Canada Border Services Agency

Audit of Trusted Traveller Programs

Final Report
December, 2012

1.0 INTRODUCTION

The Trusted Traveller Programs (TTPs) are designed to simplify the border clearance process for pre-approved, low-risk travellers entering Canada.

The Canada Border Services Agency (the Agency) offers four programs for travellers. NEXUS is a joint initiative between the Agency and the United States Customs and Border Protection and covers air, land, and marine modes of transport. CANPASS is a Canadian program for travellers who enter Canada by commercial airline, corporate and private aircraft, and by private boat. Two other programs linked to trade are designed for trusted commercial truck drivers: FAST (Free and Secure Trade), a joint initiative with the United States Customs and Border Protection; and Commercial Driver Registration Program (CDRP), a Canadian program.

Trusted Traveller Programs are central to the Agency's risk-based approach to managing the border, and facilitating the movement of people between the United States and Canada.

2.0 SIGNIFICANCE OF THE AUDIT

This audit is of interest to management because the Trusted Traveller Programs are a key part of facilitating the movement of low-risk travellers across the border. As well, there is continued overall growth in membership in the TTPs and this is expected to continue as additional investment is being made in these programs through the Canada-United States Beyond the Border Action Plan. Program integrity issues in the TTPs are of interest because they could result in people using the programs to travel more easily between the United States and Canada to carry on illegal activities.

The audit objective was to provide assurance that the TTPs are appropriately managed. More specifically, objectives were to determine whether only eligible applicants were approved for membership; the mechanisms for monitoring existing trusted travellers, revoking membership and redress were effective; and program management had addressed issues stemming from previous audits.

3.0 STATEMENT OF ASSURANCE

The audit approach and methodology followed the International Standards for the Professional Practice of Internal Auditing as defined by the Institute of Internal Auditors and the Internal Auditing Standards for the Government of Canada as required by the Treasury Board Internal Audit Policy.

This audit provides a high level of assurance that the opinion provided therein is appropriate and reflects conditions that existed at the time of the audit.

4.0 AUDIT OPINION

In our opinion, the overall management of the Trusted Traveller Programs, including admittance, risking, re-risking, revocation and redress is functioning as intended, with the exception of monitoring for "above" low-risk members.

Monitoring of "above" low-risk members is important for program integrity, so that the Agency can rely on the programs to efficiently and effectively manage border passage. As a result, this translates to a moderate risk exposure to the Agency.

5.0 KEY FINDINGS

Only eligible applicants as defined by the programs were being admitted into the Trusted Traveller Programs. There is an opportunity to strengthen the eligibility process by clarifying the "good character" clause in the Presentation of Persons (2003) Regulations.

Risking, re-risking and revocation controls for members were functioning as intended. However, the program assumes all members are of the same risk level. The control framework for risking the applicants could be enhanced through the use of additional intelligence and criminal investigation information to assist in the determination of an applicant's level of risk. Although all trusted travellers are subject to the controls of a normal border passage, there are no controls specifically designed to monitor "above" low-risk members as recommended by the Office of the Auditor General in 2007.

The processing of applications and the annual re-risking of files were generally done within acceptable timelines. A quality monitoring process was in place at the major Canadian Processing Centre that handled over 80% of the files. No quality monitoring process was in place at the other centres. While no major issues were noted, a quality monitoring process strengthens the data quality of the programs.

The redress mechanisms for the programs were well designed and were working as intended. There was one exception regarding the Remote Area Border Crossing (RABC) program operating in the Northern Ontario Region. As well, overall program accountability for this sub-program of the Trusted Traveller Programs was unclear and the RABC program was operating with procedures that had been developed locally.

Progress is being made on addressing previous audit recommendations. The recommendations of this audit are made in part to address these previous recommendations.

6.0 SUMMARY OF RECOMMENDATIONS

The audit makes five recommendations relating to:

  • guidance to clarify the "good character" clause;
  • establishing a process to identify and monitor "above" low-risk members;
  • expanding the quality assurance process to all Canadian processing centres;
  • implementing a formal redress mechanism for the RABC program and ensuring that Headquarters Pre-Border Programs fulfills its role as RABC program authority; and
  • developing and updating standard operating procedures (SOPs) and policies to incorporate program developments and clarify areas of uncertainty.

7.0 MANAGEMENT RESPONSE

The Programs Branch agrees with the recommendations provided by the Internal Audit and Program Evaluation Directorate.

  • The Programs Branch will continue to refine TTPs to incorporate recommendations such as quality assurance processes, monitoring mechanisms to ensure program integrity and mechanisms to address above low-risk members.
  • In addition, the Programs Branch will continue to build on existing practices, such as conducting compliance blitzes, providing the Regions with updates on policy changes, seeking legal opinions on program enhancements, etc.

8.0 AUDIT FINDINGS

8.1 Admittance to the Trusted Traveller Programs

Audit Criterion: The Agency admits only eligible applicants to the Trusted Traveller Programs.

The process for determining applicant eligibility was functioning as intended. In a review of a sample of 215 applications, it was concluded that these were processed adequately against the eligibility requirements. Applicants who did not meet the requirements were refused membership.

The Agency is not routinely using the information in the Intelligence Management System (IMS) and the Criminal Investigations Information Management System (CIIMS) to determine eligibility and risk. While the information may not be sufficient to reject an applicant, it may assist in determining risk and whether additional monitoring of these members is required at border passage.

The program guidance for the "good character" clause in the Presentation of Persons (2003) Regulations was not clearly defined, making it difficult to deny membership to some applicants who may be considered "above" low-risk.

What constitutes good character is not clearly defined in legislation or policy. Staff is left to interpret the good character clause to the best of its ability and would prefer guidance from program management. Currently, there are inconsistencies in the interpretation between regional and Headquarters management. Program management is aware of this issue but had not established a timetable to provide guidance.

Recommendation 1:

The Vice-President of the Programs Branch should provide guidance on the interpretation and administration of the "good character" clause in the Presentation of Persons (2003) Regulations.

The Programs Branch agrees with this recommendation and will:

Management Action Plan | Completion Date
Establish, in consultation with Legal Services Unit and Regulatory Affairs Section, a list of factors and language to clarify the wording "good character". | November 2012
Distribute an Operational Bulletin to the Regions to confirm which elements to consider when assessing "good character". | November 2012

8.2 Program Monitoring

Audit Criteria: These criteria focused on the risking and monitoring of members and included the following:

  • Monitoring mechanisms exist to ensure quality and timeliness.
  • Risking and re-risking controls are well-designed and function as intended.
  • Membership in the Trusted Traveller Programs is revoked for anyone who has been identified as posing an increased risk.
  • "Above" low-risk members are monitored to ensure that their net risk level is reduced to low.

Monitoring is a cornerstone of delivering any program. Government departments and agencies are expected to monitor management practices and operational controls so that remedial action can be taken when control deficiencies are identified or improvements are needed.

Monitoring of application processing

Applications were processed within acceptable timelines and the annual re-risking of files was generally done within a 12 to 15-month time frame. There were no significant backlogs and management in the processing offices ensured timeliness by monitoring the daily workload.

One processing office had implemented a formal regime for monitoring trusted traveller files to provide assurance on the quality of work and decisions on the part of processing staff. This office is the major processing office and handles over 80% of the applications. This is a notable practice and should be considered for the other processing offices.

Risking, re-risking and revocation

Applicants are risked before they are admitted to a TTP. Once admitted, members are "re-risked" annually. If information is uncovered indicating that a person is, or has become, ineligible for membership in a program, then the application is rejected or the membership revoked.

The process of risking consists of assessing the risk that a traveller may pose by checking four law enforcement databases. They include the Integrated Customs Enforcement System, Field Operations Support System, Canadian Police Information Centre and National Crime Information Centre. The risking, re-risking and revocation controls were functioning as designed in accordance with the parameters of existing legislation. As noted above, there is a control design issue as IMS and CIIMS are not routinely checked at the time of the risking and re-risking process to determine those applicants who could be "above" low-risk.

Monitoring "above" low-risk members

In the 2007 audit by the Office of the Auditor General, Keeping the Border Open and Secure, it was recommended that members who are assessed "above" low-risk should be monitored to ensure their net risk level is reduced to low.

The program area considered options to address the Auditor General recommendation, such as having risking officers run applicant names in IMS and CIIMS, or running bulk queries between systems and then risking only those names. These options were not pursued by program management. Instead, a read-only profile was created in the trusted traveller databases for intelligence officers and criminal investigators, and the Canadian Processing Centres were instructed to refer "above" low-risk cases to Intelligence or Criminal Investigations.

Employees working in Canadian Processing Centres were making referrals, primarily to intelligence officers. However, there is no evidence this resulted in adequate or effective monitoring of "above" low-risk members.

The risk identified in the 2007 audit still exists. A key component of managing "above" low-risk members of TTPs is knowing who they are. Exactly how many people of the program membership pose an "above" low risk is not known.

Program management expressed the view that normal border crossing and intelligence processes were sufficient to monitor these "above" low-risk members. Members usually have contact with border services officers at some point when they cross the border. Border services officers are well aware that trusted travellers, while considered lower risk, cannot be considered as posing no risk for contraband. Therefore, border services officers may refer the traveller for a detailed examination. However, the results of these border examinations are not analyzed by the Trusted Traveller Programs.

The Agency has existing databases which could be used to monitor "above" low-risk members. For example, re-risking could be programmed to be done more frequently, or border passage history and examination results could be periodically retrieved and analyzed for "above" low-risk members. As well, time-specific lookouts could be considered to enhance program integrity.

Recommendation 2:

The Vice-President of the Programs Branch should establish a process to identify and monitor "above" low-risk members.

The Programs Branch agrees with this recommendation.

Pre-Border Programs, in consultation with Enforcement and Intelligence Programs, and the Operations Branch will:

Management Action Plan | Completion Date
Prepare a list of "above" low-risk members in the Trusted Traveller programs. | December 2012
Develop various scenarios and assess against existing criteria to determine if amendments to criteria and regulations should be made. | January 2013
Complete a review of existing procedures and assess the options for regular monitoring of "above" low-risk members, including: more frequent re-risking of these members; regular review of border passage history and examination results; time-specific lookouts. | February 2013
Implement a revised process to identify and monitor "above" low-risk members. | March 2013

Recommendation 3:

The Vice-President of the Programs Branch should implement a quality assurance process in all Canadian Processing Centres.

The Programs Branch agrees with this recommendation and will implement a quality assurance process in all Canadian processing centres.

Management Action Plan | Completion Date
Complete the ongoing work of the review of the quality assurance process at the largest Canadian processing centre for best practices and opportunities for improvement. | January 2013
Develop and implement a quality assurance process nationally in all Canadian processing centres. | May 2013

8.3 Redress Mechanisms

Audit Criterion: Mechanisms for handling requests for review of rejections, suspensions or cancellations are well-designed and work as intended.

The right to redress is legislated in section 23 of the Presentation of Persons (2003) Regulations. Program applicants/members may "request a review" of the decisions to reject their application or to suspend or cancel their membership. Each year the Agency receives and reviews hundreds of requests for review of rejections, suspensions and cancellations from the Trusted Traveller Programs. These are handled by a two-tier redress mechanism. If clients are not satisfied with the regional tier-one redress decision, they may request a tier-two review by the Headquarters Recourse Directorate.

The redress mechanisms for the program are well-designed and are working as intended. An exception to this was the Remote Area Border Crossing (RABC) program which is a sub-program of CANPASS and is operating in the Northern Ontario Region. It is designed to simplify border crossing for wilderness tourists and remote cottagers. There was no formal tier-one regional redress mechanism in place for the RABC program.

Remote Area Border Crossing program

Policy accountability for the RABC program was unclear. Regional management did not know who to contact at Headquarters and no policy owner came forward during the course of the audit. The RABC program was operating with procedures that had been developed locally.

Without a Headquarters policy owner, there is a risk that the RABC program could operate outside the parameters of legislation and Agency policy, and program decisions could be taken by regional management that would be inconsistent with national direction.

Recommendation 4:

The Vice-President of the Programs Branch should clarify the Headquarters accountability for the Remote Area Border Crossing program, ensure a formal tier-one redress mechanism is implemented and undertake a review of the RABC procedures, to ensure consistency with other trusted traveller programs.

The Programs Branch agrees with this recommendation and will undertake an analysis of the RABC to determine the program's future state.

Management Action Plan | Completion Date
Programs Branch will determine the accountability of the RABC program and identify an owner. | October 2012
A working group with representatives from the Programs Branch, Operations Branch and Recourse Directorate will analyze the current RABC program and its future state, including the procedures and redress mechanisms. | March 2013
Subject to directions from the Programs Standing Committee, Programs Branch will implement revised RABC procedures and a redress mechanism. | June 2013

8.4 Follow-up

Audit criterion: The Agency has addressed findings from previous internal audits and the Office of the Auditor General relating to Trusted Traveller Programs.

Follow-up was conducted on four recommendations from two previous audits from 2007:

  • Keeping the Border Open and Secure, conducted by the Office of the Auditor General.
  • Audit of the NEXUS Application Process, conducted by Internal Audit.

The audit on Keeping the Border Open and Secure touched on multiple border security issues. One recommendation focused on monitoring "above" low-risk members of TTPs to ensure their net risk level is reduced to low. As noted earlier in the report, the program had implemented information sharing with Intelligence and Criminal Investigations, but had not instituted specific monitoring of "above" low-risk members with a view to demonstrating the net risk level was low for the Trusted Traveller Programs.

The Audit of the NEXUS Application Process had recommendations to update the standard operating procedures (SOPs), to provide training, and to establish a quality monitoring regime and performance measures. The establishment of a quality monitoring regime was addressed in section 8.2.

The SOPs were updated in 2009 and are available on the Agency's intranet (internal Web site). Some suggestions to strengthen the SOPs include:

  • A national SOP or policy for tier-one redress committees to follow;
  • Link the intranet site to the legislation; and
  • As noted earlier, clarification of the good character clause.

Formal training was offered in the main processing office. Online courses were available and on-the-job training and mentoring were in place for all offices.

The 2007 audit also recommended that performance measures be established. This work is progressing as part of the Beyond the Border Action Plan.

Overall, progress is being made on addressing previous recommendations. Some additional work is required to fully address them. Recommendations 1, 2, 3 and 5 of this audit are made in part to fulfill these previous recommendations.

Recommendation 5:

The Vice-President of the Programs Branch should consult the Regions of the Operations Branch to determine what updates are needed and which SOPs and policies are missing. It should then develop or revise them as required and publish them on the intranet.

The Programs Branch agrees with this recommendation and will:

Management Action Plan | Completion Date
Work with the Communications Directorate to link the intranet site to the legislation to strengthen the SOPs. | December 2012
Consult with regional management regarding policy gaps and updates, including tier-one redress, and present recommendations for priority revisions to the Trusted Program Management Committee Table for approval. | March 2013
Complete priority changes to SOPs and policies and publish on the Agency's intranet. | June 2013

APPENDIX A – ABOUT THE AUDIT

AUDIT OBJECTIVES AND SCOPE

The audit objective was to provide assurance that the Trusted Traveller Programs (TTPs) are appropriately managed. More specifically, the objectives were to determine whether only eligible applicants are approved for membership; the mechanisms for monitoring existing trusted travellers, revoking membership and redress are effective; and program management has addressed issues stemming from previous audits.

The audit scope covered the four TTPs: NEXUS, CANPASS, FAST and CDRP. The audit team visited offices and regional divisions involved in processing applications, enrolment, and risking and re-risking in the Southern Ontario, Pacific, Québec and Northern Ontario Regions. The audit covered the 2010 and 2011 years and excluded issues related to the deposit of revenues.

An audit of the Trusted Traveller Programs was approved by the Agency's Audit Committee as part of the Risk-Based Audit Plan 2011-12 – 2013-14.

RISK ASSESSMENT

Our risk assessment conducted during the planning phase identified the following key risk areas:

  • If the process or legislation for approving applications for membership in the TTPs is deficient, this poses a risk that applicants – other than low-risk – could enter Canada under the programs.
  • If the Agency does not continuously monitor existing trusted travellers to verify that they remain "low-risk", the Agency might not recognize a situation in which someone subsequently may pose an increased risk.
  • If the process for revoking membership in the program is not working as intended, there is a risk that higher-risk people will retain their trusted traveller status.
  • Any deficiencies in the redress processes create two risks. First, the Agency could inappropriately revoke someone's trusted traveller privileges. Second, the Agency could fail to revoke the trusted traveller status of someone who may pose other than a low risk.

APPROACH AND METHODOLOGY

The examination phase of this audit was performed using the following approach:

  • reviewing legislation, policies, procedures, guidelines, performance information and reports;
  • analysing and comparing data and information from various sources and systems;
  • interviewing and surveying stakeholders;
  • visiting four regions;
  • reviewing trusted traveller files; and
  • reviewing management action plans relevant to previous audits.

AUDIT CRITERIA

Given the preliminary findings from the planning phase, the following criteria were chosen:

Lines of Enquiry | Audit Criteria
Admittance to the Trusted Traveller Programs | 1.1 The Agency admits only eligible applicants to the Trusted Traveller Programs.
Monitoring of existing trusted travellers | 2.1 Monitoring mechanisms exist to ensure quality and timeliness.
Monitoring of existing trusted travellers | 2.2 Risking and re-risking controls are well-designed and function as intended.
Monitoring of existing trusted travellers | 2.3 Membership in the Trusted Traveller Programs is revoked for anyone who has been identified as posing an increased risk.
Monitoring of existing trusted travellers | 2.4 "Above" low-risk members are monitored to ensure their net risk level is reduced to low.
Redress mechanisms | 3.1 Mechanisms for handling requests for review (of rejections, suspensions or cancellations) are well-designed and work as intended.
Follow-up to the previous audit recommendations | 4.1 The Agency has addressed findings from previous internal audits and the Office of the Auditor General relating to Trusted Traveller Programs.


APPENDIX B – LIST OF ACRONYMS

Agency: Canada Border Services Agency
Regions: The Regions of the Operations Branch of the Canada Border Services Agency
TTPs: Trusted Traveller Programs
CANPASS: Canadian expedited passage program
CDRP: Commercial Driver Registration Program, a Canadian expedited passage program
NEXUS: US-Canada expedited passage program
FAST: Free and Secure Trade, a US-Canada expedited passage program for commercial drivers
IMS: Intelligence Management System
CIIMS: Criminal Investigations Information Management System
RABC: Remote Area Border Crossing program, a sub-program of CANPASS
SOPs: Standard operating procedures