INTRODUCTION

According to the Office of the Auditor General of Canada (OAG), “Immigration, Refugees and Citizenship Canada [IRCC or the Department] and the Canada Border Services Agency [CBSA or the Agency] share the responsibility of facilitating travel to Canada and the entry of people and goods into Canada.”[1] Specifically, the “Department facilitates travel to Canada by arranging visas for eligible visitors.” The Agency facilitates the flow of people and goods across our borders while supporting national security and public safety, as required by the Immigration and Refugee Protection Act and the Customs Act.”[2]

The OAG also noted that a “risk for any organization is that employees could misuse their influence in a business transaction and violate their duty to the organization to gain a direct or indirect benefit. The Department and Agency also face this possibility. According to the Immigration and Refugee Protection Act, an officer or employee of the Government of Canada is guilty of an offence if he or she ‘knowingly makes or issues any false document or statement, or accepts or agrees to accept a bribe or other benefit, in respect of any matter under this Act or knowingly fails to perform their duties under this Act.’ In this report, [the OAG refers] to such actions as corruption. The Agency primarily calls these actions ‘fraud,’ and the Department calls these actions ‘malfeasance.’”[3]

According to the OAG, in order for an organization to “understand which controls will be most effective to address the risk of corruption,” it must “first understand and identify its unique corruption risks.”[4] This can be done in various ways, such as conducting risk assessments and using available data to determine where its greatest weaknesses exist.[5] Then, the organization must develop specific means to address them.[6]

The OAG further explained that CBSA’s “border services officers are responsible for assessing travellers to determine foreign nationals’ admissibility, to determine whether further examination is required of both foreign and Canadian travellers, and to assess the admissibility of all travellers’ goods. Superintendents are responsible for overseeing border services officers and ensuring they follow the Agency’s code of conduct, policies, and procedures.”[7]

Similarly, IRCC “issues visas to foreign nationals who need them to enter Canada. It also delivers Canada’s immigration program abroad through its International Network branch. Its visa officers make final decisions on visa applications, processing visas in 50 missions around the world, with about 280 Canadian immigration officials (known as Canada-based staff) and about 1,100 locally engaged staff.”[8]

In the spring of 2017, the OAG released a performance audit that aimed to determine “whether [IRCC and CBSA] implemented selected controls–meaning policies, procedures, processes, and activities–to address the risk that immigration and border services staff could be corrupted.”[9]

On 29 May 2017, the House of Commons Standing Committee on Public Accounts (the Committee) held a hearing to study this audit.[10] In attendance from the OAG was Michael Ferguson, Auditor General of Canada and Nicholas Swales, Principal; representing CBSA were John Ossowski, President and Caroline Xavier, Vice-President, Operations Branch; from the Department were Marta Morgan, Deputy Minister and Robert Orr, Assistant Deputy Minister, Operations; and, from the Department of Foreign Affairs, Trade and Development was Diane Jacovella, Associate Deputy Minister.[11]

FINDINGS AND RECOMMENDATIONS

Key Terms

With respect to the audit studied herein, the following terms are used:

• Primary inspection line: the point where travellers entering Canada report themselves and their goods to border services officers, as required under the Customs Act and the Immigration and Refugee Protection Act.[12]
• Integrated Primary Inspection Line: the system used to query travellers and to provide information to border services officers to help them process and vet travellers at the first point of contact.[13]
• Lookout: an automated message entered into the Integrated Primary Inspection Line system to alert border services officers at land border crossings that a person or vehicle may pose a threat to Canadians.[14]

Identifying Corruption Risks and Controls

A. Effectiveness of CBSA Corruption Controls

The OAG found that CBSA’s “Enterprise Risk Profile, Fraud Risk Profile, and Departmental Security Plan all identified the risk that its employees could engage in unethical or illegal activities. The Fraud Risk Profile further defined the risk as the chance that employees could illegally allow inadmissible people or goods into Canada.”[15] Furthermore, the OAG found that the “Agency had designed controls to reduce the risk of corruption. Some, like awareness training, were meant to inform officers of appropriate actions on the job, while others–such as randomly assigning border services officers to the primary inspection line–were meant to make it difficult for corrupt activity to happen.”[16]

According to the OAG, border services “officers collect information about travellers entering Canada. For example, they scan passports into the Integrated Primary Inspection Line system. The system records the actions taken by an officer, such as when an officer corrects traveller information.”[17] However, the OAG found that CBSA “kept information by region, land border crossing, and officer, but that it did not use this information to identify possible corrupt activity by its officials. For example, it did not conduct tests similar to those [the OAG] conducted during [its] audit (described in paragraphs 3.48 to 3.52 and 3.60 to 3.67); it relied instead on allegations made by staff, other government officials, or the public to identify possible corruption. This meant the Agency missed opportunities to detect improper actions in a timely way, leaving it vulnerable to corruption.”[18]

