Internal Audit - Memorandum of Understanding Relating to the Administration and Enforcement of the Spirit Drinks Trade Act

Final Report

Audit, Evaluation, and Risk Branch
November 2015

Table of Contents

• Executive Summary.
• Introduction.
• Focus of the Audit
• Findings, Recommendations and Action Plans
  • 1.0 Use, Disclosure, Retention and Disposition of Information
  • 2.0 Security of Information
• Conclusion

Executive Summary

Background: The Spirit Drinks Trade Act (SDTA) outlines Canada's international commitments regarding the use of names of certain spirit drinks of foreign countries. The SDTA falls under the responsibility of the Minister of Agriculture and Agri-Food.

The Memorandum of Understanding (MOU) relating to the administration and enforcement of the SDTA sets out the respective roles of the Canada Revenue Agency (CRA), the Canada Border Services Agency (CBSA), and Agriculture and Agri-Food Canada (AAFC).

CRA excise officers are designated by the Minister of Agriculture and Agri-Food as inspectors for the purposes of conducting verification activities under the SDTA. This work is performed in conjunction with planned excise duty audits and reviews under the Excise Act, 2001 permitting a cost efficient service for the AAFC.

The MOU came into effect as of July 15, 2008. This is the first internal audit of this MOU by the CRA.

Objective: The objective of this audit was to provide assurance that the use, disclosure, retention, disposition and security of protected information obtained, created or disclosed by the CRA as a result of administration and enforcement of the SDTA complies with the terms and conditions set out in the MOU. This assurance is provided to CRA senior executives, the CRA Board of Management and the officials responsible for the SDTA and this MOU in the AAFC.

Conclusion: For the most part, the CRA is in compliance with the MOU terms and conditions addressing the protection and security of information collected in relation to the SDTA. However, the audit noted opportunities to improve in the following areas:

• Limiting access to SDTA-related verification information; and,
• Marking of documents containing protected SDTA information.

Action Plans: The Legislative Policy and Regulatory Affairs Branch Action Plans include:

• Store SDTA verification documents electronically and use the National Audit Trail Monitoring Program to monitor the accesses to licensee information; and,
• Increase excise staff awareness of CRA policies and procedures on identifying and marking protected information, verify that audit working papers and supporting documents are marked accordingly through a new National Quality Assurance Program, and enhance the manager/team leader file review checklist.

These action plans are currently being executed with completion targeted for July 2016.

Introduction

The Spirit Drinks Trade Act (SDTA) outlines Canada's international commitments regarding the use of names of certain spirit drinks of foreign countries. The SDTA falls under the responsibility of the Minister of Agriculture and Agri-Food.

The Memorandum of Understanding (MOU) relating to the administration and enforcement of the SDTA sets out the understanding of the Canada Revenue Agency (CRA), the Canada Border Services Agency (CBSA), and Agriculture and Agri-food Canada (AAFC) concerning the respective roles of these parties in the administration and enforcement of the SDTA.

The MOU came into effect as of July 15, 2008. This is the first internal audit of this MOU by the CRA.

AAFC has the responsibility to administer and enforce the SDTA and may enter into administrative agreements concerning the designation of inspectors and analysts pursuant to sections 5 and 11 of the SDTA for the purpose of the administration and enforcement of the Act.

The Strategy and Integration Branch (SIB) ensures that the CRA meets its obligations under the MOU. The Legislative Policy and Regulatory Affairs Branch (LPRAB), Excise and GST/HST Rulings Directorate, Excise Duties and Taxes Division, Alcohol Operations administers verification activities under the SDTA, and implements and interprets certain provisions of the MOU.

CRA excise officers are designated by the Minister of Agriculture and Agri-Food as inspectors for the purposes of administering and enforcing the SDTA. They conduct verification activities under the SDTA which are delivered through five regional offices. This work is performed in conjunction with planned excise duty audits and reviews under the Excise Act, 2001 permitting a cost efficient service for the AAFC by including certain verification steps with excise audit and risk assessment work.

The steps involved in SDTA verification include:

• Conducting research to identify the products offered by the excise licensee that have names that are regulated under the SDTA; and,
• If such products are offered, the excise officer determines if the licensee has imported such alcohol from the geographic source specified in the SDTA.

The information recorded includes the documents obtained or working papers created during these activities along with the SDTA compliance status resulting from the verification.

