Information Received under the Memorandum of Understanding with Statistics Canada


Final Report

Corporate Audit and Evaluation Branch
June 2010

Executive Summary

Background: The Canada Revenue Agency (CRA) enters into Memoranda of Understanding (MOU) and other written agreements with federal, provincial and territorial departments and agencies to improve efficiency and effectiveness in program delivery. Where it exchanges sensitive information with these entities, CRA negotiates MOUs in order for both parties to be aware of and respect the legal and policy requirements related to the use and security of information.

This audit deals with protected information received by CRA pursuant to the MOU concerning the exchange of information between CRA and Statistics Canada (SC). Under this MOU, signed on April 4, 2003, CRA receives North American Industry Classification System (NAICS) codes for each business number (BN).

The NAICS was created to provide a uniform framework for the collection, analysis and distribution of industrial statistics used by public administrations. This classification, which organizes economic information by industry, is used by Canada, Mexico and the United States. The NAICS is reviewed every five years to ensure that the system continues to reflect the structure of a rapidly changing economy.

Objective: The objective of this audit was to determine if CRA is in compliance with the terms and conditions governing the use, disclosure, retention and disposal of NAICS codes received from SC.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Audit.

Conclusion: The CRA is in compliance with the terms and conditions that govern the disclosure and retention of NAICS codes. However, clarification should be provided concerning CRA's use of NAICS codes. It should be noted that discussions initiated between the two parties in 2009 to possibly broaden the use of NAICS codes are still underway.

Improvements are also needed in issuing disclosure orders, performing audit trail verification of employees' access and clarifying the disposal method of electronic data.

In addition, some appendices of the MOU are not up to date, for example, those that identify the responsible individuals, as well as the appendix on security, which describes the procedure for erasing electronic data.

Action plans

The Corporate Strategies and Business Development Branch (CSBDB) is in agreement with the recommendations and has developed action plans to address them. Through the submission of the annual Disclosure Order to Statistics Canada, CSBDB will ensure that the NAICS data is only used as stated in the MOU. CSBDB has also provided a long-term action plan that will lead tax filers, both individual and corporate, to self-identify their NAICS activities.

A new version of the MOU is in the approval cycle and will include updated information concerning the lists of authorised officials and the appropriate electronic data sanitization method.

Introduction

Pursuant to a Memorandum of Understanding (MOU) signed on April 4, 2003 with Statistics Canada (SC), the Canada Revenue Agency (CRA) receives North American Industry Classification System (NAICS) codes from SC for each business number (BN).

The NAICS was created to provide a uniform framework for the collection, analysis and distribution of industrial statistics used by public administrations. This classification, which organizes economic information by industry, is used by Canada, Mexico and the United States. The NAICS is reviewed every five years to ensure that the system continues to reflect the structure of a rapidly changing economy.

The BN is a unique number assigned by CRA and used by businesses, partnerships, certain individuals and other organizations. BN files contain identifying information on all registered entities.

The Business Returns Directorate (BRD) of the Assessment and Benefits Services Branch (ABSB) is responsible for registering and assigning a BN to all businesses in Canada. CRA regularly sends the assigned BNs to SC as well as changes in the business activities of these businesses.

Upon receipt of these BNs, SC assigns a six-digit code, which is generated by SC's NAICS. The BRD is then responsible for incorporating the NAICS codes from SC into the BN data from CRA. Under section 26 of the MOU, CRA can then use this information for statistical research and analysis purposes.

The Corporate Strategies and Business Development Branch (CSBDB) is responsible for producing, analyzing and distributing statistical data to both internal and external clients. The NAICS codes can be incorporated into the statistical products that are delivered to the provincial and territorial ministries of Finance and other federal departments and agencies.

Scope

The objective of the internal audit was to determine whether CRA is in compliance with the terms and conditions governing the use, disclosure, retention and disposal of NAICS codes received from SC.

The examination phase of the audit was conducted from August 2009 to March 2010. Interviews and reviews of key documentation were performed exclusively at Headquarters.

Assurance on CRA information technology (IT) controls and those concerning access to information and their disposal was based, in part, on recent audit work. Among others, those audits include the IT security follow-up and recent MOU audits on BN information exchanged between CRA and British Columbia, Ontario, New Brunswick and Manitoba.

Managers and employees from the following branches were interviewed or consulted:

  • Corporate Strategies and Business Development Branch (CSBDB)
  • Assessment and Benefits Services Branch (ABSB)
  • Information Technology Branch (ITB)
  • Finance and Administration Branch (FAB)

Findings, Recommendations and Action Plans

1.1 Use of NAICS codes

According to the MOU, CRA must annually notify SC in writing of the possible use of NAICS codes, through a disclosure order. Upon receipt of these orders, SC issues authorizations of disclosure.

Documentation received from the CSBDB concluded that few requests for a Disclosure Order were sent annually to SC, specifically in recent years. However, authorizations were regularly issued by SC.

According to the MOU, CRA is authorized to use NAICS codes for analysis or research purposes. In the course of the audit, staff from various branches of CRA acknowledged using, or intending to use, NAICS codes for policy development, policy evaluation and some program monitoring, but only in conjunction with other data. To address this issue, a meeting was held in March 2009 between representatives from CRA and SC, at which CRA asked SC to clarify whether NAICS codes may be used for purposes other than analysis or research. At the time of the audit, this issue was still under discussion between CRA and SC.

In addition, Appendix A of the MOU, which identifies the directorates responsible for the enforcement and administration of the MOU, was not up to date. It is our understanding that this appendix should be revised at the time of renewing the current MOU.

Recommendation

Annually, CRA should send a letter to SC detailing the planned use of NAICS codes. CRA should also continue the ongoing discussions with SC concerning the acceptable use of NAICS codes and incorporate the final decision into the MOU at the time of review. The list of responsible individuals in Appendix A of the MOU should also be updated.

Action Plan

CSBDB, through its Client Relations Directorate (CRD), already consults functional Branches and coordinates the annual Disclosure Order letter to SC. The letter continues to constitute the Canada Revenue Agency's (CRA) commitment to the SC MOU. CRD will continue to review the CRA's current uses of NAICS data to ensure it is for analytical or research purposes only. Where areas within the CRA are identified as using NAICS for purposes other than those stated in the MOU, CRD will inform these areas of their responsibilities and terms of use related to NAICS data. If requested, CRD will seek permission from SC for the stated use, as per the MOU.

The revised MOU includes an updated list of authorized officials now listed as Appendix B.

Long-term: The CRA is currently working on a NAICS collection initiative that will lead to tax filers, both individual and corporate, self-identifying their NAICS codes when completing computer-based declarations. The self-coding routine will be completed by the tax filer when completing his/her return and will be included in all commercial software packages. This will allow the CRA to collect its own NAICS and end the dependence on SC data.

1.2 Adherence to procedures

Interviews and documentation collected led to the conclusion that procedures were followed for processing NAICS codes at CRA. Procedure manuals, work plans and joint committees between CRA and SC were in place. In addition, mechanisms have been established in both organizations to monitor the quality of NAICS codes.

Employees from the various branches were aware of their obligations with regard to confidentiality of NAICS codes. These codes were treated in the same way as taxpayer information.

1.3 Access to information

According to section 31 of the MOU, CRA and SC must ensure that an audit trail of all access to information provided under this MOU is maintained and provided upon request.

Audit work completed in another audit confirmed that BN accesses are recorded in the national audit trail system. However, at the time of the audit, two CSBDB divisions and two ABSB divisions were unable to demonstrate that they were conducting audit trail verification of their employees' access to BN information. The interviews concluded that there was no uniform understanding of the audit trail monitoring process. CRD and ITB were not affected by this issue.

Recommendation

CSBDB and ABSB should ensure that their managers perform audit trail verification of their employees' access.

Action Plan

CSBDB will establish routine audit trails for its employees with access to NAICS on the mainframe. Performing regular audits of users accessing the NAICS data will ensure that the use of the data is in compliance with the uses specified in the MOU.

The Statistics and Information Management Directorate (SIMD) will institute quarterly reporting for audited activities on behalf of CSBDB. This will be achieved by using a five (5) day audit period on a random sample of employees with access to NAICS. This regular audit routine will allow CRD to fulfill its reporting requirements to SC.

As for employees of ABSB, NAICS information is contained in the Business Number (BN) system. Accessing NAICS code information can be done by anyone who has a profile for accessing the IDENT screen. Having an audit trail to identify an employee who viewed one element in that screen may not be feasible. Additionally, although only CSBDB and ABSB were cited, other program areas should also be included in the exploration of other options around creating audit trails for CRA employees. CSBDB will take the lead in reminding program branches that audit trails are required and in the exploration of other options.

Reporting on these measures will be part of the annual letter to SC mentioned in section 1.1.

1.4 Security

According to CRA's security standards, a systems access privileges record must be created and maintained for each employee.

At CRA, managers must establish, identify and approve the minimum access privileges of the employees under their responsibility. They must review the employees' access privileges at least twice a year to ensure that accesses to IT networks and systems and CRA information correspond to assigned duties.

During interviews, managers indicated that the semi-annual review of access profiles had been completed using the Employee System Access Review (ESAR). However, it was impossible to obtain completed sample ESAR forms from the Statistics and Information Management Directorate.

Recommendation

The Statistics and Information Management Directorate should update the ESAR.

Action Plan

As part of the Canada Revenue Agency's requirements to update and maintain the Employee System Access Review (ESAR) on a semi-annual basis, CSBDB will continue to fulfill its responsibilities as follows.

In accordance with the Finance and Administration Manual, Security Volume, Chapter 17, managers and supervisors are responsible for reviewing the system access privileges of their employees at least semi-annually, or when there is a change in the user's assigned functions.

  • CSBDB has updated ESAR as of March 2010.
  • The next scheduled update is September 2010.

2. Disclosure to third parties

The MOU outlines the various laws that govern the communication of information. In order to comply with these requirements, CRA must obtain authorization for disclosure from SC before sending information that contains NAICS codes and the transmission should be in accordance with prescribed security standards.

The audit concluded that a control registry for exchanged information and internal approval forms were in place at the CRD of CSBDB. The Client Services Sector of Statistical Services Division obtained approval before sending the information to both internal and external clients of CRA. Information delivered to our external partners was consistent with the disclosure authorizations received from SC.

Transmission of information between CRA and SC was initially carried out using magnetic tapes. In 2008, both organizations implemented a secure electronic data transmission process, through file transfer protocol (FTP), which met the security standards of CRA. This transmission method replaced the magnetic tapes and some removable media.

In addition, subsequent transmission of data to CRA partners was also controlled. Work procedures were in place, encryption methods existed based on transfer volume and a demonstration of the methods employed was given. The encryption methods used are described in section 3.2.

3.1 Protection of NAICS data

As required by the MOU and the Security for the Computing Environment Policy [Footnote 1], CRA must provide assurance that security measures are in place for all IT networks and systems in order to protect them from threats that could impact confidentiality, integrity, availability or planned use.

To this end, CRA conducted three IT Threat and Risk Assessments (TRAs). One assessment addressed the BN systems, while the second dealt with exchanges of information or requests between CRA and its external partners through the BN Messaging System. Likewise, as part of the Information Technology Renewal initiative, a TRA was carried out to address, among others, the migration of Statistical Services Division servers to the ITB computing environment. Action plans were prepared and staff members were assigned to execute these plans.

These three TRAs enabled CRA to identify the risks related to its IT systems as well as to address and monitor them on an ongoing basis.

3.2 Data encryption

Appendix D of the MOU and CRA security standards stipulate that protective measures must be in place so as to not compromise the integrity of information that is stored, transmitted or processed by an IT system.

The audit concluded that work procedures were established to define the various encryption methods of removable media for sending and receiving data to and from SC. The same procedures applied for data sent to external CRA partners.

Depending on the size of the document and the media used, two encryption methods were available: public key infrastructure for transmission through encrypted email and “O'TOSTORE” encryption for use of an eHD device [Footnote 2]. These encryption methods complied with CRA security standards.

CRA and SC implemented security measures to protect the physical transportation of data, where applicable. A joint work procedure was established in September 2009 defining the roles and responsibilities of both organizations. The interviews demonstrated comprehension and application of this procedure.

3.3 Storage

At the time of the review, NAICS data was stored in CRA's central computer. For their work requirements, employees of the Statistical Operations and Statistical Services divisions had access to desktop computers networked to a server. Staff stored NAICS data in the common network directories of their respective divisions.

The interviews and observations concluded that requirements set out in Appendix D of the MOU relating to data storage on the local network were met since work areas were controlled, servers were located in a secure room and employees were saving the data in common network directories.

In addition, under Appendix C-27 of the MOU, a master centralized repository must be identified. At CRA, NAICS data was stored in the central computer, and ITB conducted a physical check of its premises. At the Statistical Services Division of CSBDB, a copy of required data was saved on independent servers to produce statistical reports; a physical check of the premises was also noted.

Further to the same appendix, CRA must also provide SC with annual notice of the methods used to store NAICS codes. However, no proof of correspondence was found during the review.

Recommendation

CSBDB should provide SC with an annual notice of the methods used to store NAICS data.

Action Plan

CSBDB will institute a regular review of its NAICS storage methods which will be part of the review activities on the planned uses of NAICS data (see Section 1.1).

CRD will coordinate and consult with the functional Branches to prepare the Agency's response to SC. Reporting on these measures will be part of the annual letter to SC mentioned in section 1.1.

4. Disposal

Appendix D of the MOU sets out the erasure and disposal procedures for protected information. Under this appendix, electronic information must be erased using WIPEDISK software or an approved degausser.

These methods of erasing and destroying data were not used by the Statistical Operations Division or the Statistical Services Division for work stored in the common network directory. During interviews, employees indicated that data saved on the hard drives of independent servers was not erased according to the requirements of the MOU because new data would overwrite the previous data. Nevertheless, this method is not compliant with Appendix D of the MOU.

In addition, as part of the Information Technology Renewal initiative, the Statistical Services Division developed an action plan to ensure that no data was saved on the hard drives of desktop computers.

Even though very few paper copies of statistical reports are produced, the workplace review concluded that paper shredders were in place in each sector, usually in common areas. In addition, protected fax machines were located in the Client Services unit of the Statistical Services Division, but were not used to send information.

Recommendation

CSBDB, in collaboration with the Security, Risk Management and Internal Affairs Directorate, should clarify the appropriate erasure method for electronic information and include it in all MOUs.

Action Plan

The new MOU details the appropriate destruction methods related to the CRA (in Annex C-2). CRD will ensure all new MOUs and subsequently revised MOUs will include the appropriate destruction methods provided by SRMIAD of F&A.

Conclusion

According to the audit work performed, CRA complies with the terms and conditions that govern the disclosure and retention of NAICS codes. Nevertheless, some clarifications need to be made concerning CRA's use of the NAICS codes. It should be noted that discussions initiated in 2009 between both parties are ongoing in order to define the non-administrative use of NAICS codes.

However, improvements are needed in issuing disclosure orders, performing audit trail verification of employees' access and clarifying the disposal method of electronic data.

In addition, some appendices of the MOU are not up to date, for example those that identify the responsible individuals, as well as the appendix on security, which describes the procedure for erasing electronic data.

Footnotes

[Footnote 1]
Finance and Administration Manual, Security Volume, Chapter 18
[Footnote 2]
An eHD is a portable hard drive used to transport data.

Date modified:
2010-10-29