Note: [*] An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and the Privacy Act.
Table of contents
- 1.0 Introduction
- 2.0 Significance of the audit
- 3.0 Statement of conformance
- 4.0 Audit opinion
- 5.0 Key findings
- 6.0 Summary of recommendations
- 7.0 Management response
- 8.0 Audit findings
- Appendix A – About the audit
- Appendix B – List of acronyms
1.0 Introduction
1. The Canada Border Services Agency (CBSA/the Agency) is responsible for facilitating legitimate trade and interdicting inadmissible goods into Canada. In fiscal year 2016–2017, there were 4.4 million air shipments that arrived in Canada while the CBSA processed a total of 17.3 million commercial shipments from all modes. As part of its priority to “Secure the Border Strategically,” one of the initiatives is to collect advance commercial data in order to risk assess goods before they arrive at the border.
2. The Advance Commercial Information (ACI) program was introduced under the Customs Action Plan and the Shared Border Accord in April 2004 and was implemented in July 2006 for the air mode. It requires that air carriers and freight forwarders electronically transmit data to the CBSA four hours prior to arrival in Canada or at wheels up, depending on the flight length. At the time of the audit, the CBSA was not enforcing freight forwarder compliance due to Information Technology (IT) challenges.
3. The Customs Act and the Reporting of Imported Goods Regulations establish when, how, and who is responsible for sending ACI data on commercial cargo importations including in-transit, freight remaining on board, and conveyances entering or moving through Canada. The requirements for ACI data are defined in the Electronic Commerce Client Requirements Document (ECCRD). To transmit ACI data, carriers must be issued a carrier code by the CBSA.
4. The receipt of pre-arrival data enables the CBSA to more effectively manage higher-risk goods and identify threats to health, safety, and security prior to the arrival of those goods in Canada and allow lower risk goods a more efficient, streamlined process at the border. When data does not meet the requirements, the Agency may choose to resolve the issue with the carrier, issue a penalty, implement an action plan to remedy non-compliance or suspend the carrier from moving commercial goods. After a penalty is issued, carriers may appeal the validity of the penalty with the CBSA.
5. The Customs Electronic Commerce Platform (CECP), Accelerated Commercial Release Operations Support System (ACROSS) and TITAN are three legacy IT systems used by the CBSA to receive, store and assess ACI data. The operational criticality of these systems has been acknowledged in the CBSA IT Plan 2018–2021 and the systems have been identified as aging applications which will be decommissioned.
6. At the time of the audit, four branches within the CBSA were involved in the ACI program. The Programs Branch is responsible for establishing and maintaining policies for the ACI Program and for administering carrier codes. When ACI is submitted, the Operations Branch is responsible for risk-assessing commercial goods and examining high-risk shipments. The identification of non-compliance with the policies is a shared responsibility between the Operations Branch and the Programs Branch. The Recourse Directorate of the Corporate Affairs Branch, on behalf of the Minister, reviews appeals made following the issuance of penalties and manages all associated litigation before the Federal Court. Finally, the Information, Science and Technology Branch is responsible for managing the IT systems which support the commercial risk assessment process. Since the completion of the audit, the CBSA undertook an organizational restructuring which resulted in a new structure and branch names. For the purpose of this report, the observations and findings use branch names in effect at the time of the audit while recommendations and resulting management responses use the new branch names.
2.0 Significance of the audit
7. ACI data is transmitted electronically by carriers and freight forwarders [Footnote 1] to the CBSA. Timely and complete data is important to the Agency as the data is used by targeting officers in the Operations Branch to assess whether goods are high risk before they arrive at the border. [*] The Agency’s reliance on data is increasing as the Agency works towards implementing the CBSA Renewal vision of leveraging technology and intelligence to expedite the flow of legitimate goods by identifying high-risk cargo with more precision.
8. The audit objective was to provide assurance that an adequate management control framework and systems were in place to ensure that the receipt of ACI data in the air mode was compliant with policies and of sufficient quality to allow the CBSA to conduct an effective pre-arrival risk assessment of commercial goods.
9. The audit scope covered the management control framework in place for data quality and integrity for the commercial risk-assessment process in the air mode. It also focused on the adequacy of the systems in place to support the receipt of electronic ACI data submitted to the CBSA. The audit planned to assess ACI data in the air mode from April 2016 to November 2017. However, limitations accessing archived data prevented the audit team from conducting all procedures within the planned scope.
10. The audit excluded the targeting process, the operational processes related to the release of goods, referrals for examinations, secondary examinations, conveyance examinations, and the collection of duties and taxes on imported goods, as they have been addressed by previous assurance work and for which CBSA management action plans were developed.
3.0 Statement of conformance
11. The audit conforms to the Mandatory Procedures for Internal Auditing in the Government of Canada, as supported by the results of the quality assurance and improvement program. The audit approach and methodology followed the International Standards for the Professional Practice of Internal Auditing as defined by the Institute of Internal Auditors and the Mandatory Procedures for Internal Auditing in the Government of Canada, as required by the Treasury Board’s Directive on Internal Audit.
4.0 Audit opinion
12. The Agency has established some aspects of a management control framework; however, improvements are needed in the management of non-compliance, planning, monitoring and reporting of ACI, as well as in the management of the information technology applications which support the commercial risk assessment process. The improvements can help ensure complete and timely data is obtained and that resources are used to conduct effective pre-arrival risk assessments of commercial goods.
5.0 Key findings
13. Policies have been established for ACI in the air mode and are consistent with legislation and regulation.
14. Processes to identify non-compliance and manage non-compliant carriers more effectively should be improved to ensure the CBSA obtains complete and timely ACI data.
15. The Agency will continue to use legacy IT applications to support ACI in the air mode in the near and medium term. Improvements are required to manage user access controls to ACROSS and to ensure that an audit trail exists for emergency changes to systems.
16. Strategic direction for ACI, including the identification of priorities and risks, is not defined. With the exception of the reporting of penalties issued, monitoring and reporting of ACI results is not taking place and the extent of ACI non-compliance is not known. A clear plan for the future of the IT systems in support of ACI is required to fully implement the Agency’s vision for an efficient, risk-based compliance model.
6.0 Summary of recommendations
17. The audit makes six recommendations relating to:
- Updating the Commercial Compliance Strategy and developing and implementing clear and comprehensive guidelines for the management of carrier non-compliance;
- Reviewing the access controls related to ACROSS;
- Ensuring that approval for IT emergency changes to applications is documented;
- Establishing a clear plan to stabilize the commercial applications and initiatives required to efficiently process and assess ACI data;
- Developing and implementing a strategic plan to articulate the Agency’s vision and to address the current gaps in program integrity associated with the legacy systems; and
- Implementing a regular monitoring and reporting process to ensure that management can benefit from performance results required for sound decision-making.
7.0 Management response
The Vice-President of the Commercial and Trade Branch and the Vice-President of the Information, Science and Technology Branch are committed to ensuring that effective processes and systems are in place to allow the CBSA to conduct an effective pre-arrival risk assessment of commercial goods. As such, we agree with the audit report and accept all six recommendations. The Vice-President of the Commercial and Trade Branch and the Vice-President of the Information, Science and Technology Branch, in collaboration with the Vice-President of the Intelligence and Enforcement Branch, will continue to implement the changes required to improve the risk assessment process of commercial goods arriving in the air mode. Several initiatives have already been undertaken to start addressing the audit recommendations.
8.0 Audit findings
8.1 ACI policies
18. The Customs Act and the Reporting of Imported Goods Regulations establish when, how, and who is responsible for submitting to the CBSA ACI data on commercial cargo importations, including in-transit, freight remaining on board, and conveyances entering or moving through Canada. Communicating up-to-date policies is important to ensure compliance requirements are well articulated and that stakeholders understand their responsibilities. Our audit assessed whether internal policies were developed, reviewed, updated and communicated to ensure the ACI data received in the air mode is compliant with legislation and regulations.
19. We found that CBSA policies and ACI requirements were clearly defined and aligned to legislation and regulations. The Programs Branch has defined the requirements for data completeness in the ECCRD and has implemented a process to manage carrier codes. The updates to policies and procedures are also defined and changes are communicated to stakeholders through various types of products such as emails, operational bulletins and customs notices.
8.2 Data completeness and timeliness
20. ACI data is used by targeting officers to conduct pre-arrival risk assessments. The Customs Act mandates that the ACI be true, accurate and complete and the Reporting of Imported Goods Regulations specify time of reporting. Goods deemed as being high risk to the health, safety and security of Canadians are referred to be examined by border services officers (BSOs) working at airports. Data timeliness and completeness is critical, as the decision to refer a shipment for examination or to authorize the goods to move is based on the data submitted. The ECCRD specifies the requirements with which carriers must comply for each data field of an ACI submission.
21. We selected 14 mandatory data fields to assess, based on their importance to the work of the targeting officers. In a sample of 60 randomly selected cargo records, we found that 25 records were not compliant, as the information submitted did not meet one or more of the requirements defined in the ECCRD. While all fields contained data, 22 of 25 records were considered incomplete to perform a thorough risk assessment. The most problematic data fields related to shipper street name and address, shipper postal code and description of goods. Examples of non-compliance observed were information not provided in the proper field, postal code not meeting the format prescribed in the ECCRD and insufficient description of goods. Current systems controls relate to the number of characters allowed for the fields. As these fields are free text fields, the system control does not improve compliance related to the quality of the information submitted.
22. Timely receipt of data is important as targeting officers prioritize their workload according to when flights are expected to arrive. [*]
23. The audit reviewed timeliness of ACI air cargo data submissions to assess whether timelines were respected by carriers. The audit team encountered an issue with performing this procedure using data from the identified scope period, as we learned that once ACI data is archived in CBSA systems after a period of 120 days, the time-stamp associated with transactions (hour and minutes of the transaction) can no longer be retrieved from the systems. As a result of this limitation, a more recent [Footnote 2] random sample of 60 records was selected for our procedures.
24. We found that 55 of 60 records had been provided to the CBSA in a timely manner. One submission did not include the estimated departure date and time, and therefore the audit team could not assess timeliness. The remaining four records were found to be non-compliant, as they were flights under four hours and data was submitted after the flight had departed. When data is not received in a timely manner, goods may arrive in Canada before having been risk-assessed. This was the case for two of the four ACI submissions which had not been received in a timely manner.
25. In summary, incomplete and untimely receipt of data presents operational challenges. [*]
26. Concerns related to data completeness and timeliness are addressed under recommendation 1 of this report.
8.3 Identification of ACI non-compliance and issuance of penalties
27. The identification and management of non-compliance is important for the Agency, because data completeness and timeliness can only be improved if the carriers are made aware that they do not meet the ACI requirements, and remedy the situation for future submissions.
28. Currently, the responsibility for identifying non-compliance is shared between targeting officers at the National Targeting Center (NTC), border services officers (BSOs) in the Operations Branch and the Transporter Compliance Unit (TCU) within the Programs Branch:
- The NTC has the mandate to identify suspected high-risk people, goods and conveyances through the Targeting Program. Although this mandate is not specifically related to identifying non-compliance, the Enforcement Manual [Footnote 3] requires Targeting Officers who encounter data quality issues to refer ACI non-compliance to the TCU. [*]
- BSOs are in a position to confirm the accuracy of the data provided when examining goods following a referral from the NTC. As such, BSOs can identify ACI non-compliance if actual goods do not match the reported ACI. Interviews with BSOs indicated that while they are aware of their responsibilities regarding identification of non-compliance, they would benefit from additional guidance on how to correctly document cases of ACI non-compliance.
- TCU responsibilities include conducting monitoring of all data submitted by carriers to identify potential ACI non-compliance. Detailed procedures exist and include sampling and assessing transactions for non-compliance. However, no evidence of proactive monitoring of carriers, such as sampling, was implemented during the scope of the audit.
29. As a result of limited non-compliance identification by all three groups, the extent of ACI non-compliance is not known.
Issuance of penalties and appeals
30. The Administrative Monetary Penalty System is used by the CBSA as a means to correct non-compliance and ultimately improve data quality and timeliness. The Master Penalty Document contains descriptions for all penalties that may be applied to commercial clients including importers, exporters, brokers, warehouse and duty-free shop operators, carriers, freight forwarders or their representatives.
31. Table 1 presents the five penalties specific to ACI data that we examined as part of the audit.
|Penalty|Description|
|C378|Person failed to submit the prescribed pre-load/pre-arrival information relating to their cargo and/or conveyance.|
|C379|Person failed to submit advance information in the prescribed time or prescribed manner to the Agency.|
|C380|Person failed to comply with a notification issued by the CBSA regarding the goods on board or expected to be on board the conveyance.|
|C381|Person failed to notify the Agency within prescribed timeframes and without delay of any correction to any pre-arrival or pre-load information sent to the Agency.|
|C382|Person submitted information prescribed by the Reporting of Imported Goods Regulations that was not true, accurate and complete.|
32. During the scope of the audit, both BSOs and TCU staff were authorized to issue ACI penalties. As of June 1, 2018, program management re-centralized the issuance of penalties with TCU to ensure a better management of non-compliant carriers and a more standardized approach in the issuance of penalties.
33. We reviewed a random sample of 30 ACI penalties issued to carriers to assess whether the amount, type and level of the penalty was appropriately applied. For all penalties reviewed, no gaps were noted.
34. Carriers can appeal penalties issued against them if they believe they are not warranted. The Recourse Directorate ultimately determines whether penalties are upheld or overturned. We examined appeals related to ACI to understand the reasons for appeals and the resulting decision.
35. Twenty-two appeals received by the Agency within the audit scope were related to ACI penalties. Of these, 14 cases were upheld by the Recourse Directorate. The remaining eight cases were overturned for various reasons, including a lack of supporting documentation, the issuance of the incorrect penalty or because it was found that the CBSA experienced a systems outage at the time of the ACI submission, preventing the data from being submitted in a timely manner.
36. Aside from issuing a penalty, other means exist to encourage carriers to improve compliance, ranging from outreach to the issuance of sanctions. The Programs Branch developed a Commercial Compliance Strategy in 2015, to provide high-level information on managing stakeholder compliance in the commercial stream. However, detailed guidelines that establish a clear continuum of actions required based on the level of non-compliance were not developed. As such, a risk exists that carriers may not all be penalized consistently, potentially creating an uneven playing field in the industry.
Recommendation 1: The Vice-President of the Commercial and Trade Branch, in collaboration with Intelligence and Enforcement Branch, should update its Commercial Compliance Strategy and develop and implement clear and comprehensive guidelines for the management of carrier non-compliance related to ACI.
The Vice-President of the Commercial and Trade Branch agrees with the recommendation and will ensure, through collaboration with the Intelligence and Enforcement Branch, that the Commercial Compliance Strategy is updated and that clear and comprehensive guidelines for the management of carrier non-compliance related to ACI are developed and implemented.
8.4 Information Technology Systems
37. CECP, ACROSS and TITAN are the three CBSA IT applications used to receive, store and assess ACI data. Their operational criticality has been acknowledged in the CBSA IT Plan 2018–2021. [*] TITAN and the majority of ACROSS were expected to be decommissioned with the implementation of eManifest. At this time, functionalities expected with eManifest have not been fully stabilized, and there are no clear timelines for replacing and decommissioning the applications. Additionally, although some planning and analysis has begun, plans for CECP replacement are undefined due to lack of funding.
38. Our assessment included a review of controls of the three applications to ensure that the right people have access to the data, that systems were secure and stable, and that data integrity was preserved as data moved through the various systems.
39. User access controls can help ensure that only individuals with the need to access, modify or save data can perform these actions. The Operational Security Standard: Management of Information Technology Security 16.4.3 requires that user access be reviewed periodically. Table 2 presents the number of users for each system, by type of account. The team noted that 632 generic accounts existed in ACROSS. Generic accounts do not allow for accountability of actions performed in the application, as transactions cannot be associated with a particular user.
40. We selected a random sample of 40 users with regular access and 10 users with privileged [Footnote 6] access for ACROSS and TITAN to assess whether users were CBSA employees. The audit team’s observations are consistent with the weaknesses identified in the 2011 Threat and Risk Assessments (TRAs) conducted for each system. Like the TRAs, we found that access was not regularly monitored by application owners, and that consequently, many of the users sampled were not current CBSA employees. Of particular note, 7 of 10 users with privileged access to ACROSS reviewed were not current CBSA employees. Table 3 presents the results for each system, for regular and privileged access.
|Systems||Users with Privileged Access||Users with Regular Access|
|CBSA Employee||Not currently a CBSA Employee||CBSA Employee||Not currently a CBSA Employee|
41. We also assessed all users of CECP and did not identify any gaps with respect to access for regular and privileged access. Application owners grant access to new users for a period of six months and conduct semi-annual monitoring of CECP user access thereafter, which helps to ensure that access is appropriate.
42. We reviewed whether the roles and related systems rights assigned to users in all three systems were reasonable for their duties. User roles assigned to TITAN and CECP were reasonable. Although 51 out of the 66 ACROSS roles found in the user list were documented, 15 roles and associated access rights were not. Therefore, we could not assess reasonableness of access for ACROSS.
43. Although weaknesses in user access were noted, compensating controls exist to protect the network and applications from unauthorized access, such as locking network access when a user’s network profile is inactive and providing mainframe access only to users listed in the system. Furthermore, the Agency started implementing the Access Review and Certification Application in October 2017, which requires managers to review their employees’ permissions to ensure their systems access is appropriate. TITAN is included in this process.
Recommendation 2: The Vice-President of the ISTB, in collaboration with the Commercial and Trade and the Intelligence and Enforcement Branches, should review the access controls related to ACROSS, including expired accounts, generic user identification and documentation of user access roles.
Agreed. The Vice-President of the ISTB, in collaboration with the Commercial and Trade and the Intelligence and Enforcement Branches, will conduct a review of the ACROSS expired accounts, of the ACROSS generic user identification, and of the documentation of ACROSS user access roles.
As a result of that review, the Vice-President of the ISTB, in collaboration with the Commercial and Trade and the Intelligence and Enforcement Branches, will define a strategy to expire the ACROSS expired accounts, define when generic user identification can be authorized, and document the ACROSS user access roles.
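The access review described in paragraphs 39 to 42 (generic accounts, accounts held by people who are no longer employees, undocumented roles, and overdue periodic reviews) can be run as a reconciliation of an application's account export against the employee roster and the documented role list. The Python below is an added example, not CBSA code or tooling; the CSV layout, field names, role names, employee identifiers and every data value are constructed for illustration, and the review interval of roughly six months is an assumption modelled on the CECP practice in paragraph 41.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Assumed review interval (~six months), modelled on the CECP practice.
REVIEW_INTERVAL = timedelta(days=183)

# Constructed account export; an empty employee_id marks a generic account.
ACCOUNTS_CSV = """\
user_id,employee_id,access_level,role,last_reviewed
jsmith,E1001,regular,RELEASE_CLERK,2018-03-01
akhan,E1002,privileged,SYS_ADMIN,2017-06-15
mroy,E1003,privileged,SYS_ADMIN,2018-02-20
tlee,E1004,regular,TARGETING_VIEW,2018-04-10
port01,,regular,RELEASE_CLERK,2016-01-05
bwong,E1005,regular,LEGACY_BATCH,2018-05-01
"""

# Constructed HR roster and role documentation.
CURRENT_EMPLOYEES = {"E1001", "E1003", "E1005"}
DOCUMENTED_ROLES = {"RELEASE_CLERK", "SYS_ADMIN", "TARGETING_VIEW"}


def load_accounts(text):
    """Parse the account export and convert review dates to date objects."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["employee_id"] = row["employee_id"].strip()
        row["last_reviewed"] = date.fromisoformat(row["last_reviewed"])
        accounts.append(row)
    return accounts


def review_access(accounts, current_employees, documented_roles, as_of):
    """Return (findings, table).

    findings maps each finding type to the affected user_ids.
    table counts accounts by (access_level, holder status), the same
    breakdown an auditor would report per system.
    """
    findings = {
        "generic": [],                 # no individual accountability
        "not_current_employee": [],    # holder not on the roster
        "privileged_not_current": [],  # highest priority to disable
        "undocumented_role": [],       # reasonableness cannot be assessed
        "review_overdue": [],          # periodic review missed
    }
    table = Counter()
    for acct in accounts:
        uid = acct["user_id"]
        if not acct["employee_id"]:
            status = "generic"
            findings["generic"].append(uid)
        elif acct["employee_id"] not in current_employees:
            status = "not_current"
            findings["not_current_employee"].append(uid)
            if acct["access_level"] == "privileged":
                findings["privileged_not_current"].append(uid)
        else:
            status = "current"
        table[(acct["access_level"], status)] += 1

        if acct["role"] not in documented_roles:
            findings["undocumented_role"].append(uid)
        if as_of - acct["last_reviewed"] > REVIEW_INTERVAL:
            findings["review_overdue"].append(uid)
    return findings, table


if __name__ == "__main__":
    accounts = load_accounts(ACCOUNTS_CSV)
    findings, table = review_access(
        accounts, CURRENT_EMPLOYEES, DOCUMENTED_ROLES, as_of=date(2018, 6, 1)
    )
    for name, users in findings.items():
        print(f"{name}: {', '.join(users) or 'none'}")
    for (level, status), count in sorted(table.items()):
        print(f"{level:<10} {status:<12} {count}")
```

Keeping the four checks separate matters for follow-up: an account can be held by a current employee and still carry an undocumented role, so a roster match alone does not make the access reasonable.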
44. The Security Management Control Method (SMCM) has been established at the CBSA to ensure that sufficient security safeguards are implemented before systems are put on the network.
45. As the three applications are legacy systems which predate the SMCM, we found that they were assessed under older processes and that recommendations were made by IT security to improve the information security of the applications. However, documentation supporting the closure of these recommendations was not available. [*] During the audit, we were informed that standards have since been established to improve the retention of documentation.
Application releases, patches and segregation of duties
46. The Release Management Method and Operations Management Method, and supporting procedures, require that changes to applications be approved and tested. Approvals, embedded in the processes, need to preserve segregation of duties between application development and production.
47. We reviewed documentation for a sample of eight changes related to CECP, ACROSS and TITAN. For the most part, releases complied with departmental processes. However, in the two emergency changes reviewed, the approval was not documented. Approvals were said to have been granted verbally or by text messages. Because the emergency changes procedures document does not specify whether verbal or written approval is acceptable, the approval of all emergency changes could not be demonstrated.
Recommendation 3: The Vice-President of the ISTB should review the procedure for emergency changes to IT systems to specify that sufficient documentation is retained to demonstrate the approval of the change.
Agreed. The Vice-President of the ISTB will ensure that the procedures for emergency changes to IT systems are reviewed, and if necessary amended, to ensure that sufficient documentation is retained to demonstrate the approval of the change.
48. Once received by the CBSA, ACI data is transmitted from CECP, through ACROSS and TITAN. A random sample of 30 transactions was tested to assess whether data integrity was preserved during transmission. No gaps related to integrity of data flowing between CECP, ACROSS and TITAN were found.
49. CECP and ACROSS also have data validation rules, which assess data to ensure they meet certain parameters and to prevent syntax errors (such as incorrect number of characters or alpha-numerical requirements). We tested four validation rules to assess whether they were working as intended.
50. We found that three of four validation rules reviewed were operating effectively. One validation rule, designed to ensure United States zip codes met the appropriate parameters, was not working as expected; it had been developed but had not been put into production. [*]
8.5 Strategic planning, monitoring and reporting
51. The effective management of public funds depends on the collection of reliable data and is supported by effective planning, monitoring and reporting [Footnote 7]. The audit looked at whether plans were in place to support the strategic direction for ACI, and whether monitoring and reporting was taking place.
52. For many years, through Blueprint 2020, Border Modernization and more recently via the CBSA Renewal initiative, the Agency has communicated the desire to establish a risk-based compliance model where technology and intelligence will be used to expedite the flow of legitimate goods and people with more precision in identifying higher and unknown risk cargo for greater scrutiny. The use of data analytics was also identified as a key priority driving the vision for ACI, as it would allow targeting officers to better leverage information, such as intelligence, when making decisions to refer cargo for examination. This approach is expected to be more comprehensive and efficient than current practices.
53. However, this vision is dependent on the complete roll-out of specific functionalities associated with eManifest. [*] At the time of the audit, these functionalities were on hold for lack of funding, and a strategic plan had not been developed to outline priorities, activities and associated timelines to demonstrate how the vision for ACI would be achieved.
55. Without a clear plan and sufficient resources to implement the plan, the Agency may not succeed in implementing the changes necessary to achieve its vision for commercial risk assessment.
Recommendation 4: The Vice-President of the ISTB, in collaboration with the Commercial and Trade and Intelligence and Enforcement Branches, should establish and implement a plan to stabilize the commercial applications and initiatives required to efficiently process and assess ACI data.
Agreed. The Vice-President of the ISTB, in collaboration with the Commercial and Trade and the Intelligence and Enforcement Branches, will establish and implement a plan to stabilize the commercial applications and initiatives required to efficiently process and assess ACI data.
As a result of that plan, the Vice-President of the ISTB, in collaboration with the Commercial and Trade Branch and the Intelligence and Enforcement Branches will define a strategy to stabilize the commercial applications to allow for efficient processing and risk assessment of ACI data.
Recommendation 5: The Vice-President of the Commercial and Trade Branch, in collaboration with the ISTB, should develop and implement a strategic plan to articulate the Agency’s vision for ACI in the air mode. This plan should include a strategy to address the gaps in program integrity associated with the current challenges around ACI IT systems.
The Vice-President of the Commercial and Trade Branch agrees with the recommendation and will ensure, through collaboration with ISTB and other areas as appropriate, that the Commercial and Trade Branch will develop a strategic plan for ACI in the air mode. The strategic plan will include consideration to address program integrity related to IT systems issues.
Monitoring and reporting
56. The audit assessed whether monitoring of trends, issues, results and performance for ACI activities was reported to management on a regular basis.
57. Through the Agency Performance Summary, the Programs Branch presents quarterly results on volumes of penalties issued, results of appeals, referrals, and the CBSA performance against the three-day standard for issuing carrier codes. While performance results were not mode-specific at the time of the audit, the Programs Branch began presenting mode-specific results of internal key performance indicators in June 2018.
58. The NTC in Operations Branch proactively tracks ACI performance information. Monthly reports are produced on ACI non-compliance in the air mode. The NTC has also recently started performing data analysis to compare information provided in the release documents, a source of information related to accounting of goods, to the ACI data, submitted earlier in the process. This analysis aims to demonstrate and quantify the benefits of obtaining the release data at the time of pre-arrival to better inform the targeting risk-assessment.
59. Although the Agency has established capabilities to monitor and report on ACI activities, it has not implemented measurement or reporting of the overall data quality and the results of the different actions taken in the management of non-compliance related to the ACI data. Therefore, program management may not be informed of trends, risks, results and performance of the ACI program and appropriate adjustments to the ACI program may not be made.
Recommendation 6: The Vice-President of the Commercial and Trade Branch should implement regular monitoring and reporting of ACI performance to provide program management with timely information for decision-making.
The Commercial and Trade Branch agrees to develop a performance measurement strategy to enable the collection of performance data for program monitoring and management of ACI in air mode. This will include the review of available data elements, reviewing priorities and the development and inclusion of performance indicators within the Agency Performance Summary.
Appendix A – About the audit
Audit objective and scope
The audit objective was to provide assurance that an adequate management control framework and systems are in place to ensure that the receipt of Advance Commercial Information (ACI) in the air mode is compliant with policies and of sufficient quality to allow the CBSA to conduct an effective pre-arrival risk assessment of commercial goods.
The audit scope covered the management control framework in place for data quality and integrity for the ACI program in the air mode. It also focused on the adequacy of the systems in place to support the receipt of electronic ACI data submitted to the CBSA. The audit included all ACI data in the air mode that was submitted from April 2016 to November 2017.
An audit of Advance Commercial Information System Data Quality/Integrity – Air was approved by the Agency’s Audit Committee as part of the Risk-Based Audit Plan 2017–2022.
A preliminary risk assessment was conducted during the audit planning phase to identify potential areas of risk as well as audit priorities. Risk assessment activities included interviews with stakeholders from the ACI program – Air mode, reviews of relevant documentation and preliminary analysis of ACI data. As a result of this assessment, the following key risks were identified:
- [*] – Air mode in receiving quality data and in maintaining data integrity.
- Applications and data security controls may not be established and implemented to ensure ACI data quality and integrity.
- Applications supporting the receipt of ACI data in the air mode may not be maintained and updated according to industry best practices and agency processes.
Compliance with legislation and policies
- Mandatory ACI data requirements identified in the CBSA policies may not be aligned with legislation, regulations, and pre-arrival risk assessment needs.
- Preventive and corrective mechanisms in place may not be sufficient in deterring non-compliance in ACI.
Data quality (timeliness and completeness) of ACI data submitted
- Strategic direction and planning related to data quality may not be sufficient to ensure the success of the program.
Monitoring and reporting
- Formal monitoring and reporting processes may not be established to provide senior management with timely information related to the ACI program – Air mode for decision-making.
Approach and methodology
The examination phase of this audit was performed using the following approach:
- Review of legislation, regulations, policies, directives, procedures and other documents governing the ACI program.
- Interviews with various stakeholders on their roles and responsibilities, compliance and monitoring functions, and operating controls in relation to the ACI program and IT systems.
- Review and analysis of the quality and integrity of ACI data submitted to CBSA and review of available documents and reports related to the ACI programs and IT systems.
- Site visits, including walk-throughs of processes and systems, with the National Targeting Centre and with the Air Cargo Services Centre at three locations: the Ottawa International Airport, the Montreal International Airport and the Toronto International Airport.
The audit criteria are aligned with the Government’s Management Accountability Framework (MAF), the framework of Core Management Controls and Audit Criteria (CMC) established by the Office of the Comptroller General and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Principles of Effective Internal Control and Control Objectives for Information and Related Technologies (COBIT).
Given the preliminary findings from the planning phase, the following criteria were selected:
|Lines of enquiry|Audit criteria|
|---|---|
|1. IT Systems – Application controls, Sustainability, data integrity and security.|1.1 Applications have been adequately reviewed to validate security controls and access controls and segregation of duties are appropriate.|
||1.2 Application releases and patches are implemented and tested in compliance with departmental processes.|
||1.3 CECP and ACROSS validation checks are reviewed periodically and data integrity of information within the ACI process is preserved between CECP, ACROSS and TITAN.|
||1.4 Strategic direction and planning related to the ACI systems have been defined to address the issue of aging infrastructure.|
|2. Compliance with legislation, regulations and procedures|2.1 CBSA ACI policies are developed, reviewed, updated and communicated to ensure the ACI program – Air mode is in compliance with legislation and regulations.|
||2.2 An effective mechanism to identify and manage non-compliance is in place and is supported by trained resources.|
||2.3 The Administrative Monetary Penalty System is in place to identify, validate, issue, and monitor penalties issued to non-compliant carriers.|
||2.4 Carrier codes are issued, validated and revoked according to legislation and monitoring is in place to ensure proper management of the carrier identification requirement.|
|3. Data Quality|3.1 ACI data submitted by the carriers is complete and timely to ensure that targeting activities can be performed.|
||3.2 Strategic direction and planning for the ACI program – Air mode have been defined, documented, implemented and communicated to ensure the improvement of data quality and the success of the program.|
|4. Monitoring and Reporting|4.1 A monitoring and reporting process is in place to inform senior management about the ACI program – Air mode trends, issues, results, and performance.|
Appendix B – List of acronyms
- Advance Commercial Information
- Accelerated Commerce Release Operations Support System
- border services officer
- Canada Border Services Agency
- Customs Electronic Commerce Platform
- Electronic Commerce Client Requirements Document
- Information, Science and Technology Branch
- Information Technology
- National Targeting Centre
- Security Management Control Method
- Transporter Compliance Unit
- Threat and Risk Assessment