Audit of Information Received Under The Memorandum of Understanding with Respect to Joint Registration of Business - Province of British Columbia

Corporate Audit and Evaluation Branch
October 2006

Executive Summary

The Canada Revenue Agency (CRA) has entered into a large number of Memoranda of Understanding (MOUs) and agreements with federal, provincial and territorial departments and agencies. This audit dealt with information received by the CRA under the MOU with respect to the Joint Registration of Business between the Canada Revenue Agency and the Province of British Columbia signed on April 28, 2004.

According to the MOU, the Province of British Columbia (BC) and the CRA agreed to implement an integrated registration process to provide clients with a simplified method for registering with multiple government agencies. This was to provide a mechanism for the CRA and BC to utilize a common business identifier for their clients and provide on-line access to a joint registration system. Information provided to the CRA by BC is that which is required for the CRA to create a business number and maintain an account in the National Business Registry.

Information exchange MOUs signed since 2001 generally include a clause whereby both parties will conduct periodic internal audits of the use, communication, and security with respect to information provided to each other. This MOU states that audits are to be conducted within two years of the effective date of the MOU, and, thereafter, at a minimum of once every five years. This internal audit report will be forwarded to BC by the Corporate Strategies and Business Development Branch in accordance with the terms of the MOU.

Objective: The objective of the audit was to provide assurance that the CRA is in compliance with the terms and conditions governing the use, communication, security, retention and disposition of information received from BC under this MOU. This audit was conducted during fiscal year 2005-2006, and was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion: Based on the audit work performed, it is our opinion that the CRA is in compliance with the terms and conditions of the MOU governing the use, disclosure, and security of information received from BC. There was no evidence that information was used for other than the purpose for which it was intended, or disclosed to anyone outside of the terms of the MOU. Selected security standards applicable to the safeguarding of information received have been met.

Introduction

The Canada Revenue Agency (CRA) has entered into a large number of Memoranda of Understanding (MOUs) and agreements with federal, provincial and territorial departments and agencies. This audit deals with information received by the CRA under the MOU with respect to the Joint Registration of Business Between the Canada Revenue Agency and the Province of British Columbia signed on April 28, 2004.

Information exchange MOUs signed since 2001 generally include a clause whereby both parties will conduct periodic internal audits of the use, communication to others and security with respect to information provided to each other. The inclusion of the internal audit clause was part of a Corporate Strategies and Business Development Branch initiative to strengthen the security and client confidentiality provisions of existing MOUs that provided for the exchange of confidential client information. This MOU states that audits are to be conducted within two years of the effective date of the MOU, and, thereafter, at a minimum of once every five years. The Corporate Strategies and Business Development Branch will forward this report to BC in accordance with the terms of the MOU.

The purpose of the MOU between BC and the CRA was to implement an integrated registration process to provide clients with a simplified method for registering with multiple government agencies. This was to provide a mechanism for the CRA and BC to utilize a common business identifier for their clients and provide on-line access to a joint registration system. Businesses may register for BC programs using the CRA Internet application called Business Registration On-line (BRO) or they may use various provincial service channels including the Internet, mail, telephone, or counter-service. Information provided to the CRA by BC is that which is required for the CRA to create a business number (BN) and maintain an account in the National Business Registry [Footnote 1]. The Business Number Services unit at the Surrey Tax Centre facilitates the resolution of problems that may occur during the registration process.

The BN is a common identifier for businesses to simplify their dealings with all government levels, supporting the concept of “one client, one number”. This concept also reflects one of the strategic objectives of the CRA, to strengthen partnerships with provinces and territories. BN data includes client identification and program registration information for numerous programs at all government levels.

The business number database maintained by the CRA contains approximately 8.3 million accounts for more than 4.7 million business entities. The number of accounts maintained by the CRA for BC provincial programs is approximately 163,000 for Worksafe BC, 103,000 for BC Provincial Tax and 322,000 for the BC Corporate Registry.

The MOU between the CRA and BC requires both parties to ensure that procedures are in place to protect the information from any unauthorized disclosure. Both parties agreed to protect information in accordance with a series of standards related to the handling of client information. These standards are contained in an appendix to the MOU. In addition, a separate security standards document was also signed by both parties and is referred to in the MOU. [Footnote 2] This document outlines administrative, personnel, physical, and communication security standards.

Focus of the Audit

The objective of the audit was to provide assurance that the CRA is in compliance with the terms and conditions governing the use, communication, security, retention and disposition of information received from BC.

The scope of the audit included the Assessment and Benefit Services Branch (Business Registration Programs Support Section), the Corporate Strategies and Business Development Branch (Provincial and Territorial Relations Division), and the Surrey Tax Centre (Business Number Services). Audit work carried out in 2006 included document reviews and interviews. The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings

Use and Disclosure of Information

Under conditions outlined in the MOU, the CRA will use information received from BC for the purpose of administering the Income Tax Act and the Excise Tax Act, and information is only to be disclosed to others under the terms and conditions set out in the MOU.

Much of the data provided by BC is available to the general public. Therefore, limited audit procedures were performed in this area as the risks and consequences from inappropriate use and disclosure would not be significant. There was no evidence that information was used for other than the purpose for which it was intended.

The CRA uses information provided by BC for the purpose of assigning a business number to a business entity in BC. The information received by the CRA would include the legal name of the business, business address, and owner(s) name(s). The CRA maintains approximately 588,000 accounts on behalf of BC, which represents around 7% of the active accounts in the National Business Registry. Many of the business entities associated with the accounts also have CRA accounts (e.g. GST/HST, Corporation Tax, or Payroll Deduction accounts). Therefore, the core information related to BN accounts is the same for both the CRA and BC programs, and the risk is minimal that BC-specific information will be disclosed outside the terms of the MOU.

Interviews conducted at the Assessment and Benefit Services Branch (Business Returns and Payments Processing Directorate) and the Surrey Tax Centre (Business Number Services unit) indicate that information received from BC is used to assign a business number and is only further disclosed within the terms of the MOU. An example relating to disclosure would be a situation where BC sends a message to the CRA to advise of a name change in a BC corporation. This information would then be updated in the BN system and then communicated to all systems legally permitted to receive the information including other provinces that have adopted the BN registration system and that are impacted by the change.

Interviews conducted with the Business Number Services (BNS) staff at the Surrey Tax Centre (STC) indicated that they were not aware of any security incidents relating to inappropriate use and communication of information received from BC. In addition, the Security, Risk Management, and Internal Affairs Directorate of the Finance and Administration Branch has indicated that there have been no reported security incidents with respect to information received under this MOU. Controls in place regarding security awareness of employees (discussed later in this report) also serve to strengthen and enhance compliance with the terms and conditions for the use and disclosure of information.

Security and Safeguarding of Information

The MOU contains an appendix that outlines the CRA's security standards for the handling of protected client information. In addition, a separate document entitled Security Standards – CRA and Non-Federal Organizations Protection of Information was jointly signed by the CRA and BC. Overall, the two documents refer to over 30 security standards applicable to the handling, storage, and disposition of information.

Internal audit conducted a risk assessment of these security standards to determine which of them presented the most significant risks in relation to the information received from BC. The Information Security Division of the Finance and Administration Branch also provided expert advice. Based on the assessment, the following controls were examined:

Management of User Access Privileges

The security of confidential client information is enhanced when access to information systems is only granted to employees when the information is needed to perform work-related activities. Furthermore, a management control system of user access rights ensures that employees do not accumulate user access rights when they change jobs within an organization. CRA security standards require that a record of all computer system access privileges is to be created and maintained for each employee. In addition, a user's access privilege is to be kept current and immediately revoked or suspended when access to perform the assigned functions is no longer required. These security standards have been met in the BNS unit at the STC.

Audit tests indicated that employees in the BNS unit at the STC held user profiles in CRA systems that were compatible with their duties. Audit testing also confirmed that the staff assigned to correspond with BC through email had the required Entrust profiles for encrypted email and that the remaining staff did not have those profiles.

The management of mainframe user access profiles is controlled by the team leader in the BNS unit at the STC. Most other access profiles are managed by the local IT services unit.

Client information received from BC and maintained in the BN system may be accessed by any CRA employee with an appropriate access profile in the BN system or any CRA system that is updated by the BN system. [Footnote 3] Therefore, a large portion of the CRA's 40,000 employees would require access to this type of information to perform their duties. The management of user access profiles in the CRA has been identified as an issue in a number of internal audit reports including an audit of information technology security in 2004. As a result of these audits, the Information Security Division of the Finance and Administration (F&A) Branch has undertaken several user access profile initiatives. The Internal Audit Division will conduct a follow-up to the 2004 audit during the fiscal year 2006-2007.

