Audit of postal operations

Introduction

The Canada Border Services Agency (the CBSA, or the agency) is legislated to provide integrated border services that support national security and public safety priorities, while facilitating the free flow of persons and goods, including animals and plants, that meet all requirements under the program legislation.

The agency and the Canada Post Corporation (CPC) both have legislative authorities^{Footnote 1} and responsibilities for processing the importation of international mail arriving in Canada. Their partnership was formalized in 1992 through the Postal Imports Agreement (PIA), which outlines the roles and responsibilities of each party related to the processing of postal imports through the postal customs clearance process.

Paragraph 99(1) (b) of the Customs Act^{Footnote 2} gives the CBSA the authority to examine imported mail where it is suspected, on reasonable grounds, that it contains dutiable goods or goods that are prohibited, controlled or regulated by legislation and applicable acts.

The CBSA international mail processing (postal) operations include primary and secondary examinations^{Footnote 3} and assessment of applicable duties and/or taxes. The CBSA performs these functions while simultaneously seeking to facilitate the movement of international mail processing and distribution by Canada Post. Mail items that do not require CBSA intervention or that are deemed admissible are released to CPC for delivery.

The CBSA postal program is managed by the Commercial Program Directorate within the Commercial and Trade Branch (CTB). The CBSA postal operations are conducted by the regions and operate within the CPC international mail processing facilities in Greater Toronto Area, Vancouver and Montréal. These facilities serve to centralize the importation of mail into Canada and to expedite its clearance and delivery.

Since 2012, the CBSA's postal mode has been undergoing transformation in order to modernize its operations. The Postal Modernization Initiative (PMI) includes an upgrade of both infrastructure (addition of conveyor belts) and Information Technology (IT) systems so that the CBSA can strengthen efficiencies and improve risk management capabilities for the interdiction of contraband and for collecting duties and taxes. This has been achieved through the implementation of a pre-arrival risk assessment system, the Postal Operations Support Tool (POST), and an automated tax and duty rating system Customs Declaration System (CDS). PMI is being completed in stages across the three mail centres—Vancouver in May 2014^{Footnote 4}, Greater Toronto Area and Montréal in fiscal year 2024 to 2025^{Footnote 5}.

About the audit

The objective of this audit was to assess whether controls in the international mail processing operations are designed to adequately mitigate risks, and whether governance and oversight mechanisms are in place to ensure that corrective actions are taken in a timely manner.

Audit scope inclusions

The scope period spanned from April 1, 2023 to March 31, 2024 and included:

• key postal operational controls and procedures, including security and fraud controls
• roles and responsibilities of internal CBSA stakeholders implicated in the postal operations, including the communication mechanisms amongst the stakeholders for information sharing
• governance committees exercising oversight over postal matters, including reporting and monitoring activities, performance management, risk management, and continuous improvement activities

Audit scope exclusions

The audit scope excluded the following:

• processes and management of seizures and exports
• controls / activities performed by CPC and other government departments (OGD)^{Footnote 6}
• specific processes and controls that are directly part of the Postal Modernization Initiative (PMI)^{Footnote 7}, including infrastructure and system improvements
• processes related to collection of duties and taxes

Audit methodology

Collaboration and on-site visits at the International Mail Centres in Greater Toronto Area, Vancouver and Montréal, to perform walkthroughs, carry out design effectiveness testing and develop process narratives describing the operations.

• 55+ Stakeholders consulted across regional operations (all three mail centres), national headquarter representatives in Commercial and Trade Branch, Intelligence and Enforcement Branch, Intelligence, and Science and Technology Branch.
• 100+ Supporting documents reviewed such as Acts, Policies, Agreements and standard operating procedures.

Significance of the audit

While fulfilling the agency's key priority of effective border protection for commercial goods, the CBSA also works to facilitate the movement of admissible goods. Identifying and interdicting contraband, particularly firearms and narcotics, are a part of this process.

Small parcel streams such as the postal mode are often perceived as key transport methods for the illegal importation of firearms, firearm parts and ammunition. This is because of the anonymity: senders can provide inaccurate information on the customs declaration, and receivers can choose to have their packages sent to a post office box.

The agency combats the cross-border movement of firearms, illicit drugs and precursor chemicals using an array of measures to intercept illegal goods and substances at ports of entry. These measures include enhanced controls in the postal stream, including targeting and intelligence development, as well as detection tools and technology for the safe examination of goods that are suspected to contain dangerous items and highly toxic substances.

The agency also collaborates with partners by sharing intelligence and information to identify and interdict illicit shipments. The postal mode plays an important role as a gateway to cross-departmental federal investigation and enforcement actions through trends analysis and evidence gathering. In many scenarios, an interdiction by the CBSA leads to the point of identification and arrest of persons involved in the importation or exportation and distribution of that contraband^{Footnote 8}.

The CBSA's 2024 to 2025 Departmental Plan^{Footnote 9} includes its commitment to work with the CPC to ensure streamlined and strengthened operations at international mail centres in order to manage postal volumes on a daily basis and during peak periods, indicating the agency's commitment to focus on postal operations.

Although volumes in the postal mode have been on a downward trend after peaking in January 2020^{Footnote 10} (on average the rate of decline has fluctuated, averaging around 20% annually), the agency is continuing to intercept large amounts of prohibited, restricted and controlled goods.

The Universal Postal Union^{Footnote 11} created the CDS to help streamline the postal customs clearance process. The CDS enables postal operators (CPC and other foreign post offices) and customs administrators (the CBSA and relevant administrators in other countries) to exchange and leverage advance electronic data (AED), perform data-driven risk analysis to support mail selection and examination, and expedite the calculation of required duties and taxes^{Footnote 12}. The Universal Postal Union mandated the provision of AED on January 1, 2021, which includes a list of countries with specific customs- and security-based requirements to which the customs declaration information is sent in advance of the physical arrival of the postal items^{Footnote 13}.

The CBSA's postal operations have undergone significant changes over the last decade, including risk exposures brought by the rise of e-commerce, changes in volumes, new systems, operating equipment/set-up, and reliance on AED. The CBSA Postal Program's modernization efforts have been the subject of previous internal audits and evaluations (refer to Appendix B, Previous reports with gaps and recommendations for details), which identified gaps in roles and responsibilities as well as oversight, monitoring, change management and strategic vision. Some of the recommendations are still outstanding.

Aside from a Lean exercise conducted between 2019 and 2021 (refer to Appendix B, Previous reports with gaps and recommendations for details), the operational controls at the three mail centres have not been examined. Given the importance of the postal processing function to the agency's core mandate, it was important to assess whether the agency has a well-designed control framework for managing risks, ensuring compliance, and enhancing efficiency. This Audit was approved as part of the 2024 to 2025 Risk-Based Audit Plan.

Statement of conformance

This audit engagement conforms to the Treasury Board's Policy and Directive on Internal Audit and the Institute of Internal Auditors' (IIA) International Professional Practices Framework. Sufficient and appropriate evidence was gathered through various procedures to provide an audit level of assurance. The agency's internal audit function is independent and internal auditors performed their work with objectivity as defined by the IIA's International Standards for the Professional Practice of Internal Auditing.

Audit conclusion

The CBSA has established controls and procedures to conduct postal examinations and determine admissibility of international mail entering Canada. Although most of the key controls are designed effectively, opportunities exist to strengthen the postal program through updating and clarifying policy expectations, establishing risk management, and enhancing program monitoring and oversight. This will not only benefit the postal program as a whole by bringing greater consistency across operations, but it will also support the conclusion of PMI as it enters the "benefits realization" phase.

Additionally, gaps and risks highlighted in this report have been raised in previous engagements on the postal operations. The repetitive nature of these findings demonstrates a vulnerability in this area, some of which may be addressed by modernization efforts. However, modernization may also bring forward new risks and gaps that need to be considered in the context of outstanding findings. The risks and impacts are compounded when the gaps are consistently being identified but remain unaddressed.

While our recommendations mainly target the CBSA's operations, improvements should take into account all implicated postal stakeholders and their objectives, so that the overall risks and causes are addressed appropriately.

Key findings

• The roles and responsibilities are available and understood by the CBSA's postal internal and external stakeholders.
• The accountabilities for program oversight and risk management are not being executed by National Headquarters (NHQ) and regional operations to ensure compliance with issued policies and expectations. Some of the available postal agreements, policies and procedures are outdated and/or not reflective of the operating realities of the mail centres. Guidance is sometimes not clear or specific about how to implement the expectations. The lack of program monitoring and oversight has led to varying interpretations of the expectations for certain controls.
• A risk management process is not in place to formally communicate, identify and mitigate evolving and emerging postal risks. This is due to outdated policies, differing interpretations of expectations (or lack thereof), and changes to the postal mode as a result of modernization.
• Most of the key controls in the postal mode are designed effectively, but there is a lack of compensating and detective controls to identify and address potential gaps or risks in the control environment. This includes limited physical security controls and lack of program monitoring and oversight.
• Detection technology and tools were found to be available and leveraged by regional operations at the mail centres. However, there are opportunities where better oversight might help to determine whether the regions are optimizing the usage to improve effectiveness of the postal program.