Focus of the Audit

The objective of this audit was to provide assurance that the use, disclosure, retention, disposition and security of protected information obtained, created or disclosed by the CRA as a result of the administration and enforcement of the SDTA under the MOU complies with federal legislation and the terms and conditions set out in the MOU. This assurance is provided to CRA senior executives, the CRA Board of Management and the officials responsible for the SDTA and this MOU in AAFC.

The audit assessed current CRA processes and procedures and examined documentation from the most recent complete fiscal year (2014-2015). The examination included visits to the Vancouver and Hamilton Excise Duty offices in June and July 2015 as well as interviews within Headquarters.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings, Recommendations and Action Plans

The CRA reported to AAFC that 48 SDTA verifications were performed in 2014-2015 across Canada, with 14 of those in Ontario and nine in British Columbia, the regions examined. These regions therefore accounted for 48% of the reported national SDTA verifications for that year.

1.0 Use, Disclosure, Retention and Disposition of Information

Use of Information Collected and the Need-to-Know Requirement

The MOU specifies that information obtained by the CRA as a result of the administration and enforcement of the SDTA will only be used for the specific purpose for which it is obtained, and that procedures are in place to protect the information from any further use or disclosure. Also, the CRA Standards for User Identification and Authentication indicate that the need-to-know principle must be applied for all authorized users. In addition, the CRA Code of Ethics and Conduct (Section 3C) states that employees should only access information directly related to their assigned workload.

In both the Vancouver and Hamilton offices when the audit or review of an excise licensee is completed, the excise audit and SDTA working papers are stored in a licensee electronic folder or in filing cabinets which can be accessed by other excise officers located in the same office.

Excise officers may access these files to learn about the industry or to review the prior audit information in preparation for an upcoming audit or review of that licensee, and they may also access files to use the letters and working papers as templates or to learn how to complete certain working papers.

Also, any excise officer in the CRA can access any licensee's records in the Rulings and Interpretations Tracking System (RITS) (an in-house workload management and reporting system), which contains results of SDTA verification activities, the number of hours spent, and the letters sent to licensees.

Some excise officers accessing such information may not be assigned SDTA related verification activities.

Since these excise officers do not need to access SDTA information to perform their roles and duties, the access by these officers does not conform to the requirements of the MOU, the CRA Standards for User Identification and Authentication and the CRA Code of Ethics and Conduct (Section 3C). The limitation of access to SDTA information would reduce the opportunity for its misuse.

Disclosure of Information Collected

The MOU specifies that information should not be disclosed to anyone unless they have an authorized role in SDTA verifications. The expectation is that the CRA personnel involved would be aware of their obligations and avoid disclosure of information beyond authorized personnel.

Disclosure of information was found to be managed in a way that complies with the terms and conditions of the MOU. During interviews, the audit team noted that the authorized employees had been trained and were aware of their responsibilities with respect to the use and protection of information. Interviewees indicated that they have disclosed SDTA information only to excise officers, quality assurance personnel and team leaders working on the files.

Retention and Disposal

The MOU requires that SDTA verification information be retained for the period determined for that type of information and that it be disposed of on a timely basis in accordance with procedures that ensure continued security.

The LPRAB has worked with the Information Management Division in the SIB to establish retention periods and conditions for regional records and to ensure these records are covered under a Records Disposition Authority (RDA). Consultation with Library and Archives Canada took place as required.

The LPRAB had recommended that SDTA-related records be added to an existing Institution Specific Disposal Authority for Excise Duty Program regional records.

At the time of this examination, the change had not yet been approved and the RDA had not yet been updated accordingly. However, soon after the examination, instructions on the retention and disposition procedures for SDTA documents were in the process of being developed.

In addition, interviewees have indicated that they are not aware of any SDTA records that have been disposed of, other than copies contained on electronic media such as USB drives, server hard drives and backup tapes. Copies of the information on the discarded media were retained.

Although retention periods were not established, as a result of not disposing of any information, the LPRAB has ensured that the information was retained for at least the minimum period required.

Effective July 13, 2015, an RDA was approved which specifies that Regional Records to be retained for 10 years while HQ documents are to be retained for 20 years. Since the CRA has gathered and created information for SDTA for less than ten years, there has been no excessive retention of information.

Recommendation

The LPRAB should ensure that access to SDTA verification information respects the need-to-know requirement, and is in accordance with CRA security policies and standards.

