GST/HST Audit and Examination
Compliance Programs Branch
GST/HST Directorate
On this page
- Overview & Privacy Impact Assessment Initiation (PIA)
- Summary of the project, initiative or change
- Risk identification and categorization
Overview & Privacy Impact Assessment (PIA) Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Sahil Behal, A/Director General
GST/HST Directorate
Compliance Programs Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Lia Jackson
Director
Access to Information and Privacy Directorate
Name of program or activity of the government institution
Reporting Compliance
Standard or institution specific class of record:
Goods and Services Tax/ Harmonized Sales Tax (GST/HST) Audit
Record Number: CRA CPB 476
Standard or institution specific personal information bank:
GST/HST Audit and Examination
Bank Number: CRA PPU 430
TBS Registration Number: 20160020
Legal authority for program or activity
The Minister of National Revenue is responsible for administering and enforcing the Excise Tax Act. Part IX of the Excise Tax Act provides the legislative authorities under which the GST/HST Audit and Examination Program operates and outlines the circumstances and means by which individuals and businesses must calculate, collect, remit and report on the GST/HST. It also outlines the circumstances in which an individual or business may be eligible to claim a rebate of the GST/HST.
The authority to collect personal information is implicitly authorized under subsection 275(1) of the Excise Tax Act as the Minister of National Revenue must collect information to carry out the mandate of administering the GST/HST. There are specific reporting obligations for registrants, as well as specific audit and inspection powers in the Excise Tax Act.
Part III.I of the Federal-Provincial Fiscal Arrangements Act provides the authority for federal-provincial agreements respecting the harmonization of sales tax systems including the accounting for, collection, administration and enforcement of the harmonized taxes.
Authority to inspect, audit and examine
Subsection 288 of the Excise Tax Act authorizes the inspection, audit and examination of documents, property, and processes of a person to validate the correct amount of GST/HST owing on the account and to prevent the issuance of unwarranted refunds and rebates. This includes information already in CRA systems originally collected under Part IX of the Excise Tax Act.
Section 275 of the Excise Tax Act authorizes the use of business intelligence and risk analysis to identify and address non-compliance including the involvement of virtual assets and blockchain technologies.
Authority to require production of documents or information
The CRA may request or require documents and additional information to support a review, examination, or audit under sections 289, 289.1 and 292 of the Excise Tax Act.
Authority for indirect collection
The indirect collection of personal information is implicitly authorized under subsection 275(1) of the Excise Tax Act as the Minister must collect information to carry out the mandate of administering the GST/HST.
Personal information collected from federal and provincial government departments is used to determine the correct amount of GST/HST owing on the account and to prevent the issuance of unwarranted credits and rebates is governed by Part III.1 of the Federal-Provincial Fiscal Arrangements Act.
Personal information already in CRA systems originally collected under the Income Tax Act may be used to validate identity and verify flow through reporting and the sharing of information is authorized under section 241(4)(d)(ii) of the Income Tax Act.
Personal information collected from commercially purchased data such as credit bureau information or real estate data, from other persons and publicly available open sources is authorized by section 275(1) of the Excise Tax Act and is used to determine the correct amount of GST/HST owing on the account and to prevent the issuance of unwarranted refunds and rebates.
Disclosures
Personal information may be disclosed under section 295(5)(d)(ii) of the Excise Tax Act to the Canada Border Services Agency for the purpose of the effective administration and enforcement of the statutes under its responsibility.
Personal information may be disclosed under 295(5)(d)(i) of the Excise Tax Act to Finance Canada for the purposes of formulating or evaluating fiscal policy.
Personal information may be disclosed under section 295(5)(d)(ii) of the Excise Tax Act for the purpose of administering other CRA programs such as individual or corporate returns.
Social insurance number
The social insurance number is collected under the Social Insurance Number Disclosure Regulations, SOR/91-41 and section 237 of the Income Tax Act and is used for identification purposes.
Summary of the project, initiative or change
Overview of the Program or Activity
GST/HST Audit and Examination Program
The GST/HST Audit and Examination Program was separated from income tax and initiated as a separate program to prioritize and strengthen the compliance focus on GST/HST in 2010. The program’s mandate is to:
- Assist GST/HST registrants to comply with their tax obligations under the Excise Tax Act. When non-compliance is detected, the program identifies and quantifies additional taxes owed to the Crown;
- Serve as the focal point for GST/HST compliance programs, excluding enforcement, to ensure there is rigor in risk assessment processes, file selection and audits;
- Collaborate with other functional areas of the CRA, and Canada’s provinces and territories to strengthen overall tax compliance;
- Monitor and risk assess emerging economic activity, with a special focus on the sharing/ digital economy and cryptocurrencies;
The program identifies existing and emerging GST/HST schemes, other arrangements, and transactions that result in a loss to Canada’s tax revenue in all regions, except Quebec, to minimize losses to GST/HST revenue.
Addresses non-compliance by registrants by exploring alternative compliance treatments for this population by using risk-based approaches to identify, select and audit the riskiest files while keeping internal controls and integrity measures in place.
It develops targeted compliance strategies for high-risk segments of the medium business population and provides functional direction and program-specific policies, procedures and advice regarding compliance issues related to the GST/HST of medium businesses defined as owner operated business, small corporations, and partnerships.
Continued enhancement of GST/HST compliance through risk assessment and the implementation of compliance initiatives of the large business population nationally, which is comprised of both domestic and non-resident large business entities, such as corporations, partnerships, trusts, income trusts, gaming authorities, financial institutions, and other business entities (as well as the entities controlled by these large business registrants).
Identify compliance risks and select the highest risk files for GST/HST small business and medium business audits and to appropriately document and communicate the risk identified to auditors; and, to collect, integrate, and analyze relevant information sources. Ensures and promotes the consistent application of standards of quality in compliance program activities; communicating best practices; identifying trends related to learning needs; and providing management with assurances that these standards are being met so audit activities are performed with integrity and meet professional standards. Risk assessing GST/HST credit and debit returns and rebate claims, taking action on the highest risk files while ensuring the timely processing of the lower risk ones to aid in the prevention of payment of unwarranted refunds and addresses non-compliance in an effective and efficient way.
Provides technical guidance and support to auditors in cases where businesses use computerized accounting, electronic point-of-sale, and other computerized business systems.
Promotes and monitors the consistent application of quality standards by reviewing case files, communicating best practices, and identifies learning needs to further promote the quality of computer audit assists and business system evaluations.
Ensures compliance of public service bodies with the Excise Tax Act. Public service bodies consist of charities, non-profit organizations, and entities known as MUSH (municipalities, universities and public colleges, school authorities and hospitals).
What’s New
Virtual assets are transforming financial services markets and changing business models, resulting in tax compliance challenges. As such, the program is working on developing strategies to identify and address non-compliance involving virtual assets and blockchain technologies.
Compliance activities within the virtual asset space are not inherently different from other compliance activities, therefore selecting the right approach in relation to differing degrees of risk will result in the most effective outcome. The program prioritizes outreach activities and business intelligence through the following initiatives:
Encouraging voluntary compliance through educational-based approaches such as training products, plain language guides, and Canada.ca webpages.
Engaging with internal and external stakeholders for the purpose of exchanging data and implementing/adopting regulatory framework of virtual assets.
Enhancing business intelligence:
- maintaining examinations and focused audits which have been identified as an appropriate compliance treatment for those who are considered to be contingent non-compliers.
- expanding the Cryptocurrency Centre of Expertise which has been created to ensure that auditors with specialized knowledge are the ones conducting audits with a virtual asset element.
- Continuing to rely on unnamed persons requirements to ensure crypto users and exchanges are compliant with their obligations under the Income Tax Act and/or Excise Tax Act.
Platform Economy
In response to the Office of the Auditor General report on the Taxation of E-Commerce and with the continued increased focus on the platform economy, the program will provide functional leadership and direction in respect of the platform economy for both the GST/HST.
In response to the Office of the Auditor General report, the CRA has developed a comprehensive compliance strategy to better detect and address non-compliance within the platform economy for both GST/HST, including a plan to better leverage third-party data. More precisely, the strategy recognizes the risks associated with the platform economy, where platform operators connect buyers and consumers with sellers and service providers. Four categories of platforms have been identified: sharing economy, gig economy, peer-to-peer selling and social media influencers. Each category contains unique risks requiring tailored compliance interventions.
The compliance strategy establishes the Agency’s vision in managing the effective tax administration of platforms and their participants to adequately position the Agency for the future. The strategy is based on four themes:
- Business intelligence to develop risk assessment models and better leverage third party-data including the use of legislative tools to help with the identification of non-compliance.
- Service through education and outreach to improve platform participants’ understanding of their tax reporting obligations.
- Compliance activities undertaken by dedicated auditors for the pilot audit approach for both income tax and GST/HST to address non-compliance. A range of compliance interventions is used depending on the nature and level of non-compliance and tax dollars at risk.
- Policy and legislative considerations to address current gaps in the legislative framework and ensure effective tax legislation for individuals and businesses operating within the platform economy.
Additionally, the program, in collaboration with other CRA branches and programs, is working on the implementation of a number of measures that came into effect on July 1, 2021, regarding the collection, filing and reporting of GST/HST by certain online platform operators. In addition to those new responsibilities, accommodation sharing platforms and platforms providing qualifying tangible personal property will also be required to file information returns reporting their sellers’ sales. To effectively implement these measures, the program will continue to engage with other compliance programs, as well as other levels of government.
The Quantum Development Project
The Quantum Development Project is responsible for the ongoing development and support of the ‘Quantum 1.0’ tool. Quantum 1.0 is based on IBM Identity Insight software and integrates internal and external data to visualize the relationships and connections between individual and business entities. Several GST/HST audit programs currently make use of Quantum 1.0 as part of their risk assessment process.
In addition, a multi-year project to develop Quantum 2.0 has started. The goal of Quantum 2.0 is modernize and streamline the risk assessment system in the GST/HST Directorate. This will see data moved to a cloud-based platform, add new predictive models based on data mining and machine learning, and will allow for faster development and implementation of risk issues. The screener experience will be streamlined into a single portal where all the necessary information can be viewed, and can be forwarded for any necessary audit action.
For additional information, the Compliance Programs Branch maintains an accessible and regularly updated website at canada.ca/en/services/taxes. Embedded in that site are videos and recorded webinars that explain CRA’s audit process.
Scope of the Privacy Impact Assessment
The scope of this Privacy Impact Assessment covers the GST/HST Audit and Examination Program. This includes reviews, examinations, and audits at the domestic and international level to determine the correct amount of excise taxes and GST/HST owing on an account and to prevent the issuance of unwarranted refunds and rebates.
This program level, core PIA should be read along with previously completed PIAs related to program:
- Business Intelligence Research and Development Environment PIA
- Business Intelligence and Compliance Risk Assessments PIA.
The Business Intelligence and Compliance Risk Assessments PIA covers the business intelligence activities undertaken by all audit areas in the Compliance Programs Branch. Data gathered and analyzed for business intelligence or risk analysis may be used by auditors during their audits.
Programs and initiatives that focus on GST/HST compliance are constantly being refined. Therefore, as a new initiative or if refinement is identified, this core PIA will be reviewed and updated accordingly, and will support consultations with the Office of the Privacy Commissioner and any personal information bank updates that may be required.
The Act Respecting the Quebec Sales Tax and the Tax Administration Act (Quebec), Leads, Criminal Investigations Division, and Voluntary Disclosures Program are out of the scope of this PIA.
Risk identification and categorization
A) Type of program or activity
Compliance / Regulatory investigations and enforcement
Level of risk to privacy: 3
Details:
The GST/HST Audit and Examination Program uses the audit and inspection powers afforded to it under the Excise Tax Act to collect information relating to the business affairs of licensees and GST/HST registrants in order to determine the correct amount of excise taxes, other levies and GST/HST owing on the account and to prevent the issuance of unwarranted refunds and rebates. The vast majority of cases will involve only administrative consequences - audits resulting in additional excise taxes, other levies and GST/HST owing, and possibly civil penalties. The audit work could also result in leads being generated for other registrants which in turn could result in those registrants being audited. The GST/HST Audit and Examination Program does not undertake criminal prosecutions but some cases may ultimately be referred to the Criminal Investigations Division for criminal prosecution.
B) Type of personal information involved and context
Social insurance number, medical, financial, or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy: 3
Details:
Audit programs rely on information collected under the authority of the Excise Tax Act to perform audits. Information collected during an audit becomes part of the audit file and may include the social insurance number, financial or other sensitive information. In some cases, indirect verification of income may be necessary, which would include obtaining personal banking or lifestyle information of registrants and other members of their household.
Predictive models use a variety of different data elements that have been statistically correlated with audit returns to generate risk score predicting non-compliance. The dataset includes personal information available internally from source systems (e.g. audit result, number of owners, gross revenue, average age of owners, history of bankruptcy of owners, number of times account changed from monthly to quarterly to annually, etc.) and information obtained from external sources such as other Federal and Provincial government departments, and commercially purchased data such as credit bureau information or real estate data or data collected from other persons related to the administration and enforcement of the Act.
C) Program or activity partners and private sector involvement
Private sector organizations or international organizations or foreign governments
Level of risk to privacy: 4
Details:
In accordance with the Excise Tax Act, information may be collected from and shared with participating provincial partners and other federal institutions. In some cases, an external third-party service may be used to help identify additional risk factors on GST/HST accounts.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
GST/HST audit and examination is an ongoing long-term program to ensure the integrity of the self-assessment system. Some subprograms may change focus or be added, but the primary mandate will remain the audit or inspection of GST/HST to ensure that every person pays the appropriate amount of tax.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details:
The GST/HST Audit and Examination Program can affect businesses and individuals, both registrants and non-registrants, who have filed a return, rebate, or election related to the GST/HST Audit and Examination Program. The program relies on risk-assessment systems and research to determine which taxpayers are most likely to misunderstand their tax obligations. It also randomly selects tax returns and conducts reviews to verify that taxpayers are paying their taxes in full and on time. If a review indicates that certain activities are more at risk for non-compliance than others, the program may conduct more audits of taxpayers reporting these types of activities.
F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: Yes
Does the new or modified program or activity involve the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: Yes
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: No
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details:
Auditors and examiners in the field use laptops with full disk encryption and standard secure remote access. CRA's Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to their network. The current release of this platform is Secure Remote Access 2.0. Secure Remote Access 2.0 allows users to gain access to the CRA network anytime anywhere that internet is available. This application is now managed by Shared Services Canada. All users are required to sign on with the Privacy Key Infrastructure and there are clear policies and procedures to be followed.
Secure USB keys and external hard drives may be used for the transmission of information by employees with access permissions. If used, they are formatted with encryption. Disposal protocol is followed by returning any used devices to the Information Technology Branch. Any usage of these methods is subject to the Storage of Protected and Classified Information and Assets Standards.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
If a person’s personal information becomes compromised they may become a victim of identity theft, and their information may be used without their knowledge or consent in ways that could result in a financial or reputational loss to that person, such as the misuse of their credit card information, debts being incurred on their behalf, etc.
Page details
- Date modified: