Follow-Up of 2004-2005 Internal Audit Reports

Corporate Audit and Evaluation Branch
January 2008


Introduction

This report summarizes the results of the annual follow-up process on findings and recommendations made by the Corporate Audit and Evaluation Branch (CAEB) through Internal Audits.

Internal audit professional standards require the Internal Audit (IA) function to perform follow-up activities to determine if management action plans have been implemented and if they have been effective in addressing the identified issues.

CAEB's annual follow-up process is based on self-assessment by Canada Revenue Agency (CRA) management, supplemented by more in-depth procedures where warranted. For all action plans, CRA management is responsible for reporting the progress made in implementing their action plans. In areas of greatest risk, CAEB requests additional supporting information or documentation to ensure an accurate conclusion is drawn. The annual follow-up report is presented to the Internal Audit Management Committee (IAMC) and to the Audit Committee of the Board of Management (BoM).

This year's process encompassed the action plans from the 25 internal audit reports approved by the IAMC in 2004-2005, action plans that had not been fully implemented in 4 reports from prior years, and the results of the in depth follow-up that was conducted in 2007 on the multi-regional audit of the GST/HST credit returns prepayment program.

In total, 5 out of the 25 internal audit reports approved in 2004-2005 were identified as requiring in depth follow-up by CAEB. The more detailed work on these five includes:

  • Risk Management in the Underground Economy Initiative (Atlantic Region):
    A national underground economy audit is currently under way which includes issues raised in the 2005 report;
  • Acquisition Cards Prairie Region:
    A national audit of E-Procurement activities is currently under way;
  • Informatics Technology Continuity (ITC) Planning:
    An ITC planning follow-up audit is planned and will include issues raised in the 2004 report;
  • Information Technology (IT) Security 5 Year Review and Follow-Up:
    An IT security follow-up audit is currently under way, which covers issues raised in the 2004 report; and
  • ·National Audit of Contracting Processes:
    A full follow-up audit of the contracting processes was conducted in 2006.

The follow-up process was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Summary of Results

Overall, CRA management have implemented the action plans committed to in 2004-2005 or made progress towards implementing them. In total, 95% of action plans (172 of 182 as detailed in Appendix A) approved by the IAMC throughout 2004-2005 have made satisfactory progress, have been implemented, or actions/circumstances have overtaken the need to do further work.

Those audits with higher risk action plans and/or those requiring attention are summarized below.

Information Exchange Agreement Audit – (Agency Wide – October 2002)

The Information Exchange Agreement Audit was reported to the IAMC in October 2002 and to the Audit Committee of the BoM in December 2002.

The objective of the 2002 audit was to determine whether the CRA was using, protecting and destroying confidential client information received from various provincial and federal organizations with which it had information exchange agreements in a manner that was consistent with the terms and conditions contained in those agreements. The audit concluded that while no major weaknesses in the existing control framework were identified it was apparent from the audit that certain controls needed to be enhanced.

The fall 2007 follow-up activity indicated that Corporate Strategies and Business Development Branch (CSBDB) continues to take action on the two remaining action plans within their responsibility.

The first of these remaining action plans dealt with more fully engaging Security Services in regular monitoring of information received under memorandums of understanding (MOUs) and to help ensure policies and procedures are followed more consistently. The Security, Risk Management and Internal Affairs Directorate (SRMIAD) completed a review of the compliance and monitoring exercise launched in 2003-2004 to assess the degree to which physical security policies included information security. The revised document includes specific elements pertaining to MOUs where CRA is in receipt of information from a third party.

SRMIAD undertook a pilot project in 2007 to test the proposed monitoring approach. The Directorate also met with the Client Relations Directorate in December 2007 to discuss their involvement in the site visits. These actions are consistent with the timeline identified in the revised action plan tabled at IAMC in March 2007.

The second remaining action plan dealt with defining reporting requirements for information received under MOUs. Some delays are being experienced in this regard, as CSBDB continues to define reporting needs and work with Information Technology Branch (ITB) to build a database. A project charter for the development of the National Information Exchange Register (NIER) was drafted and approved in June 2007. The High-Level Business Requirements have also been developed and the NIER is expected to be operational in March 2008.

External Recruitment Audit (February 2004)

The External Recruitment Audit was reported to the IAMC in February 2004 and to the Audit Committee of the BoM in March 2004.

The objective of the audit was to assess the effectiveness of the new staffing process for external recruitment and compliance with the staffing principles. The audit was also to identify best practices and opportunities for improvement to the delivery of external recruitment activities.

The audit concluded that the new staffing process for external recruitment was adequate, however, effectiveness could be enhanced with improvements to the management framework by establishing and reporting on measurable goals and objectives, clarifying roles and responsibilities, setting appropriate client service standards and ensuring that resources are properly allocated to support external recruitment activities.