Additionally, the OAG found that “Agency border services officers did not input information about all travellers into the Agency’s system. [The OAG’s] analysis of a sample indicated that out of about 19 million vehicles that entered Canada during a 12-month period, about 300,000 vehicles [2%] were admitted to Canada without border services officers having entered traveller information from documents of the people in the vehicles. [The OAG] also found instances of officers sharing their system log-in information with other officers. Both of these practices were against Agency policy.”[19]

Lastly, the OAG found that CBSA’s “superintendents did not adequately supervise border services officers. They did not spend enough time on supervisory activities to detect potential corruption at land border crossings. Some weaknesses were related to superintendents’ monitoring of lookouts: there were instances in which individuals who had been identified for closer inspection entered Canada without such inspections being completed. Other weaknesses were related to temporary resident permits–individuals who would not normally have been permitted to enter the country did so without the Agency’s written justification.”[20]

Consequently, the OAG recommended that CBSA “develop a monitoring strategy that specifies how the Agency will systematically:

• assess its corruption mitigation controls to ensure they are applied appropriately and are achieving the intended results, and
• define superintendents’ responsibilities to enable them to fulfill their control function at land border crossings.”[21]

In response, CBSA agreed with these recommendations and stated in its action plan that the Agency will “integrate the assessment of key controls on corruption into the Management Practices Assessment framework as well as into the Port Program Assessments” and will also “review and confirm that Regional Frontline Management profiles, responsibilities, and accountabilities are in place with regard to their control function and will add relevant questions to the Port Program Assessment exercise to ensure that Regional Frontline Management meets these responsibilities.”[22] Furthermore, CBSA commits to completing these actions by July 2017.[23]

When questioned about this matter, Caroline Xavier, Vice-President, Operations Branch, CBSA, also added the following:

The intention here, in keeping with the recommendation by the Office of the Auditor General, is that we ensure that we do more active monitoring of our IT systems, do regular reports on it, and identify some anomalies that may come to our attention.

With the implementation of that strategy, as the president outlined, we are now having a better opportunity to monitor our systems, conduct and review the reports, and determine whether individuals are accessing the systems as they should. That is one of the things.

The other part of that strategy is the overall improvement around our training as well.[24]

Notwithstanding this evidence and the steps outlined in the Agency’s action plan, the Committee recommends:

RECOMMENDATION 1

That, no later than 120 days after the tabling of this report, the Canada Border Services Agency present a report to the House of Commons Standing Committee on Public Accounts outlining the results of A) the integration of key controls on corruption into the Management Practices Assessment framework and Port Program Assessments; and B) changes designed to ensure that Regional Frontline Management meets these responsibilities.

B. Immigration, Refugees and Citizenship Canada’s International Network Branch’s Comprehensive Risk Assessment

The OAG found that IRCC`s departmental “risk profile and security plan identified improper actions by employees as a risk inherent to its overall operations. For example, the Department had identified the risk that staff could improperly disclose or share sensitive information. Also, in November 2015, the Department approved a Fraud Management Policy Framework that identified activities for fraud awareness, prevention, and detection.”[25]

Moreover, the OAG acknowledged that the Department’s “International Network branch had documented some processes to lessen the risk of corruption. In particular, [the OAG] noted that it supplied managers in its visa offices abroad with an annual checklist to help them review the risks in their local operating environments. For example, checklists covered measures to prevent collusion between locally engaged staff who were related, and to identify whether Canada-based staff were located in work areas in order to supervise locally engaged staff. Managers submitted the completed checklists to headquarters.”[26]

However, the OAG determined that the “International Network branch did not use the information gathered through the checklists to develop a comprehensive risk assessment. Nor did it use the Global Case Management System–the integrated, worldwide system used to process applications for citizenship and immigration–to analyze employees’ processing activities across all missions to inform risks and evaluate the effectiveness of its controls.”[27]

Therefore, the OAG recommended that IRCC “develop a comprehensive internal fraud risk assessment based on analysis of the effectiveness of its controls.”[28]

In response, IRCC stated in its action plan that it agrees with this recommendation and committed to the following:

The Department has developed the International Network Professional Conduct Standard (INPCS), which focusses on the comprehensive management of risks related to internal fraud in the international context of program delivery. The standard, which is based on a continuous cycle of awareness, prevention, detection, assessment, response and reporting, has already been incorporated into the International Network Integrated Management Plan and will be fully operational on a continuous basis beginning in the 2017-2018 fiscal year.[29]

When questioned about this issue, Marta Morgan, Deputy Minister, IRCC, added the following:

We have developed an international network professional conduct standard. This standard has enabled us to consolidate in one place all of our guidance for international program managers. Through this international standard, we're putting in place a cycle whereby we will be regularly reporting and following up on all of the issues raised by the Auditor General.

We're also putting in place a monthly calendar for each head of these program offices, for specific issues to be addressed each month in all offices. We're reporting back to headquarters on those, and then rolling that up in a report at the end of the year so we can track the baseline data. We can track it across our missions and we can see where there are anomalies or potentially emerging issues. It's really consolidation and tracking on what we were already doing. I hope that responds to the main recommendation of the Auditor General in this regard.[30]

Additionally, in response to questions about whether IRCC has in place systems that allow employees to report situations of possible misconduct to management (without having to fear professional repercussions – so-called “whistle-blower” provisions), Ms. Morgan offered the following:

We maintain very close communication with our locally engaged staff and close supervision. We do have issues raised at the management level. We are very prompt to address those issues when they are raised, as you heard from Mr. Orr's description of some of the disciplinary actions taken. Where there have been issues, sometimes they will be raised by other employees, either anonymously or not, and when that happens we will investigate in a way that protects the employee. We have a separate unit within the department that has been set up to do those investigations, separate from our operating structure.[31]

Given the importance of ensuring a robust system of internal fraud risk management, the Committee recommends:

RECOMMENDATION 2

That, no later than 120 days after the tabling of this report, Immigration, Refugees and Citizenship Canada provide the House of Commons Standing Committee on Public Accounts with a report detailing what progress has been made with regard to the implementation of the International Network Professional Conduct Standard.

C. Locally Engaged Staff’s Visa Records

The OAG explained that in foreign diplomatic missions, locally “engaged staff sometimes require visas to visit Canada. Staff are instructed not to process or view visa records for which they are not responsible, including their own. However, access rights to the Global Case Management System for locally engaged staff generally allow staff broad access to visa applications and records.”[32]

As part of its audit, the OAG “examined data from the Global Case Management System for the period 1 April 2015 to 2 November 2016 to check whether locally engaged staff members accessed their own records in the system, thus contravening the Department’s code of conduct prohibiting staff members from using their roles for their own advantage.”[33] Consequently, the OAG discovered “14 cases in which locally engaged staff members accessed their own records. Given the experience of the 2016 investigation, it is possible that employees who use their access to the system inappropriately to look at their own records may also use information about others inappropriately” and also found that the “International Network branch did not conduct regular monitoring to look for such cases.”[34]

Thus, the OAG recommended that IRCC “conduct systematic monitoring exercises to detect improper actions that can alert the Department to potential corruption.”[35]

In response, the Department agreed with this recommendation and stated in its action plan that INPCS will establish mechanisms to “capture baseline data with respect to allegations of misconduct, fact-finding activities, mandated investigations” and “track progress and identify trends or anomalies,” effective for the 2017-2018 fiscal year.[36]

Therefore, the Committee recommends:

RECOMMENDATION 3

That, no later than 120 days after the tabling of this report, Immigration, Refugees and Citizenship Canada provide the House of Commons Standing Committee on Public Accounts with a report detailing what progress has been made with regard to the International Network Professional Conduct Standard’s mechanisms for the systematic monitoring of improper actions related to potential corruption.

D. Mandatory Staff Training

According to the OAG, CBSA border “officers and superintendents are required to complete two mandatory courses related to mitigating the risk of corruption:

• 1) Values, Ethics and Disclosure of Wrongdoing (to be completed by 31 December 2016 to raise employees’ awareness and recognition of values and ethics in the workplace); and
• 2) Security awareness training (to be taken every two years to help employees understand their responsibilities in safeguarding employees, information, and assets).”[37]

With regard to this issue, the OAG found that 60% of border services officers “had completed the Values, Ethics and Disclosure of Wrongdoing course by 31 March 2016, and [58%] had completed the security awareness training. Just [40%] of border services officers had completed both. Only [69%] of superintendents had completed both.”[38]

Moreover, “Agency superintendents are also required to complete one managerial course on security awareness for managers. [The OAG found that 78%] of Agency superintendents had taken this course.”[39]

Consequently, the OAG recommended that CBSA “ensure that its land border crossing personnel complete mandatory training as required.”[40]

In response, CBSA agreed with this recommendation and stated the following in its action plan:

CBSA will continue to provide mandatory training and ensure that a communication plan is implemented and distributed to the CBSA Regions. Monitoring will also occur by annually reporting on training completion. These actions will be completed by June 2017.[41]

In response to questions about this matter, John Ossowski reported on the following improvements:

Completion rates have improved since the time frame of the audit. As the Auditor General himself said, this was at a point in time, so on any one given day you're never going to see 100%. But that said, as of March 31, 90.5% of officers have completed the values, ethics and disclosure of wrongdoing course, up from 60% in the report.

Seventy-two percent have completed the security awareness course, up from 58% in the report. For superintendents, 92.9% have completed the values, ethics and disclosure of wrongdoing course, and 62.9% have completed the security awareness course.

I would also mention that in addition, last October we promulgated a new course on insider threats, a mandatory course. As of March 31, 60% of my employees have competed that course.[42]

It should also be noted that as a general comment, Michael Ferguson, Auditor General of Canada, explained that the OAG comes “across this issue fairly regularly. Departments will have mandatory training, but then they don't always have the information to be able to indicate how many of their staff members have followed that type of training. It's an issue that comes up a number of times.”[43]

The Committee believes that the completion of any employee training deemed mandatory is vital for the proper function of CBSA, and thus recommends:

RECOMMENDATION 4

That, no later than 120 days after the tabling of this report, the Canada Border Services Agency provide the House of Commons Standing Committee on Public Accounts with a plan to ensure that all employees complete mandatory training, as well as a report detailing what progress has been made with regard to A) completion rates of mandatory employee training; and B) the collection of this information.

Finally, in order to examine whether locally engaged staff in IRCC’s visa program had completed mandatory training offered by Global Affairs Canada (GAC) related to the risk of corruption, the OAG “analyzed a sample (49 from a total of 1,130 locally engaged staff) for the period 1 April 2015 to 1 March 2016.”[44] However, due to incomplete data, the OAG could “only confirm that [20%] of locally engaged staff working in the visa program had completed a mandatory Global Affairs Canada course on values and ethics.”[45]

Therefore, the OAG recommended that “Global Affairs Canada should ensure that locally engaged staff working in IRCC’s visa program complete the Global Affairs Canada values and ethics mandatory training course.”[46]

In response, GAC agreed with this recommendation and stated in its action plan that it “recognizes the importance of ensuring that locally engaged staff working in [IRCC’s] visa program complete the Global Affairs Canada mandatory values and ethics course. As such, further steps will be taken to communicate this requirement to staff and monitor completion rates” by September 2017.[47]

Therefore, the Committee recommends:

RECOMMENDATION 5

That, no later than 120 days after the tabling of this report, Global Affairs Canada provide the House of Commons Standing Committee on Public Accounts with a plan to ensure that all locally engaged staff working in Immigration, Refugees and Citizenship Canada’s visa program complete mandatory training, as well as a report detailing what progress has been made with regard to A) completion rates of mandatory employee training; and B) the collection of this information.

ADDITIONAL COMMENTARY

It should be noted that the OAG examined the following matters and determined the following:

• [IRCC’s] controls (policies, procedures, processes, and activities) to prevent a single individual from completing all required visa processing and approval steps worked well; and, controls over access rights in the Global Case Management System were effective.[48]
• [S]ecurity screening was largely up to date both for [CBSA] staff at land border crossings and for [IRCC’s] Canadian and locally engaged staff working in the visa program at missions abroad.[49]

Consequently, the Office made no recommendations with regard to either of these two matters.

CONCLUSION

The Committee finds that IRCC and CBSA “identified the risk that border services and immigration staff could be corrupted, but that these organizations did not fully implement selected controls to address this risk.”[50] Consequently, the Committee has made five recommendations to these organizations, as well as GAC, aimed at preventing corruption in immigration and border services.

SUMMARY OF RECOMMENDED ACTIONS AND ASSOCIATED DEADLINES

Table 1 – Summary of Recommended Actions and Associated Deadlines

Recommendation	Recommended Action	Deadline
Recommendation 1	Canada Border Services Agency (CBSA) needs to present a report to the Committee outlining the results of A) the integration of key controls on corruption into the Management Practices Assessment framework and Port Program Assessments; and B) changes designed to ensure that Regional Frontline Management meets these responsibilities.	120 days after the tabling of this report in the House of Commons
Recommendation 2	Immigration, Refugees and Citizenship Canada (IRCC) needs to provide the Committee with a report detailing what progress has been made with regard to the implementation of the International Network Professional Conduct Standard.	120 days after the tabling of this report in the House of Commons
Recommendation 3	IRCC needs to provide the Committee with a report detailing what progress has been made with regard to the International Network Professional Conduct Standard’s mechanisms for the systematic monitoring of improper actions related to potential corruption.	120 days after the tabling of this report in the House of Commons
Recommendation 4	CBSA needs to provide the Committee with a plan to ensure that all employees complete mandatory training, as well as a report detailing what progress has been made with regard to A) completion rates of mandatory employee training; and B) the collection of this information.	120 days after the tabling of this report in the House of Commons
Recommendation 5	Global Affairs Canada needs to provide the Committee with a plan to ensure that all locally engaged staff working in Immigration, Refugees and Citizenship Canada’s visa program complete mandatory training, as well as a report detailing what progress has been made with regard to A) completion rates of mandatory employee training; and B) the collection of this information.	120 days after the tabling of this report in the House of Commons