Audit of the Indian Registration System

Notice

This website will change as a result of the dissolution of Indigenous and Northern Affairs Canada, and the creation of Indigenous Services Canada and the eventual creation of Crown-Indigenous Relations and Northern Affairs Canada. During this transformation, you may also wish to consult the updated Indigenous and Northern Affairs home page.

Date: April 2014
Project #:13/43

PDF Version (139 Kb, 31 Pages)

 

Table of contents

Acronyms

AANDC

Aboriginal Affairs and Northern Development Canada

BCP

Business Continuity Plan

CIS

Certificate of Indian Status

EC

Enrolment Committee

FNI

Federation of Newfoundland Indians

HQ

Headquarters

IRS

Indian Registration System

IRA

Indian Registration Administrator

IRC

Indian Registration Clerk

IRO

Indian Registration Officer

IT

Information Technology

M&C

Monitoring & Compliance

NCR

National Capital Region

SCIS

Secure Certificate of Indian Status

SIRCU

Secure Integrated Registration and Certification Unit

WPU Winnipeg Processing Unit
 

 

Executive Summary

Background

The Audit and Evaluation Sector (AES) of Aboriginal Affairs and Northern Development Canada (hereon referred to as "AANDC" or "the Department") identified an audit of the Indian Registration System for inclusion in the 2013-2014 to 2015-2016 Risk-based Audit Plan approved by AANDC's Deputy Minister on February 27, 2013. The audit was identified as a "very high" priority since the accuracy and integrity of Indian Registration System (IRS) data supports a number of AANDC activities including the issuance of Certificates of Indian Status (status cards), making the IRS important to stakeholders and to AANDC's credibility.

The IRS is the computer system that tracks Indian registration information, Band membership and demographic statistics. The integrity of IRS data depends on the processes used to collect information and to protect stored data with effective security controls. Equally important is the enforcement of the entitlement policy and associated criteria in identifying who is entitled to Indian status. Entitlement criteria are governed by the Indian Act, which was recently amended under Bill C-3: Gender Equity in Indian Registration Act.

In June 2008, the Agreement for Recognition of the Qalipu Mi'kmaq Band was signed by the Minister of Indian Affairs and Northern Development and the President of the Federation of Newfoundland Indians (FNI). The Agreement principally identified the process for the creation of a Band (for the Mi'kmaq communities of Newfoundland) under the Indian Act, and the enrolment of its founding members. By November 30, 2009, following the conclusion of the first stage of the Band enrollment process, close to 26,000 applications for membership had been received. By November 30, 2012 the number of applications for Band membership had grown to 101,743. On July 4, 2013, a Supplemental Agreement was announced, that clarifies the process for enrolment in the Qalipu Mi'kmaq First Nation and resolves issues that emerged from the implementation of the 2008 Agreement. The Supplemental Agreement specifies that all applications received during the Enrolment Process (between December 1, 2008 and November 30, 2012) and not rejected by the Enrolment Committee or the Appeal Master will be assessed or reassessed by the Enrolment Committee by August 31, 2015.

Audit Objective and Scope

The objective of this audit was to provide assurance to management on the adequacy and effectiveness of process and IT application controls in place to ensure the integrity of information contained in the IRS.

The scope of the audit covered the period November 2011 to November 2013, and included assessments of controls used to ensure that: (i) Qalipu applications were accurately processed and recorded in Phase I (design and operational effectiveness) and are appropriately assessed in Phase II (design only); (ii) information entered into the system through various sources, including IRAs and IROs, is reliable and access to it is protected; and, (iii) remediation has taken place or there is a plan in place to remediate issues identified during the IRS System Under Development audit in 2011, including as assessment of the Secure Integrated Registration and Certification Unit (SIRCU) initiative.

Statement of Conformance

The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Observed Strengths

The following section describes areas where significant progress and/or strengths were identified during the course of this audit. Strengths are categorized according to the applicable line of enquiry, as follows:

Qalipu Registration Process

  • Despite the short timeframe allocated for assessing Qalipu applications, the assessment was observed to be on track with established milestones; and,
  • We noted that actions to address our recommendations for improvements to processes and process documentation had been implemented following our preliminary visit to the Winnipeg Processing Unit (WPU) on August 22, 2013.

Regional and Band office Registration Processes

  • An intranet site has been established by HQ to disseminate policies/directives to Regional Offices;
  • A delegation of authority matrix that defines the authorities officers, clerks and administrators when performing registration tasks, including entry into IRS, has been developed; and,

Follow-up on Previously Identified Weaknesses

  • Short-term stabilization initiatives to bolster the current IRS infrastructure, in the form of increased memory and bandwidth, have been implemented; and,
  • A physically segregated Adoption Unit has been created at HQ, which has resulted in improved restrictions on the accessibility of adoption records (though it was noted that areas for improvement still exist).

Conclusion

While areas for improvement exist, in general, the Qalipu application processing controls were found to be designed and operating effectively. The conduct of this audit, at a time when improvements can be made to the system during its implementation is considered a best practice.

While some progress has been made, there continue to be significant gaps related to security, training, document handling and monitoring of life event changes. Neither the IRS controls over restricting access nor compensating manual controls over life event changes are designed and operating effectively. As such, unmitigated data risks remain to be addressed.

Recommendations

The audit team identified areas where management control practices and processes could be improved, resulting in the following four recommendations:

  1. The Assistant Deputy Minister of Resolution and Individual Affairs should ensure that:
    • an effective monitoring procedure is established to ensure the segregation of duties between Indian Registration Officers entering data into IRS and those performing quality checks on the data entered. Monitoring should also be implemented over the final Enrolment Committee decision to ensure that the decision on each Qalipu application is correctly captured in the IRS.
    • a) lessons learned from the Qalipu application process are logged and assimilated into future registration projects; for example, b) when shipping application files, manifests should be created with unique identifiers so that transported applications can be accurately and completely reconciled.
    • registration applications are stored in accordance with AANDC's Standards on Protecting and Handling Information, and logical access to scanned data is restricted in accordance with the least privilege principle.  
  2. The Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should a) ensure that the proposed approach to monitoring and compliance activities, as defined in the Office of the Indian Registrar's Monitoring and Compliance Framework, is implemented. An effective monitoring and compliance program would mitigate the majority of risks being faced as a result of aging technologies and IRS control deficiencies. This should include b) the review of life event changes, registrants whose files have been inactive for a significant period; the appropriateness of IRS user access, and compliance with policies and directives that are issued by the Indian Registrar.

    Additionally, the Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should ensure that the initiative underway to update the training material for Indian Registration Officers (IROs) and Indian Registration Administrators (IRAs) is finalized. Upon completion, all IROs and IRAs should be provided with training and made fully aware of their roles and responsibilities for registration activities along with the consequences of not fulfilling their requirements. This should include training on CIS card handling, physical access, security over Protected B documents, how to handle backlogs, and how to stay informed of new directives and process changes.
  3. The Assistant Deputy Minister of Resolution and Individual Affairs should develop a plan to remediate any weaknesses related to IRS general system controls, core application controls, system stabilization, IRS governance, and project management.
  4. The Assistant Deputy Minister of Resolution and Individual Affairs should review audit work to date and assess the issues identified with the intention of addressing them as SIRCU is implemented.

Management Response

Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them. The management action plan has been integrated in this report.

 

 

1. Background

The Audit and Evaluation Sector (AES) of Aboriginal Affairs and Northern Development Canada (hereon referred to as "AANDC" or "the Department") identified an audit of the Indian Registration System for inclusion in the 2013-2014 to 2015-2016 Risk-Based Audit Plan approved by AANDC's Deputy Minister on February 27, 2013. The audit was identified as a "very high" priority since the accuracy and integrity of Indian Registration System (IRS) data supports a number of AANDC activities including the issuance of Certificates of Indian Status (status cards), making the IRS important to stakeholders and to AANDC's credibility.

Indian registration underpins many of AANDC's programs, initiatives and operational activities spanning both national headquarters and Regions. Registration information is central to many AANDC programs, including the Certificate of Indian Status (including the secure version), as well as to other government departments, such as Health Canada, that administer benefits. As a result, the integrity of registration data is crucial to ensuring that only eligible individuals receive access to federal government programs and services.

1.1 Resolution and Individual Affairs

Resolution and Individual Affairs Sector (RIAS) has a dual mandate resulting in two distinct business areas: Residential Schools Resolution and Managing Individual Affairs. Residential Schools Resolution is responsible for meeting the Government of Canada's obligations under the Indian Residential Schools Settlement Agreement. The Individual Affairs Branch, which is the branch relevant to this audit, aims to ensure responsible federal stewardship of the provisions of the Indian Act that pertain to registration and Band membership, estates, and Indian moneys. Through direct client-services, as well as partnerships with First Nations, the Individual Affairs Branch: determines eligibility for registration under the Indian Act, issues the Secure Certificate of Indian Status (SCIS), ensures responsibility for management of Indian moneys and estates under the Indian Act, and honours treaty annuity obligations to First Nations. The management of Individual Affairs is supported by the Regional Operations Sector, which acts as the regional delivery arm, providing services to First Nations clients south of the 60th parallel, and by the Northern Affairs Organization for north of the 60th parallel.

In 2012-13, the actual expenditures related to the Department's Registration and Membership Program totalled $28.8 million. The total budgeted expenditures for the Program in 2013-14 were $23.0 million.Footnote 1

1.2 Indian Registration System (IRS)

The IRS is the computer system used by the Department to track Indian registration information, Band membership and demographic statistics. Indian registration information helps AANDC service many of its clients that provide educational, health and funding services to First Nation communities and individuals. The IRS specifically supports the following business functions:

  • Register eligible First Nations individuals as Status Indians under the Indian Act in the Indian Register;
  • Record "life events" (e.g., birth, death, marriage, adoption, etc.) in the Indian Register; and,
  • Issue new, renewal or replacement Certificates of Indian Status to identify First Nations individuals as eligible for services and benefits that are specifically designed for Status Indians.

The integrity of IRS data depends on the processes used to collect information and to protect stored data with effective security controls. Equally important is the enforcement of the entitlement policy and associated criteria in identifying who is entitled to Indian status. Entitlement criteria fall under the purview of the Indian Act and have been amended over time.

Currently, two types of Indian Status cards exist: Certificates of Indian Status (CIS) and Secure Certificates of Indian Status (SCIS):

  • CIS cards use an older technology of a laminated paper card with an affixed photo, signed by the cardholder and the Issuing Officer. This type of CIS is only being issued by Indian Registration Administrators in First Nation communities.
  • SCIS cards are composed of polycarbonate substrate with a digital photo and the cardholder's digital signature (no signature by the Issuing Officer). The border-crossing version of the card also contains a machine-readable zone on the back that allows for electronic validation of the cardholder's identity and place of birth. Individuals can only apply for the SCIS at AANDC HQ and regional offices, or at the Treaty 7 office located in Alberta.

One of the IRA's responsibilities is to record life events, such as death or marriage. This is done by direct system access, if delegated, or by batching the supporting documents manually and sending them to their AANDC Regional Office for entry. The Regional Offices also have the same delegated functions to enter life events and are responsible for training and monitoring the work of IRAs.

The decentralized nature of CIS issuance and the limited nature of controls in place to ensure proper authentication of individual identities, safeguarding against conflicts of interest, and valid production of manual cards, has resulted in an increased risk of error and fraud in CIS cards and the related registration data within the IRS.

In 2010, a departmental initiative to modernize the IRS, led by the Resolution and Individual Affairs Sector, was brought into force. These actions coincided with the SCIS implementation and key legislative amendments, which had led to greater focus being placed on registration. These legislative amendments required extensive remediation to the existing IRS. The modernization initiative is being rolled out in two phases. Phase I will see the integration of Indian registration and card issuance processes through the implementation of common business processes, known as the Secure Integrated Registration and Certification Unit (SIRCU) model, and a linkage between the two system applications that are used to support Indian registration and secure card issuance (IRS and SCIS Web Application). Phase I is expected to be implemented by April 1, 2014. Phase II will see the development and implementation of a replacement system for IRS and the SCIS Web Application. The replacement system will also have expanded functionalities for estate management and treaty payment activities, which are currently supported by the Estates Reporting System and the Treaty Payment System, respectively. Phase II of the project has recently entered stage three of the Department's gating process, where the project's business case and general readiness will be assessed. As of November 30, 2013, a final implementation date for Phase II was not yet established for the replacement system.

