Memorandum of Understanding for the Provision of Protected Information with the Canada Border Services Agency

Final Report

Corporate Audit and Evaluation Branch
October 2011


Executive Summary

Background: The Canada Revenue Agency (CRA) [Footnote 1] enters into Memoranda of Understanding (MOUs) and other written agreements with various federal, provincial and territorial departments and agencies to improve efficiency and effectiveness in program delivery.

Where there is an exchange of sensitive information with these entities, the CRA ensures that the MOUs contain the language necessary to make both parties aware of and respect legal and policy requirements related to the use and security of the exchanged information. In order to ensure that these provisions are respected by both parties, the MOUs include a clause requiring that internal audits be conducted on the use and security of the information provided.

This audit focused on protected information received by the CRA under the Memorandum of Understanding for the Provision of Protected Information between the Canada Revenue Agency and the Canada Border Services Agency (CBSA) signed on June 19, 2007.

Objective: The objective of this audit was to determine the extent to which the CRA was in compliance with the conditions governing the use, disclosure, security, storage, and disposal of protected information provided by the CBSA under the MOU.

Conclusion: For the most part, the CRA complies with the conditions governing the use, disclosure, storage, and disposal of information provided by the CBSA. However, improvements should be made in order to define the roles and responsibilities stated in certain appendices of the MOU. In addition, the requirements to maintain and record the information received from the CBSA should be defined, Annex D of the MOU should be revised in order to reflect the needs of stakeholders, and access to CBSA computer systems should be monitored.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Audit.

Action Plans: The Strategy and Integration Branch and the Finance and Administration Branch have prepared action plans to address the findings.

Introduction

In accordance with a Memorandum of Understanding (MOU) [Footnote 2] signed on June 19, 2007 with the Canada Border Services Agency (CBSA), the Canada Revenue Agency (CRA) can request various types of information on individuals or businesses, importers and exporters, customs brokers, carriers and warehouses. This information may include goods imported or exported, product analysis, licensing, amounts owed by CBSA clients, and appeals or adjudication decisions. Annex D of the MOU describes the information, use, procedures and frequency of exchanges, as well as the representatives authorized to communicate between both organizations.

The two branches that are involved in the majority of information requests are the Taxpayer Services and Debt Management Branch (TSDMB) and the Legislative Policy and Regulatory Affairs Branch (LPRAB). Together, these branches are authorized to request 19 of the 22 types of information in Annex D of the MOU.

When the CBSA was created in 2003, the collection duties for which the Canada Customs and Revenue Agency was responsible remained tasks to be carried out by the CRA by delegation from the Minister of National Revenue. The CRA is responsible for collecting all outstanding debts on behalf of the CBSA, such as expenses, charges, taxes, penalties or all other amounts owed in accordance with the various legislation and regulations administered by the CBSA. To do this, the Accounts Receivable Directorate of TSDMB and revenue collection divisions within certain tax services offices (TSOs) receive information from the CBSA.

The Excise Duties and Taxes Division of LPRAB is mainly responsible for interpreting and administering, among others, the Excise Act, 2001, the Excise Act, the Excise Tax Act and the Importation of Intoxicating Liquors Act for alcohol and tobacco products. This Division and its regional offices receive information from the CBSA for the administration of the excise duty program.

Focus of the audit

The objective of this internal audit was to determine whether the CRA was in compliance with the conditions governing the use, disclosure, storage, and disposal of information provided by the CBSA.

The examination phase of the audit was carried out from January 2011 to April 2011. Interviews and key documentation reviews were conducted in the Ontario and Quebec regions. Interviews were also conducted with managers and employees from TSDMB, LPRAB, the Compliance Programs Branch (CPB), the Finance and Administration Branch, as well as local and regional offices of the Information Technology Branch (ITB).

Findings, recommendations and action plans

1.0 Use and communication of information

1.1 Roles and responsibilities for the use and communication of information received from the CBSA are clearly defined and understood

Roles and responsibilities related to the use and communication for information received must be defined in order to ensure that the information is used for purposes provided for by the MOU.