Action Plan

The LPRAB will reduce the risk that information obtained during a review under the SDTA will be misused. This will be achieved by storing all audit work electronically with limited and monitored access.

Key activities planned for this initiative include:

• Implement system changes for uploading all audit working papers in RITS;
• Train all employees on procedures for uploading audit working papers in RITS;
• Upload audit working papers into RITS (scan, upload and destroy paper files);
• Restrict access to Excise duty data in RITS to Excise Duty staff only;
• Employee accesses to RITS are recorded into the National Audit Trail System Monitoring Program (NATS);
• Issue a notice to regional staff that all accesses to RITS will be monitored;
• Review of RITS access profiles within Employee System Access Review (ESAR); and,
• Increase awareness of ethical conduct and responsibilities of employees with proprietary information through the mandatory audit skills training course and all other training courses.

This action plan is currently being executed with completion targeted for April 2016.

2.0 Security of Information

The MOU requires the CRA to ensure that protected information obtained or disclosed by the CRA is safeguarded in accordance with security processes and procedures specified in the MOU.

Personnel Authorization

The MOU's requirement for adequate security of information includes ensuring that the information is accessed only by personnel with the required security clearance who are authorized to access that information.

The personnel who have been granted authority to access SDTA information have the required security clearance. The list of authorized users with access privileges are reviewed and updated by a supervisor at a minimum semi-annually as part of the ESAR which is monitored across the Agency at the national level.

Safeguarding of Information

Correspondence

According to the CRA's security policies, protected and classified information must not be sent to a licensee via email, even if the licensee specifically requests and authorizes it. The CRA's security requirements also indicate that SDTA information transferred in paper correspondence to a licensee be contained in a single, gum-sealed envelope with the name and complete mailing address of the intended recipient on the outside of the envelope, as well as the complete return address of the sender.

SDTA information in correspondence is appropriately safeguarded. Information is not transmitted by email by the CRA to licensees. Paper letters sent by the CRA to inform the licensee of the results of the verification are placed in the required envelopes by the local mail rooms.

Security Incidents

The CRA's guidance regarding Security Incident Reporting and Management requires formal reporting of all incidents where information is compromised or could be at risk of disclosure.

The LPRAB interviewees and local security officers have indicated that there have been no security incidents identified in relation to SDTA information. In addition, excise personnel and the local security officers in the regions are aware of the procedures for handling security incidents.

Marking of Protected Information

The CRA's directive and procedures for the identification and marking of protected information requires that documents that contain such information be clearly marked, indicating the category of the protected information, e.g., Protected A or Protected B.

A limited set of the electronic documents containing licensee information was reviewed and some documents were found to be missing the required security marking in accordance with the security requirements of the MOU. In subsequent interviews in Hamilton, supervisors agreed that improvements in this area were required, particularly in the headings of pre-formatted working papers, and immediately committed to addressing the issue.

Greater consistency in security marking would increase employee awareness of the level of protection that must be applied to documents.

Recommendation

The LPRAB should ensure that the electronic documents are marked in accordance with the Identification and Marking of Protected Information procedures issued by the Finance and Administration Branch and in accordance with the security requirements of the MOU.

Action Plan

The LPRAB will reduce exposure to the risk that protected information obtained during a review under the SDTA is not marked in accordance with CRA policies and procedures. This will be achieved by undertaking two initiatives. The first initiative will involve increasing awareness of CRA policies and procedures on identifying and marking protected information. Key activities planned for this initiative include:

• Issue a note to staff and managers to remind them that audit working papers and supporting documentation must be marked in accordance with CRA policies and procedures;
• Increase awareness of responsibilities of employees with protected information through the mandatory audit skills training course and all other training courses; and,
• Update the national audit programs to identify each document as Protected B when completed.

This action plan is currently being executed with completion targeted for April 2016.

The second initiative will involve verifying that audit working papers and supporting documents are marked in accordance with CRA policies. Key activities planned for this initiative include:

• Revise manager/team leader file review check list to include an action item that all papers are appropriately marked; and,
• Include in the new National Quality Assurance Program an activity item to verify that audit working papers and supporting documents are appropriately marked.

This action plan is currently being executed with completion targeted for July 2016.

Conclusion

For the most part, the CRA is in compliance with the MOU terms and conditions addressing the protection and security of information collected in relation to the SDTA. However, the audit noted opportunities to improve in the following areas:

• Limiting access to SDTA-related verification information; and,
• Marking of documents containing protected SDTA information.