Internal Audit – Management of Memoranda of Understanding where the CRA shares information with partners

Final Report

Audit, Evaluation, and Risk Branch

June 2023

Executive summary

In delivering its mandate, the Canada Revenue Agency (CRA) works collaboratively with partners, which includes providing them with taxpayer information, where proper legislative authorities exist. In most cases, the CRA enters into Written Collaborative Arrangements with various partners in order to do so. The most common type of Written Collaborative Arrangement is a Memorandum of Understanding (MOU), which is an administrative understanding between the CRA and partners and is not intended to be legally binding or enforceable before the Courts. Of the more than 250 active information exchange MOUs, more than 230 provide taxpayer information to various federal, provincial, and territorial partners.

The objective of this audit was to provide assurance that an adequate framework for the management of MOUs exists at the CRA and is working as intended, specifically for the development, amendment, mandatory review, and monitoring of MOUs where the CRA provides information to partners.

Overall, the audit found that improvement is required to the framework for the management of MOUs within the CRA. Addressing these gaps will help the Agency mitigate risks identified during the course of this audit and strengthen the Agency’s posture of protecting taxpayer information and information exchanges with key partners.

More specifically, the internal audit team found that corporate policy instruments related to the management of MOUs are communicated and understood. However, there was a lack of detailed documented processes and procedures at the operational level that include roles and responsibilities for internal stakeholders specifically related to the development, amendment, mandatory review, and monitoring of MOUs, including when and how each internal stakeholder should be involved in these processes.

The internal audit team also found that improvements are needed to develop processes and procedures and to further refine existing tools to carry out the risk-based prioritization of the mandatory review and monitoring of MOUs.

Summary of recommendations

  • The Service, Innovation and Integration Branch (SIIB), in consultation with the Security Branch, the Public Affairs Branch, and other internal stakeholders, should develop, communicate, and implement more detailed documented processes and procedures for the management of MOUs.
  • The SIIB should determine their MOU-related data requirements and improve their existing case management systems to ensure they can appropriately input MOU-related data to generate statistics and reports that can be used to support the management of MOUs.
  • The SIIB should develop a comprehensive risk-based monitoring framework for the risk-based prioritization of the monitoring and the mandatory review of MOUs.

Management response

The SIIB, the Security Branch, and the Public Affairs Branch agree with the recommendations in this report and have developed related action plans. The Audit, Evaluation, and Risk Branch has determined that the action plans appear reasonable to address the recommendations.

1. Introduction

The Canada Revenue Agency (CRA) administers tax, benefits, and related programs and ensures compliance on behalf of governments across Canada, thereby contributing to the economic and social well-being of Canadians. To meet tax obligations and receive benefits, taxpayers provide the CRA with their personal information, making the CRA one of the largest holders of personal information in the Government of Canada.

In delivering its mandate, the CRA works collaboratively with partners [Footnote 1], which includes obtaining and disclosing taxpayer information. In most cases, the CRA enters into Written Collaborative Arrangements with various partners. A Written Collaborative Arrangement is a written administrative understanding between the CRA and a partner that sets out the accountability framework and terms and conditions of the arrangement.

The most common type of Written Collaborative Arrangement, a Memorandum of Understanding (MOU), is an arrangement between the CRA and a federal department or agency or other order of government in Canada that is primarily used to outline the provisions for obtaining goods or services or exchanging taxpayer information or other similar information as authorized by law. MOUs are administrative understandings between the CRA and partners and are not intended to be legally binding or enforceable before the Courts. However, the exchange of information is supported through various legislation [Footnote 2].

Currently, the CRA has more than 250 active information exchange MOUs with various federal, provincial, and territorial partners. Each MOU establishes the administrative framework that will facilitate the provision or the exchange of taxpayer information by the CRA, by the partner, or between the CRA and the partner.

2. Focus of the audit

This internal audit was included in the most recent Board of Management approved 2022-2023 Risk-Based Assurance and Advisory Plan. The Assignment Planning Memorandum was approved by the Commissioner on September 13, 2022.

2.1. Importance

This audit is important because the CRA has more than 250 active information exchange MOUs. 233 [Footnote 3] (over 90%) of these allow the CRA to provide taxpayer information to various federal, provincial, and territorial governmental partners. Therefore, it is critical that the CRA manage these MOUs with its partners to protect the confidentiality of taxpayer information and monitor its use and disclosure.

One of the CRA’s priorities is to continuously strengthen security, effectively manage taxpayer information, and increase transparency [Footnote 4] to help the CRA maintain and build the public’s trust and support its commitment to protect Canadians’ privacy. This audit also relates to the risk identified in the 2022-2023 Corporate Risk Profile.

Finally, as an assurance engagement had never been conducted on how the CRA manages the activities of development, amendment, mandatory review, and monitoring of information exchange MOUs where the CRA provides information to partners, an internal audit in this area was determined to be both relevant and timely.

2.2. Objective

The objective of this audit was to provide assurance that an adequate framework for the management of MOUs exists at the CRA and is working as intended, specifically for the development, amendment, mandatory review, and monitoring of MOUs where the CRA provides information to partners.

2.3. Scope

This audit focused on the corporate policy instruments, processes, procedures, and tools in place at the CRA to develop, amend, mandatorily review, and monitor MOUs where the CRA provides information to partners.

Information sharing MOUs where the CRA provides information to partners that were active up to and including December 2021 were within the scope of this audit.

The scope of this audit was supported by the Audit, Evaluation, and Risk Branch’s risk assessment as well as the need for assurance in this area.

This audit did not include an assessment of the IT infrastructure or systems involved in the sharing of information with partners. It also did not include MOU cost recovery processes and procedures.

2.4. Audit criteria and methodology

The audit criteria and methodology can be found in Appendix A.

The examination phase of the audit took place from August 2022 to December 2022.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.

3. Findings, recommendations, and action plans

The Service, Innovation and Integration Branch (SIIB), the Security Branch, and the Public Affairs Branch agree with the recommendations in this report and have developed related action plans. The Audit, Evaluation, and Risk Branch has determined that the action plans appear reasonable to address the recommendations.

3.1. Governance, policies, and procedures

The internal audit team conducted documentation reviews and interviews in order to determine if:

  • the CRA has appropriate processes and procedures in place related to the development, amendment, mandatory review, and monitoring of MOUs
  • roles and responsibilities with respect to the management of MOUs are defined
  • channels of communication exist between internal stakeholders and with partners

3.1.1 The CRA has corporate policy instruments related to MOUs that are communicated and understood by internal stakeholders and channels of communication between internal stakeholders. However, improvement is required concerning detailed documented processes and procedures at the operational level.

The SIIB, the Security Branch, and the Public Affairs Branch have and use corporate policy instruments, including some processes, procedures, and tools related to MOUs that are understood and communicated by internal stakeholders. The internal audit team also noted that channels of communication and consultation related to the management of MOUs exist between internal stakeholders and between the CRA and partners.

The CRA’s Directive for Developing Written Collaborative Arrangements outlines the general requirements, including general roles and responsibilities for the CRA to develop MOUs with partners. The directive includes a 10-year mandatory review requirement. In addition, the MOU templates and MOUs contain high-level roles and responsibilities for both internal stakeholders and partners. The SIIB uses these generic MOU templates to develop and amend MOUs.

The audit team noted that the CRA does not have detailed, standardized, and documented processes and procedures related to the amendment, review, and monitoring of MOUs. The audit also noted that the current processes for managing the MOUs are heavily reliant on the experience of staff in place.

Although the CRA has general corporate policy instruments related to MOUs, there was a lack of detailed and documented processes and procedures at the operational level related to the development, amendment, mandatory review, and monitoring of MOUs, including when and how each internal stakeholder should be involved in the processes. Without these detailed documented processes and procedures in place, there is a risk that the CRA may not be able to ensure consistent and effective management of MOUs, particularly when key employees leave.

Recommendation 1

The SIIB, in consultation with the Security Branch, the Public Affairs Branch, and other internal stakeholders, should develop, communicate, and implement more detailed documented processes and procedures for the management of MOUs, including but not limited to their development, amendment, mandatory review, and monitoring.

Action Plan 1

The SIIB has developed various tools, including checklists and internal guidance documents, with respect to the management of MOUs, which will be enhanced and communicated to reflect current procedures. The target completion date for this component of the action plan is September 2023.

In addition, discussions are ongoing with the Security Branch and the Access to Information and Privacy Directorate of the Public Affairs Branch to confirm roles and responsibilities with respect to the security and privacy aspect of MOUs. Related internal processes or procedures will be updated accordingly. The target completion date for this component of the action plan is December 2023.

3.2. Monitoring

The internal audit team conducted documentation reviews, data analysis, and interviews to determine if the CRA conducted mandatory review and monitoring of MOUs. Mandatory review would determine if MOUs should stay in their current form, be updated, or terminated. Monitoring would ensure adherence to the requirements, terms and conditions of MOUs, and whether any of these should be addressed.

3.2.1 The SIIB is able to generate limited statistics or reports pertaining to the mandatory review of MOUs from the Written Collaborative Arrangements Repository or the Workload Tracking System.

The SIIB’s Partnerships Directorate maintains the CRA’s Written Collaborative Arrangement Repository (the repository), which is a database of all Written Collaborative Arrangements, including MOUs. The Partnerships Directorate uses the Workload Tracking System to enter data on the MOUs they manage. The Workload Tracking System interfaces with the repository to create and update information.

In its analysis of the repository, the internal audit team observed that information sharing MOUs could not be easily distinguished from other types of Written Collaborative Arrangement and could not systematically be coded first by the direction of their information exchange prior to coding them by sub-category. Due to the system limitations of the repository and the Workload Tracking System, the SIIB uses a manual process with the Written Collaborative Arrangement Search Tool to determine:

  • how many information exchange MOUs are active; as a result, the SIIB could not easily and accurately identify the population of information exchange MOUs for the purposes of this audit
  • which MOUs are in their tenth year of existence and require a mandatory review

The SIIB indicated that it keeps records of MOUs that are due for and have had a mandatory review. However, due to limited system functionalities, it cannot systematically generate statistics or reports from the repository or the Workload Tracking System that list which MOUs have undergone a mandatory review and when, the date of an upcoming mandatory review and what actions were taken as a result of the mandatory review.

Recommendation 2

The SIIB should determine their MOU-related data requirements and improve their existing case management systems to ensure they can appropriately input MOU-related data to generate statistics and reports that can be used to support the management of MOUs.

Action Plan 2

The SIIB has been improving its automated systems over the past few years and is currently reviewing the functionality of its Workload Tracking System and Written Collaborative Arrangements Repository through a pilot project to address the needs of the branch in supporting the management of MOUs. As a result, the SIIB has developed related action plans.

The SIIB will continue with its current pilot project within the Federal, Indigenous and Quebec Affairs Division to assess what data and functionalities would address the recommendation of the audit. The target completion date for this component of the action plan is December 2023.

The SIIB will conduct a feasibility study to determine if increased integration of the current system is adequate to address the recommendation of the audit or if other technological options are available. The target completion date for this component of the action plan is March 2024.

3.2.2 The SIIB does not have a documented plan to prioritize and conduct the mandatory review of MOUs.

The CRA has over 200 active information exchange MOUs with various federal, provincial, and territorial partners. Currently, the SIIB conducts mandatory review of MOUs; however, the SIIB does not have a documented plan to prioritize which MOUs to review.

With respect to mandatory review, since 2016, MOU terms and conditions state that a review should be conducted on or before the tenth year after signing. These are conducted to determine if the MOUs should stay in their current form, be updated, or terminated. If a mandatory review is not conducted by the end of the 10-year period, the MOU will be terminated effective 30 days following the tenth year after signing. MOUs that do not have the mandatory review clause will be amended to include the clause once renewed.

The internal audit team analyzed the 233 active MOUs and found that for over 40% of these, more than 10 years had elapsed since their signing. The SIIB confirmed that it has and is currently reviewing these older MOUs on a priority basis, but it does not have a documented plan for the mandatory review of these older MOUs.

Consequently, as there is no documented plan to conduct mandatory reviews or to ensure they are reviewed prior to the tenth year, there is a risk that MOUs that are no longer required could still be active, MOUs that are required could be deemed terminated, and MOUs could have outdated requirements, terms and conditions.

Additionally, given the large volume of MOUs and the amount of time required to perform mandatory reviews, being able to prioritize reviews based on the relative risk of the MOUs would ensure that the CRA has a plan to conduct reviews and mitigate the risks of MOUs lapsing past the mandatory review period, and having outdated clauses.

3.2.3 The SIIB does not have a monitoring framework that integrates the results of relevant risk-based data, analysis, and monitoring performed by all relevant internal stakeholders.

The Provincial and Territorial Affairs Division within the SIIB recently developed its Client Engagement Framework and began administering its Client Engagement Questionnaire to conduct external monitoring exercises with partners. However, the SIIB does not have a comprehensive monitoring framework in place to monitor all partners’ adherence to the requirements, terms, and conditions of information exchange MOUs at the directorate level.

A comprehensive monitoring framework would ensure MOUs are monitored and consequently reviewed based on the relative risk of the MOU. This could be achieved by leveraging the results of MOU-related monitoring activities conducted by internal and external stakeholders, and assessing them against other risk factors inherent to the profile of the partner, such as the type of MOU, the sensitivity of information, the volume or frequency of the information shared, and the method of transfer used to provide the information to the partner.

More specifically, the SIIB does not have a documented plan to assess the risk of each MOU by taking into account all available risk-based information that would indicate one MOU being relatively riskier over another to prioritize its monitoring. Given the large volume of MOUs, being able to prioritize these activities based on the relative risk of the MOUs is optimal.

Consequently, without a risk-based monitoring framework, the CRA could potentially be exposed to greater reputational, security, and privacy risks because it would not have a comprehensive method of monitoring its existing MOUs and, ultimately, the information it shares with partners.

Recommendation 3

The SIIB should develop a comprehensive monitoring framework used for the risk-based prioritization of the monitoring and the mandatory review of MOUs concerning the adherence to the terms and conditions of MOUs where the CRA provides information to partners.

Action Plan 3

The SIIB has relied on informal risk assessments based on experience and relationships with clients. However, to date, monitoring and related reviews have not been based on risk as both processes are relatively new.

The SIIB will conduct a formal risk assessment of MOUs to identify, measure, and mitigate related risks. The target completion date for this component of the action plan is September 2023.

The SIIB will continue to enhance and document the process for the monitoring and the related reviews of MOUs to reflect these risk indicators and prioritize its work accordingly. The target completion date for this component of the action plan is December 2024.

In addition, discussions are ongoing with the Security Branch and the Public Affairs Branch to confirm roles and responsibilities with respect to the monitoring of the security and privacy aspect of MOUs. These will be included in related internal processes or procedures. When applicable, the SIIB will update its related internal processes, procedures, and the Directive for Developing Written Collaborative Arrangements to clarify the SIIB’s, the Security Branch’s, and the Public Affairs Branch’s roles and responsibilities with respect to the monitoring of MOUs. The target completion date for this component of the action plan is December 2024.

4. Conclusion

Overall, the audit found that improvement is required to the framework for the management of MOUs in the CRA. Addressing these gaps will help the CRA mitigate risks identified during the course of this audit and strengthen the CRA’s posture of protecting taxpayer information and information exchanges with key partners.

More specifically, the internal audit team found that corporate policy instruments related to the management of MOUs are communicated and understood. However, there was a lack of detailed documented processes and procedures at the operational level that include roles and responsibilities for internal stakeholders specifically related to the development, amendment, mandatory review, and monitoring of MOUs, including when and how each internal stakeholder should be involved in these processes.

The internal audit team also found that improvements are needed to develop processes and procedures and to further refine existing tools to carry out the risk-based prioritization of the mandatory review and monitoring of MOUs.

5. Acknowledgement

In closing, we would like to acknowledge and thank the SIIB, the Security Branch, and the Public Affairs Branch for the time dedicated and the information provided during the course of this engagement.

6. Appendices

Appendix A: Audit criteria and methodology

Based on the Audit, Evaluation, and Risk Branch’s risk assessment, the following lines of enquiry were identified:

Lines of enquiry and criteria

Governance, Policies, and Procedures

  • Corporate policy instruments, including processes and procedures related to the management of MOUs, exist, are complete, are communicated, and are understood by internal stakeholders with respect to the information provided to partners.
  • Roles and responsibilities with respect to the management of MOUs are clearly defined, communicated, and understood by internal stakeholders and partners with respect to the information provided to partners.
  • Appropriate channels of communication exist between internal stakeholders and with partners related to the management of MOUs.

Monitoring

  • Processes exist to prioritize the monitoring and mandatory review of MOUs.
  • MOUs are reviewed based on risk and, where required, are revised or terminated accordingly.
  • A risk-based framework is in place to monitor adherence to the terms and conditions of the MOUs by internal stakeholders and partners.

Methodology

The methodology used in the examination included the following:

  • Document review: reviewing and analyzing corporate policy instruments and supporting documentation (processes, procedures, and tools) related to the exchange of information between the CRA and partners
  • File review: reviewing and analyzing a sample of MOUs
  • Data analysis: conducting data analytics on the content of the Written Collaborative Arrangement Repository
  • Internal interviews: conducting interviews with the management and staff of the office of primary interest and offices of collateral interest
  • External interviews: conducting interviews with a sample of partners

Appendix B: Glossary

Terms and definitions [Footnote 5]

Framework (for the purposes of this audit): Comprehensive approach that incorporates corporate policy instruments, methodologies, processes, procedures, and tools.

Information:

Taxpayer information according to subsection 241(10) of the Income Tax Act: information of any kind and in any form relating to one or more taxpayers that is:

  • (a) obtained by or on behalf of the Minister for the purposes of this Act, or
  • (b) prepared from information referred to in paragraph (a), but does not include information that does not directly or indirectly reveal the identity of the taxpayer to whom it relates and, for the purposes of applying subsections (2), (5) and (6) to a representative of a government entity that is not an official, taxpayer information includes only the information referred to in paragraph (4)(l).

Confidential information according to subsection 295(1) of the Excise Tax Act: information of any kind and in any form that relates to one or more persons and that is:

  • (a) obtained by or on behalf of the Minister for the purposes of this Part, or
  • (b) prepared from information referred to in paragraph (a), but does not include information that does not directly or indirectly reveal the identity of the person to whom it relates and, for the purposes of applying subsections (3), (6) and (7) to a representative of a government entity who is not an official, includes only the information described in paragraph (5)(j).

Confidential information according to subsection 211(1) of the Excise Act, 2001: information of any kind and in any form that relates to one or more persons and that is:

  • (a) obtained by or on behalf of the Minister for the purposes of this Act;
  • (a.1) obtained by or on behalf of the Minister of Public Safety and Emergency Preparedness for the purposes of section 68; or
  • (b) prepared from information referred to in paragraph (a) or (a.1).
    It excludes information that does not directly or indirectly reveal the identity of the person to whom it relates and, for the purposes of applying subsections (3), (8) and (9) to a representative of a government entity that is not an official, it includes only the information referred to in paragraph (6)(j).

Confidential information according to subsection 84(1) of the Softwood Lumber Products Export Charge Act, 2006: information of any kind and in any form that relates to one or more persons and that is obtained by or on behalf of the Minister for the purposes of this Act, and any information that is prepared from such information, but does not include information that does not directly or indirectly reveal the identity of the person to whom it relates.

Client information [Footnote 6]: Information, from or about clients, of any kind and in any form obtained by or on behalf of, or created by or for, the Minister of National Revenue for the purposes of the administration or enforcement of the program legislation listed in the Policy. This includes information that reveals, directly or indirectly, the identity of the client to whom it relates.

Personal information [Footnote 7]: Taxpayer information about an identifiable individual is also personal information about that individual.

Internal stakeholders: The internal audit team refers to internal stakeholders as CRA branches that are involved in the management of MOUs. Internal stakeholders include the SIIB, the Security Branch, the Public Affairs Branch, the Information Technology Branch, the Finance and Administration Branch, and operational program areas (within branches and regions).

Management of an MOU (for the purposes of this audit): Includes the development, amendment, mandatory review, and monitoring of information exchange MOUs where the CRA provides information to partners.

Memorandum of Understanding (MOU): An arrangement between the CRA and a federal department, agency, or other order of government in Canada that is primarily used to outline the provision or obtaining of goods or services or exchanging taxpayer information or other similar information as authorized by law.

Partners (for the purposes of this audit): “Partners” refers to “other organizations” in the definition of a Written Collaborative Arrangement who are Indigenous governments, federal, provincial and territorial governments, agencies, or crown corporations who have signed information exchange MOUs with the CRA.

Taxpayer (for the purposes of this audit): A taxpayer, according to the meaning assigned in subsection 248(1) of the Income Tax Act, is a person referred to in the definition of confidential information in subsection 295(1) of the Excise Tax Act or subsection 211(1) of the Excise Act, 2001, or subsection 84(1) of the Softwood Lumber Products Export Charge Act, 2006, or a similar person or entity [Footnote 6].

Taxpayer information (for the purposes of this audit): Taxpayer information refers to taxpayer information under subsection 241(10) of the Income Tax Act, confidential information in subsection 295(1) of the Excise Tax Act or subsection 211(1) of the Excise Act, 2001, or subsection 84(1) of the Softwood Lumber Products Export Charge Act, 2006, client information and personal information where such information is provided or exchanged through an MOU between the CRA and a partner.

Written Collaborative Arrangement: A written administrative understanding between the CRA and another organization (partner) that sets out the accountability framework and terms and conditions of the arrangement, but is not a letter of concurrence, a contract, or a tax treaty. A Written Collaborative Arrangement is not legally enforceable, and parties are not liable for breaches of its terms and conditions. Written Collaborative Arrangements include letters of agreement, letters of intent, memoranda of understanding, service level agreements, and service agreements.

Footnotes

Footnote 1

Partners are Indigenous governments, federal, provincial and territorial governments, agencies, or crown corporations who have signed information exchange MOUs with the CRA.

Footnote 2

Legislation includes the Income Tax Act, the CRA Act, the Excise Tax Act, the Excise Act, 2001, the Softwood Lumber Products Export Charge Act, 2006, the Privacy Act, and legislative authorities applicable to the partner.

Footnote 3

Of the 233 MOUs verified by the internal audit team where the CRA provides information to partners, 194 are bi-directional exchanges (IN/OUT) and 39 are unidirectional provisions (OUT ONLY).

Footnote 4

CRA Departmental Plan 2022-2023, Summary of the Corporate Business Plan 2021-2022 to 2023-2024

Footnote 5

Note that most of the above definitions come from the Directive for Developing Written Collaborative Arrangements, some from the Guidelines on the Use and Disclosure of Client Information, and others through validation by the SIIB.

Footnote 6

From the CRA Guidelines on the Use and Disclosure of Client Information.

Footnote 7

From the CRA Directive for Developing Written Collaborative Arrangements.


Date modified: 2023-09-18