Employer Compliance Audit v3.0
Collections and Verification Branch
Business Compliance Directorate
Overview & Privacy Impact Assessment (PIA) Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Mohammad Rahman
Director General, Business Compliance Directorate
Collections and Verification Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Lia Jackson
Director
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Returns Compliance
Standard or institution specific class of record:
Employer Compliance
CRA CVB 188
Standard or institution specific personal information bank:
Employer Compliance
CRA PPU 120
TBS Registration 001948
Legal authority for program or activity
The authorities of the Employer Compliance Audit (ECA) program come from:
- subsections 8(1) and 8(4) of the Canada Revenue Agency Act
- subsections 220(1) and 220(2.01) of the Income Tax Act
- subsections 275(1) and 275(3) of the Excise Tax Act
- subsections 97(1) and 108(1.1) of the Employment Insurance Act, and
- subsection 5(2) of the Canada Pension Plan Act
The legal authority to review the books and records of businesses, including payroll accounts, comes from:
- section 231.1 of the Income Tax Act
- section 288 of the Excise Tax Act
- section 88 of the Employment Insurance Act, and
- section 25 of the Canada Pension Plan Act
The legal authority to assess deficiencies comes from:
- sections 152 and 227 of the Income Tax Act
- section 296 of the Excise Tax Act
- section 85 of the Employment Insurance Act, and
- section 22 of the Canada Pension Plan Act
The following legislative authorities enable the CRA to apply penalties and interest for payroll compliance:
- Every person who fails to remit or pay is liable to a penalty of 10% according to:
  - Paragraph 227 (9)(a) of the Income Tax Act
  - Paragraph 21 (7)(a) of the Canada Pension Plan Act
  - Paragraph 82 (9)(a) of the Employment Insurance Act
- If the person knowingly, or under circumstances amounting to gross negligence, failed to remit or pay, the penalty is 20% of the amount owed according to:
  - Paragraph 227 (9)(b) of the Income Tax Act
  - Paragraph 21 (7)(b) of the Canada Pension Plan Act
  - Paragraph 82 (9)(b) of the Employment Insurance Act
- Interest is payable at the prescribed rate according to:
  - Subsection 227 (9.2) of the Income Tax Act
  - Subsection 21 (6) of the Canada Pension Plan Act
  - Subsection 82 (8) of the Employment Insurance Act
Paragraph 231.1 (1)(c) of the Income Tax Act provides legal authority to enter premises.
Subsection 231.1 (1) of the Income Tax Act provides legal authority to inspect, audit, or examine the taxpayer's books, records and documents.
Subsection 231.5 (1) of the Income Tax Act provides legal authority to make copies of any document.
Subsection 231.2 (1) of the Income Tax Act authorizes auditors to send a notice of requirement for information to an employer as an extraordinary measure.
Subsection 162(4) of the Income Tax Act allows penalties for not filing an ownership certificate.
Summary of the project, initiative or change
Overview of the Program or Activity
The mandate of the ECA program is to maintain the integrity of the tax system regarding:
- reporting employment income and taxable benefits, as well as taxable benefits to shareholders
- withholding and remitting payroll-source deductions, and
- properly characterizing workers
It does this through a combination of taxpayer education and responsible enforcement.
The program is designed to increase and enhance voluntary compliance by promoting employer awareness and understanding of the tax laws and obligations in the following legislation:
- Income Tax Act
- Excise Tax Act
- Canada Pension Plan
- Employment Insurance Act, and
- their respective regulations
The ECA program is responsible for:
- identifying, through in-depth employer audits, that employers have complied with employer reporting requirements
- ensuring that employers properly calculate and report all employment related income and other forms of compensation, such as employer provided taxable benefits, and shareholder taxable benefits
- ensuring that employers properly calculate, report, and submit related payroll source deductions
- ensuring that employers properly characterize their workers’ status (employee or self-employed) through CPP/EI rulings, and
- addressing non-compliance related to reporting requirements
Employer compliance auditors may forward requests to the CPP/EI Rulings program to determine workers’ status. The rulings program can help to properly characterize the workers as contract of service workers or contract for service workers. This characterization ensures that employers or payers correctly report the appropriate remuneration and payments. The auditors also perform a goods and services tax (GST) or harmonized sales tax (HST) compliance review to ensure that employers made their GST or HST remittances, as required under the Excise Tax Act. The auditors may also forward referrals to GST/HST enforcement programs as needed.
The Research and Business Intelligence Solutions Section in the Business Compliance Directorate performs risk assessments to determine whether an employer will comply with their employer reporting obligations.
The target population of employer compliance audits includes all employer establishments. For example, these establishments could include corporations, partnerships, municipalities, universities, schools, hospitals, crown corporations (if they are exempt from tax under section 149 of the Income Tax Act and do not file a T2 corporation return based on this tax exemption), prescribed crown corporations, utilities, charities, unions, and other groups, associations, and individuals.
What’s New
As of January 2021, each representative authorized by a firm, a business, or a group must get their own representative identifier (RepID) and provide it to the CRA before they can represent their client. Businesses can update their authorized representatives using My Business Account.
Businesses can also authorize offline access (phone, fax, mail, or in person) for representatives by submitting Form AUT-01, Authorize a Representative for Offline Access Form. The AUT-01 form replaced Form RC59, Business Consent. A new application allows the ECA program to authenticate the representative by cross referencing a representative’s RepID with the CRA’s records. This new procedure is a proactive initiative put in place to support the CRA’s legal obligation to protect confidential taxpayer information.
In April 2019, the Research and Business Intelligence Solutions Section started supporting the ECA program’s workload development by coordinating requests for analytics, research, and trends analysis reports. That section relies on risk-assessment systems and research to determine which employers are most likely to misunderstand their tax obligations.
The CRA authorized the use of Microsoft Teams as a communication tool at the onset of the pandemic. The ECA program started to use the tool while completing the Canada emergency wage subsidy files and has occasionally used Microsoft Teams when contacting taxpayers. The auditors should use Teams as an alternative if they are unable to be at the place of business.
Scope of the Privacy Impact Assessment
This PIA identifies and assesses privacy risks to personal information relating to the activities of the ECA program.
The Employer Accounts program and the Trust Accounts Examination program have been assessed under separate PIAs.
Activities relating to creating workloads, identifying unknown non-compliance, and delivering business intelligence solutions in support of the ECA program, are assessed in the Workload Development and Business Intelligence - Business Compliance Programs PIA.
The Collections and Verification Business Intelligence PIA assesses the business intelligence-related data solutions and services for the program. The results and outcomes from the reports and queries, and how that information is being used, are reflected in this program PIA.
Activities relating to the work done by employer compliance auditors for the Canada emergency wage subsidy will be assessed in the Canada Emergency Wage Subsidy (CEWS), the Canada Recovery Hiring Program (CRHP), the Canada Emergency Rent Subsidy (CERS), the Tourism and Hospitality Recovery Program (THRP), and the Hardest-Hit Business Recovery Program (HHBRP) Compliance PIA.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3
Details:
The program uses personal information to review the books and records, including in-depth employer audits, of businesses. It does this to ensure that businesses comply with their filing, reporting, and withholding requirements, and to assess deficiencies when applicable. The program also uses this information to review payroll and GST/HST accounts for taxable benefits and the proper characterization of workers.
As well, this program uses personal information to perform risk assessments to determine the level of non-compliance by employers who appear compliant.
B) Type of personal information involved and context
Social insurance number; medical, financial or other sensitive personal information; and the context surrounding the personal information. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details:
This program uses personal information to review business books and documents including any relevant tax slips issued to employees. When reviewing these records, the auditor would have access to social insurance numbers and financial information.
They may also have access to other information, such as contact information, other identification numbers, languages, signatures, dates of birth, dates of death, medical information, and employee personnel information.
C) Program or activity partners and private sector involvement
Private sector organizations, international organizations, or foreign governments
Level of risk to privacy: 4
Details:
This program has a regional workload team that is responsible for developing the regions’ workload and identifying selected audit cases. This team reviews other CRA systems to help develop the program’s workload.
The program works with the Technology and Business Intelligence Directorate in the Collections and Verification Branch to get more system-related data on selected cases. This data may be retrieved from database storage using macros or reports.
Internal and external referrals for employer compliance audits are sent to the regional workload teams to assess the validity of the referral.
The program may share personal information with other CRA programs so they can collect outstanding balances, audit activities, or report suspect activities.
Information regarding payroll deductions may be shared with Québec, in accordance with a memorandum of understanding with Revenu Québec, in order to process misapplied payments.
Paper records containing personal information are stored by a third-party private sector service provider.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
This program does not have an end date.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details:
The target population of employer compliance audits consists of all employer establishments, including corporations, partnerships, municipalities, utilities, schools, hospitals, crown corporations, prescribed crown corporations, charities, unions, and other groups, associations, and individuals.
F) Technology & privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: No
- Does the new or modified program or activity involve the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: No
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: No
G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details:
When on-site at an employer’s location, employer compliance auditors use a laptop computer with access control and may also use an encrypted universal serial bus (USB) key. Access to the CRA network from remote locations must be done with full disk encryption and standard secure remote access. The Information Technology Branch has developed an agency‑wide telecommuting platform that offers users secure access to the network.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
If the personal information is compromised, it has the potential to cause financial harm and embarrassment to the affected individual or employee. The affected individual or employee may also become a victim of identity theft, and their information may be used without their knowledge or consent.