’s compliance with international standards that aim to protect the non-profit organization (NPO) sector from terrorist financing, consistent with NSIRA’s finding that the CRA's audit function fulfills Canada's international obligations to combat money-laundering and terrorist financing.

It is important to understand that not all audit outcomes where terrorist risks are initially identified will include findings explicitly related to terrorism, as initial concerns may be addressed through the audit process and final concerns may instead speak to the adequacy of risk mitigation controls in place – rather than validating that resources were used to support terrorism. Ultimately, the CRA may only address risks of terrorist financing abuse as they relate to potential non-compliance with the ITA. Law enforcement agencies, not the CRA, are responsible for investigating terrorism-related offences, even those that may involve the abuse of a registered charity.

The CRA’s audit program for charities has evolved over time and the understanding of terrorist financing risk and the effectiveness of approaches to mitigate that risk have improved. We are pleased with NSIRA’s finding that the CRA is attuned to shifts in the threat environment. The CRA is mindful of the impact that raising terrorism-related concerns has on the charities it audits, and on the communities in Canada where risks of abuse may be more prevalent given their linkages to conflict regions where terrorist groups that target NPOs for sympathy and support may operate. The CRA is also mindful of the risk of bias in executing its mandate, and takes steps to minimize bias where possible, such as through continuous education and improvements to processes and decision-making.

As NSIRA’s review covered the CRA’s workload since the inception of the RAD and was limited to only the program’s audit function, its conclusions unfortunately do not always reflect the CRA’s current practices, nor do they give appropriate weight to improvements in processes or other activities the CRA pursues to support charities with risk mitigation for terrorist abuse. The CRA educates charities and the public with upfront and continued education at registration and throughout the life cycle of a charity, web pages on the prevention of terrorism abuse, and engagement efforts with the charitable sector.

The CRA provides the following responses to NSIRA’s recommendations, which confirm the CRA’s agreement with most recommendations and identify the elements of NSIRA’s report with which the CRA respectfully disagrees.

Recommendation 1

NSIRA recommends that the CRA collect and evaluate demographic data from the charitable sector to ensure that its treatment of charities is free from discrimination.

CRA's response to Recommendation 1

The CRA disagrees with this recommendation.

The Privacy Act protects the privacy of individuals with respect to their personal information and governs the federal government’s collection and use of that information. Furthermore, Government departments and agencies must only collect information that relates directly to an operating program or activity.

As it relates to registered charities, the CRA collects only such information as is necessary to administer the tax incentives for charitable donations, and the registration system for charities, including ensuring the ongoing compliance of charities with the rules in the Act. While the CRA has limited authority to collect additional demographic information from the charitable sector to evaluate the program, the CRA cannot require a charity to provide such information, as it is not necessary for the administration of these provisions, nor would it serve a compliance-related purpose.

The CRA commits to improving the documentation and evaluation of its registration and audit activities to ensure that its treatment of charities is free from discrimination. This will include monitoring and evaluating how these programs are carried out and reviewing any results to ensure that it is able to identify potential areas of bias or unfair treatment.

The CRA affirms that it does not select registered charities for audit, nor does it apply policies or procedures differently, based on any particular faith or denomination. The CRA recognizes the challenges and sensitivities for bias that come with administering programs in support of national security (counterterrorism) priorities. These challenges are not unique to the CRA nor to Canada. Racism and discrimination, which stem from biases that any individual may have, are real and important issues that the CRA takes very seriously. The CRA is firmly dedicated to diversity, inclusion, and anti-racism, in alignment with its values of professionalism, integrity, respect, and collaboration, and will continue to support improvements to its processes and procedures to limit opportunities for bias in decision-making.

Recommendation 2

NSIRA recommends that RAD develop an evidence-based method of validating, on an ongoing basis, the risk indicators that it relies on to justify scrutiny of a charity for terrorism-related concerns and update any associated guidance.

CRA's response to Recommendation 2

The CRA agrees with this recommendation.

The CRA maintains a comprehensive internal guide to inform the application of risk indicators for terrorist financing. Although a formal review of these indicators has not been conducted since 2016, they were originally created through extensive research and consultation with national security practitioners. The CRA has ensured that these indicators remain consistent with internationally recognized indicators, as supported by the Financial Action Task Force (FATF), by performing periodic comparative analysis. To date, the indicators used by the CRA have been reflective of concerns that have come to its attention through leads, and the internationally recognized indicators over this period have remained relatively stable.

To enhance its effectiveness in addressing the evolving threats of terrorist financing, the CRA is committed to developing and implementing a formal periodic review process of its risk-based approach for assessing terrorist financing abuse in charities.

Recommendation 3

NSIRA recommends that RAD formally document its decisions regarding when, and on what basis, it will commence its audits.

CRA's response to Recommendation 3

The CRA agrees with this recommendation.

Decisions regarding the commencement of audits following a referral are typically influenced by factors such as priorities, the anticipated size and complexity of the audits, and the availability of auditors. While the number of unassigned audit referrals related to the risk of terrorism abuse is generally minimal, the CRA recognizes the need for enhancements in the documentation supporting these decisions.

Effective for the 2025-26 fiscal year, the CRA will implement a formal tracking mechanism to oversee audit referrals and refine processes for documenting audit selection criteria and decisions. This will enable the CRA to formally document annual audit planning decisions, and identify which registered charities will be audited during a fiscal period based on established priorities and available resources.

Recommendation 4

NSIRA recommends that RAD update its process for assessing the risks of terrorist abuse in a charity’s activities to foster structured, informed decision-making on when or whether to conduct a related audit. This should:

CRA's response to Recommendation 4

The CRA generally agrees with this recommendation.

The CRA is dedicated to enhancing its processes and procedures to ensure consistency and impartiality in decision-making, thereby supporting a quality charities audit program. The CRA is committed to strengthening its protocols to guarantee comprehensive documentation of risk assessments and workload development processes for files associated with potential risks of terrorist abuse. This initiative will also involve the clear definition of criteria and terminology, fostering a structured and uniform approach to assessing and documenting risk levels.

The CRA will also ensure that all risk indicators and calculated risks are documented to illustrate consistent application of compliance treatments, and to support justifications for proceeding (or not) with audits. Historically, while risk assessment narratives were documented, the relevant risk indicators that informed the assessments and, thereby, the decision on a file, were not always explicitly identified in the written assessments.

Effective immediately, the CRA will begin updating risk assessments as necessary, particularly in cases where there is a significant delay between the closing of the assessment and the initiation of the corresponding audit, or when new information may be available to enhance the understanding of evolving risks.

However, the CRA disagrees with the emphasis that the NSIRA places on partner intelligence for informing CRA risk assessments. While such intelligence can contribute to the CRA’s assessment of risk, the CRA does not pursue the mandate of its partners, nor does it require intelligence in all cases to establish sufficient concern that an audit referral should be made.

The lack of partner intelligence should not be seen as an indication that there are no significant risks from a CRA perspective. In situations where obtaining partner intelligence is relevant, the CRA is committed to ensuring that the intelligence remains up to date.

The CRA also disagrees with the NSIRA’s characterization in its report that the lack of a standardized or weighted approach makes CRA’s determinations 'highly subjective' and undermines its ability to identify registered charities most at risk of non-compliance for audit purposes. The lack of quantitative assessments does not invalidate the significant qualitative assessment that supported determinations for audit selection, which were based on a range of information and in-depth analysis. Additionally, CRA analysts undergo comprehensive training and adhere to detailed guidelines for assessing risk severity and effectively utilizing risk indicators.

However, the CRA nonetheless undertakes to develop and pilot a rating model to quantify and complement its current qualitative risk assessment process. This initiative aims to maintain consistency and impartial decision-making, with a projected completion date by the end of 2026.

Recommendation 5

NSIRA recommends that RAD take steps to ensure that its decision-making leading to an audit is supported by current and credible information and/or intelligence, with due regard for exculpatory information and mitigating considerations.

CRA's response to Recommendation 5

The CRA agrees with this recommendation.  

This recommendation reflects the CRA's current practice and related internal guidance for evaluating information used in risk assessments and operational processes against established research standards. These standards confirm the methods by which staff should collect, organize, and critically assess information, including partner intelligence, based on fundamental principles, such as relevance, reliability/balance, accuracy, recency, neutrality/impartiality, transparency and traceability. Additionally, CRA employees and managers are provided with training in research methodologies and analytical thinking.

The CRA acknowledges examples identified by the NSIRA regarding references to dated information in a risk assessment; however, this information alone did not serve as a primary or significant basis for an audit referral, nor does it reflect a consistent pattern in the CRA's risk assessments concerning terrorist abuse.

In light of the concerns identified through NSIRA’s review, the CRA is committed to examining its current processes and procedures to identify and implement further measures aimed at reducing the risks of bias in decision-making, particularly in relation to the evaluation and documentation of exculpatory information.

Recommendation 6

NSIRA recommends that the CRA conduct a focused comparison of audit outcomes between RAD and Compliance Division to determine whether the differences identified here are justified.

CRA's response to Recommendation 6

The CRA disagrees with this recommendation. 

CRA audits seek to enforce uniform regulations that apply to all registered charities, even when addressing risks that may relate to terrorist abuse. All audit outcomes are determined on a case-by-case basis, relying on the same guidance products and not with targets in mind. Further, NSIRA acknowledged that after communicating initial findings of concern to charities being audited, and where revocation was a possibility, RAD considered additional representations from charities (a process of administrative fairness available to all charities) which helped it determine that revocation was not necessary in every case.

The CRA will nonetheless review its charities audit program to identify potential improvements that could be made to support audit approaches that are consistent and risk-based, and audit outcomes that continue to be appropriate for, and proportionate to, identified non-compliance.

Page details

2025-10-02