Encryption

Under the terms of the MOU, the CRA and BC agree that client information transmitted electronically will be encrypted. Information is sent electronically to the CRA by BC using an encrypted secure channel as part of the Business Registration Online (BRO) process. A Threat and Risk Assessment (TRA) of BRO has been approved by the Security, Risk Management, and Internal Affairs Directorate (Finance and Administration Branch) and the Information Technology Branch. The TRA identifies potential threats, the likelihood of the threats occurring and possible consequences. Given the safeguards, such as encryption, that have been put in place in the BRO system, the TRA does not identify any residual high-risk areas.

Information is also exchanged between BC and the BNS unit at the STC using email when the province receives an error message when attempting to create an account. These e-mails meet the CRA standard for encryption.

Destruction of Information

According to the security standards applicable to the MOU, all information provided is to be returned or destroyed when it is no longer required. Account information stored electronically in the BN system is not destroyed where an account, for example, has been closed. All information remains in the BN system for an indefinite period of time. The Business Returns and Payments Processing Directorate of the Assessment and Benefit Services Branch has indicated that the retention of account information on closed BNs can facilitate debt collection and account reactivation.

The BN system generates work in process (WIP) reports that are automatically printed at the BNS unit at the STC on a daily basis. These reports are generated where the BN system has detected a possible duplicate registration. Research is completed, usually on the same day the WIP report is received, to determine whether a duplicate registration has occurred during the business registration process. Once it is determined whether a duplicate registration has occurred, the printout containing the client information is placed in a confidential waste bin for shredding.

Security Awareness

CRA administrative security standards related to the computing environment include the following:

The audit did not find any instances in which the BNS unit at the STC compromised the CRA security standards.

The On-line Audit Trail System (OATS) is used to generate records of access to taxpayer accounts in the mainframe systems for randomly selected employees. Managers are then required to certify that accesses are for work related purposes. A sample OATS report was examined for this audit to ensure all elements required by the security standard were included in the report. In addition, the team leader for the BNS unit confirmed that an OATS report had been received for all employees in the BNS unit and that there were no security issues identified.

A security awareness program is in place in the CRA and is delivered both on national and at local levels. The program promotes awareness of policies and procedures related to the protection of CRA personnel, information, and physical assets.

On a local level, at the STC, all employees that were interviewed during the audit reported that they had received security awareness training when they first joined the agency and periodically thereafter. Security issues are discussed at team meetings and employees also receive local security reminders via email.

On a national level, the Security, Risk Management, and Internal Affairs Directorate of the Finance and Administration Branch launched the electronic interactive awareness session called Protecting Agency Employees, Information, and Assets: I make it my business in February 2006 as part of security awareness week in the CRA. The session is composed of several modules. The modules cover such topics as the legislative context, personnel security screening, categorization and protection of information, reporting of security incidents, and access to personal income tax information. All employees in the BNS Unit in the STC indicated that they had recently completed the interactive session. Additionally, at regular intervals throughout the year, the Directorate sends newsletters to all CRA employees via e-mail. The newsletters cover a range of security topics including e-mail security best practices, access to CRA systems, and protecting user IDs and passwords.

Conclusion

Based on the audit work performed, it is our opinion that the CRA is in compliance with the terms and conditions of the MOU governing the use, disclosure, and security of information received from BC. There was no evidence that information was used for other than the purpose for which it was intended, or disclosed to anyone outside of the terms of the MOU. Selected security standards applicable to the safeguarding of information received have been met.

Footnotes

[Footnote 1]
The National Business Registry is the CRA's central repository of information for businesses using the BN system for federal and provincial programs.
[Footnote 2]
The document is entitled: Security Standards – CRA and Non-Federal Organizations Protection of Information With Regard To The MOU concerning: Joint Registration of Business Between the CRA and the Province of British Columbia.
[Footnote 3]
Examples of systems that are updated by the BN system are the RAPID system (Random Access Personal Information Database for T1 Personal Income Tax); GST Production; and Cortax (Corporation Income Tax).