In TSDMB, the roles and responsibilities for the collection of CBSA accounts receivable were known, and a communication process was in place for CRA offices that handle these accounts. In addition, a communication process was established several years ago with CBSA representatives.

For LPRAB, one of the two regions visited had defined roles and responsibilities for the use and communication of information related to Appendix D-8: Facility for information retrieval management reports (FIRM reports) and customs coding form (B3) information. Pursuant to this appendix, the information is used for the purpose of assessing compliance with the provisions of the Income Tax Act, the Excise Tax Act, the Excise Act and the Excise Act, 2001. FIRM reports (D-8) may contain information such as ports of entry and exportation, importers, consignees, tariff classification, and destinations. The B3 information is used in CRA risk assessment systems to identify non-compliance issues and the associated revenue risks.

The primary user of Appendix D-8 is CPB’s Compliance Research and Risk Assessment Division. However, this Division would like to receive additional information under this appendix. LPRAB uses CPB’s services to obtain FIRM reports from the CBSA that are required to perform its duties in HQ and the regions.

Appendix D-10 provides for the exchange of information on the importation of excisable goods, and LPRAB can use information from the FIRM reports to audit licence holders. At the time of the audit, LPRAB had issued a new directive to its regional offices stating that all future requests for FIRM reports must be addressed to LPRAB. At the same time, LPRAB requested an interpretation from the Strategy and Integration Branch (SIB) to clarify the situations in which information from appendices D-8 and D-10 can be used.

Recommendation

SIB, in collaboration with CPB and LPRAB representatives, should review the CRA’s needs, including roles and responsibilities, for appendices D-8 and D-10 of Annex D of the MOU.  

Action plan

SIB has discussions underway with CBSA and CPB to review and update Appendix D‑8. As Appendix D-10 also involves CPB, SIB will recommend both annexes be updated.

1.2 MOU requirements for the use of information are met

In TSDBM, receiving information on CBSA accounts receivable is part of daily work. In accordance with the MOU, the information is used in processing collection accounts and receiving payment. TSDMB also handles individual and complex cases and reconciles accounts receivable. The two regions visited created local initiatives to maximize the processing of collection accounts and it was done in accordance with the use requirements mentioned in the MOU.

LPRAB generally receives two types of information from the CBSA: Appendix D‑11, Information shared with the Laboratory and Scientific Services Directorate (LSSD) and Appendix D-8 (FIRM reports). According to Appendix D-11, the CBSA laboratory conducts analyses on formulations or characteristics for products such as spirits, wine, beer and tobacco. In the CRA regions, laboratory services are mainly used for alcohol analyses.

Information obtained under appendices D‑11 and D-8 is used for audit purposes or for the regulatory review of licences. In addition, auditors make appropriate use of the information provided by the CBSA.

1.3 Access to CBSA systems is controlled and limited to authorized employees

In LPRAB and TSDMB, procedures were in place to control accesses to CBSA computer systems. Managers control their employees’ access privileges through the Employee System Access Review (ESAR) and inform ITB or the Security and Internal Affairs Directorate (SIAD) of any changes, if necessary. Access privileges for the Laboratory Analysis Support System (LASS) (laboratory) used by LPRAB do not appear in ESAR. These accesses are controlled and updated by CBSA laboratory staff along with a designated CRA manager from the areas involved.

The regional information technology service centres or local security grant access to CBSA mainframes and maintain a registry of authorized managers and users. Access to premises, work areas and storage equipment is controlled in order to protect information provided by the CBSA, and complies with the MOU requirements and the CRA Finance and Administration Manual.

Staff members in both branches were aware of the requirements for confidentiality. Interviews confirmed that the information received is treated in the same manner as information received from taxpayers. Information security awareness is supported by CRA documents such as the Code of Ethics and Conduct, for which reminders are issued annually. Employees periodically receive training on the confidentiality of information and emails on the protection of documents.

The MOU also provides for accesses to CBSA systems by CRA employees. The SIAD confirmed that, at this time, it was not possible to keep audit trails on the central systems used by TSDMB’s St. Laurent Data Centre. Since those systems are independent from the CRA systems, only CBSA staff can keep audit trails on their systems. However, TSDMB had not requested any audit trails from the CBSA and did not know how to obtain them.

In addition, LPRAB uses CBSA’s LASS to obtain analytical formulations or characteristics about spirits, among others. This information is accessible through a secure Internet connection on CRA workstations. Managers keep a registry of users. However, there was no evidence that the audit trails were being done.

In TSDMB, CBSA’s Temporary Accounts Receivable System (TARS) controls the inventory of CBSA collection accounts. For the fives offices visited, two types of installations were noted: the TARS can be installed on a stand-alone computer or in a network mode at the local level only. However, TSDMB managers have added physical controls by periodically revising each employee’s account inventory. The CRA's local offices and Headquarters are not connected on a network, and it is not possible to keep audit trails.

Recommendation

The Security and Internal Affairs Directorate should consult with the CBSA to determine the feasibility and relevance of audit trails to control the use of CBSA systems by CRA employees and establish a procedure, if necessary.

Should the procedure be established, SIB should ensure that the MOU provides a clear detailed list of audit trail requirements, particularly the roles and responsibilities of each party when an employee accesses the other organization’s computer system.

Action plan

The Information Security Division of SIAD will coordinate an initial meeting with appropriate representatives from ITB, CBSA, and Internal Affairs and Fraud Prevention Division in order to determine the feasibility and relevance of keeping audit trails to control the use of CBSA systems by CRA employees. Based on the outcome of this meeting, SIAD will develop and establish the process if needed. This meeting will be completed before January 2012 and the results of this meeting will be communicated with Corporate Audit and Evaluation Branch.

If a process is established as a result of the action plan identified above, the Policy, Programs and Business Management Division of SIAD will consult with SIB to ensure appropriate amendments are made to the existing MOU to reflect the requirements and the roles and responsibilities of each party.

1.4 Information received from the CBSA is communicated in accordance with the provisions of the MOU

The MOU lists parameters for communicating information, such as disclosing information to third parties, transmitting information, obtaining security authorization for users, and appointing designated representatives responsible for maintaining communications between the two organizations. The MOU requires that no information be communicated unless authorized by legislation and only for the purposes provided for by that legislation. Information must not be shared with another party without written consent from the party that communicated the information.

In LPRAB and TSDMB, staff confirmed that none of the information received was shared with a third party. The initial receipt of information provided by the CBSA was done in a secure manner, and in accordance with the expected requirements for each system. Subsequent transmittal of information to CRA internal partners was also controlled. Work procedures were in place and used for transmittal via secure fax. Encrypted emails and secure mail services were also used. All staff members interviewed at the CRA had appropriate and valid security authorizations.

Most staff members interviewed in LPRAB and TSDMB said that they were unfamiliar with the MOU. In the past two years, there have been very few exchanges of information under Annex D of the MOU, particularly in LPRAB. Of the 13 types of information that the LPRAB can receive, only FIRM reports and laboratory reports are requested. Since TSDMB has been responsible for accounts receivable for many years even before the CBSA was created staff members do not feel that it is necessary to refer to the MOU, as the requirements listed are an integral part of their daily tasks.

In LPRAB, the lack of knowledge about the MOU and the few requests for FIRM reports may result in the auditors not receiving all of the relevant information available to help them perform their work for the purposes of administering the Excise Act and the Excise Tax Act.

Interviews and the review of Annex D of the MOU concluded that the titles of some authorized representatives and the names of some branches and divisions no longer reflect the organizational structure of the CRA.

Recommendation

With regard to the 13 types of information stated in Annex D of the MOU, SIB, in collaboration with other branches’ management, should define their needs with respect to the information that can be received.

SIB should revise and update the titles of the representatives listed in appendices D-1 to D-22 and ensure that the designated representatives are kept informed. 

Action plan

SIB, in collaboration with CRA program areas and the CBSA, will review and update Annex D by September 30, 2012. CRA program areas are to be advised about the existence of both the updated annex and the existence of the MOU.

SIB will remind Branch officials of the need to update contact information in the MOU, and will coordinate a review and update.

2.0 Protection of the information

2.1 Roles and responsibilities for the storage and destruction of information provided by the CBSA are defined and understood

Employees and managers in LPRAB and TSDMB applied appropriate and secure storage methods and used the tools available to destroy documents.  

2.2 Information provided by the CBSA is stored according to MOU requirements and CRA policies

Various devices are used by LPRAB and TSDMB, such as locked filing cabinets, safes, portable USB keys, diskettes and encryption devices, if necessary. Information received is stored in the designated controlled storage rooms. TARS electronic data was saved, and backup copies were made and stored according to ITB requirements.

Section 3 of Annex E of the MOU states that any information received must be maintained and accounted for in accordance with each party’s information management policies and procedures. However, LPRAB and TSDMB staff could not define the requirements of the MOU with regard to maintaining and recording information received. In TSDMB, it is not necessary to account for the information received from the CBSA since this information is an integral part of collection accounts and it is processed on a daily basis in TARS. In addition, the information provided to LPRAB from the CBSA is not recorded. This information is integrated to the excise audit file or filed using an integrated record management system.

Recommendation

SIB should clarify section 3 of Annex E of the MOU on the requirement of maintaining and keeping track of information received as well as define the desired method of recording this information such as: date, subject, file number, etc.

Action plan

SIB will coordinate with branches and the CBSA to review and update Annex E of the MOU by September 30, 2012.

2.3 Information received from the CBSA is destroyed or returned according to the provisions of the MOU

Section 20 of the MOU states the following: “The information received under this MOU will be retained for the minimum period that is required by the law and administrative policies of the government of Canada. Thereafter, it must be immediately destroyed or returned to the other party.” While very few documents are destroyed in LPRAB and TSDBM, findings of the site visit concluded that documents were destroyed according to the requirements of the MOU. In addition, the information received is not returned to the CBSA. Most employees interviewed could not distinguish between storing and disposing of documents received and could not specify the minimum storage period. Recent internal audit work identified the issue regarding the minimum storage period for all CRA MOUs, and action plans are currently being developed by SIB.

2.4 Security incidents are reported in accordance with the MOU and CRA directives

No security incidents were reported in the last two years with regard to information received from the CBSA.

Conclusion

For the most part, the CRA complies with the conditions governing the use, disclosure, storage, and disposal of information received from the CBSA. However, improvements should be made regarding the roles and responsibilities stated in certain appendices of the MOU. In addition, steps should be taken to monitor accesses to CBSA computer systems. Several appendices in Annex D of the MOU are not being used. A review should be conducted to determine the needs of stakeholders, and the list of designated representatives authorized to communicate with the CBSA should be updated. The requirement to maintain and record the information received from the CBSA pursuant to Section 3 of Annex E of the MOU and a method of accounting for this information should be clarified.

Appendix 1

List of Acronyms
Appendix D-8 FIRM report and B3 information
Appendix D-10 Information on the importation of excisable goods
Appendix D-11 Information shared with laboratory and scientific services directorate under a service level agreement
B3 Customs coding form
CBSA Canada Border Services Agency 
CPB Compliance Programs Branch
CRA Canada Revenue Agency
ESAR Employee System Access Review
FAB Finance and Administration Branch
FIRM Facility for information retrieval management reports
ITB Information Technology Branch
LASS Laboratory Analysis Support System
LPRAB Legislative Policy and Regulatory Affaires Branch
SIAD Security and Internal Affairs Directorate
SIB Strategy and Integration Branch
TARS Temporary accounts receivables system
TSDMB Taxpayer Services and Debt Management Branch

Footnotes:

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: