2017 Spring Reports of the Auditor General of Canada to the Parliament of Canada Independent Audit ReportReport 3—Preventing Corruption in Immigration and Border Services

2017 Spring Reports of the Auditor General of Canada to the Parliament of CanadaReport 3—Preventing Corruption in Immigration and Border Services

Independent Audit Report

Introduction

Background

3.1 Citizens of other countries who wish to enter Canada must have appropriate documentation to travel here and must be vetted by Canadian border services officers to ensure they are eligible to enter. Immigration, Refugees and Citizenship Canada (the Department) and the Canada Border Services Agency (the Agency) share the responsibility of facilitating travel to Canada and the entry of people and goods into Canada.

3.2 The Department facilitates travel to Canada by arranging visas for eligible visitors. The Agency facilitates the flow of people and goods across our borders while supporting national security and public safety, as required by the Immigration and Refugee Protection Act and the Customs Act.

3.3 A risk for any organization is that employees could misuse their influence in a business transaction and violate their duty to the organization to gain a direct or indirect benefit. The Department and Agency also face this possibility. According to the Immigration and Refugee Protection Act, an officer or employee of the Government of Canada is guilty of an offence if he or she “knowingly makes or issues any false document or statement, or accepts or agrees to accept a bribe or other benefit, in respect of any matter under this Act or knowingly fails to perform their duties under this Act.” In this report, we refer to such actions as corruption. The Agency primarily call these actions “fraud,” and the Department calls these actions “malfeasance.”

3.4 It is important that the Department and the Agency have controls—meaning policies, procedures, processes, and activities—to reduce the risk of corruption. If these controls do not work as intended, staff may be able to circumvent the rules for personal gain. Such failures may also make staff vulnerable to coercion, and can result in unauthorized persons travelling to or entering the country, possibly with inadmissible goods.

3.5 The Department and the Agency cannot prevent or detect all corruption. However, by identifying the risks of corruption and having effective controls in place, they can assure Canadians that they are doing what they can to protect their employees from coercion and to reduce the risk of corruption.

Focus of the audit

3.6 This audit focused on whether Immigration, Refugees and Citizenship Canada and the Canada Border Services Agency implemented selected controls—meaning policies, procedures, processes, and activities—to address the risk that immigration and border services staff could be corrupted.

3.7 We examined whether the organizations identified the risks related to corruption of officials and what controls they used to mitigate the risks. We also selected and tested controls to determine whether they worked as intended. For the Department, we focused on risks and selected controls related to issuing visitor and international student visas at Canadian missions abroad. For the Agency, we focused on risks and selected controls related to land border crossings where the first point of contact is a border services officer.

3.8 This audit is important because Department officials play an important role in determining who can travel to Canada, and Agency officials play an important role in deciding which foreign nationals can enter the country, what goods are admissible, and what level of assessment Canadian travellers require before they can re-enter the country. If these officials can be corrupted, then individuals who do not meet the requirements may travel to or enter Canada—along with any potentially inadmissible goods they are carrying—without the necessary vetting. Visas and entry requirements exist to guard against illegal travel to or entry into Canada in the interest of public safety and security.

3.9 More details about the audit objective, scope, approach, and criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Identifying corruption risks and controls

Overall message

3.10 Overall, we found that the Canada Border Services Agency and Immigration, Refugees and Citizenship Canada had identified corruption as a risk that could result in unauthorized foreign nationals travelling to and entering the country, and in Canadians re-entering the country, without undergoing all elements of a required inspection.

3.11 We found that both organizations also developed controls—policies, procedures, processes, and activities—to mitigate the risks. However, neither organization adequately monitored the controls to ensure they were working as intended.

3.12 This is important because the Department’s and the Agency’s ability to guard against the corruption of their employees depends on their ability to understand the type and prevalence of the risks to which they are exposed, and on their ability to implement effective controls.

3.13 To understand which controls will be most effective to address the risk of corruption, each organization must first understand and identify its unique corruption risks. There are various ways of doing this, such as conducting risk assessments and using available information to see where the greatest weaknesses lie. Having identified these risks, the organizations must then develop specific controls to mitigate them.

3.14 Agency border services officers are responsible for assessing travellers to determine foreign nationals’ admissibility, to determine whether further examination is required of both foreign and Canadian travellers, and to assess the admissibility of all travellers’ goods. Superintendents are responsible for overseeing border services officers and ensuring they follow the Agency’s code of conduct, policies, and procedures.

3.15 Immigration, Refugees and Citizenship Canada issues visas to foreign nationals who need them to enter Canada. It also delivers Canada’s immigration program abroad through its International Network branch. Its visa officers make final decisions on visa applications, processing visas in 50 missions around the world, with about 280 Canadian immigration officials (known as Canada-based staff) and about 1,100 locally engaged staff.

The Canada Border Services Agency understood its key corruption risks and had controls to mitigate them, but did not know if they worked

3.16 We found that the Canada Border Services Agency identified the potential corruption of its officials as a risk and designed controls (policies, procedures, processes, and activities) to mitigate the risk. However, it did not use all the information it had at its disposal to monitor and evaluate the effectiveness of its controls and to proactively detect corruption.

3.17 Our analysis supporting this finding presents what we examined and discusses the following topics:

3.18 This finding matters because the Agency needs effective controls to make sure that Canadians returning to the country are properly vetted and that inadmissible foreign nationals and goods are not entering Canada as a result of corruption.

3.19 Our recommendation in this area of examination appears at paragraph 3.69.

3.20 What we examined. We examined key corporate risk documents to determine whether the Canada Border Services Agency had identified the risk of corruption at land border crossings, had controls in place to reduce the risk, and used its information to understand the controls needed.

3.21 Identifying the risk of corruption. We found that the Agency’s Enterprise Risk Profile, Fraud Risk Profile, and Departmental Security Plan all identified the risk that its employees could engage in unethical or illegal activities. The Fraud Risk Profile further defined the risk as the chance that employees could illegally allow inadmissible people or goods into Canada.

Primary inspection line—The point where travellers entering Canada report themselves and their goods to border services officers, as required under the Customs Act and the Immigration and Refugee Protection Act.

Integrated Primary Inspection Line—The system used to query travellers and to provide information to border services officers to help them process and vet travellers at the first point of contact.

3.22 Identifying and implementing controls to reduce the risk of corruption. We found that the Agency had designed controls to reduce the risk of corruption. Some, like awareness training, were meant to inform officers of appropriate actions on the job, while others—such as randomly assigning border services officers to the primary inspection line—were meant to make it difficult for corrupt activity to happen.

3.23 Using available information for ongoing assessment. Border services officers collect information about travellers entering Canada. For example, they scan passports into the Integrated Primary Inspection Line system. The system records the actions taken by an officer, such as when an officer corrects traveller information.

3.24 We found that the Agency kept information by region, land border crossing, and officer, but that it did not use this information to identify possible corrupt activity by its officials. For example, it did not conduct tests similar to those we conducted during our audit (described in paragraphs 3.48 to 3.52 and 3.60 to 3.67). It relied instead on allegations made by staff, other government officials, or the public to identify possible corruption. This meant the Agency missed opportunities to detect improper actions in a timely way, leaving it vulnerable to corruption.

3.25 The Agency is aware that not proactively monitoring digital systems creates a lack of awareness of improper actions. It has been developing an Information Security Integrity Monitoring Strategy since 2013. This was originally scheduled for completion in 2016. At the time of this audit, the strategy was still at an early stage of development.

Immigration, Refugees and Citizenship Canada’s International Network branch did not have a comprehensive risk assessment in place

3.26 We found that Immigration, Refugees and Citizenship Canada had identified corruption risks in its department-level documents, such as in its Fraud Management Policy Framework. However, at the program level, the Department’s International Network branch, which delivers Canada’s immigration program abroad, did not use available information to develop a comprehensive risk assessment. In addition, the Department had not determined whether controls in place were sufficient and working.

3.27 Our analysis supporting this finding presents what we examined and discusses the following topics:

3.28 This finding matters because where corruption is identified as a risk, effective controls are needed to reduce the possibility of corrupt activities. This is especially important at offices in parts of the world where corruption is prevalent.

3.29 Our recommendation in this area of examination appears at paragraph 3.35.

3.30 What we examined. We examined key risk documents to determine whether Immigration, Refugees and Citizenship Canada identified the risk of corruption and mitigating controls. We also looked at risk documents related to processing visitor and international student visas at missions from the Department’s International Network branch to see whether controls were in place to mitigate the risk of corruption, and whether information from its visa offices abroad was used to inform the Department’s understanding of risks and controls.

3.31 The Department’s risk documents. We found that at the departmental level, Immigration, Refugees and Citizenship Canada’s risk profile and security plan identified improper actions by employees as a risk inherent to its overall operations. For example, the Department had identified the risk that staff could improperly disclose or share sensitive information. Also, in November 2015, the Department approved a Fraud Management Policy Framework that identified activities for fraud awareness, prevention, and detection. The Department stated its intention to conduct a formal internal fraud risk assessment by May 2017.

3.32 The International Network branch’s use of available information to assess risks. Immigration, Refugees and Citizenship Canada’s Fraud Management Policy Framework states that fraud risk management controls must be in place and be regularly assessed and adjusted to ensure their ongoing effectiveness.

3.33 We found that the International Network branch had documented some processes to lessen the risk of corruption. In particular, we noted that it supplied managers in its visa offices abroad with an annual checklist to help them review the risks in their local operating environments. For example, checklists covered measures to prevent collusion between locally engaged staff who were related, and to identify whether Canada-based staff were located in work areas in order to supervise locally engaged staff. Managers submitted the completed checklists to headquarters.

3.34 However, the International Network branch did not use the information gathered through the checklists to develop a comprehensive risk assessment. Nor did it use the Global Case Management System—the integrated, worldwide system used to process applications for citizenship and immigration—to analyze employees’ processing activities across all missions to inform risks and evaluate the effectiveness of its controls.

3.35 Recommendation. Immigration, Refugees and Citizenship Canada should develop a comprehensive internal fraud risk assessment based on analysis of the effectiveness of its controls.

Immigration, Refugees and Citizenship Canada’s response. Agreed. Immigration, Refugees and Citizenship Canada has developed the International Network Professional Conduct Standard, which focuses on the comprehensive management of risks related to internal fraud in the international context of program delivery. The standard, which is based on a continuous cycle of awareness, prevention, detection, assessment, response, and reporting, has already been incorporated into the International Network Integrated Management Plan and will be fully operational on a continuous basis beginning in the 2017–18 fiscal year.

Applying controls to mitigate corruption

Overall message

3.36 Overall, we found that neither the Canada Border Services Agency nor Immigration, Refugees and Citizenship Canada adequately monitored the controls they had in place to address the risk of corruption. This left the organizations and their officials vulnerable to corruption. For example, neither organization used available information proactively to detect staff activities that could indicate potential corruption.

3.37 We found examples of improper (though not necessarily corrupt) actions at both organizations that were similar to known violations of code-of-conduct scenarios. For example, Agency border services officers at land border crossings did not follow all policies or practices consistently. Based on our analysis of a sample, we estimated that over a 12-month period, about 300,000 of 19 million vehicles entering Canada (2 percent) entered without undergoing all elements of a required inspection by border staff.

3.38 We found that at Immigration, Refugees and Citizenship Canada, controls designed to prevent unauthorized staff from issuing visas were effective. However, 14 locally engaged staff acted against the Department’s code of conduct by consulting their own visa records.

3.39 We found no evidence that the improper actions we observed were the result of corruption at either the Department or the Agency.

3.40 These findings matter because when controls are effective, they minimize the opportunities for corruption or coercion. But when controls are weak, there is more opportunity for corruption to occur, thereby making it more possible for ineligible people to travel to Canada, whether through obtaining visas or through being admitted at land border crossings. This potentially exposes the country to serious security and safety risks.

3.41 Agency border services officers are Canada’s first point of contact with most travellers at land border crossings. Officers are required to inspect travellers at the primary inspection line by questioning them and entering their information into the automated Integrated Primary Inspection Line system. Officers do this either by scanning travel documents, such as passports, or by entering information manually. The system provides real-time information to help officers determine foreign nationals’ admissibility and whether further examination is required of both foreign and Canadian travellers.

3.42 Immigration, Refugees and Citizenship Canada provides visas to people requiring them to enter Canada. Individuals may apply for a visa from abroad or in Canada. Both locally engaged staff and Canada-based staff are involved in processing visas abroad.

3.43 The Agency and the Department both use data systems to carry out their responsibilities. The systems’ primary function is to process travellers and visa applications. However, they can also serve as anti-corruption tools to ensure that staff conduct all of the required processing steps.

Canada Border Services Agency staff did not always follow Agency policies at land border crossings

3.44 We found that Agency border services officers did not input information about all travellers into the Agency’s system. Our analysis of a sample indicated that out of about 19 million vehicles that entered Canada during a 12-month period, about 300,000 vehicles (2 percent) were admitted to Canada without border services officers having entered traveller information from documents of the people in the vehicles. We also found instances of officers sharing their system log-in information with other officers. Both of these practices were against Agency policy.

3.45 Our analysis supporting this finding presents what we examined and discusses the following topics:

3.46 This finding matters because a border services officer who does not follow policy could knowingly, and without detection, allow someone to enter the country who may not have been entitled to (in the case of a foreign national) or who should have received further examination (in the case of a Canadian).

3.47 Our recommendation in this area of examination appears at paragraph 3.69.

3.48 What we examined. We examined data in the Integrated Primary Inspection Line system to determine how often vehicles passed through land border crossings without undergoing all the elements of a required inspection. The system’s main purpose is to support processing at a border crossing, but it also serves as an anti-corruption tool, since all activities that are entered into the system can be traced back to a specific officer.

3.49 Inspections of travellers entering Canada. It is the Canada Border Services Agency’s policy that border services officers complete and document an inspection of every person entering Canada at a land border crossing where a border services officer is the first point of contact. The border services officer must enter the traveller’s information in the Integrated Primary Inspection Line system and ask the traveller a series of questions. This ensures the officer obtains the information needed to decide whether to let a foreign national enter Canada, or to refer a foreign or Canadian traveller for further Agency examination. This also provides a record of which officer processed the traveller.

3.50 We examined data for the periods 1 April 2015 to 14 March 2016 and 13 June to 4 July 2016 about vehicles entering Canada where a licence plate reader recorded the vehicle’s licence plate information in the Integrated Primary Inspection Line system. Out of about 19 million vehicles that were scanned by a licence plate reader, we found anomalies in 511,000 cases. From these, we selected a representative sample of 66 vehicle entries to look at in more detail and found that in 38 cases, border services officers did not scan or manually enter information from documents for these travellers as required. This meant that about 300,000 of 19 million vehicles (2 percent) did not undergo all elements of a required inspection. Since each vehicle could contain more than one individual, this meant that more than 300,000 individuals likely entered the country without a full inspection. We do not know why border services officers did not follow all the required procedures. The fact that officers did not record the required information did not mean that a corrupt activity occurred, but it was a breakdown in the control that the Agency needed to know about.

3.51 Employees’ user identifications and passwords. The Agency’s code of conduct and Customs Enforcement Manual state that under no circumstances should users share their passwords or user identifications with anyone. The intent of this control is to link transactions to specific officers. Through its own investigations, the Agency identified past instances of border services officers sharing log-in information.

3.52 We looked at data from 1 April 2015 to 14 March 2016 to determine whether the same user identification had been used simultaneously at different land border crossing booths. We found instances in which an officer was processing at one land border crossing booth under a particular user identification and within 20 seconds, the same user identification was used at another land border crossing booth, thereby potentially sharing the user identification. We examined data for 8 officers that accounted for 15 percent of the instances in which user identification was potentially shared, and we found that 7 officers were sharing their user identification. Another 744 officers each had at least one similar instance of sharing user identification.

Agency superintendents did not monitor staff adequately to detect possible corruption

Lookout—An automated message entered into the Integrated Primary Inspection Line system to alert border services officers at land border crossings that a person or vehicle may pose a threat to Canadians.

3.53 We found that Canada Border Services Agency superintendents did not adequately supervise border services officers. They did not spend enough time on supervisory activities to detect potential corruption at land border crossings. Some weaknesses were related to superintendents’ monitoring of lookouts: there were instances in which individuals who had been identified for closer inspection entered Canada without such inspections being completed. Other weaknesses were related to temporary resident permits—individuals who would not normally have been permitted to enter the country did so without the Agency’s written justification.

3.54 Our analysis supporting this finding presents what we examined and discusses the following topics:

3.55 This finding matters because sufficient monitoring of border services officers helps ensure that officers follow required policies and procedures, and helps the Agency uncover inappropriate activities—whether involving individuals or occurring in patterns at specific land border crossings or regions. A better understanding of anomalies would allow the Agency to improve its controls to prevent corrupt activities in a timely way.

3.56 Our recommendation in this area of examination appears at paragraph 3.69.

3.57 What we examined. We examined whether superintendents supervised border services officers to ensure the officers followed the Canada Border Services Agency’s code of conduct, policies, and procedures. We did this by analyzing the results of an April 2016 survey we conducted with superintendents, and by looking at the monitoring reports generated by superintendents. We also examined documentation for lookouts and temporary resident permits to see whether border services officers completed the required documentation.

3.58 Monitoring border processing activities. Superintendents supervise border services officers and are expected to monitor border processing activities on a regular basis. In 2009, the Agency required superintendents to increase their physical monitoring of inspection activities at all land border crossings. The Agency did not specify a required level of monitoring, but suggested activities, such as unexpected or random visits by superintendents to the primary inspection line.

3.59 Seventy-four percent of superintendents responded to our survey. Seventy-one percent stated they spent less than 25 percent of their shifts overseeing border services officers. According to their replies, most of their time was spent on administrative tasks, such as producing statistical reports on land border crossings, providing reports to regional and national headquarters, and managing emails. Sixty percent said they did not have enough time to supervise on-site operations.

3.60 It is our view that a stronger superintendent presence at land border crossings would make it easier for the Agency to detect unusual activities. For example, one unusual activity we found was that some border services officers turned the Integrated Primary Inspection Line system on and off multiple times during a single shift. Out of a total of 2,553 officers who worked shifts at a land border crossing from 13 June to 4 July 2016, 1,649 officers (65 percent) logged in more than once during their shifts. Although the data did not allow us to draw a conclusion of corruption, a greater superintendent presence would allow the Agency to understand why this happened.

3.61 Reports generated from the Integrated Primary Inspection Line system are important systematic monitoring tools for superintendents. We were told that report information is meant to

However, we found that not all superintendents used the reports. The data we examined from 1 April 2015 to 14 March 2016 showed that only about half of superintendents at about a third of land border crossings generated reports. For land border crossings with no permanent on-site superintendents, we found that no reports were generated at the majority of these crossings, meaning there was neither on-site nor computer monitoring.

3.62 Monitoring missed lookouts. A “lookout” is an automated message entered into the Integrated Primary Inspection Line system to alert border services officers at land border crossings that a person or vehicle may pose a threat to Canadians. A message is triggered when the system matches the traveller or vehicle information entered by an officer with lookout information already in the system. Lookouts may be issued for a number of reasons, including past immigration violations or possible possession of contraband goods, such as drugs or weapons. Agency policy says border services officers must refer all travellers and vehicles identified by lookouts for secondary inspections.

3.63 Despite these requirements, we found that border services officers sometimes missed lookouts. The Agency says this can happen if the officer does not see the lookout at the time of processing. Also, officers can legitimately modify information that has triggered a lookout. For example, if an automated licence plate reader misreads a number, the officer can correct it.

3.64 Superintendents are responsible for following up on all missed lookouts and for taking corrective action when a lookout is missed. We examined 9,082 lookouts from 1 April 2015 to 14 March 2016. We found that border services officers missed 56 lookouts and superintendents either did not follow up as required or the follow-up was not complete. Although there were few missed lookouts (0.6 percent), some involved organized crime and contraband drugs.

3.65 Monitoring the issuing of temporary resident permits. A temporary resident permit may be issued to a person who would not normally be allowed to enter Canada. An example is someone who has a criminal record. Border services officers with the appropriate authority may issue temporary resident permits for social, humanitarian, or economic reasons. For example, someone with a criminal record may wish to attend a family funeral in Canada. Border services officers who issue temporary resident permits must justify their decisions in their documentation.

3.66 We examined all 3,125 temporary resident permits issued at land border crossings for a one-year period ending on 31 March 2016. We checked whether policies and procedures were followed and exceptions properly justified.

3.67 We found 113 cases (4 percent) where Agency staff issued temporary resident permits without appropriate justification. In many cases, the permits were issued to people with criminal convictions, some of which were deemed serious (punishable by a prison term of at least 10 years under Canadian law).

3.68 Effective monitoring of both missed lookouts and the temporary resident permits issued would allow the Agency to know whether procedures are being followed and to detect potential corruption in a timely way.

3.69 Recommendation. The Canada Border Services Agency should develop a monitoring strategy that specifies how the Agency will systematically

The Canada Border Services Agency’s response. Agreed. The Canada Border Services Agency will integrate the assessment of key controls on corruption into the Management Practices Assessment framework as well as into the Port Program Assessments. The Management Practices Assessment framework is a tool designed to support sustainable change by focusing on the overall management capabilities needed at the workplace to support current and future service requirements, expectations, and priorities of the Agency whereas the Port Program Assessments are used to assess and measure operational adherence to Agency priorities and high-risk areas of business at ports of entry nationally. The Agency will also review and confirm that Regional Frontline Management profiles, responsibilities, and accountabilities are in place with regard to their control function and will add relevant questions to the Port Program Assessment exercise to ensure that Regional Frontline Management meets these responsibilities. These actions will be completed by July 2017.

Visa processing procedures successfully prevented unauthorized staff from issuing visas

3.70 We found that Immigration, Refugees and Citizenship Canada’s controls (policies, procedures, processes, and activities) to prevent a single individual from completing all required visa processing and approval steps worked well. We also found that the Department’s controls over access rights in the Global Case Management System were effective.

3.71 Our analysis supporting this finding presents what we examined and discusses the following topics:

3.72 This finding matters because proper separation of duties reduces the risk that staff could be asked or tempted to engage in illegitimate activities.

3.73 We made no recommendations in this area of examination.

3.74 What we examined. We examined all 1.4 million temporary and student visas approved by Canadian missions from 1 April 2015 to 1 March 2016 to determine whether there were cases where just one individual completed all the steps needed to generate a visa. We also examined 6,190 Global Case Management System user records in missions from 1 April 2015 to 1 March 2016 to determine whether there were any access rights that had been assigned not to individuals, but to regions or job descriptions.

3.75 Processing visas. A key control to prevent corruption in visa processing is to ensure that one person cannot process a visa on their own. Depending on the size of the mission, at least two staff with specifically assigned duties will process one visa application. However, in special circumstances, Canada-based staff and some locally engaged staff do have the authority to undertake all steps to complete a visa. The Department states that this can happen when there are compelling personal or national interest reasons to process and issue a visa quickly.

3.76 Out of 1.4 million student and temporary visas approved in missions for the period 1 April 2015 to 1 March 2016, we identified 69 cases in which one person completed all the processing steps to issue a visa. The Department explained that these exceptions were made so that

We found that these 69 exceptions were justified.

3.77 Assigning and monitoring access rights to the Global Case Management System. Immigration, Refugees and Citizenship Canada assigns access rights to the Global Case Management System to specific individuals. This allows the Department to trace the actions completed in the system back to specific individuals.

3.78 We examined 6,190 Global Case Management System user records in missions from 1 April 2015 to 1 March 2016 to determine whether any access rights had been assigned to regions or job descriptions rather than to individuals. We found that accounts were assigned to individuals as required.

3.79 We found that the Department was monitoring user accounts. In 2016, it decided to automatically deactivate users who had not logged in to the system within six months.

Locally engaged staff viewed their own visa records, contrary to the code of conduct

3.80 At Immigration, Refugees and Citizenship Canada, we found that 14 locally engaged staff had viewed their own visa records. These actions contravened the Department’s code of conduct prohibiting staff from using their roles for their own advantage.

3.81 Our analysis supporting this finding presents what we examined and discusses the following topic:

3.82 This finding matters because the existing controls involving access to the Global Case Management System did not prevent staff from engaging in unauthorized activities.

3.83 Our recommendation in this area of examination appears at paragraph 3.87.

3.84 What we examined. We examined locally engaged staff access to visa applications and records in the Global Case Management System to determine whether locally engaged staff viewed their own visa applications and records.

3.85 Visa records for locally engaged staff. Locally engaged staff sometimes require visas to visit Canada. Staff are instructed not to process or view visa records for which they are not responsible, including their own. However, access rights to the Global Case Management System for locally engaged staff generally allow staff broad access to visa applications and records. In 2016, the Department investigated cases at a mission where locally engaged staff had accessed the Global Case Management System to verify the status of their own visa applications or to inappropriately share other visa information with people not authorized to receive it.

3.86 We examined data from the Global Case Management System for the period 1 April 2015 to 2 November 2016 to check whether locally engaged staff members accessed their own records in the system, thus contravening the Department’s code of conduct prohibiting staff members from using their roles for their own advantage. We found 14 cases in which locally engaged staff members accessed their own records. Given the experience of the 2016 investigation, it is possible that employees who use their access to the system inappropriately to look at their own records may also use information about others inappropriately. We also found that the International Network branch did not conduct regular monitoring to look for such cases.

3.87 Recommendation. Immigration, Refugees and Citizenship Canada should conduct systematic monitoring exercises to detect improper actions that can alert the Department to potential corruption.

Immigration, Refugees and Citizenship Canada’s response. Agreed. The International Network Professional Conduct Standard, which has been developed by Immigration, Refugees and Citizenship Canada, is based on a continuous cycle of awareness, prevention, detection, assessment, response, and reporting. Mechanisms are in place to capture baseline and ongoing data related to activities associated with internal fraud. Establishing baseline data provides information to not only report against, but also to track progress and identify trends or anomalies. Full implementation of the standard will be effective in the 2017–18 fiscal year.

Training staff and updating security screening

Overall message

3.88 Overall, we found that many of the Canada Border Services Agency’s border services officers and superintendents at land border crossings had not completed mandatory courses related to corruption awareness. Also, we could only confirm that 20 percent of locally engaged staff processing visas had completed a Global Affairs Canada mandatory course related to values and ethics. We also found that almost all security screening was updated as required.

3.89 This is important because training helps staff understand what actions are appropriate and when and how to report potentially corrupt activities.

3.90 Various methods can be used to inform staff and promote ongoing awareness about corrupt activities, including offering training and requiring staff members to confirm they have read the values and ethics code.

3.91 Treasury Board security policy requires government organizations to assess that staff members handling sensitive information are sufficiently reliable and loyal to perform their duties. Organizations are also required to update these assessments periodically.

Many border services officers and superintendents did not complete mandatory training

3.92 We found that only 40 percent of border services officers and 69 percent of superintendents at land border crossings had completed mandatory training related to mitigating the risk of corruption as of 31 March 2016. We also found that 78 percent of superintendents had completed the mandatory course on security awareness for managers.

3.93 Our analysis supporting this finding presents what we examined and discusses the following topic:

3.94 This finding matters because awareness training contributes to preventing corruption by teaching staff members what actions are acceptable and what to do if they notice inappropriate actions.

3.95 Our recommendation in this area of examination appears at paragraph 3.100.

3.96 What we examined. We looked at whether Agency border services officers and superintendents working at land border crossings had completed mandatory training related to the risk of corruption. We selected samples (50 from a total of 2,670 border services officers and 45 from a total of 292 superintendents) for the period 1 April 2015 to 31 March 2016 to determine whether they had completed mandatory courses.

3.97 Completion rates for mandatory training. Border services officers and superintendents are required to complete two mandatory courses related to mitigating the risk of corruption:

3.98 We found that 60 percent of border services officers had completed the Values, Ethics and Disclosure of Wrongdoing course by 31 March 2016, and 58 percent had completed the security awareness training. Just 40 percent of border services officers had completed both. Only 69 percent of superintendents had completed both.

3.99 Agency superintendents are also required to complete one managerial course on security awareness for managers. We found that 78 percent of Agency superintendents had taken this course.

3.100 Recommendation. The Canada Border Services Agency should ensure that its land border crossing personnel complete mandatory training as required.

The Canada Border Services Agency’s response. Agreed. The Canada Border Services Agency will continue to provide mandatory training and ensure that a communication plan is implemented and distributed to the Agency’s regions. Monitoring will occur by annually reporting on training completion. These actions will be completed by June 2017.

Information on locally engaged staff training was incomplete

3.101 We could only confirm that 20 percent of locally engaged staff working in the visa program had completed a mandatory Global Affairs Canada course on values and ethics.

3.102 Our analysis supporting this finding presents what we examined and discusses the following topic:

3.103 This finding matters because training helps locally engaged staff understand what actions are acceptable.

3.104 Our recommendation in this area of examination appears at paragraph 3.107.

3.105 What we examined. We looked at whether locally engaged staff working in Immigration, Refugees and Citizenship Canada’s visa program had completed mandatory training offered by Global Affairs Canada related to the risk of corruption. We analyzed a sample (49 from a total of 1,130 locally engaged staff) for the period 1 April 2015 to 1 March 2016.

3.106 Completion rates for mandatory training offered to locally engaged staff by Global Affairs Canada. Global Affairs Canada is responsible for missions abroad, where Immigration, Refugees and Citizenship Canada staff work. Locally engaged staff members working in Immigration, Refugees and Citizenship Canada’s visa program must complete Global Affairs Canada’s mandatory values and ethics course, which is offered online. Staff members are required to take this training once in their careers. Two Global Affairs Canada systems had data on training courses; however, we found that one of the systems did not have complete data on course completion rates. Therefore, we could only confirm that 20 percent of the staff had completed the course.

3.107 Recommendation. Global Affairs Canada should ensure that locally engaged staff working in Immigration, Refugees and Citizenship Canada’s visa program complete the Global Affairs Canada values and ethics mandatory training course.

Global Affairs Canada’s response. Agreed. Global Affairs Canada recognizes the importance of ensuring that locally engaged staff working in Immigration, Refugees and Citizenship Canada’s visa program complete the Global Affairs Canada mandatory values and ethics course. As such, further steps will be taken to communicate this requirement to staff and monitor completion rates. The actions associated with this recommendation will be completed by April 2017.

Almost all security screening was updated as required

3.108 We found that security screening was largely up to date both for Canada Border Services Agency staff at land border crossings and for Immigration, Refugees and Citizenship Canada’s Canadian and locally engaged staff working in the visa program at missions abroad. Screening for two staff members from the Agency and three Canadian staff members from the Department took longer than allowed. There were two instances in which security screening for Global Affairs Canada locally engaged staff took many years to update.

3.109 Our analysis supporting this finding presents what we examined and discusses the following topic:

3.110 This finding matters because security screening allows an organization to assess whether its staff pose a security risk.

3.111 We made no recommendations in this area of examination.

3.112 What we examined. We looked at whether security screening for Canada Border Services Agency staff at land border crossings and for Immigration, Refugees and Citizenship Canada’s Canadian and locally engaged staff working in the visa program at missions abroad were up to date.

3.113 Security screening for land border and visa staff. Each security clearance level has a specific risk tolerance that establishes how often it must be updated. Agency border services officers and superintendents need secret clearances, which must be updated every 10 years. Canadian immigration officials stationed abroad are required to have top secret security clearances, which must be updated every five years. Locally engaged staff require reliability status, which must be updated every 10 years. Treasury Board’s security screening standards allow a further six months to complete the update process.

3.114 For the Canada Border Services Agency, we examined 65 border services officers and 15 superintendents whose security screenings required updating during the 2015–16 fiscal year to determine whether they were updated on time. We found that all 80 security screenings were updated, although in two cases, the updates were done more than six months after they were due.

3.115 For Immigration, Refugees and Citizenship Canada, we examined whether the security screenings for all 287 Canada-based staff working in missions as of 28 April 2016 had been updated within six months of the due date. We found 3 screenings that had been updated more than six months after they were due.

3.116 For Global Affairs Canada, we examined whether the security screenings for all 1,130 locally engaged staff working in the Immigration, Refugees and Citizenship Canada visa program as of 28 April 2016 had been updated within six months of the due date. We found two cases in which a locally engaged staff member’s reliability status had not been updated in many years: In one case, the update was due in 2008; in another, it was due in 2013. Both were updated in 2016 after we brought the situation to the attention of Global Affairs Canada.

Conclusion

3.117 We concluded that Immigration, Refugees and Citizenship Canada and the Canada Border Services Agency identified the risk that border services and immigration staff could be corrupted, but that these organizations did not fully implement selected controls to address this risk. We found no evidence that the improper actions we observed during the audit were the result of corruption at either the Department or the Agency.

About the Audit

This independent assurance report was prepared by the Office of the Auditor General of Canada on preventing corruption in immigration and border services. Our responsibility was to provide objective information, advice, and assurance to assist Parliament in its scrutiny of the government’s management of resources and programs, and to conclude on whether the management of corruption risks complies in all significant respects with the applicable criteria.

All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard for Assurance Engagements (CSAE) 3001—Direct Engagements set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.

The Office applies Canadian Standard on Quality Control 1 and, accordingly, maintains a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.

In conducting the audit work, we have complied with the independence and other ethical requirements of the Rules of Professional Conduct of Chartered Professional Accountants of Ontario and the Code of Values, Ethics and Professional Conduct of the Office of the Auditor General of Canada. Both the Rules of Professional Conduct and the Code are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.

In accordance with our regular audit process, we obtained the following from management:

Audit objective

The objective of this audit was to determine whether Immigration, Refugees and Citizenship Canada and the Canada Border Services Agency had implemented selected controls to address the risk of corruption of immigration and border services staff who conducted selected activities related to authorizing travel to Canada and the entry of people and goods into Canada.

Scope and approach

The entities audited were Immigration, Refugees and Citizenship Canada (the Department) and the Canada Border Services Agency (the Agency). The Department is primarily responsible for managing the authorization of travel to Canada; the Agency is primarily responsible for managing the processing of people and goods permitted to enter Canada.

Specific activities of Global Affairs Canada were examined in the context of its support to Immigration, Refugees and Citizenship Canada’s activities. Global Affairs Canada is responsible for missions abroad, where Immigration, Refugees and Citizenship Canada staff work, as well as for hiring and maintaining security screening for locally engaged staff.

The audit focused on the authorization of travel to Canada (Immigration, Refugees and Citizenship Canada) and the entry of people and the goods they carry into the country (Canada Border Services Agency).

The Department’s audited activities were those performed in the visa program for entry of people into Canada for temporary residence, specifically the issuing of visas for international students and visitors.

The Agency activities audited were those performed at land border crossings for people and goods attempting to enter Canada. Activities included the issuing of temporary resident permits.

The audit approach included document review and interviews with entity officials at headquarters, in selected regional Agency offices, and at two missions abroad. In addition, the audit team tested selected controls put in place by the entities to mitigate risks of corruption to determine whether these controls operated as intended. A survey of Agency superintendents was also conducted.

For certain audit tests, results were based on representative sampling. Where probability sampling was used, sample sizes were sufficient to report on the sampled population with a confidence level of 90 percent and a margin of error of +10 percent. For one test, results were based on judgmental sampling. As such, results cannot be extrapolated to the entire population.

Criteria

To determine whether Immigration, Refugees and Citizenship Canada and the Canada Border Services Agency had implemented selected controls to address the risk of corruption of immigration and border services staff who conducted selected activities authorizing travel to Canada and the entry of people and goods into Canada, we used the following criteria:

Criteria Sources

Immigration, Refugees and Citizenship Canada identifies risks related to the corruption of its officials and designs key controls to mitigate those risks.

  • Framework for the Management of Risk, Treasury Board
  • Guide to Integrated Risk Management, Treasury Board of Canada Secretariat
  • Policy on Internal Control, Treasury Board
  • Policy on Integrated Risk Management, Immigration, Refugees and Citizenship Canada
  • Guideline for the Audit of Corruption Prevention, International Organization of Supreme Audit Institutions, September 2016
  • Auditing Anti-bribery and Anti-corruption Programs, The Institute of Internal Auditors
  • Fraud and Corruption Control (Australian StandardAS 8001—2008), Standards Australia

The Canada Border Services Agency identifies risks related to the corruption of its officials and designs key controls to mitigate those risks.

  • Framework for the Management of Risk, Treasury Board
  • Guide to Integrated Risk Management, Treasury Board of Canada Secretariat
  • Policy on Internal Control, Treasury Board
  • Integrated Risk Management Policy Directive, Canada Border Services Agency, 2015
  • Guideline for the Audit of Corruption Prevention, International Organization of Supreme Audit Institutions, September 2016
  • Auditing Anti-bribery and Anti-corruption Programs, The Institute of Internal Auditors
  • Fraud and Corruption Control (AS 8001—2008), Standards Australia

Immigration, Refugees and Citizenship Canada’s key controls to address the risk of corruption of immigration staff operate as intended.

  • Framework for the Management of Risk, Treasury Board
  • Guide to Integrated Risk Management, Treasury Board of Canada Secretariat
  • Policy on Internal Control, Treasury Board
  • Program Integrity Framework, Immigration, Refugees and Citizenship Canada

The Canada Border Services Agency’s key controls to address the risk of corruption of border services staff operate as intended.

  • Framework for the Management of Risk, Treasury Board
  • Guide to Integrated Risk Management, Treasury Board of Canada Secretariat
  • Policy on Internal Control, Treasury Board
  • Integrated Risk Management Policy Directive, Canada Border Services Agency, 2015

Immigration, Refugees and Citizenship Canada uses the results and lessons learned from implementing key controls to modify risk assessments and controls.

  • Framework for the Management of Risk, Treasury Board
  • Guide to Integrated Risk Management, Treasury Board of Canada Secretariat
  • Policy on Internal Control, Treasury Board

The Canada Border Services Agency uses the results and lessons learned from implementing key controls to modify risk assessments and controls.

  • Framework for the Management of Risk, Treasury Board
  • Guide to Integrated Risk Management, Treasury Board of Canada Secretariat
  • Policy on Internal Control, Treasury Board

Period covered by the audit

The audit covered the period between 1 April 2015 and 15 October 2016. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the subject matter of the audit, we also examined certain matters that preceded the starting date of the audit.

Date of the report

We obtained sufficient and appropriate audit evidence on which to base our conclusion on 28 February 2017, in Ottawa, Ontario.

Audit team

Principal: Nicholas Swales
Director: Susan Gomez

Jared Albu
Jan Jones
Isabelle Marsolais
David Normand

List of Recommendations

The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.

Identifying corruption risks and controls

Recommendation Response

3.35 Immigration, Refugees and Citizenship Canada should develop a comprehensive internal fraud risk assessment based on analysis of the effectiveness of its controls. (3.26–3.34)

Immigration, Refugees and Citizenship Canada’s response. Agreed. Immigration, Refugees and Citizenship Canada has developed the International Network Professional Conduct Standard, which focuses on the comprehensive management of risks related to internal fraud in the international context of program delivery. The standard, which is based on a continuous cycle of awareness, prevention, detection, assessment, response, and reporting, has already been incorporated into the International Network Integrated Management Plan and will be fully operational on a continuous basis beginning in the 2017–18 fiscal year.

Applying controls to mitigate corruption

Recommendation Response

3.69 The Canada Border Services Agency should develop a monitoring strategy that specifies how the Agency will systematically

  • assess its corruption mitigation controls to ensure they are applied appropriately and are achieving the intended results; and
  • define superintendents’ responsibilities to enable them to fulfill their control function at land border crossings. (3.16–3.25, 3.44–3.68)

The Canada Border Services Agency’s response. Agreed. The Canada Border Services Agency will integrate the assessment of key controls on corruption into the Management Practices Assessment framework as well as into the Port Program Assessments. The Management Practices Assessment framework is a tool designed to support sustainable change by focusing on the overall management capabilities needed at the workplace to support current and future service requirements, expectations, and priorities of the Agency whereas the Port Program Assessments are used to assess and measure operational adherence to Agency priorities and high-risk areas of business at ports of entry nationally. The Agency will also review and confirm that Regional Frontline Management profiles, responsibilities, and accountabilities are in place with regard to their control function and will add relevant questions to the Port Program Assessment exercise to ensure that Regional Frontline Management meets these responsibilities. These actions will be completed by July 2017.

3.87 Immigration, Refugees and Citizenship Canada should conduct systematic monitoring exercises to detect improper actions that can alert the Department to potential corruption. (3.80–3.86)

Immigration, Refugees and Citizenship Canada’s response. Agreed. The International Network Professional Conduct Standard, which has been developed by Immigration, Refugees and Citizenship Canada, is based on a continuous cycle of awareness, prevention, detection, assessment, response, and reporting. Mechanisms are in place to capture baseline and ongoing data related to activities associated with internal fraud. Establishing baseline data provides information to not only report against, but also to track progress and identify trends or anomalies. Full implementation of the standard will be effective in the 2017–18 fiscal year.

Training staff and updating security screening

Recommendation Response

3.100 The Canada Border Services Agency should ensure that its land border crossing personnel complete mandatory training as required. (3.92–3.99)

The Canada Border Services Agency’s response. Agreed. The Canada Border Services Agency will continue to provide mandatory training and ensure that a communication plan is implemented and distributed to the Agency’s regions. Monitoring will occur by annually reporting on training completion. These actions will be completed by June 2017.

3.107 Global Affairs Canada should ensure that locally engaged staff working in Immigration, Refugees and Citizenship Canada’s visa program complete the Global Affairs Canada values and ethics mandatory training course. (3.101–3.106)

Global Affairs Canada’s response. Agreed. Global Affairs Canada recognizes the importance of ensuring that locally engaged staff working in Immigration, Refugees and Citizenship Canada’s visa program complete the Global Affairs Canada mandatory values and ethics course. As such, further steps will be taken to communicate this requirement to staff and monitor completion rates. The actions associated with this recommendation will be completed by April 2017.