1.3 Indian Registration Officers / Indian Registration Administrators

The ability to access the IRS and to perform specified tasks therein is granted by the Indian Registrar, an AANDC employee who reports to the Director General of the Individual Affairs Branch. Currently, two main groups have access to the IRS to enter and update registration information: Indian Registration Officers (IROs) – located in AANDC Regional Offices and at AANDC headquarters – and Indian Registration Administrators (IRAs) – located in select First Nation communities. IROs are employees of the Department who have read/write access to the IRS to enter new applicant information and to update registration information to reflect life event changes. IRAs are employed by FN and have responsibilities related to registration assigned to them by the Indian Registrar to support the administration of Indian registration activities in their community and to support the maintenance of the community's Band list. The role of the IRA can vary greatly depending on the community, ranging from IRAs with no access to the IRS (managing with a paper-based Band list), IRAs with read access to the IRS, and IRAs with read/write access to the system to process life event changes. IRAs may also issue Certificates of Indian Status (paper laminate cards) to Status Indians from their community.

1.4 Qalipu Mi'kmaq First Nation

In 1989, the Federation of Newfoundland Indians (FNI), representing approximately 7,800 members from the nine Mi'kmaq communities across the island, along with Chiefs of six affiliated groups began a Federal Court Action seeking eligibility for registration under the Indian Act.

Official negotiations between the FNI and the Government of Canada for the creation of a Band with no reserve land took place between 2004 and 2006. In June 2008, the Agreement for Recognition of the Qualipu Mi'kmaq Band was signed by the Minister of Indian Affairs and Northern Development and the President of the FNI. The Agreement principally identified the process for the creation of a Band (for the Mi'kmaq communities of Newfoundland) under the Indian Act, and the enrolment of its founding members. By November 30, 2009, following the conclusion of the first stage of the Band enrolment process, close to 26,000 applications for membership had been received. By November 30, 2012 the number of applications for Band membership had grown to 101,743.

The significant increase in the number of applications and the fact that these applications could not have been considered prior to the end of the enrolment process led Canada and the FNI to agree to discuss next steps regarding the consideration of applicants and the appropriate implementation of the 2008 Agreement. On July 4, 2013, a Supplemental Agreement was announced, that clarifies the process for enrolment in the Qalipu Mi'kmaq First Nation and resolves issues that emerged from the implementation of the 2008 Agreement. Specifically, the Supplemental Agreement:

  • Extends the timelines for review of the applications, ensuring all previously unprocessed applications could be reviewed;
  • Ensures that all applications received during all phases of the enrollment process, except those previously rejected, would be assessed or reassessed;
  • Provides that all those individuals whose applications would be assessed or reassessed would be sent written notification and be given an opportunity to provide additional documentation, if necessary;
  • Provides clarity regarding the assessment of an applicant's self-identification as a member of the Mi'kmaq Group of Indians of Newfoundland; and,
  • Provides guidance related to an individual's acceptance by the Mi'kmaq communities of Newfoundland, particularly as it relates to individuals not residing in the communities of the Mi'kmaq Group of Indians of Newfoundland.

All enrolment applications to become founding members of the Qalipu Mi'Kmaq Band are being processed by AANDC's Winnipeg Processing Unit (WPU). Applications that were previously received in Corner Brook, Newfoundland were transported to the WPU, where processing is being conducted in two phases. Phase I, which is now complete, was designed to assess the validity of the application and Phase II is designed to assess the eligibility of the applicant to become a founding member. At the end of each phase, files are referred to an Enrolment Committee (EC) for review and for recommendation by the Committee Chair. The Committee is comprised of two representatives appointed by the Government of Canada, two representatives appointed by the FNI and a Chair jointly appointed by the Government of Canada and the FNI. Under the Supplemental Agreement, all enrolment applications are to be reviewed and a decision of their eligibility should be issued by August 31, 2015.

1.5 Monitoring and Compliance

While elements of Monitoring and Compliance (M&C) have been included in the scope of this audit, the Office of the Indian Registrar (OIR) has been in the process of defining a new M&C Framework that will allow AANDC to assess and report on the integrity of the IRS. A review of the OIR's current practices with respect to M&C activities was performed in the spring of 2013 with the goals of achieving the following:

  • Defining the scope of activities conducted by the M&C Unit (Review Universe);
  • Developing a Risk-Based M&C Framework to inform and drive monitoring and compliance activities;
  • Developing a defensible sampling approach and strategy; and,
  • Developing a Compliance Reporting template for future reporting by the M&C Unit.
 

 

2. Audit Objective and Scope

2.1 Audit Objective

The objective of this audit was to provide assurance to management on the adequacy and effectiveness of process and IT application controls in place to ensure the integrity of information contained in the Indian Registration System.

2.2 Audit Scope

The time period covered by this audit was November 2011 to November 2013. The audit scope included assessments of the design and operational effectiveness of manual and automated controls used to ensure that: (i) Qalipu applications were accurately processed and recorded in Phase I (design and operational effectiveness) and will be appropriately assessed in Phase II (design only); (ii) information entered into the system through various sources, including IRAs and IROs, is reliable and access to it is protected; and, (iii) remediation has taken place or there is a plan in place to remediate issues surrounding IRS general system controls, core application controls, system stabilization, registration process controls, IRS governance, and project management.

The scope of the audit also included an assessment of key documentation produced for Phase I (the SIRCU initiative) and for Gates I and II of Phase II (the Indian Registration and Estates Management System) of the IRS modernization initiative in order to identify potential weaknesses and gaps that can be addressed prior to the implementation of these phases. Key documentation produced for Gates III to VII of Phase II was not included in the scope of the audit nor was key documentation for the SIRCU initiative produced after November 1, 2013.

Note that this audit did not include a review of the operating effectiveness nor a complete review of design effectiveness of controls in Phase II of the Qalipu founding member application decision process since the complete process was not yet implemented at the time of the review.

 

 

3. Approach and Methodology

The audit of the IRS was planned and conducted in accordance with the requirements of the Treasury Board Policy on Internal Audit and followed the Internal Auditing Standards for the Government of Canada.

The audit team examined sufficient, relevant evidence and obtained sufficient information to provide a reasonable level of assurance in support of the audit conclusion.

The audit methodology used for this audit included performing various audit procedures necessary to address the audit objectives. The audit approach included but was not limited to:

In order to develop a sampling methodology that addressed the audit criteria, as identified in Appendix A, a sample of Regions, users and transactions were selected for testing. The following outlines the approach used to select samples from each of the three categories.

3.1 Selection of Regions for Site Visits

To conclude on the effectiveness of the controls and processes across the Department, a sample of Regions was selected for the application of the audit program. Factors in the selection of the Regions and Bands visited included the following:

  • Number of registered Indians in the Regions;
  • Previous history of exceptions related to life event change processing; and,
  • Number of IRA users in Regions with "write" access in IRS.

Based on the above criteria and with the objective to assess adequacy and effectiveness of process and IT application controls in place in the IRS horizontally across the Regions, the following Regional and Band offices were selected for on-site field testing:

Regional Offices

  • Manitoba Regional Office (October 7 to October 11, 2013);
  • Quebec Regional Office (October 28 to October 30, 2013); and,
  • Alberta Regional Office (November 13 to November 15, 2013).

Band offices

  • Kahnawake Band Office and Service Centre (October 31, 2013);
  • Wendake Band Office (October 29, 2013); and,
  • Enoch Band Office (November 14, 2013).

On-site fieldwork was also conducted at HQ and at the Winnipeg Processing Unit during the following dates:

  • AANDC HQ located in the National Capital Region (September to December 2013); and
  • Winnipeg Processing Unit (August 22 and October 7 to October 11, 2013).

3.2 Selection of Sample Size per Region

A further element of the approach was the determination of the samples tested at the Regional sites visited and at the WPU. The following samples were selected for testing during the fieldwork phase:

  • Life event changes made in IRS – A sample of 25 changes was selected and traced to supporting documents at each Regional site visited to gain sufficient coverage of life event changes made in the IRS. At one Regional office visited, an additional sample of 10 life event changes was selected making the total number reviewed 85.
  • Personnel that are processing Indian Registration files – A sample of three to four IRS users, with read/write access, responsible for processing Indian registration files was selected at each Regional site visited (including IRAs located on reserve) to determine whether the individual had the appropriate security clearance and had received approval to access the IRS.
  • IRS user access – A sample of 39 users with access equivalent to that of an IRO was selected across the three selected Regions to determine that access to make changes in IRS is restricted, aligned with delegated authorities, and that Indian registration information is protected.
  • Invalid and valid Qalipu application forms recorded in IRS – A sample of 25 application forms was selected and traced to supporting documents.
  • Boxes containing the unprocessed Qalipu application forms – A sample of five boxes was selected and inspected to determine that the categorization of the boxes was appropriate to help prevent lost or missing applications.
  • Manifests used in boxes to track transported Qalipu applications – A sample of 25 boxes/manifests was selected and reviewed for completeness of the applications.
  • Personnel who are processing Qalipu applications – A sample of five personnel was selected from the WPU to determine whether personnel processing Qalipu application forms had the appropriate security clearance and had approval to access the IRS.
 

 

4. Conclusion

While areas for improvement exist, in general, the Qalipu application processing controls were found to be designed and operating effectively.

While some progress has been made, there continue to be significant gaps related to security, training, document handling and monitoring of life event changes. Neither the IRS controls over restricting access nor compensating manual controls over life event changes are designed and operating effectively. As such, unmitigated data risks remain.

 

 

5. Findings and Recommendations

Based on a combination of the evidence gathered through the examination of documentation, analysis and interviews, each audit criterion was assessed by the audit team and a conclusion for each audit criterion was determined. Where differences between the audit criteria and the observed practice were found, the risk of the gap was evaluated and used to develop a conclusion and to document recommendations for improvement initiatives.

This section describes the findings and recommendations identified by the audit. Findings are categorized according to the following three lines of enquiry:

5.1. Qalipu Registration Processes

We expected to find a combination of manual and automated controls, including clear and detailed process documentation, adequate and timely training of application processing staff, application forms being recorded, transported and stored in a complete, accurate and secure manner, and diligent monitoring of application processing progress, to ensure an appropriate assessment of the validity and decision over enrolment.

Overall, we found that effective operating controls have been established for the processing of Qalipu registration application forms. However, during the review, the following weaknesses were observed:

Spot Checks: The WPU has implemented a control wherein after an Indian Registration Clerk (IRC) enters key application data into the IRS, a second IRC will check it for accuracy. While operating effectiveness testing of this control found no exceptions of IRCs performing a quality check on their own data entry, there was a lack of formal monitoring or spot checks to ensure that IRCs were not performing quality checks of their own data entry.

Manifests: Manifests were used to verify the completeness of the contents of the boxes of applications that were shipped from Cornerbrook to the WPU. However, it was determined that there were insufficient details recorded on the manifests, such as lack of a unique identifier, to perform an effective reconciliation, and as a result, only limited overall reconciliation of manifests to the received forms could be performed to ensure the completeness of the applications received by the WPU.

Physical Security: After receipt and collection of all Qalipu application forms in Cornerbrook, the documents were shipped to the WPU for processing. We were informed that the vehicles used to transport the 1,162 boxes containing Qalipu applications were secured and that visual checks were performed to ensure that all transported boxes were received at the WPU. During our visit to the WPU, we noted that access to the building is controlled by proximity cards and only authorized visitors are permitted entry to the processing unit. As an additional level of security, there is a monitored security system in place within the WPU. However, the 1,162 boxes containing completed Qalipu applications were not all stored in accordance with AANDC's policy on protecting and handling Protected B information, which requires that they be kept in an RCMP storage container with a padlock. While there is a significant quantity of applications which represents a challenge for storage, and management has procured an external storage solution that is/will be used to store the processed Qalipu applications, this policy should not be overlooked. During our visit to the WPU, we also noted that the fire suppression system in place was inadequate to prevent the destruction of application forms being stored at the WPU facility in the event of a fire.

Scanned Document Access: In relation to the protection and privacy of Qalipu applicant information, the audit noted some security issues around the Imaging Utility system to prevent and/or detect unauthorized changes to key images, client confidentiality data and image integrity. Some x employees with access rights to folders containing scanned application forms should have had their access removed. Some scanned copies of Qalipu applications were not removed from the local drives and remained accessible by a number of users who did not require access to the data.

Final Decision: The final decision to determine an applicant's eligibility for founding membership entitlement to be registered is a key control in the Qalipu enrolment process. The IRS is not configured with application controls to enable Enrolment Committee (EC) members to directly enter the final decision as to whether an application is recommended for enrolment or denied into the system. This part of the process will be performed by the Enrolment Committee Chair. The Quality Assurance (QA) process for ensuring that the entry in IRS agrees with the EC decision is not clear at this point.Footnote 2

While control and process improvements have been implemented as of the conclusion of this audit in 2013 to address known issues, weaknesses were noted at the time in the areas of data entry quality checks, physical and logical security to applicant information, and the process to implement the final EC decision on each Qalipu application into the IRS. If left unaddressed these weaknesses could have the unintended result of inappropriate enrolment eligibility decisions, unauthorized access to application information and invalid IRS data, which may support a number of c activities, including the issuance of (Secure) Certificates of Indian Status (status cards).

Recommendation

1. The Assistant Deputy Minister of Resolution and Individual Affairs should ensure that:

  • an effective monitoring procedure is established to ensure the segregation of duties between Indian Registration Officers entering data into IRS and those performing quality checks on the data entered. Monitoring should also be implemented over the final Enrolment Committee decision to ensure that the decision on each Qalipu application is correctly captured in the IRS.
  • a) lessons learned from the Qalipu application process are logged and assimilated into future registration projects; for example, b) when shipping application files, manifests should be created with unique identifiers so that transported applications can be accurately and completely reconciled.
  • registration applications are stored in accordance with AANDC's Standards on Protecting and Handling Information, and logical access to scanned data is restricted in accordance with the least privilege principle.

5.2. Regional and Band office Registration Processes

We expected to find that information entered into IRS through various sources, including IRAs and IROs, was reliable and access to it was protected, and that Certificate of Indian Status cards were being handled securely.

Policy/Directive Updates: While an intranet site has been established by HQ for dissemination of new policies/directives, the various clerks, officers, administrators, and managers interviewed at the Regional and Band offices visited, had varying levels of awareness about the policies and guidelines that are in place and relevant to their roles. While some demonstrated a sufficient understanding, others were entirely unaware of the existence of key policies, directives and guidelines. At one of the Regions visited, communication of an important directive related to Band transfers had not been disseminated to registration personnel, and consequently, no action had been taken. It was also noted that monitoring programs to ensure that Regions and Bands implement the relevant changes have not been introduced.

Training: We noted that the training material currently used by IROs and IRAs is not up-to-date. Further, there are inconsistencies between AANDC policies and directives and the Regional Training Manual, which has not been revised since 2006. It was also noted that work flow documents related to the registration process had not been communicated to the Band offices or Regional staff in a timely manner.

Based on the guidelines in place, access to the IRS is to be contingent on the successful attendance at the relevant IRS training course(s) and the completion and approval of an IRS access form. During our visits to Regional and Band offices, we found these guidelines to be inconsistently applied. In some cases, staff were receiving training on-the-job rather than in a formal capacity prior to them undertaking their roles as IRO or IRA. Formal records of training were not available at any of the Regions visited and it was confirmed that training is not being logged centrally at HQ. It was therefore not possible to determine with a reasonable level of assurance that access to the system was granted on the basis of formal training having been completed.

Roles and Responsibilities: Based on the relevant AANDC guidelines, access to the IRS is only granted on a "need to know" basis, appropriately tailored to the needs of the user's role. This access is granted based on the authority of the Indian Registrar or a delegate. In support of this, the Registrar's office has created a delegation of authority matrix that defines the tasks officers, clerks and administrators have the authority to perform. It was noted during visits to Regions and Bands that on some occasions the tasks and authorities performed by IRS users exceeded the delegated levels of authority and responsibilities. Specifically, we noted the following exceptions:

  • At all Regions visited, we identified IRCs who were responsible for interacting with the public, including registrants and applicants and who were regularly entering life event changes beyond their level of authority into IRS. This is intended to be the role of personnel at the officer-level or higher;
  • Out of 39 users with IRA level of access to the IRS from the Regions and Bands visited, there were 8 users for whom such access was not appropriate;
  • At two of the Regions visited, there was an indication of IRS user ID and password sharing amongst individuals. This included sharing an IRS user ID and password that had IRA-level access with employees that had insufficient training and knowledge to use the privilege appropriately;
  • Two instances were observed of summer students being granted full Read/Write access without receiving the requisite level of training;
  • In a test sample of four active IRS accounts at one Region, one did not have evidence to demonstrate appropriate approval; and,
  • The IRS access role definitions that were being used by the Regions and Bands are out of date.

Life Event Change Supporting Documents: Life events (e.g., birth, death, marriage, adoption, etc.) that affect a Registered Indian's record within the Indian Register are entered into IRS by personnel in HQ and in Regional Offices. According to AANDC Policies on Indian Registration, all entry or deletion of IRS information must be supported by independent documents signed by appropriate parties, or by evidence deemed satisfactory by the Indian Registrar. Indian life event change documents include certified copies of birth certificates, marriage/divorce certificates, court orders, and other documents containing Protected B information.

During our visits to Regional and Band offices, we noted that for 24 out of 85 life event samples selected, no supporting documentation for the changes could be provided. Of these, 12 were entered by IRAs and 12 were entered by Regional staff. At one of the Regions visited, while documentation was provided for all 25 life event changes selected, some of the documentation was not initially located and was provided substantially after the initial request.

Physical security and storage of life event change documents: Based on the AANDC and Treasury Board (TB) policies for safeguarding information, life event change supporting documents which contain information classified as Protected B, must be locked in an RCMP approved cabinet. The audit noted that insufficient physical security capacity was available to prevent unauthorized access. The following was observed:

  • The use of keyed padlock cabinets was not consistent at the Regions and Bands visited. The findings ranged from keys being shared with all individuals in an office, to keys being stored insecurely. In one case, the cabinet containing unprocessed documents was left unlocked overnight;
  • At one of the Bands visited, the main door to the membership area within the administration building was open when it should have been locked at all times, as was the door to the inner room where application registration documents were stored;
  • At one Region, individuals who should not have access to the mail room containing life event change supporting documents did;
  • At one Region, there was no fire suppression system (sprinkler) in the mail room containing life event change supporting documents;
  • At one Region, keys to the lockers/cabinets that are used to store the processed applications are kept on top of the locker itself. Although access to the premises was restricted, it was noted that cleaning personnel were present on site during and after office hours without supervision, which is not appropriate for a facility that houses Protected B documents; and,
  • At one of the Band offices visited, Band records were not kept separate from other Indian registration records. It was noted that all the files were being kept in the same folder for individuals.

Security gaps: Under the Privacy Act, personal information is disclosed only to the person to whom it refers, and is protected from disclosure to other parties. Given that the nature of information collected from Indian registrants is considered Protected B, it is important that the information be secured from unauthorized use. The following security weaknesses were identified:

  • In one Region, the shared drive where incoming faxes are stored was available in read access to a wide range of users who did not require such access;
  • In one Region, temporary scanned life event change files are stored on a temporary server that was accessible to a wide range of users on the network who did not require such access; and,
  • A number of documents in CIDM, the Department's record management system, were noted to have group access rights granted, which allows any user within that Region to access such documents and is not in accordance with the principle of least privilege.

Monitoring of life event changes: Monitoring and Compliance (M&C) is a key control area in the registration and life event change process. During the audit, we found that while a QA check was occurring at some Regions, overall the monitoring being performed was not as described in the Policies on Indian Registration. In Regions where QA checks were being performed, evidence was not always available to demonstrate that they were occurring. Only one of the Regions visited was performing monitoring of life events entered directly in the Indian Register by IRAs at Band offices and Regions did not provide the semi-annual summary report to the Indian Registrar, as required by the AANDC Policies on Indian Registration.

While there is an ongoing initiative to improve and replace the existing approach to monitoring and compliance (M&C), currently most Regions are not familiar with their monitoring responsibilities regarding life event changes made in IRS. We noted that personnel were new to their roles and that the monitoring effort was getting underway. A backlog exists relating to monitoring of life event changes, reviews are not being performed in a timely manner. No reviews of individuals with long periods of inactivity has taken place to determine if the registrants are deceased, as is specified by the Entitlement Manual.

CIS card handling and security: To maintain the accuracy of the IRS and the integrity of the CIS issued by the Indian Registrar, a specific procedure has been established for the destruction of cards. The procedure calls for all cards that are returned to Regions and Bands to be logged and sent directly to the Office of the Indian Registrar (OIR) at HQ. During the audit, we found that the return/destruction of CIS cards was being handled inconsistently across Regions with some returning the cards to HQ and others destroying cards on site. At one Band visited, it was noted that the returned and void CIS cards had not been returned to the Regional Office for over a year. Further, inconsistent methods for logging returned cards were observed at the Regions visited, while at the NCR, all relevant information is not being recorded in accordance with the Entitlement Manual.

Blank CIS cards are considered Protected B documents since possession of these blank cards could enable an individual to produce fraudulent cards using a laminating device (and to potentially procure benefits). The audit noted that insufficient physical security mechanisms were in place to prevent unauthorized access to blank CIS cards. The following was observed:

  • In multiple instances at Regions and Bands, blank CIS cards were not stored in locked storage containers; and,
  • Guidelines related to operational zone security requirements were not respected.

Opportunities for Efficiency: The following opportunities for efficiency improvements were identified:

  • During the scanning of life event change supporting documents, some Regions are scanning the documents once while other Regions are scanning them twice, once into the Department's electronic document repository (CIDM) and once into the IRS, which is less efficient than uploading the original scan into the IRS.
  • Extensive backlogs of life event change requests existed at some of the Regions visited, with no action plan existing to reduce the backlog. An action plan, using a risk-based approach to determining the priority for the timing of event reviews, would help ensure that life event changes are processed in a timely manner resulting in accurate and up-to-date information in the Indian Register.
  • No HQ monitoring of the progress of reducing the backlogs was occurring and backlogs have not decreased.

The audit of the Regional and Band Office registration processes has concluded that the lack of consistent communication, training and education of operations staff has resulted in departures from established AANDC policies and guidelines. This systemic gap has resulted in issues related to segregation of duties, monitoring and compliance, document handling, security, and overall process effectiveness.

Recommendation

2. The Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should a) ensure that the proposed approach to monitoring and compliance activities, as defined in the Office of the Indian Registrar's Monitoring and Compliance Framework, is implemented. An effective monitoring and compliance program would mitigate the majority of risks being faced as a result of aging technologies and IRS control deficiencies. This should include b) the review of life event changes, registrants whose files have been inactive for a significant period; the appropriateness of IRS user access, and compliance with policies and directives that are issued by the Indian Registrar.

Additionally, the Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should ensure that the initiative underway to update the training material for Indian Registration Officers (IROs) and Indian Registration Administrators (IRAs) is finalized. Upon completion, all IROs and IRAs should be provided with training and made fully aware of their roles and responsibilities for registration activities along with the consequences of not fulfilling their requirements. This should include training on CIS card handling, physical access, security over Protected B documents, how to handle backlogs, and how to stay informed of new directives and process changes.

5.3. Follow-up on Previous Weaknesses

In relation to IRS IT General Controls, overall we observed that while many noted weaknesses have been addressed and improvements have been made, there continues to be a need for attention to some of these areas.

Remediated items included the development and dissemination of delegation of authority matrices; the establishment of an intranet site to communicate updates to policies, directives and guidelines; the implementation of short term stabilization initiatives to bolster the current IRS infrastructure in the form of increased memory and bandwidth; the creation of a physically segregated adoption unit at HQ and corresponding restrictions on accessibility of adoption records in the Regions and Band offices; and the decommissioning of the Arrival system.

Weaknesses that were still in the process of being remediated included: the clarification roles and responsibilities for IROs and IRAs going forward; the implementation of a consistent approach to the delivery of training and the receipt of approvals for access to the IRS system; the timeliness and consistency in onward communication of updated policies, directives and guidelines to Regional staff and Bands; the appropriateness of access rights granted within IRS; restrictions on access to the adoption unit even though physical segregation was implemented; and, a number of system architecture related findings for which a more permanent solution was being defined as part of the IRS modernization initiative.

In relation to the assessment of key documentation produced for Phase I (the SIRCU initiative) and for Gates I and II of Phase II (the Indian Registration and Estates Management System) of the IRS modernization initiative, we did not identify any potential weaknesses and gaps at this stage. The documentation provided to date primarily included the documents used to obtain approval to proceed with the proposal, high level approach and business requirements documents and presentations to executive management, and do not provide a sufficient level of detail to enable the identification of weaknesses, gaps or recommendations at this time.

Recommendations

3. The Assistant Deputy Minister of Resolution and Individual Affairs should develop a plan to remediate any weaknesses related to IRS general system controls, core application controls, system stabilization, IRS governance, and project management.

4. The Assistant Deputy Minister of Resolution and Individual Affairs should review audit work to date and assess the issues identified with the intention of addressing them as SIRCU is implemented.

 

 

6. Management Action Plan

Recommendations Management Response / Actions Responsible
Manager (Title)
Planned
Implementation Date
Note: At Management's request, this Audit also considered the Qalipu Registration process, even though that process was at the very early stages of being set up in late summer 2013. The goal of including that issue in this Audit was to help ensure, at the onset of that process, that rigorous processes and control mechanisms had been developed and implemented. Since then, all of the recommendations and issues in this Audit relating to the Qalipu Registration process have been instituted or corrected. Likewise, all of the recommendations relating to other issues raised in this Audit have been, or are in the process of being, instituted or corrected.
1. The Assistant Deputy Minister of Resolution and Individual Affairs should ensure that:
  • an effective monitoring procedure is established to ensure the segregation of duties between Indian Registration Officers entering data into IRS and those performing quality checks on the data entered. Monitoring should also be implemented over the final Enrolment Committee decision to ensure that the decision on each Qalipu application is correctly captured in the IRS.
Regarding the establishment of a monitoring procedure to ensure the segregation of duties between those entering data and those performing quality checks, a process had been put in place from June to November 2013 to verify quality control of a randomly selected sample of applications. No problems were found, and, as part of the ongoing, planned staffing for this project, in accordance with this Audit, a formal quality assurance team is now in place. Assistant Deputy Minister, RIA

Director General, IAB
Completed: Qalipu Phase 1, November 2013
A formal process for monitoring of final decisions was not in place at the time of the audit because efforts were focused on ensuring rigour for the initial phases of the project. To ensure that the final Enrolment Committee decision is correctly captured in the IRS,a process will be in place by the time final Enrolment Committee decisions are rendered. As part of this, a randomly selected sample will undergo quality assurance. A quality assurance team has been hired and staffed to do this work. Status: Underway
  • a) lessons learned from the Qalipu application process are logged and assimilated into future registration projects; for example,
    b) when shipping application files, manifests should be created with unique identifiers so that transported applications can be accurately and completely reconciled.
In partnership with the Head of Winnipeg Processing Unit, the Office of the Indian Registrar will summarize lessons learned from the Qalipu application process for use in future registration projects.   Status: Expected completion date: June 2016
(a) Guidelines and directives have been developed for use in the broader registration context based on best practices in Qalipu such as file virtualization. General protocols have also been developed for file transfers and reconciliation (including the use of manifests with unique identifiers). Status: Expected completion August 2015
(b) In the Qalipu Registration process, manifests were used in the initial shipment of applications between Corner Brook and Winnipeg in July 2013. During that shipment, stringent precautions were taken to ensure that all Qalipu applications were securely transported and received at the Winnipeg Processing Unit. Thereafter, between September 2013 and February 2015, scanned files were transferred to an external security-approved storage location, in coordination with the Departmental Records Management group. During these transfers, manifests used unique identifiers for each box, and electronic records were used to track and reconcile all applications transferred between locations. Status: Completed-Already in effect
  • registration applications are stored in accordance with IAB's Standards on Protecting and Handling Information, and logical access to scanned data is restricted in accordance with the least privilege principle.
At all times, files in the Winnipeg Processing Unit have been stored in an access-controlled workplace to which only a limited number of security-cleared Departmental employees had access. In addition to the use of proximity cards, a monitored security system exists within the Unit. Initially, files were stored in a further locked room within this access-controlled environment, to which a very few select employees had access. Subsequent to being scanned, files were either moved to the external security-approved storage location or stored on-site in secure filing cabinets. The scanning of the files has negated the risk of applications being destroyed by fire.   Completed, February 2014
Both in the course of the audit and after the audit period, measures have been taken to enhance physical and IT security generally in the Winnipeg Processing Unit. For instance, security cameras have been installed at the Unit. In addition, the access rights of employees to scanned documents have been restricted to ensure that electronic access is limited to only those who require it. RIA will continue to work with Information Management Branch to ensure robust IT security measures are applied. Status: Completed, February 2014
2. The Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should (a) ensure that the proposed approach to monitoring and compliance activities, as defined in the Office of the Indian Registrar's Monitoring and Compliance Framework, is implemented. An effective monitoring and compliance program would mitigate the majority of risks being faced as a result of aging technologies and IRS control deficiencies. This should include (b) the review of life event changes, registrants whose files have been inactive for a significant period; the appropriateness of IRS user access, and compliance with policies and directives that are issued by the Indian Registrar. (a) Regarding monitoring and compliance, the Office of the Indian Registrar’s Monitoring and Compliance Unit has begun to implement the approaches and recommendations outlined in the Monitoring and Compliance Framework. As this framework was specific to registration activities, its span is being extended to the Secure Certificate of Indian Status operations. The emphasis in 2015-16 will be on Indian Register compliance actions in order to determine when SCIS monitoring and compliance integration should begin. Assistant Deputy Minister, RIA


Senior Assistant Deputy Minister, RO


Assistant Deputy Minister, NAO


Director General, IAB
Status: Underway: all aspects will be completed September 2015.
(b) Regarding registrants whose files have been inactive for a significant period, a project plan, developed with Health Canada, was implemented. Last summer, staff was hired to implement the first phase of this project. This exercise will be an annual exercise. The 2015-16 exercise will be repeated in Q2/3. Also, a joint Technical Working group has been established with representatives from the First Nations and Inuit Health Branch at Health Canada in order to examine issues of mutual interest, such as updates on GEIRA and leveraging our MOU for Indian Register update purposes. Status: The pilot with HC was completed. This will be a recurring yearly project.
Regarding IRS user access, the new Indian Registration and Estates Management System – a system under development to replace the existing Indian Registration System – will ultimately provide modern mechanisms and controls with enhanced ability to track access to the system. In the interim, the Office of the Indian Registrar will continue to manually conduct quarterly reviews of access to the IRS. All accounts that are inactive for more than three months are deactivated. System users are only granted access by the system administrator to the fields required to do their work. Access is password protected and includes an automated lock-out function. Status: To be completed by March 2017.
Regarding compliance with the policies and directives issued by the Indian Registrar, the Office of the Indian Registrar held a national working group meeting in June 2014, where Audit results were fully discussed with the Regional Directors responsible for Indian Registration, in order to develop both an overall action plan and region specific action plans. Their action plans cover this Audit, and are designed to ensure that on-site physical and security controls are strengthened and that employees are fully aware of their roles and responsibilities. The working group meeting was followed by monthly conference calls with regions and stakeholders to follow up on the Audit recommendations. Status: Completed June 2014
The next national working group meeting is scheduled for June 2015. Status: June 2015
Additionally, the Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should ensure that the initiative underway to update the training material for Indian Registration Officers (IROs) and Indian Registration Administrators (IRAs) is finalized. Upon completion, all IROs and IRAs should be provided with training and made fully aware of their roles and responsibilities for registration activities along with the consequences of not fulfilling their requirements. This should include training on CIS card handling, physical access, security over Protected B documents, how to handle backlogs, and how to stay informed of new directives and process changes. Regarding training, the Office of the Indian Registrar is currently formulating a training analysis and strategy for ROs and IRAs, scheduled for completion in Fall 2015, which will be implemented as part of the ongoing SIRCU learning strategy. As part of this, the Office of the Indian Registrar has begun implementing its newly developed e-learning and blended learning modules across the country, beginning with pilot training in the Winnipeg Processing Unit for approximately 50 people, in June 2014. Cross-training for SCIS and registration is available on an Adobe platform which allows for virtual training. WPU is still testing the virtual process, which will be integrated into the training package once completed. End of phase 1 of the test pilot is expected by the end of April 2015.   Status: Summer 2015
3. The Assistant Deputy Minister of Resolution and Individual Affairs should develop a plan to remediate any weaknesses related to IRS general system controls, core application controls, system stabilization, IRS governance, and project management. The Office of the Indian Registrar has made several amendments to the IRS IT controls to stabilize operations pending new system development. (If weaknesses are identified they will be resolved as part of the implementation of a new computerized registration system, scheduled to be completed in 2017).

Individual Affairs Branch is currently developing a new computer system to replace the existing Indian Registration System. The proposed Indian Registration and Estates Management System (IREMS) will actually replace four existing, separate and aging systems -- the Indian Registration System, the Secure Certificate of Indian Status, the Estates Reporting System, and the Treaty Payment System – with a streamlined and integrated data management capacity. The IREMS project is currently at Gate 3 of the TBS 8 gate process and has taken the recommendations and findings of the audit into consideration during project business requirement development.
Assistant Deputy Minister, RIA


Director General, IAB
Status: An integrated IM/IT plan has been developed for FY2015-16 which determines the priorities for systems enhancements before the implementation of the new integrated system (IREMS) in March 2017.
Building on lessons learned from the Winnipeg Processing Unit as well as on the outcomes of the June 2014 national working group meeting with regional directors, measures will be taken to enhance physical and IT security in all Registration processing centres. RIA will work with Information Management Branch and Regional Operations to ensure robust IT measures continue to be applied. As well, the Department will evaluate enhanced IT authentication tools for files access to IRS and IREMS. Status: Underway Spring 2015
4. The Assistant Deputy Minister of Resolution and Individual Affairs should review audit work to date and assess the issues identified with the intention of addressing them as SIRCU is implemented. In addition to the work noted above, the Individual Affairs Branch is reviewing previous audit findings and responses, and will review those issues not addressed as part of the response to the current Audit recommendations.

Further, the new IREMS systems, which will replace the IRS, includes new business processes intended to address the residual issues.
Assistant Deputy Minister, RIA

Director General, IAB
Status: March 2017
 

 

Appendix A: Audit Criteria

To ensure an appropriate level of assurance to meet the audit objectives, the following criteria were developed to address the objectives as follows:

Qalipu registration processes

Criterion #1: The application processing centre is capable of managing a high volume of Qalipu applications.


Criterion #2: Effective management of information and supporting documentation for registration applications, particularly between the hand-over from Qalipu Head Office (Corner Brook, NL) to the Winnipeg Processing Unit.


Criterion #3: Alignment between legislation, policies, processes and technology for Qalipu registration.


Criterion #4: Continuous improvement of processes throughout the Qalipu roll-out to leverage lessons learned and adapt to demands.


Criterion #5: Adequate imaging process to facilitate registration processing and support Qalipu registration.


Criterion #6: Ability to track applications and respond to applicant inquiries using the Call Centre.


Criterion #7: Appropriate assessment regarding invalid application forms.


Criterion #8:The Phase 2 process for assessing whether an applicant is accepted as a Qalipu founding member has been designed effectively to ensure assessments are made appropriately.

Regional and Band office registration processes

Criterion #9: Effective monitoring of changes to IRS data fields made in Regions and Band offices.


Criterion #10: Alignment between legislation, policies, processes and technology for registration in Regional and Band offices.


Criterion #11: Identification and management of life event changes (for on-reserve and off-reserve Band members as well as non-Band-member Status Indians).


Criterion #12: Administration of sufficient training for AANDC officers and IRAs involved in registration.


Criterion #13: Timely response to legislation of policy changes.


Criterion #14: Consistent enforcement of policies in alignment with headquarters program requirements.


Criterion #15 Ability to manage backlog, track application status and respond to applicant inquiries.

IRS access management, data management, architecture, and change management

Criterion #16: Remediation of gaps related to IRS general system controls, core application controls, system stabilization, registration process controls, IRS governance, and project management.

 

 

Appendix B: Relevant Policies/Directives

The following authoritative sources (i.e. Policies/Directives) were examined and used as a basis for this audit:

  1. Agreement for the Recognition of the Qalipu Mi’kmaq Band
  2. Amendment to the Agreement for the Recognition of the Qalipu Mik’maq Band in relation to Conne River
  3. Directive to the Enrolment Committee and the Appeal Master(s)
  4. Security Clearance: Secret Staff involved in determination of entitlement to Registration
  5. Entitlement Manual/Guide
  6. Entitlement Officers Manual
  7. Indian Act
  8. Indian Registration Administrator training manual
  9. Life event changes process flows
  10. Policies on Indian Registration
  11. Privacy Act
  12. Public Notice for all applicants and members of the Qalipu Mi’kmaq first nation
  13. Qalipu process flows
  14. Supplemental Agreement to the Agreement for the Recognition of the Qalipu Mik’maq Band
 
 
Date modified: