Internal Audit – Memorandum of understanding for information sharing between the CRA and Saskatchewan government insurance
Final Report
Audit, Evaluation, and Risk Branch
February 2022
On this page
- 1. Introduction
- 2. Focus of the audit
- 3. Findings, recommendations, and action plans
- 4. Conclusion
- 5. Acknowledgement
- Appendix
Executive summary
The Memorandum of Understanding (MOU) between the Canada Revenue Agency (CRA) and Saskatchewan Government Insurance (SGI) sets out the terms and conditions under which SGI provides authorized CRA personnel with electronic access to information concerning Saskatchewan residents who have registered a vehicle or obtained a driver’s licence. The MOU contains an internal audit clause requiring the CRA to conduct periodic internal audits of the protection of SGI information retrieved by CRA.
This engagement is the second internal audit of this MOU, meeting the requirement that the audit should be conducted every five years. The Audit, Evaluation, and Risk Branch published the report for the initial internal audit of this MOU in May 2017.
The Service, Innovation and Integration Branch is responsible for the overall administration of the MOU, while the Saskatchewan Tax Services Office is responsible for the operational aspects of the MOU.
The objective of the audit was to provide the Commissioner, CRA management, and the Board of Management with assurance that the CRA is in compliance with the provisions of the MOU regarding the collection, access, use, disclosure, retention, and disposition of the information received, including the application of the general security standards.
Overall, the CRA is in compliance with the provisions of the MOU regarding the collection, access, use, disclosure, retention, and disposition of the information received, including the application of the general security standards.
Summary of recommendations
The Service, Innovation and Integration Branch should ensure that:
- the management at the Saskatchewan Tax Services Office revises the Saskatchewan Tax Services Office – SGI Data Access – Procedures and Policy 2021 document to ensure that all search requests are processed with the approval of the requester’s supervisor and communicates that revision to all of the personnel involved.
- procedures are updated and implemented to reinforce the requirement that manual logs of accesses to the SGI system, search requests, and related documents are all accessible to support verification in the monitoring process.
- the requirements for saving and transmitting SGI search-related documents are regularly communicated to the personnel involved in those tasks and that periodic monitoring of those tasks be applied.
Management response
The Service, Innovation and Integration Branch and the management at the Saskatchewan Tax Services Office agree with the recommendations in this report and have developed related action plans. The Audit, Evaluation, and Risk Branch has determined that these action plans appear reasonable to address the recommendations.
1. Introduction
The Canada Revenue Agency (CRA) enters into memoranda of understanding (MOUs) and other agreements with federal, provincial, and territorial departments and agencies to improve the efficiency and effectiveness of program delivery.
In 1944, the Government of Saskatchewan passed The Saskatchewan Government Insurance Act, creating the provincial Crown corporation known today as Saskatchewan Government Insurance (SGI). The Auto Fund for the Province of Saskatchewan, which is the entity administered by the SGI under The Automobile Accident Insurance Act, is the province’s compulsory auto insurance program, operating the driver’s licensing and vehicle registration system.
The MOU between the CRA and SGI is an administrative framework that sets out the terms and conditions under which SGI provides authorized CRA personnel with electronic access to information concerning Saskatchewan residents who have registered a vehicle or obtained a driver’s licence. The MOU came into effect on June 24, 2014.
The MOU contains an internal audit clause requiring the CRA to conduct periodic internal audits of the collection, access, use, disclosure, retention, and disposition of the SGI information, and the application of the security standards specified in the MOU. In addition to the internal audit requirement, SGI has requested that the CRA periodically review a selected sample of accesses.
This engagement is the second internal audit of this MOU, responding to the requirement that the audit should be conducted every five years. The Audit, Evaluation, and Risk Branch published the report for the initial internal audit of this MOU in May 2017.
The Service, Innovation and Integration Branch is responsible for the overall administration of the MOU, while the Saskatchewan Tax Services Office is responsible for the operational aspects of the MOU.
The Collections and Verification Branch and the Compliance Programs Branch use the SGI information for audit and collection purposes. The Business Intelligence and Data Division within the Compliance Programs Branch also uses the information to improve its ability to select the highest risk files, primarily in the Western Region.
2. Focus of the audit
This internal audit is included in the Board of Management (Board) approved Risk-Based Assurance and Advisory Plan 2020-2021. The Assignment Planning Memorandum was recommended for Commissioner approval by the Audit Committee of the Board on March 30, 2021.
2.1. Importance
This audit is important because the CRA must comply with the internal audit requirement of the MOU to continue to receive the information from SGI that supports more efficient and effective achievement of CRA objectives. SGI has indicated that it cannot guarantee that their MOU with the CRA will remain in force if such internal audits are not completed.
2.2. Objective
The objective of the audit was to provide the Commissioner, CRA management, the Board and SGI with assurance that the CRA is in compliance with the provisions of the MOU regarding the collection, access, use, disclosure, retention, and disposition of the information received, including the application of the general security standards.
2.3. Scope
The audit covered the CRA processes and procedures for requesting SGI information, storing it, and handling it before it enters major CRA information systems, as well as related information-management activities such as monitoring of accesses to the SGI information system and the retention and disposition of the information.
The period covered in this audit was the 2019 to 2020 fiscal year.
The examination work was carried out with the participation of the Service, Innovation and Integration Branch, the Saskatchewan Tax Services Office, and the users of the SGI information, who report primarily to the Western Region.
2.4. Audit criteria and methodology
The audit criteria and methodology can be found in the Appendix.
The examination phase of the audit took place from March 2021 to May 2021.
The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.
3. Findings, recommendations, and action plans
The recommendations presented in this report address issues of high significance or mandatory requirements.
The Service, Innovation and Integration Branch and the management at the Saskatchewan Tax Services Office agree with the recommendations in this report and have developed related action plans. The Audit, Evaluation, and Risk Branch has determined that these action plans appear reasonable to address the recommendations.
3.1. Collection, access, and use of information
3.1.1 The SGI information was generally retrieved by officers of various CRA programs for the purpose of administering and enforcing tax legislation, as stated in the MOU. However, revised procedures established in January 2021 removed the requirement for some requestors to obtain a supervisor’s approval for each request.
The examination sought evidence that procedures were in place to support:
- limiting retrievals to only the precise SGI information required
- allowing retrievals only by CRA users who had job responsibilities that required the use of SGI information for administering CRA legislation
Clause 9 of the MOU states: “The CRA will ensure that only Authorized Persons have access to and use of the SGI Information disclosed by SGI under this MOU as required for the performance of their duties”.
Interviews revealed that employees are aware of their roles and responsibilities with regard to SGI search information. Generally, CRA employees are aware of the “Need to Know” principle that requires them to retrieve only the information required to discharge their assigned responsibilities. Applied to access requests, this means that employees should retrieve information only on those taxpayers or benefit recipients who are the subjects of the tasks they must complete, and only the information required to complete those tasks.
During the period being audited, fiscal year 2019 to 2020, the documented guidelines for requesting SGI information included a requirement for all such requests to be approved by a supervisor before being actioned. The administrative clerks, who are the only CRA personnel with access to the SGI system, were aware of this requirement and were required to confirm that an authorized supervisor had approved each request before retrieving the information.
The audit team determined that the procedures were generally followed. This was confirmed through interviews and by comparing the SGI-system-generated records of user accesses with the manual log of such accesses maintained by the administrative clerks and with the audit trail of requests and related documents.
However, the Saskatchewan Tax Services Office – SGI Data Access – Procedures and Policy document was updated in January 2021 to allow for search requests to be processed in some instances without supervisor approval, which removes a level of assurance that retrieved information is used for the sole purpose of administering and enforcing CRA program legislation.
The updated procedures indicate that “employees (SP-05) may submit the search electronically to the clerical team immediately for completion. SP04 classification employees must forward the request to the Team Leader or designate (SP05 classification or higher) for approval.”
The audit did not identify inappropriate accesses to SGI information in relation to this modified procedure as the change occurred after the period of the sample files reviewed.
This change in procedure results in the removal of a preventive step, in some instances, that would ensure that retrieved information is used for the sole purpose of administering and enforcing CRA program legislation.
Recommendation 1
The Service, Innovation and Integration Branch should ensure that the management at the Saskatchewan Tax Services Office revises the Saskatchewan Tax Services Office – SGI Data Access – Procedures and Policy 2021 document to ensure that all search requests are processed with the approval of the requester’s supervisor and communicates that revision to all of the personnel involved.
Action Plan 1
The Service, Innovation and Integration Branch will revise the Saskatchewan Tax Services Office – SGI Data Access – Procedures and Policy 2021 document to state that all search requests are approved by the requester’s supervisor prior to being sent to the clerks for processing, and will communicate the updated document to all of the personnel involved.
The target completion date for this action plan is February 2022.
3.1.2 Access to the SGI information system is effectively controlled.
The examination sought evidence that procedures were in place to support:
- ensuring that only authorized administrative clerks were given access to retrieve information from the SGI information system
- prompt action to modify accesses of the authorized administrative clerks as a result of changes in the clerks’ responsibilities
Through interviews and documentation review, the audit team identified that access to the SGI information system by the CRA is gained through the web-based portal used by SGI personnel. Access through this portal, by CRA employees, is controlled using unique account identifiers and passwords. The Saskatchewan Tax Services Office administrative clerks designated by their team leader are the only employees to receive user accounts from SGI.
Access to the SGI database for each CRA administrative clerk is authorized and that authorization is recorded. The process for approving that authorization is in place and is followed, and an updated record of all SGI database access privileges is kept by the Saskatchewan Tax Services Office and the Service, Innovation and Integration Branch.
Interviews and documentation reviews revealed that the list of CRA personnel with SGI user accounts is actively maintained by the Service, Innovation and Integration Branch officer designated as the liaison with SGI. This includes reviewing access logs produced by the SGI information system to identify inactive accounts that might need to be disabled. On a quarterly basis, the Service, Innovation and Integration Branch verifies with the Saskatchewan Tax Services Office whether the access privileges of each CRA administrative clerk should be maintained.
3.1.3 A monitoring process is in place to verify that SGI search requests are valid and related to a business purpose. In some instances, the records that were retained to allow for the verification of each access were not maintained in a manner that would allow the efficient completion of that verification process. In addition, some documents required for verification could not be accessed despite the Information Technology Branch’s attempts at using restricted software tools to decrypt the documents.
The examination sought evidence that:
- adequate records were maintained to allow the verification of the validity of SGI search requests, including having a valid business purpose for the search
- procedures were in place to allow for the effective monitoring of SGI search requests with respect to having a valid business reason for the search as well as having each search conducted by personnel with the required approvals
Through interviews and a review of the MOU document, the audit team observed that the MOU requires the CRA to monitor up to 5% of the accesses. The Service, Innovation and Integration Branch officer, with the collaboration of the Saskatchewan Tax Services Office, generally verifies about 3 to 4% of all SGI accesses, as recorded in the SGI quarterly monitoring reports. All accesses that could be verified were found to be valid.
Testing of the monitoring process for the period of April 1, 2019, to December 31, 2019, showed that 5,299 accesses were made by using name searches. The audit team attempted, using automated comparisons, to match all of those accesses to the logs maintained at the Saskatchewan Tax Services Office.
Using electronic worksheets to automate comparisons and additional manual efforts to match the manual logs to the SGI report, the audit team could not match 86 (1.6%) of those accesses to the search log entries. The audit team then attempted to match these 86 entries in the SGI system report to the search requests and related documents maintained by the administrative clerks. The result was that the search documents for 27 of those access requests could not be examined because they could not be decrypted by the Information Technology Branch using restricted decryption software tools.
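The two checks described in sections 3.1.2 and 3.1.3, the quarterly review of SGI access logs for inactive accounts and the matching of SGI-system-generated access records against the clerks' manual log, are the kind of reconciliation that is easy to get subtly wrong in a spreadsheet (one log entry silently vouching for several accesses, or a name mismatch on spacing or case). The following is an added example written for this page; it is not the CRA's, SGI's, or the audit team's tooling, and the column layout of the SGI report and of the manual log, the account names, and all records are constructed assumptions, since the report does not describe those formats.

```python
"""Reconcile SGI portal access records with the clerks' manual search log, and
flag user accounts that have gone idle. Added illustration; the report layouts
below are assumptions and every record is constructed sample data."""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed stand-in for the SGI system's quarterly access report (assumed columns).
SGI_REPORT = """\
access_id,access_date,user_id,search_type,subject
A-0001,2019-04-02,clerk01,name,Doe John
A-0002,2019-04-02,clerk01,name,Roe Jane
A-0003,2019-04-03,clerk02,name,Smith Alan
A-0004,2019-04-03,clerk02,plate,ABC123
A-0005,2019-05-10,clerk01,name,Roe Jane
A-0006,2019-06-21,clerk03,name,Lee Kim
"""

# Constructed stand-in for the administrative clerks' manual log (assumed columns).
# Note the spacing/case difference on the 2019-05-10 entry: it must still match.
MANUAL_LOG = """\
log_date,clerk,subject,request_ref,approved_by
2019-04-02,clerk01,Doe John,REQ-101,TL-A
2019-04-02,clerk01,Roe Jane,REQ-102,TL-A
2019-04-03,clerk02,Smith Alan,REQ-103,TL-B
2019-05-10,clerk01,ROE  JANE,REQ-104,TL-A
"""

# Constructed list of CRA accounts issued by SGI (assumed).
ACCOUNTS = ["clerk01", "clerk02", "clerk03", "clerk04"]


def parse_csv(text):
    """Parse an embedded CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def norm(value):
    """Collapse whitespace and case so hand-typed log fields match the system report."""
    return " ".join(value.split()).casefold()


def reconcile(report_rows, log_rows, search_type="name"):
    """Match each system-recorded access of the given search type to exactly one
    manual log entry with the same date, clerk and subject.
    Returns (matched, unmatched); unmatched rows are the ones needing follow-up
    against the retained search requests and related documents."""
    available = Counter(
        (r["log_date"], norm(r["clerk"]), norm(r["subject"])) for r in log_rows
    )
    matched, unmatched = [], []
    for r in report_rows:
        if r["search_type"] != search_type:
            continue
        key = (r["access_date"], norm(r["user_id"]), norm(r["subject"]))
        if available[key] > 0:
            available[key] -= 1  # one log entry vouches for one access only
            matched.append(r)
        else:
            unmatched.append(r)
    return matched, unmatched


def unmatched_rate(matched, unmatched):
    """Percentage of in-scope accesses with no manual log entry, one decimal."""
    total = len(matched) + len(unmatched)
    return round(100.0 * len(unmatched) / total, 1) if total else 0.0


def inactive_accounts(report_rows, accounts, review_date_iso, max_idle_days=60):
    """Return (account, last_access_iso_or_None) for accounts with no recorded
    access in the max_idle_days before the review date. Never-used accounts are
    reported with None so that they are not overlooked."""
    last = {}
    for r in report_rows:
        d = date.fromisoformat(r["access_date"])
        if r["user_id"] not in last or d > last[r["user_id"]]:
            last[r["user_id"]] = d
    cutoff = date.fromisoformat(review_date_iso) - timedelta(days=max_idle_days)
    idle = []
    for a in accounts:
        seen = last.get(a)
        if seen is None or seen < cutoff:
            idle.append((a, seen.isoformat() if seen else None))
    return sorted(idle)


if __name__ == "__main__":
    report, log = parse_csv(SGI_REPORT), parse_csv(MANUAL_LOG)
    matched, unmatched = reconcile(report, log)
    print(f"{len(unmatched)} of {len(matched) + len(unmatched)} name searches "
          f"unmatched ({unmatched_rate(matched, unmatched)}%)")
    for r in unmatched:
        print("  follow up:", r["access_id"], r["user_id"], r["subject"])
    for acct, seen in inactive_accounts(report, ACCOUNTS, "2019-06-30"):
        print("inactive account:", acct, "last access:", seen or "never")
```

Matching by a multiset (the `Counter`) rather than by set membership is the point of the example: if a clerk logged one search but the system shows the same name looked up twice that day, the second access is correctly reported as unmatched instead of being covered by the single log entry. The idle-account check reports never-used accounts explicitly, since an account with no log lines at all is the one most easily missed when reviewing access logs.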
Recommendation 2
The Service, Innovation and Integration Branch should ensure that procedures are updated and implemented to reinforce the requirement that manual logs of accesses to the SGI system, search requests, and related documents are all accessible to support verification in the monitoring process.
Action Plan 2
The Provincial and Territorial Affairs Division of the Service, Innovation and Integration Branch will update and align their quarterly monitoring procedures with those of the Saskatchewan Tax Services Office to reflect current processes and changes being made to the impacted processes as a result of the audit findings. Subsequently, the Service, Innovation and Integration Branch and the Saskatchewan Tax Services Office will ensure the communication of these procedures to all affected employees.
In addition, as part of the quarterly monitoring reviews, the Provincial and Territorial Affairs Division will request, in accordance with the functional model, that the Western Region confirm in writing that the manual logs of all accesses to the system and all search requests and related documents for each quarter are available to support verification or ad hoc reviews at any time during their two-year retention period.
The target completion date for this action plan is September 2022.
The Saskatchewan Tax Services Office management will revise the administrative clerk written procedures and training material to explain the importance of the log process and saving search emails as decrypted. The Saskatchewan Tax Services Office management will also update the clerical team leader written procedures to ensure that the proper procedures are being followed going forward.
In addition, the clerical team leader will verbally review the updated procedures with the clerks, and a follow-up email will be communicated on a quarterly basis to the clerks and to the Provincial and Territorial Affairs Division.
The target completion date for this action plan is April 2022.
3.1.4 The CRA has current procedures and guidelines in place for the collection and use of SGI information that are communicated and accessible to employees.
The examination sought evidence that guidance to support appropriate retrievals of information from the SGI system and proper protection of the information retrieved was developed, documented, communicated to the employees involved to promote awareness and learning, and remained accessible to employees as a reference on an ongoing basis.
The Saskatchewan Tax Services Office – SGI Data Access – Procedures and Policy 2017 document was applicable to the 2019 to 2020 fiscal year, the period examined by the internal audit team. The procedures included:
- request instructions for the Collections and Verifications Branch and the Compliance Programs Branch
- clerical team instructions for the Revenue Collections and Audit programs
- retention and disposition guidelines for information from the SGI information system held in the administrative clerks’ files
As part of a reorganization in December 2020, the administrative clerks for the Revenue Collections and Audit programs became one team, reporting to a single team leader in the Program Services area of the Saskatchewan Tax Services Office.
The Saskatchewan Tax Services Office – SGI Data Access – Procedures and Policy document was updated in January 2021. The Saskatchewan Tax Services Office Team Leader communicated the updated procedures to the administrative clerks in January 2021.
The procedures for the Revenue Collections and Audit programs are current, communicated, and accessible. They provide guidance to employees of the Revenue Collections and Audit programs as to when they should request an information search from a source external to the CRA, such as SGI.
3.2. Security of information
3.2.1 There are procedures in place to safeguard the search requests and information retrieved, but improvements could be made in saving information for audit trail purposes and in marking the completed search information with the appropriate classification.
The examination sought evidence that:
- employees have received mandatory security training related to the protection of the SGI search information
- SGI search requests and related documents are stored as required by the MOU requirements and CRA standards
- when information related to SGI search requests is communicated among CRA personnel, the marking of those documents conforms to the MOU requirements and CRA standards
The Saskatchewan Tax Services Office – SGI Data Access – Procedures and Policy document is in place and provides written direction for the handling of SGI information. Interviewees stated that they had taken security training, including training related to the protection of information about taxpayers and benefit recipients. The Saskatchewan Tax Services Office Team Leader confirmed that all employees with access to the SGI system have completed the annual affirmation and hold valid and appropriate security clearances. CRA corporate monitoring of the completion of mandatory security training ensures that all employees are up to date.
Interviews with administrative clerks indicated that SGI search requests are saved in a CRA shared drive. However, some administrative clerks saved these documents on a personal drive, not accessible to a supervisor, before sending them to the requestor.
Interviews with administrative clerks and the Team Leader revealed that search results are sent to requestors via encrypted emails, and those emails are saved in decrypted form on a restricted shared drive.
The CRA standards document titled Identification and Marking of Protected and Classified Information and Assets Procedures indicates in Section 5 that “every email and CRA created document must contain a categorization level before it is sent, saved or printed”.
The audit team examined 30 completed searches chosen randomly from the monitoring report generated by the SGI system. None of the completed search documents was marked with a security classification, and 13% of the emails did not include a statement in the subject line that the email contained Protected B taxpayer information, as required by CRA security standards.
Recommendation 3
The Service, Innovation and Integration Branch should ensure that the requirements for saving and transmitting SGI search-related documents are communicated periodically, for example quarterly, to the personnel involved in those tasks and that periodic monitoring of those tasks be applied on an ongoing basis.
Action Plan 3
The Saskatchewan Tax Services Office clerical team leader will hold quarterly update meetings with the clerical team responsible for handling SGI searches, which will coincide with the quarterly SGI reviews. During these update meetings, the clerks’ knowledge of the procedures will be refreshed to ensure that emails are being saved properly and that proper security marking, as reflected in CRA instructional instruments, is being included in outgoing SGI search emails. The Saskatchewan Tax Services Office will also update the written clerical team leader procedures to reflect this new practice.
In addition, the clerical team leader will verbally review the procedures with the clerks and a follow-up email will be communicated on a quarterly basis to the clerks and to the Provincial and Territorial Affairs Division.
The target completion date for this action plan is April 2022.
3.2.2 Employees are aware of the need to properly address security incidents and their role in reporting security incidents, and they know where to find detailed instructions. No security incidents occurred during the period being audited.
The examination sought evidence that instructions for handling security incidents are available and that employees are aware of their obligations regarding security incidents.
Interviewees were aware of their responsibilities for reporting security incidents and were aware that additional instructions are available on the CRA’s intranet (InfoZone).
No security incidents were identified during the period being audited.
3.2.3 The MOU’s requirements for only authorized disclosure of SGI search-related information are addressed in other areas of this report. The retention schedule in use for SGI search-related information and the practices for disposal of SGI information conform with the requirements for that kind of information as reflected in advice from the CRA functional authority, the Information Management Division.
The findings and recommendations related to disclosure of SGI information are provided in other sections of this report:
- Section 3.1.1 addresses disclosures by considering control mechanisms around the authorized uses and collection of SGI information
- Section 3.1.2 addresses unauthorized disclosures by considering access to the SGI information system
- Section 3.1.3 involves the monitoring of SGI search requests, which could result in the identification of unauthorized disclosures
- Section 3.1.4 pertains to the guidance for the collection and use of SGI information, and considers the prevention or detection of unauthorized disclosures
- Section 3.2.1 involves the safeguarding of SGI information against unauthorized disclosures
- Section 3.2.2 addresses unauthorized disclosures that might have occurred resulting from security incidents
The examination sought evidence that the retention and disposition practices for SGI search-related information conform to the prescribed Records Disposition Authority, such that:
- documents are retained for the required two-year period
- disposition practices for documents conform to requirements, including documentation of disposal events and of the accountability for the disposals
Through interviews and a review of documents held in administrative clerks’ records, the audit team determined that documents are retained for two years, which conforms with the two-year retention period mandated for transitory documents.
No disposition records are required for the disposal of transitory records.
4. Conclusion
Overall, the CRA is in compliance with the provisions of the MOU regarding the collection, access, use, disclosure, retention, and disposition of the information received, including the application of the general security standards. Opportunities for improvement were identified in the areas of:
- approvals required for each request to access SGI information
- consistent maintenance of documents that support verification for the monitoring of accesses to the SGI information system
- adherence to established policies for saving retrieved information and for transmitting that information to the requestor
5. Acknowledgement
In closing, we would like to acknowledge and thank the Service, Innovation and Integration Branch, the Saskatchewan Tax Services Office, and users of SGI information in the Western Region for the time dedicated and the information provided during the course of this engagement.
Appendix
Audit criteria and methodology
Lines of enquiry | Criteria |
---|---|
Collection, access, and use of information | Information collected under the MOU is used for the sole purpose of administering and enforcing CRA program legislation. |
 | Access is controlled in compliance with CRA policies and in accordance with the MOU provisions. |
 | Procedures and guidelines are in place for the collection and use of SGI information. |
Security of information | Information is handled and safeguarded in accordance with the terms and conditions as set out in the MOU and CRA security requirements. |
 | Security infringement incidents are properly recorded, investigated, administered, and reported in accordance with the terms and conditions as set out in the MOU and CRA security requirements. |
 | Information is disclosed, retained, and disposed of in accordance with the terms and conditions as set out in the MOU and CRA security requirements. |
Methodology
This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.
The methodology for examination included the following:
- interviews with selected management and staff
- testing of selected controls through:
  - documentation reviews
  - observation
Due to COVID-19-related restrictions intended to maintain the safety of all participants, the audit was executed remotely, without site visits by the internal audit team. The Audit, Evaluation, and Risk Branch team was not able to observe the work processes or perform walkthroughs of those processes because of safety concerns regarding travel and close proximity to other employees. The team relied on information provided by employees assigned to provide it. Some of that information was provided as screenshots of what was displayed on a computer monitor and as text copied from other documents.
Date modified: 2022-03-22