Based on a combination of the evidence gathered through the examination of documentation, analysis and interviews, each audit criterion was assessed by the audit team and a conclusion for each audit criterion was determined. Where differences between the audit criteria and the observed practice were found, the risk of the gap was evaluated and used to develop a conclusion and to document recommendations for improvement initiatives.
This section describes the findings and recommendations identified by the audit. Findings are categorized according to the following three lines of enquiry:
5.1. Qalipu Registration Processes
We expected to find a combination of manual and automated controls, including clear and detailed process documentation, adequate and timely training of application processing staff, application forms being recorded, transported and stored in a complete, accurate and secure manner, and diligent monitoring of application processing progress, to ensure an appropriate assessment of the validity and decision over enrolment.
Overall, we found that effective operating controls have been established for the processing of Qalipu registration application forms. However, during the review, the following weaknesses were observed:
Spot Checks: The WPU has implemented a control wherein after an Indian Registration Clerk (IRC) enters key application data into the IRS, a second IRC will check it for accuracy. While operating effectiveness testing of this control found no exceptions of IRCs performing a quality check on their own data entry, there was a lack of formal monitoring or spot checks to ensure that IRCs were not performing quality checks of their own data entry.
Manifests: Manifests were used to verify the completeness of the contents of the boxes of applications that were shipped from Cornerbrook to the WPU. However, it was determined that there were insufficient details recorded on the manifests, such as lack of a unique identifier, to perform an effective reconciliation, and as a result, only limited overall reconciliation of manifests to the received forms could be performed to ensure the completeness of the applications received by the WPU.
Physical Security: After receipt and collection of all Qalipu application forms in Cornerbrook, the documents were shipped to the WPU for processing. We were informed that the vehicles used to transport the 1,162 boxes containing Qalipu applications were secured and that visual checks were performed to ensure that all transported boxes were received at the WPU. During our visit to the WPU, we noted that access to the building is controlled by proximity cards and only authorized visitors are permitted entry to the processing unit. As an additional level of security, there is a monitored security system in place within the WPU. However, the 1,162 boxes containing completed Qalipu applications were not all stored in accordance with AANDC's policy on protecting and handling Protected B information, which requires that they be kept in an RCMP storage container with a padlock. While the significant quantity of applications represents a challenge for storage, and management has procured an external storage solution that is, or will be, used to store the processed Qalipu applications, this policy should not be overlooked. During our visit to the WPU, we also noted that the fire suppression system in place was inadequate to prevent the destruction of application forms stored at the WPU facility in the event of a fire.
Scanned Document Access: In relation to the protection and privacy of Qalipu applicant information, the audit noted some security issues with the Imaging Utility system's ability to prevent and/or detect unauthorized changes to key images, client confidentiality data and image integrity. Some employees with access rights to folders containing scanned application forms should have had their access removed. Some scanned copies of Qalipu applications were not removed from the local drives and remained accessible by a number of users who did not require access to the data.
Final Decision: The final decision on an applicant's eligibility for founding membership, and hence entitlement to be registered, is a key control in the Qalipu enrolment process. The IRS is not configured with application controls to enable Enrolment Committee (EC) members to directly enter into the system the final decision as to whether an application is recommended for enrolment or denied. This part of the process will be performed by the Enrolment Committee Chair. The Quality Assurance (QA) process for ensuring that the entry in IRS agrees with the EC decision is not clear at this point.
While control and process improvements have been implemented as of the conclusion of this audit in 2013 to address known issues, weaknesses were noted at the time in the areas of data entry quality checks, physical and logical security of applicant information, and the process for implementing the final EC decision on each Qalipu application in the IRS. If left unaddressed, these weaknesses could have the unintended result of inappropriate enrolment eligibility decisions, unauthorized access to application information and invalid IRS data, which may in turn support a number of activities, including the issuance of (Secure) Certificates of Indian Status (status cards).
1. The Assistant Deputy Minister of Resolution and Individual Affairs should ensure that:
- an effective monitoring procedure is established to ensure the segregation of duties between Indian Registration Officers entering data into IRS and those performing quality checks on the data entered. Monitoring should also be implemented over the final Enrolment Committee decision to ensure that the decision on each Qalipu application is correctly captured in the IRS.
- a) lessons learned from the Qalipu application process are logged and assimilated into future registration projects; for example, b) when shipping application files, manifests should be created with unique identifiers so that transported applications can be accurately and completely reconciled.
- registration applications are stored in accordance with AANDC's Standards on Protecting and Handling Information, and logical access to scanned data is restricted in accordance with the least privilege principle.
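A monitoring check of the kind Recommendation 1 calls for, as an added example that is not part of the audit report; it assumes a hypothetical IRS event log format (application id, action, user, recorded value) and a constructed list of Enrolment Committee decisions to reconcile against.

```python
"""Added example: segregation-of-duties and EC-decision monitoring over a
hypothetical IRS audit trail. Log format and sample records are constructed."""
from collections import defaultdict

# Constructed sample records: (application_id, action, user, value)
SAMPLE_LOG = [
    ("Q-0001", "ENTRY", "irc_alice", None),
    ("Q-0001", "QA", "irc_bob", None),          # proper second-person check
    ("Q-0002", "ENTRY", "irc_bob", None),
    ("Q-0002", "QA", "irc_bob", None),          # clerk checked own entry
    ("Q-0003", "ENTRY", "irc_carol", None),     # never quality-checked
    ("Q-0004", "ENTRY", "irc_alice", None),
    ("Q-0004", "QA", "irc_carol", None),
    ("Q-0004", "DECISION", "ec_chair", "DENIED"),
]

# Constructed Enrolment Committee minutes: the decision actually taken.
EC_DECISIONS = {"Q-0001": "RECOMMENDED", "Q-0004": "RECOMMENDED"}


def monitor(log, ec_decisions):
    """Return findings keyed by check name.

    self_qa:           entry was only quality-checked by the clerk who keyed it
    no_qa:             entry has no quality check at all
    decision_missing:  EC decided but nothing was recorded in IRS
    decision_mismatch: IRS holds a different decision than the EC minutes
    """
    entries = {}
    qas = defaultdict(list)
    recorded = {}
    for app_id, action, user, value in log:
        if action == "ENTRY":
            entries[app_id] = user
        elif action == "QA":
            qas[app_id].append(user)
        elif action == "DECISION":
            recorded[app_id] = value

    findings = {"self_qa": [], "no_qa": [],
                "decision_missing": [], "decision_mismatch": []}
    for app_id, entry_user in entries.items():
        checkers = qas.get(app_id, [])
        if not checkers:
            findings["no_qa"].append(app_id)
        elif all(c == entry_user for c in checkers):
            findings["self_qa"].append((app_id, entry_user))
    for app_id, decided in ec_decisions.items():
        if app_id not in recorded:
            findings["decision_missing"].append(app_id)
        elif recorded[app_id] != decided:
            findings["decision_mismatch"].append(
                (app_id, decided, recorded[app_id]))
    return findings


if __name__ == "__main__":
    for check, hits in monitor(SAMPLE_LOG, EC_DECISIONS).items():
        print(f"{check}: {hits}")
```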
5.2. Regional and Band Office Registration Processes
We expected to find that information entered into IRS through various sources, including IRAs and IROs, was reliable and access to it was protected, and that Certificate of Indian Status cards were being handled securely.
Policy/Directive Updates: While an intranet site has been established by HQ for the dissemination of new policies/directives, the various clerks, officers, administrators and managers interviewed at the Regional and Band offices visited had varying levels of awareness of the policies and guidelines that are in place and relevant to their roles. While some demonstrated a sufficient understanding, others were entirely unaware of the existence of key policies, directives and guidelines. At one of the Regions visited, an important directive related to Band transfers had not been disseminated to registration personnel, and consequently no action had been taken. It was also noted that monitoring programs to ensure that Regions and Bands implement the relevant changes have not been introduced.
Training: We noted that the training material currently used by IROs and IRAs is not up to date. Further, there are inconsistencies between AANDC policies and directives and the Regional Training Manual, which has not been revised since 2006. It was also noted that workflow documents related to the registration process had not been communicated to the Band offices or Regional staff in a timely manner.
Based on the guidelines in place, access to the IRS is to be contingent on the successful attendance at the relevant IRS training course(s) and the completion and approval of an IRS access form. During our visits to Regional and Band offices, we found these guidelines to be inconsistently applied. In some cases, staff were receiving training on-the-job rather than in a formal capacity prior to them undertaking their roles as IRO or IRA. Formal records of training were not available at any of the Regions visited and it was confirmed that training is not being logged centrally at HQ. It was therefore not possible to determine with a reasonable level of assurance that access to the system was granted on the basis of formal training having been completed.
Roles and Responsibilities: Based on the relevant AANDC guidelines, access to the IRS is only granted on a "need to know" basis, appropriately tailored to the needs of the user's role. This access is granted based on the authority of the Indian Registrar or a delegate. In support of this, the Registrar's office has created a delegation of authority matrix that defines the tasks officers, clerks and administrators have the authority to perform. It was noted during visits to Regions and Bands that on some occasions the tasks and authorities performed by IRS users exceeded the delegated levels of authority and responsibilities. Specifically, we noted the following exceptions:
- At all Regions visited, we identified IRCs who were responsible for interacting with the public, including registrants and applicants, and who were regularly entering life event changes into IRS beyond their level of authority. This is intended to be the role of personnel at the officer level or higher;
- Out of 39 users with IRA level of access to the IRS from the Regions and Bands visited, there were 8 users for whom such access was not appropriate;
- At two of the Regions visited, there was an indication of IRS user ID and password sharing amongst individuals. This included sharing an IRS user ID and password that had IRA-level access with employees that had insufficient training and knowledge to use the privilege appropriately;
- Two instances were observed of summer students being granted full Read/Write access without receiving the requisite level of training;
- In a test sample of four active IRS accounts at one Region, one did not have evidence to demonstrate appropriate approval; and,
- The IRS access role definitions that were being used by the Regions and Bands are out of date.
Life Event Change Supporting Documents: Life events (e.g., birth, death, marriage, adoption, etc.) that affect a Registered Indian's record within the Indian Register are entered into IRS by personnel in HQ and in Regional Offices. According to AANDC Policies on Indian Registration, all entry or deletion of IRS information must be supported by independent documents signed by appropriate parties, or by evidence deemed satisfactory by the Indian Registrar. Indian life event change documents include certified copies of birth certificates, marriage/divorce certificates, court orders, and other documents containing Protected B information.
During our visits to Regional and Band offices, we noted that for 24 out of 85 life event samples selected, no supporting documentation for the changes could be provided. Of these, 12 were entered by IRAs and 12 were entered by Regional staff. At one of the Regions visited, while documentation was provided for all 25 life event changes selected, some of the documentation was not initially located and was provided substantially after the initial request.
Physical security and storage of life event change documents: Based on the AANDC and Treasury Board (TB) policies for safeguarding information, life event change supporting documents, which contain information classified as Protected B, must be locked in an RCMP approved cabinet. The audit noted that insufficient physical security capacity was available to prevent unauthorized access. The following was observed:
- The use of keyed padlock cabinets was not consistent at the Regions and Bands visited. The findings ranged from keys being shared with all individuals in an office, to keys being stored insecurely. In one case, the cabinet containing unprocessed documents was left unlocked overnight;
- At one of the Bands visited, the main door to the membership area within the administration building was open when it should have been locked at all times, as was the door to the inner room where application registration documents were stored;
- At one Region, individuals who should not have access to the mail room containing life event change supporting documents did;
- At one Region, there was no fire suppression system (sprinkler) in the mail room containing life event change supporting documents;
- At one Region, keys to the lockers/cabinets that are used to store the processed applications are kept on top of the locker itself. Although access to the premises was restricted, it was noted that cleaning personnel were present on site during and after office hours without supervision, which is not appropriate for a facility that houses Protected B documents; and,
- At one of the Band offices visited, Band records were not kept separate from other Indian registration records. It was noted that all the files were being kept in the same folder for individuals.
Security gaps: Under the Privacy Act, personal information is disclosed only to the person to whom it refers, and is protected from disclosure to other parties. Given that the nature of information collected from Indian registrants is considered Protected B, it is important that the information be secured from unauthorized use. The following security weaknesses were identified:
- In one Region, the shared drive where incoming faxes are stored was available in read access to a wide range of users who did not require such access;
- In one Region, temporary scanned life event change files are stored on a temporary server that was accessible to a wide range of users on the network who did not require such access; and,
- A number of documents in CIDM, the Department's record management system, were noted to have group access rights granted, which allows any user within that Region to access such documents and is not in accordance with the principle of least privilege.
Monitoring of life event changes: Monitoring and Compliance (M&C) is a key control area in the registration and life event change process. During the audit, we found that while a QA check was occurring at some Regions, overall the monitoring being performed was not as described in the Policies on Indian Registration. In Regions where QA checks were being performed, evidence was not always available to demonstrate that they were occurring. Only one of the Regions visited was monitoring life events entered directly in the Indian Register by IRAs at Band offices, and Regions did not provide the semi-annual summary report to the Indian Registrar, as required by the AANDC Policies on Indian Registration.
While there is an ongoing initiative to improve and replace the existing approach to monitoring and compliance (M&C), currently most Regions are not familiar with their monitoring responsibilities regarding life event changes made in IRS. We noted that personnel were new to their roles and that the monitoring effort was only getting underway. A backlog exists in the monitoring of life event changes, and reviews are not being performed in a timely manner. No reviews of individuals with long periods of inactivity have taken place to determine whether the registrants are deceased, as is specified by the Entitlement Manual.
CIS card handling and security: To maintain the accuracy of the IRS and the integrity of the CIS issued by the Indian Registrar, a specific procedure has been established for the destruction of cards. The procedure calls for all cards that are returned to Regions and Bands to be logged and sent directly to the Office of the Indian Registrar (OIR) at HQ. During the audit, we found that the return/destruction of CIS cards was being handled inconsistently across Regions, with some returning the cards to HQ and others destroying cards on site. At one Band visited, it was noted that the returned and void CIS cards had not been sent to the Regional Office for over a year. Further, inconsistent methods for logging returned cards were observed at the Regions visited, while at the NCR not all relevant information is being recorded in accordance with the Entitlement Manual.
Blank CIS cards are considered Protected B documents since possession of these blank cards could enable an individual to produce fraudulent cards using a laminating device (and to potentially procure benefits). The audit noted that insufficient physical security mechanisms were in place to prevent unauthorized access to blank CIS cards. The following was observed:
- In multiple instances at Regions and Bands, blank CIS cards were not stored in locked storage containers; and,
- Guidelines related to operational zone security requirements were not respected.
Opportunities for Efficiency: The following opportunities for efficiency improvements were identified:
- During the scanning of life event change supporting documents, some Regions are scanning the documents once while other Regions are scanning them twice, once into the Department's electronic document repository (CIDM) and once into the IRS, which is less efficient than uploading the original scan into the IRS.
- Extensive backlogs of life event change requests existed at some of the Regions visited, with no action plan existing to reduce the backlog. An action plan, using a risk-based approach to determining the priority for the timing of event reviews, would help ensure that life event changes are processed in a timely manner resulting in accurate and up-to-date information in the Indian Register.
- No HQ monitoring of the progress of reducing the backlogs was occurring and backlogs have not decreased.
The audit of the Regional and Band Office registration processes has concluded that the lack of consistent communication, training and education of operations staff has resulted in departures from established AANDC policies and guidelines. This systemic gap has resulted in issues related to segregation of duties, monitoring and compliance, document handling, security, and overall process effectiveness.
2. The Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should a) ensure that the proposed approach to monitoring and compliance activities, as defined in the Office of the Indian Registrar's Monitoring and Compliance Framework, is implemented. An effective monitoring and compliance program would mitigate the majority of risks being faced as a result of aging technologies and IRS control deficiencies. This should include b) the review of life event changes, of registrants whose files have been inactive for a significant period, of the appropriateness of IRS user access, and of compliance with policies and directives issued by the Indian Registrar.
Additionally, the Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should ensure that the initiative underway to update the training material for Indian Registration Officers (IROs) and Indian Registration Administrators (IRAs) is finalized. Upon completion, all IROs and IRAs should be provided with training and made fully aware of their roles and responsibilities for registration activities along with the consequences of not fulfilling their requirements. This should include training on CIS card handling, physical access, security over Protected B documents, how to handle backlogs, and how to stay informed of new directives and process changes.
5.3. Follow-up on Previous Weaknesses
In relation to IRS IT General Controls, overall we observed that while many noted weaknesses have been addressed and improvements have been made, there continues to be a need for attention to some of these areas.
Remediated items included the development and dissemination of delegation of authority matrices; the establishment of an intranet site to communicate updates to policies, directives and guidelines; the implementation of short term stabilization initiatives to bolster the current IRS infrastructure in the form of increased memory and bandwidth; the creation of a physically segregated adoption unit at HQ and corresponding restrictions on accessibility of adoption records in the Regions and Band offices; and the decommissioning of the Arrival system.
Weaknesses that were still in the process of being remediated included: the clarification of roles and responsibilities for IROs and IRAs going forward; the implementation of a consistent approach to the delivery of training and the receipt of approvals for access to the IRS system; the timeliness and consistency of onward communication of updated policies, directives and guidelines to Regional staff and Bands; the appropriateness of access rights granted within IRS; restrictions on access to the adoption unit, even though physical segregation was implemented; and a number of system architecture related findings for which a more permanent solution was being defined as part of the IRS modernization initiative.
In relation to the assessment of key documentation produced for Phase I (the SIRCU initiative) and for Gates I and II of Phase II (the Indian Registration and Estates Management System) of the IRS modernization initiative, we did not identify any potential weaknesses or gaps at this stage. The documentation provided to date primarily included the documents used to obtain approval to proceed with the proposal, high-level approach and business requirements documents, and presentations to executive management; it does not provide a sufficient level of detail to enable the identification of weaknesses, gaps or recommendations at this time.
3. The Assistant Deputy Minister of Resolution and Individual Affairs should develop a plan to remediate any weaknesses related to IRS general system controls, core application controls, system stabilization, IRS governance, and project management.
4. The Assistant Deputy Minister of Resolution and Individual Affairs should review audit work to date and assess the issues identified with the intention of addressing them as SIRCU is implemented.