Memorandum Of Understanding with Respect to the Exchange of Information relating to Ontario Corporations in Support of the Administration of Corporate Taxes

Final Report

Corporate Audit and Evaluation Branch
January 2011


Executive Summary

Background

The Canada Revenue Agency (CRA) enters into Memoranda of Understanding (MOU) to improve efficiency and effectiveness in program delivery using data and information sharing agreements with other federal government departments, provinces, and territories. The CRA ensures that these information sharing agreements contain the language necessary to make both parties aware of and respect legal and policy requirements related to the use and security of the exchanged information. In order to ensure the appropriate controls are in place regarding the use and security of the information, the MOU contains a clause requiring an internal audit to be conducted by both parties.

This MOU relates to the identification and registration of Ontario corporations in support of the administration by the CRA of corporate taxes in relation to the Corporate Tax Administration for Ontario/Corporate Tax Administration Redesign (CTAO/CTAR) initiative. The information is exchanged with the Ministry of Government Services of Ontario electronically using File Transfer Protocol (FTP), and approximately 90% of the accounts are automatically updated on CRA systems. The remaining 10% of the transactions are updated manually by the Business Number Services team (BNS) located in the Sudbury Taxation Centre (TC). The electronic transmission and automatic updating of the systems eliminate the risks associated with other methods of information transfer such as mail, courier, fax, and email.

Objective

The objective of the audit was to provide assurance that the CRA is in compliance with the terms and conditions governing the use, disclosure, retention, and disposal of the information provided by the Ministry of Government Services (MGS) of Ontario as set out in the MOU.

The audit was conducted from March 2010 to August 2010 in the Assessment and Benefit Services, Corporate Strategies and Business Development, Information Technology, and Finance and Administration Branches, as all have areas of responsibilities relating to the governance of the use, disclosure, retention, and disposal of the information provided by MGS.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion

The CRA is in compliance with the terms and conditions governing the use, disclosure, retention, and disposal of the information provided by MGS as set out in the MOU. Interviews and document analysis results indicate that overall policies and procedures are in place to ensure compliance with the terms of the MOU, including those regarding the use and security of the exchanged information. A few areas for improvement were noted and Management has responded with the appropriate corrective action.

Introduction

The Canada Revenue Agency (CRA) enters into Memoranda of Understanding (MOU) and other written agreements with federal, provincial and territorial departments and agencies to improve efficiency and effectiveness in program delivery. As part of the CRA’s objective to ensure greater compliance, the CRA works closely with partners to improve data and information sharing arrangements[Footnote 1].

The Memorandum of Understanding with Respect to the Exchange of Information Relating to Ontario Corporations in Support of the Administration of Corporate Taxes became effective October 17, 2007. The purpose of this MOU is to establish the administrative framework that will govern the relationship between the CRA and Ontario with respect to the exchange of information relating to the identification and registration of Ontario corporations. This is in support of the administration by the CRA of corporate taxes in relation to the Corporate Tax Administration for Ontario / Corporate Tax Administration Redesign (CTAO/CTAR) initiative.

In accordance with this MOU, the Ministry of Government Services (MGS) provides information related to various corporate registry activities, such as newly incorporated businesses and corporate amalgamations, to the CRA on a daily basis. In response, the CRA provides an electronic file containing any newly created business numbers to the MGS the day following the receipt of the information.

The information exchanged under this MOU is transmitted electronically using the File Transfer Protocol (FTP), and the Business Number (BN) system is updated automatically; as a result, there is no manual intervention for approximately 90% of the transactions. The remaining 10% of the transactions result in exception reports, which are used by the Business Number Services Team (BNS) in Sudbury TC to update the BN system. The use of the FTP to electronically transfer the information and the software in place to automatically update the BN system eliminate the risks associated with other methods of information exchange such as mail, fax, email and courier.

In order to ensure the legal and policy requirements related to the use and security of the exchanged information are respected by both parties, the MOU includes a reciprocal internal audit clause requiring audits to be conducted on the use and security of the information exchanged.

Focus of the Audit

The objective of the audit was to provide assurance that the CRA is in compliance with the terms and conditions governing the use, disclosure, retention, and disposal of the information provided by MGS as set out in the MOU.

This audit focused on the exchange of information relating to Ontario corporations in support of the administration of corporate taxes through an MOU with the province of Ontario as represented by the MGS. The scope included the compliance of the CRA with the terms and conditions contained in the MOU regarding the security of the information received from Ontario and adherence to the specified security standards and procedures.

The audit was conducted from March 2010 to August 2010 in the Assessment and Benefit Services (ABSB), Corporate Strategies and Business Development (CSBDB), Information Technology (ITB), and Finance and Administration (F&A) Branches.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings

1.0 Use of information is in compliance with the MOU and the CRA legislation, policies, and procedures

The MOU enables the CRA “to collect taxes payable under the Taxation Act, 2007 or the Corporations Tax Act or other provincial and federal legislations that impose taxes payable by corporations[Footnote 2].” In this regard, the information supplied by the Ontario government can only be used to administer these legislations including the Income Tax Act (ITA) and the Excise Tax Act (ETA).

Information gathered through interviews and audit tests confirms that the information sent by the MGS is used to update the Agency’s BN system, which the CRA uses to administer the ITA and the ETA. The CRA is in compliance with the terms of the MOU with regard to the use of the information received from Ontario.

2.0 Security and safeguarding of the information

Overall, controls are in place and working as intended to secure and safeguard exchanged information. The information received from and sent to MGS electronically is protected with CRA approved encryption software. The servers and the automated process that update the BN system are monitored by the ITB. Exception reports are stored within a security zone to minimize the risk of loss.

Exception reports are printed and used by the BNS team in the Sudbury TC to update the BN system. Currently, these reports do not have any labelling as required by the Finance and Administration Manual (FAM) security policy to indicate that they are Protected B information; however, this represents minimal risk of mishandling the reports due to the BNS team’s understanding of the policy and procedures related to information security. In addition, the responsibilities of the former manager and the new manager with regard to the granting and deleting of access privileges for new and departing BNS team members are not clearly defined in the FAM. ABSB has implemented a strategy to address the observations with regard to the exception reports and employee access privileges.

A comparison of the security procedures as detailed in the MOU and the FAM indicated that the reporting procedures for security incidents were not consistent. The MOU indicates that any incident involving the information provided under this MOU must be verbally reported immediately to the Director General (DG), Security, Risk Management and Internal Affairs Directorate (SRMIAD), currently known as Security and Internal Affairs Directorate. This report should be followed by a written report as soon as possible to the DG of SRMIAD and the Senior Manager, Technical Operations of the Companies and Personal Property Security Branch within the Ministry of Government Services. The CRA policy indicates that the DG is contacted after the Director of the TSO or TC where the security incident takes place makes the determination to contact the affected taxpayer(s). There is a risk that CRA would not be in compliance with the MOU requirements in the event of a security incident involving information provided by MGS. CSBDB is currently in consultation with F&A to clarify the security reporting procedure.

Conclusion

Memoranda of Understanding and other information sharing agreements play an important role in CRA’s objective to improve efficiency and effectiveness in program delivery. To this end, the CRA works closely with other federal government departments, provinces, and territories to improve data and information sharing arrangements. In order to ensure the appropriate controls are in place regarding the use and security of the information, the MOU contains a clause requiring an internal audit to be conducted by both parties.

The CRA is in compliance with the terms and conditions governing the use, disclosure, retention, and disposal of the information provided by the MGS as set out in the MOU. Interviews and document analysis results indicate that overall policies and procedures are in place to ensure compliance with the terms of the MOU, including those regarding the use and security of the exchanged information. A few areas for improvement were noted and Management has responded with the appropriate corrective action.

