Follow-Up of 2006-2007 Internal Audit Reports
Final Report
Corporate Audit and Evaluation Branch
January 2010
Introduction
Internal audit professional standards require the Chief Audit Executive to establish a follow-up process to monitor and ensure that management action plans have been effectively implemented or that senior management has accepted the risk of not taking action. This report summarizes the results of the Corporate Audit and Evaluation Branch (CAEB) annual follow-up process which this year was focused on recommendations made in the 2006-2007 internal audit reports as well as any action plans outstanding from prior year audits.
CAEB's annual follow-up process is based on self-assessments by Canada Revenue Agency (CRA) management, supplemented by more in-depth procedures where warranted. CRA management is responsible for reporting progress made in implementing their action plans. For areas of high risk, CAEB requests additional supporting information or documentation to ensure an accurate conclusion is drawn. When recommendations for corrective action in a prior audit relate to areas considered being at risk, more in depth follow-up audits are included in subsequent CAEB annual business plans. The annual follow-up report is presented to the Management Audit and Evaluation Committee (MAEC) and to the Audit Committee of the Board of Management (BoM).
The follow-up process was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.
Summary of results
Covered in this year's self-assessment process were 74 management action plans resulting from seven of the 14 internal audit reports that were approved by the MAEC in 2006-2007 and 38 action plans remaining from 15 prior year audits. A listing of all of the audits and status of the action plans for each are set out in Appendix A.
Overall, there were 68 action plans that CRA management reported as implemented that were confirmed by CAEB as completed (61%) with the majority being those from the 2006-2007 audits. In addition, 31 of the remaining (28%) had satisfactory progress or were no longer relevant as actions or circumstances had overtaken the need to do further work.
The remaining 13 action plans (11%) that were not considered complete relate to three audits: Use of Legislative Enforcement Provisions (May 2006); Tax Information Exchange MOU with Revenu Québec (February 2006); and Information Exchange MOU with Human Resources Development Canada (January 2005). These outstanding action plans will be included in the scope of the next annual follow-up process. The remainder of this report summarizes the items requiring renewed management attention which are presented below in reference to the original audit.
Use of Legislative Enforcement Provisions (May 2006)
The Use of Legislative Enforcement Provisions (ULEP) audit was reported to the MAEC in May 2006 and to the BoM in June 2006. The objective of the audit was to establish whether the enforcement measures available to the CRA were appropriately applied to deter non-compliance in support of the Canada Revenue Agency (CRA) strategic goal of responsible enforcement. The overall conclusion was that the Compliance Programs Branch (CPB) needed to further improve its guidance, monitoring and research for enforcement measures.
Follow-up activity indicates that CPB has completed two of the nine action plans prepared in response to the recommendations from the audit. It has also made satisfactory progress on the action plan related to Repeated Failures to Report Income Penalties. The remaining six action plans requiring attention are identified below.
- Gross Negligence Penalties
Internal Audit (IA) recommended that the Branch monitoring process should include the requirement of specific action plans to address issues identified in program assessments and quality assurance reviews as well as timeframes for expected completion.
CPB indicated that action plans are requested from the tax services offices to address recommendations however, the action plans do not indicate timeframes for completion. The revised expected completion date for this additional requirement is December 2009.
- Requirements for Information
Two action plans relate to Requirements for Information. CPB has indicated that there is no additional progress to report at this time with respect to the recommendations for: analyzing ongoing results to ensure effective and consistent use of Requirements for Information and evaluating the use of such requirements to ensure they are used when appropriate. CPB continues to collect data and will conduct an analysis by November 2009.
- Requirements to Maintain Proper Books and Records
Two action plans relate to Requirements to maintain Proper Books and Records. There is also little progress with respect to recommendations related to: assessing the effectiveness of informal requests in improving compliance in the maintenance of adequate books and records, and the assessment of the effectiveness of requirements to maintain proper books and records.
CPB is presently undertaking an Underground Economy pilot initiative in the Atlantic Region. The Branch continues to collect data and is expected to conduct an analysis by March 2010.
- Evaluating the Effectiveness of Enforcement Measures
An assessment of the impacts of the gross negligence penalty on the future filing and reporting compliance behaviour of self-employed individuals was reported in October 2007. CPB is currently reworking the Compliance Research Agenda setting process and hopes to start using the process later in 2009. CPB has disseminated a call letter to program areas on Evaluating the Effectiveness of Enforcement Measures in August 2009 and anticipates receiving any research request related to that call letter before the end of September 2009.
Tax Information Exchange MOU with Revenu Québec (February 2006)
The Tax Information Exchange MOU with Revenu Québec (RQ) audit was reported to the MAEC in February 2006 and to the BoM in March 2006. The objective of the audit was to provide assurance to senior management that CRA is observing the general conditions governing the receipt, use, storage and return or destruction of information received from RQ and the sending of information to the latter in accordance with the MOU.
The audit concluded that managers, users and authorized persons were not sufficiently knowledgeable about the MOU, their roles and responsibilities, and related compliance requirements. Consequently, although authorized under subsection 241(4) of the Income Tax Act, there were frequent exchanges between individuals not authorized to do so under the terms of this MOU. Moreover, there were cases where the information exchanged and the frequency of distribution was not consistent with the terms of the MOU. Shortcomings were also observed in transmitting information electronically and the protection applied.
From the original 16 action plans prepared in response to the recommendations in this audit there were eight remaining that needed further follow-up this year. Satisfactory progress was made for three action plans and three action plans are directly related to the renewal of the MOU with RQ which required an order in council for signature by RQ. The order in council has now been obtained by the province and the MOU is being finalized for signature. In recognition of the lengthy renewal process and the number of stakeholders involved, the progress made in completing these is considered satisfactory.
The remaining two action plans are related to the updating of the CRA national “Policy on the Management of Protected Client Information” by Corporate Strategies and Business Development Branch (CSBDB). Progress on these action plans has not been made because the policy is still only under development, and the process is being delayed by other related initiatives, such as the renewal of procedures and guides on information agreements. Management has however indicated that the draft policy is now expected to be completed in the fall of 2009 and approved in 2010.
Information Exchange MOU with HRDC (January 2005)
The Information Exchange MOU with Human Resources Development Canada (HRDC) audit was reported to the MAEC in January 2005 and to the BoM in March 2005. The objective of the audit was to determine whether the CRA was in compliance with the terms and conditions set out in various authorized MOUs governing receipt, use, storage and destruction of information received from HRDC.
The audit concluded that revisions to the MOUs with HRDC were required to reflect the changes in the organizational structure and designated officials of both organizations in order to confirm administrative authorities and to ensure clarity of roles and responsibilities. In addition, the terms and provisions of the MOUs were to be clarified and communicated to management and staff to maximize awareness, understanding, and appropriate use in program delivery.
From the original nine action plans prepared in response to the recommendations in this audit, five are still outstanding and little progress was achieved over the past year. All of the plans are linked to the creation of an umbrella MOU which will consolidate existing ones and be more user friendly and reflect the actual structure of both organizations. Developing the umbrella MOU also involves compiling a list of exchangeable information and designated staff, creating an online tool to facilitate work for both organizations, defining recording and reporting procedures, and identifying security requirements for documents.
The establishment of Service Canada has contributed to the delays in the MOU and made the negotiations more complicated between HRDC (now Human Resources and Skills Development Canada – HRSDC) and the CSBDB. However, there has been some progress made more recently.
Meetings have been held with HRSDC and Service Canada representatives in 2009 and in June a CRA working group of program stakeholders was organized to prepare a draft umbrella MOU. The Assistant Deputy Minister of the Citizen Service Branch, Service Canada was also approached by CSBDB to identify who would have lead responsibility in the negotiations of the new umbrella MOU. A work schedule has been established by CSBDB and the umbrella MOU is now expected to be completed by the end of the 2009-2010 fiscal year.
Page details
- Date modified: