Internal Audit - Memorandum of Understanding between the Canada Revenue Agency and the Workers’ Compensation Board of Nova Scotia


Final report
July 2015

Executive Summary

Background:

The Canada Revenue Agency (CRA) enters into written collaborative arrangements, such as Memoranda of Understanding (MOUs), with various federal, provincial and territorial departments and agencies to improve efficiency and effectiveness in program delivery. Where there is an exchange of confidential information with these entities, the CRA ensures that the agreements contain the language necessary to make both parties aware of and respect legal and policy requirements related to the use and security of this information.

To ensure that these provisions are respected by both parties, the MOUs include a clause requiring that internal audits be conducted on the use, communication, security, retention and disposition of the information provided. This specific MOU stipulates that each party shall conduct, within two years of signing the MOU, an internal audit on the protection of information obtained from the other party. Subsequent audits shall be conducted on the dates agreed to by the CRA and the Workers' Compensation Board of Nova Scotia (WCBNS).

This audit focused on protected information received by the CRA under the MOU with the WCBNS.

The Strategy and Integration Branch (SIB) has primary responsibility for MOUs, particularly in terms of ensuring that the CRA and other parties to the MOUs satisfy their mutual obligations under the agreements.

Objective:

The objective of this audit is to provide reasonable assurance that the CRA is in compliance with the provisions of the MOU regarding the use, communication, security, retention, and disposition of the information received from the WCBNS.

Conclusion:

Overall, the CRA is in compliance with the provisions governing the confidentiality and security of information received from the WCBNS as stated in the MOU. In addition, based on the audit work conducted, no discrepancies were found by the audit team when examining the transmission of protected information such as remittance vouchers and cheques. However, there are opportunities for improvement to better support staff by providing guidance and tools to ensure ongoing compliance with CRA security procedures and the MOU relating to the marking of protected information and retention of administrative information for the WCBNS workload. The SIB has indicated that some corrective actions have been completed and others are in the process of being implemented.

Action Plan: The SIB will be taking steps to ensure that those responsible for WCBNS workload are aware of relevant security and retention requirements.

Furthermore, the SIB will take steps to ensure that remittance vouchers and statements of account are properly marked “Protected B when completed”, to comply with the security marking requirements.

Introduction

The Canada Revenue Agency (CRA) enters into Memoranda of Understanding (MOUs) with various federal, provincial and territorial departments and agencies to improve efficiency and effectiveness in program delivery.

The Strategy and Integration Branch (SIB) has primary responsibility for MOUs, particularly in terms of ensuring that the CRA and other parties to the MOUs satisfy their mutual obligations under the agreements such as using the information exchanged only for the purpose intended and safeguarding the exchanged information.

To ensure that certain provisions are respected by both parties, the MOUs include a clause requiring that internal audits be conducted on the use, communication, security, retention and disposition of the information provided. The Workers' Compensation Board of Nova Scotia (WCBNS) MOU stipulates that each party shall conduct, within two years of signing the MOU, an audit on the protection of information obtained from the other party. Subsequent audits shall be conducted on the dates agreed to by those responsible for applying the MOU. The MOU with the WCBNS was signed on October 21, 2004.

The primary purpose of the MOU is to establish an administrative framework for information exchanged between the CRA and the WCBNS, and to set out the terms and conditions that apply to the release of this information.

This MOU outlines various activities in which the parties are engaged such as the provision of the Business Number, payment processing services, as well as printing and mailing services for WCBNS accounts.

Focus of the Audit

The objective of this audit was to provide reasonable assurance that the CRA is in compliance with the provisions of the MOU regarding the use, communication, security, retention, and disposition of the information received from the WCBNS.

The examination phase of this audit was conducted from February 2014 to June 2014 in the Assessment, Benefit, and Service Branch (ABSB) and Information Technology Branch at Headquarters as well as at the Summerside Tax Centre (TC), Shawinigan TC and the St. John's TC. Additional audit work was performed in April 2015. Examination activities included interviews, walkthroughs, testing, and a review of documentation and processes to ensure compliance with the security requirements of the MOU and the CRA security procedures relating to the protection of information.

This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Findings, Recommendations and Action Plans

1.0 Compliance with Policies, Plans, Procedures, Laws and Regulations

According to the MOU, all information that the CRA receives from the WCBNS under this MOU is only to be used for the specific purpose for which it is provided. The CRA must therefore ensure that procedures are in place to protect this information.

Testing indicated that the information received from the WCBNS was used solely for the purposes stated in the MOU, that access to the information was provided on a need-to-know basis, and that the information was disclosed only under the terms and conditions specified in the MOU.

The vast majority of the WCBNS information is received electronically via secure networks. There are different systems involved: the Business Number system, print to mail systems, and payment processing systems. With the exception of vouchers and cheques, few documents are received by mail. The Print to Mail Section at the Summerside TC uses CRA guidelines to ensure security and data protection for all jobs related to printing and mailing services to clients and taxpayers.

All payment processing workload is completed in accordance with CRA's established operational policies and procedures. Although general payment processing training is provided to employees, no specific WCBNS training is given, as this workload is completed similarly to other payment processing workloads. Appendix H of the MOU details procedures for the confidentiality and security of information for the WCBNS workload. Most employees are not aware of the Appendix, but this does not preclude them from performing their duties according to CRA policies and procedures and the MOU.

Recommendation:

The SIB should develop, in collaboration with the relevant Regions and Branches, awareness sessions formulated towards the requirements of Appendix H of the WCBNS MOU.

Action Plan:

Information sessions to increase awareness of roles and responsibilities with regard to Appendix H of the WCBNS MOU were held with managers and team leaders who are responsible for WCB related workload in the Atlantic Region TCs in December 2014 and January 2015. These sessions covered the use, maintenance, and safeguarding of WCB information. Similar sessions were held with Headquarters in May 2015 and with Shawinigan TC staff in June 2015.

Agency staff were also required to complete a mandatory eLearning course on Security by March 31, 2015 and participate in a "Security - It's Everyone's Business".

In addition, the Atlantic Intergovernmental Relations Advisors hold regular information sessions with Tax Office Management on Information Sharing, where the security of information is discussed.

2.0 Protection of Information

Appendix H of the MOU includes security standards for the handling, storage and disposition of information. The CRA is required to protect information provided by the WCBNS in accordance with the conditions and procedures specified in this Appendix as well as CRA’s own procedures relating to the protection of information as documented in the Suite of Security Corporate Policy Instruments.

Marking of Protected Information

According to CRA security procedures, as well as the confidentiality and security standards of Appendix H of the MOU, all documents containing protected information are to be marked Protected A, B, or C depending on the degree of potential injury to the organization.

The CRA accepts and processes payments on behalf of the WCBNS. Remittance vouchers are sent to CRA along with these payments by employers. These vouchers contain protected information such as the business name, mailing address, business number, and the amount of workers’ compensation remitted. When examining these vouchers, it was found that the remittance vouchers are not marked “Protected B when completed” in accordance with CRA’s Identification and Marking of Protected Information procedures or the terms of Appendix H of the MOU.

Recommendations:

The ABSB and SIB should ensure that the WCBNS remittance vouchers are marked “Protected B when completed” in accordance with the Identification and Marking of Protected Information procedures issued by the Finance and Administration Branch (FAB) and in accordance with the security requirements of Appendix H of the WCBNS MOU.

Action Plan:

The remittance voucher (W1) and statement of account (WB-1), as well as the remittance booklet (W1-RB), will be pre-printed with the “Protected B when completed” marking. The WCBNS has indicated their agreement to the change and the W1 and WB-1 will be updated effective June 2015. The W1-RB booklet is printed in December 2015 and will also be updated to include the “Protected” marking.

Transmission of Protected Information

CRA's Secure Mailing of Information Procedures and Appendix H of the MOU include procedures for sending protected information such as remittance vouchers through internal or external mail. Testing, including interviews, process observations and document reviews, was conducted at the Summerside TC, the Ottawa Technology Centre, and the Revenue Processing Division at the St. John's TC.

The internal audit team found that the Revenue Processing Division is in compliance with the security requirements of the MOU and the CRA's Secure Mailing of Information Procedures when mailing vouchers to the Ottawa Technology Centre and cheques to the financial institution for deposit.

Staff indicated through interviews that procedures contained in the FAB Suite of Security Corporate Policy Instruments and Taxation Operation Manuals are communicated and followed when handling and mailing vouchers and cheques which contain protected information.

The audit team also conducted a test of a sample of 66 vouchers mailed from the Revenue Processing Division at the St. John's TC to the Ottawa Technology Centre over a two-day period in March 2015. Over the same period, the audit team tested a sample of 102 batches of cheques couriered from St. John's to a financial institution. No discrepancies were found by the audit team when examining the transmission of vouchers and cheques, and in both cases testing indicated that the program was in compliance with CRA's procedures as well as the requirements of the MOU.

Retention and Disposition of Information

The CRA security standards state that when protected and classified information is no longer required, it must be destroyed. Although this applies to the MOU with the WCBNS, the MOU does not specify retention period requirements.

Examination work conducted at the Summerside TC, St. John's TC as well as the Ottawa Technology Centre indicated that the retention period for administrative information generated to support employees in the delivery of the WCBNS workload was not communicated or understood by employees. As a result, employees were unsure of the retention period, and in some instances the information was kept longer than required.

For electronic information, the CRA applies the overwrite utility software that is approved for federal organizations regarding the disposal of hard drives containing classified and/or protected information. The software currently used to securely remove data is consistent with the procedures required by the WCBNS MOU and CRA standards.

Recommendation:

The SIB should communicate CRA's policy on retention and disposition of administrative information, as set out in the Retention and Disposition Authorities, to the relevant regional and headquarters employees who handle information related to the WCBNS workload.

Action Plan:

The SIB Information Management Directorate will provide management responsible for the employees involved in the WCBNS program with the information related to retention periods for administrative information. This information will be incorporated into future information sessions related to roles and responsibilities with regard to Appendix H of the WCBNS MOU, by March 31, 2016.

Conclusion

Overall, the CRA is in compliance with the provisions governing the confidentiality and security of information received from the WCBNS as stated in the MOU. In addition, based on the audit work conducted, no discrepancies were found by the audit team when examining the transmission of protected information such as remittance vouchers and cheques. However, there are opportunities for improvement to better support staff by providing guidance and tools to ensure ongoing compliance with CRA security procedures and the MOU relating to the marking of protected information and retention of administrative information for the WCBNS workload. The SIB has indicated that some corrective actions have been completed and others are in the process of being implemented.


Date modified: 2015-12-11