Other opportunities for improvement included closer alignment of human resources planning with business planning, corporate initiatives and budgeting. There was also a requirement to upgrade and maintain the technology and systems supporting external recruitment activities.

Follow-up activity conducted in November 2006, and reported in March 2007, established that 14 recommendations and action plans from the original audit report were addressed and that 9 action plans remained outstanding.

Based on the November 2007 follow up, Human Resources Branch (HRB) has completed two of the nine outstanding action plans and six show satisfactory progress to date. However, HR planning is still in the development stage with no evidence of deliverables completed at this time.

HR planning is now part of the Agency Workforce Plan and is under development with collaboration from regions and branches. HRB's intention is to create an integrated HR Plan that will provide an overview of Agency business transformation and related HR connections. The projected timeframe for the Plan is March 2008.

Workforce planning remains a risk, as no comprehensive plan exists linking corporate business and HR resourcing objectives. Only some components, such as official languages and employment equity, are integrated into HR planning at this time.

 

Information Exchange MOU with HRDC (January 2005)

The Information Exchange MOU with Human Resources Development Canada (HRDC) audit was reported to the IAMC in January 2005 and to Audit Committee of the BoM in March 2005.

The objective of the audit was to determine whether the CRA was in compliance with the terms and conditions governing receipt, use, storage and destruction of information received from HRDC, in accordance with the authorized MOUs and General Amendment thereto.

The audit concluded that revisions to the MOUs with HRDC were required to reflect the changes to the organizational structure and designated officials of both organizations in order to confirm administrative authorities and to ensure clarity of roles and responsibilities. In addition, the terms and provisions of the MOUs were to be clarified and communicated to management and staff to maximize awareness, understanding, and appropriate use in program delivery.

Follow-up activity indicates that CSBDB encountered delays in re-negotiating the four MOUs with Human Resources and Social Development Canada (HRSDC), mainly as a result of the numerous organizational and personnel changes within HRSDC. Satisfactory action was taken concerning the task of increasing awareness at the branch and regional levels. CSBDB has committed to re-focusing work with HRSDC in fall 2007 to negotiate a new comprehensive MOU that would be user friendly, reflect the actual structure of both organizations, clarify which information can be exchanged and communication channels, detail the recording and reporting requirements, and establish security requirements.

Review of the Management of Accounts Receivable (January 2005)

The Review of the Management of Accounts Receivable Audit (AR) was reported to the IAMC in January 2005 and to the Audit Committee of the BoM in March 2005.

The objective of the audit was to identify factors influencing the growth in AR, to provide assurance that the accounts are managed effectively and to identify potential opportunities for improvement. In addition, relevant recommendations and action plans from the internal audit of the Statistical Tracking Analysis and Reporting System (STARS) of June 2001 were also included in the scope.

The audit concluded that the growth in AR had been influenced by factors both external and internal to CRA. The report also contained a number of recommendations to help CRA better manage taxpayer debts. In particular, enhancements to the risk scoring, reporting and performance systems were planned to provide the more robust analytical capacity to the Accounts Receivable Division (ARD).

Follow-up activity indicates that 6 of 11 action plans developed in response to the audit have been fully implemented, and those remaining show acceptable progress. The Integrated Revenue Collections (IRC) responds to a number of the action plans in progress. Given that the IRC system changes are planned for phased implementation starting in 2009, these action plans will be met over the next several years as the IRC phases are implemented.

TSDMB is making progress through a combination of incremental changes that require significant new systems functionality. These changes develop over years and Internal Audit will track progress through follow-up audit work as described below. This will help ensure the risks identified in our 2001 and 2005 reports are addressed.

Given the inherent risk of large IT projects and the centrality of IRC to addressing key Debt Management challenges, the Corporate Audit and Evaluation Branch has two current engagements in this area. The Evaluation Division is supporting ARD in building a logic model and evaluation framework to better guide the IRC project. The Internal Audit Division is conducting a pre-implementation audit of the IRC project.

GST/HST Credit Returns Prepayment Program Audit (April 2002) – In Depth Follow-up (September 2007)

As part of the 2006-2009 IA planning exercise, Compliance Programs Branch (CPB) and IA agreed that due to ongoing risk associated with the program, an in-depth follow-up should be carried out on the GST/HST Credit Return Prepayment Program.

Significant progress has been made in implementing the action plans outlined in the original report, however one audit recommendation has not yet been fully addressed.

The recommendation was to create a link between the GST Registration and audit functions, which would increase the Agency's ability to identify fraudulent registrants. GST/HST Enhanced Registration Review (GERR), Audit Registration Review Officers (ARRO), and High Risk Audit Team (HRAT) units were set up to identify medium/high risk registrants with the GST/HST Credit Returns Prepayment audit program responsible for monitoring medium risks identified by the ARRO units.

The follow-up work established that enhanced coordination between the ARRO units and the audit function was required. The follow-up also identified a need for greater management attention and support in the areas of policy, procedures, reporting, analysis and monitoring.

The Program Evaluation Division, Corporate Audit and Evaluation Branch (CAEB), is currently evaluating the GERR/ARRO/HRAT initiatives as part of an evaluation study of GST/HST Registration Compliance. Internal Audit's findings with respect to the GERR/ARRO/HRAT initiatives, and GST/HST Prepayment's responsibilities in supporting them, are similar to those established by Program Evaluation. The evaluation will be reported in early 2008 and will include specific recommendations and action plans to address these issues.

Conclusion

Overall, CRA management implements their action plans in a timely manner. Those categorized as having made satisfactory progress, as having been implemented, or where actions/circumstances have overtaken the need to do so account for 95% of the action plans included in this report. Six of the outstanding action plans are reliant on negotiations with another department, which contributes to the complexity of implementation of those plans.

All of the above noted outstanding action plans will be included in the scope of the next annual follow-up.

Appendix A

Office of Primary Interest (OPI) Audit Title Number of Action Plans Complete Low Risk or No Longer Relevant / Applicable Satisfactory Progress Requires Attention
Prior to 2004-2005 Still Being Monitored 2004-2005

CPB

Electronic Commerce (Nov 2002)

1

 

1

     

CPB

Small and Medium Enterprises

(Dec 2002)

1

     

1

 

HRB

External Recruitment (Feb 2004)

9

 

2

 

6

1

CSBDB F&A

Information Exchange Agreement

(Oct 2002)

3

 

1

   

2

CPB

Follow-up of the Internal Audit of the 2002 Multi-Regional Audit of the GST/HST Credit Returns Prepayment Program (Sept 2007)

7

 

6

   

1

CSBDB

Information Exchange Memoranda of Understanding with HRDC (Jan 2005)

 

9

1

2

 

6

TSDMB

Review of the Management of Accounts Receivable (Jan 2005)

 

11

5

1

5

 

CSBDB F&A Atlantic ITB

Controls over Confidentiality of Client Information (Dec 2004)

 

27

23

 

4

 

Québec

Remote Management (Dec 2004)

 

10

10

     

Québec

Long Term Leave Management Audit (Dec 2004)

 

8

8

     

CPB

Voluntary Disclosures Program

(Dec 2004)

 

11

7

 

4

 

CSBDB & ABSB

Information received from the Province of PEI (Dec 2004) [Footnote 1]

 

0

       

CSBDB

Information Exchange Memoranda of Understanding with the RCMP

(May 2004)1

 

0

       

F&A

Cash management Tax Follow-Up

(Sept 2004)[Footnote 2]

 

0

       

HRB

Occupational Health & Safety

(Sept 2004)

 

18

11

 

7

 

CPB

Leads Management and Workload Development (Jun 2004)

 

3

2

 

1

 

ABSB Winnipeg Pacific

T1 Reassessment Reversals (Jun 2004)

 

9

8

 

1

 

F&A

Sustainable Development (May 2004)

 

11

11

     

F&A Ontario

Non-Capital Asset Management

(May 2004)

 

7

3

1

3

 

Atlantic

Regional Strategic Priorities (May 2004)

 

4

3

1

   

CPB

Internal Audit of Investigations Directorate (Apr 2004)

 

3

3

     

ITB Atlantic

Information Technology Management Framework (Apr 2004)

 

20

15

 

5

 

CSBDB ABSB TSDMB

Partnership with the Nova Scotia Worker's Compensation Board

(Apr 2004)

 

4

4

     

Pacific

Surrey Tax Centre Business Returns Division Management Framework

(Apr 2004)

 

6

6

     

F&A

2002-2003 Selected Fiscal Year-End Procedures Audit (Apr 2004)[Footnote 3]

 

0

       
 

TOTALS

21

161

130

5

37

10

Office of Primary Interest (OPI) Legend

Appeals Appeals Branch
ABSB Assessment and Benefit Services Branch
TSDMB Taxpayer Services and Debt Management Branch
CPB Compliance Programs Branch
LPRAB Legislative Policy and Regulatory Affairs Branch
CSBDB Corporate Strategies and Business Development Branch
PAB Public Affairs Branch
ITB Information Technology Branch
CAEB Corporate Audit and Evaluation Branch
F&A Finance and Administration Branch
HRB Human Resources Branch
Atlantic Atlantic Region
Québec Québec Region
Ontario Ontario Region
Prairie Prairie Region
Pacific Pacific Region


Footnotes

[Footnote 1]
There were no action plans to follow-up on.
[Footnote 2]
Internal Audit has reported on this area twice and no further reporting is required. This was a follow-up of the Internal Audit on Cash Management of Income Tax Revenues from December 2000. Additionally, outstanding issues were reported as low risk or no longer relevant/applicable in CAEB's 2005-2006 annual follow-up process.
[Footnote 3]
Annual audits are performed and capture any outstanding issues.
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: