Authorized Third Party Access to Taxpayer/Registrant Information

Final Report

Corporate Audit and Evaluation Branch
April 2011

Executive summary

Background: An authorized representative is an individual or a business to whom the taxpayer has given permission to represent them in communications with the Canada Revenue Agency. Since February 2006, the Represent a Client (RAC) online service has provided registered authorized representatives with a secure, single point of access to information for multiple clients.

The Assessment and Benefit Services Branch (ABSB) has primary responsibility for third party access management, including monitoring. The Benefit Programs Directorate is responsible for the Taxpayer Representative Information System (TRIS) database and the policies and procedures for processing authorization forms for individuals. The Individual Returns Directorate (IRD) is responsible for RAC and My Account. The Business Returns Directorate is responsible for My Business Account, the Business Number System (BNS), and policies and procedures for processing authorization forms for businesses.

In 2009-2010, approximately 3.1 million authorizations were processed for representatives with respect to individual taxpayers and 900,000 authorizations for businesses. Almost 100% of these authorizations were submitted on paper. The number of electronic accesses to taxpayer information through RAC has experienced rapid growth. In 2009-2010, there were 2.1 million accesses to RAC, an increase of more than 60% over the previous year [Footnote 1].

Objective and scope: The objective of this audit was to assess whether the controls associated with authorized representatives acting on behalf of taxpayers are in place and functioning as intended. The focus was on front-end, detective, and preventive controls, including authentication, authorization, and monitoring processes for taxpayers, businesses, and authorized representatives.

The examination phase of this audit took place from October 2009 to April 2010. This audit was conducted in the ABSB, Taxpayer Services and Debt Management Branch, Compliance Programs Branch, and selected tax centres and tax services offices.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion: Overall, controls over the authorization process are in place and working to ensure that authorization information is entered accurately into the TRIS and BNS databases and in compliance with procedures.

Roles and responsibilities for authorized representation were understood within ABSB. However, roles and responsibilities for monitoring authorized representatives were not clear and a risk assessment specific to authorized representation was not evident. An agency-wide risk assessment specific to authorized representation should be completed to ensure risks are identified, assigned, and monitored.

To mitigate the risk of inappropriate activities, authentication controls should be strengthened PROTECTED. The monitoring framework should be enhanced in terms of clearly defined roles and responsibilities, proactive identification, and response to risks associated with authorized representation.

Action Plan: The ABSB agrees with the recommendations and has committed in their action plans to addressing the issues identified in the audit, including:

Introduction

An authorized representative is an individual or a business to whom the taxpayer has given permission to represent them in communications with the Canada Revenue Agency (CRA). An authorized representative can be a family member, a friend, a tax professional, or a business. In accordance with section 241 of the Income Tax Act and section 295 of the Excise Tax Act, confidential taxpayer information must be protected and disclosed only to authorized persons. Before disclosing or changing taxpayer information at the request of a third party, CRA employees are responsible for ensuring that the request has been made by an authorized representative.

The nature and scope of information to which representatives have access is governed by levels of authorization granted by the taxpayer. An authorized representative may be granted level 1 or level 2 access. Level 1 allows the CRA to disclose taxpayer information to the representative. Level 2 includes privileges under level 1 and also allows the representative to request changes to taxpayer information such as adjusting the reported income, deductions, or tax credits. An authorized representative is not allowed to change a taxpayer's name, address, marital status, or direct deposit information.

Authorized representatives are either registered or non-registered. Both types have access to taxpayer information over the phone, through written correspondence and in person. Registered authorized representatives also have online access to taxpayer information.

Since February 2006, the Represent a Client (RAC) online service has provided registered authorized representatives with a secure, single point of access to information for multiple clients. To view confidential information online, the representative must first be authorized by the taxpayer through My Account, My Business Account, or by completing an Authorizing or Cancelling a Representative form (T1013) or a Business Consent form (RC59).

A taxpayer can authorize their electronic filer (efiler) for unregistered level 2 access by completing Part E of the form Information Return for Electronic Filing of an Individual's Income Tax and Benefit Return (T183). This authorization is valid only for the year of the income tax return.

Information on authorized representatives for individuals is kept in the Taxpayer Representative Identification System (TRIS). Information on authorized representatives for businesses is kept in the Business Number System (BNS).

The Assessment and Benefit Services Branch (ABSB) has primary responsibility for third party access management, including monitoring. The Benefit Programs Directorate (BPD) is responsible for the TRIS database and the policies and procedures for processing the T1013 form. The Individual Returns Directorate (IRD) is responsible for RAC and My Account. The Business Returns Directorate (BRD) is responsible for My Business Account, the BNS, and policies and procedures for processing the RC59 form.

The Taxpayer Services and Debt Management Branch (TSDMB) is responsible for the development and application of national policies and procedures for Taxpayer Services Call Centres including confidentiality procedures to authenticate taxpayers, business owners, and their authorized representatives.

IRD currently leads the Special Assessment Working Group (SAWG) which identifies suspicious activities and trends on personal income tax returns with the purpose of enhancing front-end controls. The Compliance Programs Branch (CPB) plays a key role in SAWG.

In 2009-2010, approximately 3.1 million authorizations were processed for representatives with respect to individual taxpayers and 900,000 authorizations for businesses. Almost 100% of these authorizations were submitted on paper. The number of electronic accesses to taxpayer information through RAC has experienced rapid growth. In 2009-2010, there were 2.1 million accesses to RAC, an increase of more than 60% over the previous year [Footnote 2].

Scope of the Audit

The objective of this audit was to assess whether the controls associated with authorized representatives acting on behalf of taxpayers were in place and functioning as intended. The focus was on front-end, detective, and preventive controls, including authentication, authorization, and monitoring processes for taxpayers, businesses, and authorized representatives.

The examination phase of this audit took place from October 2009 to April 2010. This audit was conducted in the ABSB, TSDMB, CPB and selected tax centres (TCs) and tax services offices.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings, Recommendations and Action Plans

1.0 Program management

All functions in the CRA which are in contact with taxpayers and their authorized representatives have a stake in authorized representation. Consequently, changes to authorized representation processes and procedures should be implemented based on due consideration of the impact that these changes may have on the operations of other functions in the CRA.

Information stored on CRA databases is used by CRA employees to authenticate clients and authorized representatives, and used to allow access to electronic services such as My Account. Consequently, the information contained in those databases should be accurate and entered in accordance with CRA procedures.

Within ABSB, BPD, BRD, and IRD have a direct stake in authorized representation. They should be clear about their governance and risk management roles and responsibilities to mitigate the risk of inconsistencies.

1.1 Roles and responsibilities

ABSB has primary responsibility for third party access management. Roles and responsibilities for authorized representation were reviewed and interviews with stakeholders in BPD, IRD, and BRD confirmed a general understanding of their responsibilities. However, roles and responsibilities for monitoring authorized representatives were not clear (see section 3.2).

Risk assessments were reviewed to determine whether risks relevant to authorized representation had been identified by the Agency and were being monitored. A comprehensive risk assessment involving key stakeholders to assess operational risks relevant to authorized representation was not evident. Six risks relevant to authorized representation were identified during branch and directorate risk assessments, but action plans to mitigate those risks were not evident. The risk assessment carried out for RAC (2004) during the project phase identified 35 risks but had not been updated to address ongoing operational risks (e.g. identity theft, misuse of taxpayer information). Without a comprehensive risk assessment of authorized representation involving input from all stakeholders, critical operational risks may not be identified, assigned, and monitored.

Recommendations

  1. The Agency should complete a formal risk assessment of operational risks associated with authorized representation and potential misuse of taxpayer information.
  2. ABSB, in conjunction with stakeholders, should develop mitigating strategies to address the results of the risk assessment.

Action plan

  1. In January 2011, ABSB will initiate a formal comprehensive risk assessment associated with authorized representation and provide a Recommendation Report by December 2011.
  2. Through significant annual investments, the ABSB has been developing and enhancing its services for the approximately 4 million registered third party representatives. The Branch will establish a cross-functional, director-level steering committee in January 2011 that will provide oversight for developing strategies and solutions for services offered to authorized representatives. This committee will guide the ABSB in determining clear roles and responsibilities surrounding authorized representatives and ensure program areas are delivering services in a consistent manner. In addition, the committee will oversee the risk assessment and ensure resulting recommendations are actioned, as necessary.

1.2 Policies and procedures

Policies and procedures for processing authorizations and providing information to authorized representatives had been defined and communicated. BPD's Quality Assurance (QA) Project provided assurance that policies and procedures were followed for the T1013 workload. For the RC59 process, policies and procedures were documented and communicated.

2.0 Reliability and protection of information

In accordance with section 241 of the Income Tax Act and section 295 of the Excise Tax Act, the provision of and access to taxpayer information are restricted to those who are duly authorized. To meet these requirements, representative registration and authorization processes should be in place to ensure that authorized third party information in CRA systems is accurate. Authentication requirements should be in place for taxpayers and representatives when they contact the Agency to obtain or change taxpayer information. In addition, the responsibilities of taxpayers and authorized representatives should be communicated by the CRA to support the protection of taxpayer information.

2.1 Accuracy of information

The accuracy of individual authorization forms (T1013) data entered into the TRIS is monitored through the QA Project. The 2009-2010 reports indicated that the BPD's accuracy standard of 98% for T1013s had been met.

A random sample of business authorization forms (RC59) for three TCs confirmed an acceptable accuracy rate of 92%. At the time of the audit, BRD was developing a QA program for BNS workloads (including business authorization forms) to be implemented by April 1, 2011.

2.2 Authentication controls

Taxpayers and representatives contact the CRA through various service channels: in-person, paper, telephone, and electronic. A review of the controls used to authenticate taxpayers and representatives was done for each channel.

Controls were in place to address situations where there had been suspicious activities on the taxpayer's account. PROTECTED. Enhanced confidentiality measures may be used to authenticate the taxpayer. PROTECTED.

Opportunities exist to strengthen authentication controls PROTECTED to mitigate the risk of unauthorized access. PROTECTED.

Recommendation

ABSB should strengthen the authentication controls PROTECTED to mitigate the risk of inappropriate activities.

Action plan

As noted in Section 1.0 of the action plan in this report, the ABSB is undertaking a risk assessment and based on analysis and recommendations will modify its controls PROTECTED as necessary.

2.3 Responsibilities of taxpayers and authorized representatives

CRA communication products and website were examined to assess whether communications addressed responsibilities and risks with regard to authorized representation. Effective communications contribute to minimizing risks for the taxpayer.

Roles and responsibilities of authorized representatives who are not efilers had not been defined. For efilers, responsibilities and information on what constitutes unacceptable behaviour were on the CRA Internet website. Efiler activities were monitored to ensure compliance and privileges could be suspended following inappropriate activities. PROTECTED.

Recommendation

Responsibilities for authorized representation should be defined by ABSB and communicated to all stakeholders.

Action plan

ABSB will better define and clearly communicate the responsibilities for authorized representation through its informational Web pages by February 2011. Paper and electronic forms will be modified in accordance with their publishing cycles in preparation for the 2012 filing season.

3.0 Compliance measures

A comprehensive monitoring framework for authorized representation should be in place to mitigate the risk of inappropriate and fraudulent activity such as identity theft by authorized representatives. Early warning indicators should be included in the monitoring activities.

3.1 Controls preventing and detecting unauthorized access and misuse of taxpayer information

The CRA has many preventive and detective controls in place to identify or block suspicious transactions. A number of these controls address situations where the identity of the taxpayer is in question. PROTECTED.

Increased awareness about identity theft has led to the creation of the SAWG. This network, with representation from eight branches, has the mandate to coordinate the identification, reporting, and actions taken to address suspicious and fraudulent activity. The SAWG has been successful in addressing some control gaps. In 2009, SAWG activities prevented an estimated $9.8 million in unwarranted refunds [Footnote 3]. SAWG has developed a database to document cases of suspected identity theft; however, this database has not been used in the analysis of authorized representatives' involvement in suspicious activities.

3.2 Monitoring framework to ensure preventive and detective controls are responsive to current and emerging risks

A coordinated effort to collect and analyze information about unauthorized access was not evident. For example, letters of intent are sent to the taxpayer when an authorization form is received requesting online access for a representative. This provides the taxpayer with an opportunity to contact and alert the CRA if the authorization request is not valid. Data regarding intent letters that lead to the removal of authorization privileges was not collected and analyzed for trends and patterns.

The lack of a coordinated effort may be attributed to unclear roles and responsibilities for monitoring authorized representatives. With the exception of efilers who are also representatives, the monitoring framework in place did not include assessing and mitigating the risks of authorized representation. Monitoring activities specific to suspicious activities by authorized representatives were not evident.

Representatives who are efilers are monitored through the Efiler Suitability Screening and Monitoring Program. Applicants to the efiling program must first register and pass suitability screening criteria. Responsibilities of efilers are outlined on the CRA website, and once an applicant is set up as an efiler, periodic monitoring activities take place to ensure the efiler remains compliant. Non-compliance can eventually result in a suspension of efiling privileges and/or of representation privileges that were granted through a T183 form.

Recommendation

  1. ABSB should enhance the monitoring framework to identify, track and monitor identified risks associated with authorized representation.
  2. Roles and responsibilities for monitoring authorized representatives should be clarified and assigned by ABSB.

Action plan

  1. ABSB is committed to implementing the recommendations that will result from the risk assessment and will strengthen the monitoring framework accordingly. Enhancements will be developed under the direction of the Authorized Representatives Steering Committee.
  2. Roles and responsibilities for monitoring will be clarified under the oversight of the Authorized Representatives Steering Committee for the 2011 program and further enhanced pursuant to the recommendations of the risk assessment. Periodic sampling will continue through 2011.

Conclusion

Overall, controls over the authorization process are in place and working to ensure that authorization information is entered accurately into the TRIS and BNS databases and in compliance with procedures.

Roles and responsibilities for authorized representation were understood within ABSB. However, roles and responsibilities for monitoring authorized representatives were not clear and a risk assessment specific to authorized representation was not evident. An agency-wide risk assessment specific to authorized representation should be completed to ensure risks are identified, assigned, and monitored.

To mitigate the risk of inappropriate activities, authentication controls should be strengthened PROTECTED. The monitoring framework should be enhanced in terms of clearly defined roles and responsibilities, proactive identification, and response to risks associated with authorized representation.