Summary of recommendations

• Clarify and communicate the accountabilities of all key postal stakeholders, including program oversight and risk management for the postal program, so that postal-related issues, risks and best practices can be shared and used to inform strategic decision-making.
• Implement a postal control framework (based on updates to policies, procedures, regulations and postal agreements) as well as a monitoring framework to assess the effectiveness of the postal operations.

Management response

The Commercial and Trade Branch agrees to strengthen the management of the postal program by documenting and communicating updated roles and responsibilities, formalizing and communicating escalation protocols, documenting and tracking all risks, and assessing and implementing program and operational oversight accountabilities. A postal control framework will also be established to identify and monitor the effectiveness of the controls and processes in the postal operations.

Audit findings

The audit resulted in the findings below.

CBSA Postal mode management

The postal environment is a distinct aspect of the CBSA's business that requires guidance and collaboration from both NHQ and front-line operations. This includes ensuring that the agency meets its commitments to third parties and the Canadian public. A comprehensive postal management framework should include current policies and procedures, functional and operational accountabilities, and monitoring and oversight mechanisms to identify and mitigate evolving or emerging risks.

Key internal CBSA stakeholders that contribute to the framework are:

• the Commercial Program Directorate (identified as NHQ in this report) within the CTB, for overall postal program management
• the regional or front-line operations in the three mail centres, for executing postal operations
• the Intelligence and Investigation Directorate, including the Targeting Commercial Intelligence Unit, for performing postal targeting and intelligence activities for all three mail centres, and maintaining postal targets in the Postal Operations Support Tool (POST) system
• the Service Delivery Unit within the Information, Science and Technology Branch, for the maintenance and support of postal systems

Specific details of roles, responsibilities and accountabilities are covered in the sections that follow.

Additional stakeholders were excluded from the audit scope and are not part of the report. These include:

• the Regional Programs Directorate that liaises between NHQ and the regions as needed for specific tasking(s); and
• other government departments that help postal operations determine admissibility of goods.

Refer to About the audit section for details.

Postal agreements, policies and procedures

Documented agreements, policies, processes and guidance provide an authoritative reference for postal stakeholders to have a clear and common understanding of objectives, expectations and outputs in the delivery of the postal operations and related activities.

The PIA was established in 1992 to formalize the postal processing relationship between the CBSA and the Canada Post Corporation (CPC). To the extent that the agreement covers the work and responsibility of the CPC, it was excluded from this audit. But it is important to note that in the 32 years since it was first signed, the agreement remains a key reference point for determining the elements of the postal process that are within or outside of the CBSA's purview, despite the evolution of the international mail environment.

Throughout this audit we refer to previous reports that covered postal operations. Details on these can be found in Appendix B, Previous reports with gaps and recommendations, including the status of the recommendations issued in the reports.

The CBSA Enforcement Manual (Part 4, Chapter 12) outlines how to conduct postal examinations of international mail in accordance with the provisions set out in the Customs Act, various Departmental Memorandum and other regulations^{Footnote 14}. The manual provides generic guidance, and the officers and regional operations refer to it in the execution of their responsibilities. The manual is supplemented by standard operating procedures (SOP), operational and shift bulletins, Departmental Memorandum, and localized regional SOPs. These documents provide further precision on certain procedures and expectations related to postal examinations.

We found that elements of the manual have not been updated to align with the current operating reality in the postal mode^{Footnote 15}. For example, the manual has not been updated to reflect Bill C-37, which was passed in 2017 and grants the agency the authority to open and examine any mail, including mail weighing 30 grams or less, when it has reasonable grounds to do so. This change to the regulation has also not been updated in the PIA, which states that letter-class mail under 30 grams is to be screened by the third party^{Footnote 16}. As a result, despite Bill C-37, the third party may not be presenting or asked to present letter mail under 30 grams for examination. The manual and the PIA also refer to the Postal Import Control System (PICS), which was decommissioned in 2022 and replaced by the POST and CDS systems^{Footnote 17}.

During our audit, the Postal Courier Programs Unit (PCPU), in collaboration with other stakeholders, was working on updating and issuing policies and guidance that had become outdated as a result of the implementation of the PMI. The following materials were issued: Targeting SOP, POST System guidance and National Postal Imports Remission Order. We reviewed the materials relevant to the scope of our audit for the purposes of assessing of the postal control framework and related activities. This is covered in more detail in the CBSA Postal control framework section of this report.

In the absence of up-to-date and comprehensive national policies and procedures, some of the mail centres have also developed their own localized procedures (for example, guidance on how to process damaged mail) to assist their staff in carrying out postal examinations. These documents are available in local regional drives and/or Apollo (CBSA's information management system). Overall, the operations find the available policies and procedures to be adequate, but they have expressed that searching for information in various locations presents challenges and is time-consuming.

There is also an opportunity to leverage locally developed procedures and consolidate best practices within national guidance in a manner that can be adapted for each region's operations, where applicable. Using up-to-date and standard agreements, policies and procedures can reduce the risk of inconsistent policy implementation and potential operational inefficiencies.

Roles, responsibilities and accountabilities

Well-defined and documented roles, responsibilities and accountabilities that are aligned with an overarching management of the postal program, and policies and procedures that help enhance that consistency are essential for the smooth execution of postal operations. The roles and responsibilities of NHQ, regional operations and other internal stakeholders are documented in the various policies and guidance including: CBSA Enforcement Manual (Chapter 12) , SOPs, job descriptions and other agreements. All internal postal stakeholders have access to the reference materials via the CBSA's intranet and Apollo (that is, the CBSA's document management system). We found that the roles and responsibilities are generally understood by the internal stakeholders.

Some interviewees indicated that they are supporting the postal program without dedicated postal responsibilities attached to their job descriptions. For example, the Targeting Commercial Intelligence Unit (TCI) within Intelligence and Enforcement Branch facilitates the agency's enforcement mandate in the postal operations, however their postal responsibilities are not formally documented other than in standard operating procedures related to systems and/or targeting. TCI has developed and presented a business case to establish the need to formalize the role in NHQ. It is important to document and clearly communicate roles and responsibilities of all stakeholders in the postal continuum, to ensure effective collaboration, accountability, and business continuity.

NHQ developed and communicated a postal roles and responsibilities document^{Footnote 18} to provide the regions with designated points of contact for questions related to the postal program. Although this document does not describe in detail the roles and responsibilities of each internal postal stakeholder^{Footnote 19}, it serves as a communication mechanism, identifying main contacts and responsible parties, which may help should regions have questions on specific processes and systems.

Functional accountability

The PCPU and Commercial Operations Guidance and Support (COGS) Unit within the Commercial Program Directorate are responsible for managing the CBSA postal program and providing operational direction^{Footnote 20}. Based on our document review of their outputs (email interactions, deliverables prepared for committees, etc.) and interviews, it was clear that they understand their role. However, we have highlighted gaps in the execution of risk management, program monitoring and oversight responsibilities in the following sections of the report.

Operational accountability

The international mail centres in the regions are responsible for the delivery of postal operations based on available policies, guidance and direction provided by the Commercial Program Directorate. While they are generally aware and executing the roles and responsibilities per the current expectations, we have highlighted specific gaps in the following sections related to operational oversight responsibilities. Some of these gaps are the result of outdated policies and procedures as highlighted above.

Risk management, and postal program monitoring and oversight

Risk management

In the Treasury Board Secretariat's Framework for the Management of Risk, risk management activities are defined as a continuous, proactive and systematic process to understand, manage and communicate risk to support decision-making and achievement of an organization's mandate and objectives. As part of the overall postal program management framework, it is expected that there is adequate monitoring of risks and oversight over operations, as well as measurement of program performance against strategic objectives.

Our document reviews and interviews with NHQ and regional operations identified an absence of formal risk and issue management practices for the postal program. Currently, the COGS unit holds standing meetings with key stakeholders, which is the only available forum to facilitate discussions on postal operations. The meetings do not follow a formal structure and there is no agenda or record of decisions.

The COGS team also does not maintain a risk and issues tracker of postal matters raised by the regional operations and other postal stakeholders. Attendees from the regional operations expressed that some of the control gaps and/or operational differences identified in this audit report have previously been raised to the COGS Unit. When risks and gaps are raised, operational employees indicated that responses from the program are delayed or unclear, or that they are asked to refer to an outdated policy.

A further lack of comprehensive risk monitoring and risk management was demonstrated throughout our findings on the postal controls framework (covered in section CBSA Postal control framework of this report). That section of the report also lists several examples where operational controls and related risks are not communicated and/or documented in a consistent way to mitigate risks in the postal mode, where applicable. It is important that risk monitoring be formalized as part of the centralized management of the postal program. Delays in identifying and mitigating postal risks and issues may hinder the postal program in identifying evolving and emerging risks^{Footnote 21} or in applying lessons learned from specific operations. A lack of comprehensive risk monitoring can also impact overall program management and decision-making. For instance, the gaps related to CBSA security in primary examination areas at the mail centres have been raised by the regional operations to NHQ. However, these issues have not been mitigated or remain outstanding, posing security risks as well as the potential for fraud or misconduct to occur because high-risk illegal goods are moving through the primary examination areas. It would benefit NHQ as the postal program owner to document instances where risks have been accepted^{Footnote 22} or deferred^{Footnote 23}, particularly as a way to show that they have addressed employee concerns.

Program monitoring and oversight

Oversight is important at all levels involved in the postal continuum, regionally by frontline operations and regional management, and at a consolidated level for the entire postal mode by NHQ. Although each mail centre operates distinctly in the context of their own incoming mail mix (refers to the different types of mail that arrive in the mail centres, that is, registered mail, letter mail, large parcels, express/priority mail, etc.) and within the bounds of what is reasonable, the postal program would benefit from a consistent approach to program monitoring and oversight applied across all three mail centres.

Currently, NHQ provides the regional operations with policies and guidance, but the implementation and effectiveness of the policies to address gaps and risks are not overseen or monitored by NHQ. Oversight responsibilities by NHQ are currently not documented in any policies or guidance documents. The regional operations do not complete control self-assessments, which would help NHQ with program oversight, including identification of control gaps, national inconsistencies and areas of non-compliance with policies and regulations.

Through our document review and interviews with NHQ and regional operations, we noted that a few ad-hoc compliance or monitoring exercises^{Footnote 24} were performed by PCPU's postal compliance team, as well as relevant Operational Program Assessments and Threat and Risk Assessments (TRA). These exercises identified some risks and issues in the postal operations and proposed recommendations to address the gaps (an example of this is included in more detail under the Physical security controls section).

Based on recommendations issued to date on postal operations, NHQ developed the CBSA Postal Path Forward and the National Postal Strategy (reviewed and approved by CBSA senior management in fall 2021). These documents outlined the status of the postal program and related operations, summarized all the risks and challenges, and included recommendations that NHQ would like to pursue as a key priority in the Commercial and Trade Branch (CTB) Integrated Business Plan for 2021 to 2024, specifically to address the postal volumes that peaked in 2021 to 2022. The risks and challenges align with the observations made in this audit report.

Currently the CTB Integrated Business Plan (most recently approved for 2024 to 2027 fiscal years) does not identify a tentative date or timeline as to when the items in these documents will be actioned. As such, many of the issues identified remain unaddressed.

Without formal postal program monitoring and oversight processes, including clearly documented roles and responsibilities for NHQ and regional operations, there may be variation in the application of the policies and expectations. This can potentially result in control deficiencies being left undetected, as identified in the section CBSA Postal control framework.

Improved oversight would foster a degree of consistency across the postal mode where applicable, while still allowing for the varying realities of the different regions, operations and mail mixes. More formalized oversight, accompanied by better communication and risk monitoring might help identify risks, issues and best practices, and could also help to assess whether there is value in a national application of policies to improve or enhance postal operations.

Although the postal mode is included within the Commercial Facilitation and Compliance Departmental Results Framework, the agency is not reporting postal specific operational performance metrics. In response to previous findings, NHQ has developed key operational performance indicators intended to monitor and measure mail centre performance and overall program performance. However, at the time of the audit, we found no evidence of monitoring or reporting on these key performance indicators since they were established. Per interviews and previous reports, the POST system does not have reporting capability. This limits NHQ and the regional operations' ability to access, monitor and track performance statistics^{Footnote 25} and assess national performance as well as compliance. This lack of performance information could hinder the agency's ability to ensure priority setting and strategic decision making. However, NHQ could still leverage available data or resources to identify metrics to measure the performance of the postal program.

The absence of sufficient risk management, program oversight and reporting capabilities may increase the likelihood of fraud, non-compliance and potential legal or reputational damage to the agency. For instance, an occurrence of national inconsistency or poor control design and implementation could result in admitting or mishandling dangerous goods (for example, opioids, or firearms, etc.) threatening the health and safety of our officers and Canadians.

Two main elements that contributed to the risks and issues highlighted in this report were:

• the execution of some key postal activities such as physical security controls in the mail centres rely on a third party
• unaddressed recommendations from the previous reports issued on the postal program/operations (refer to Appendix B, Previous reports with gaps and recommendations, for details)

Recommendation 1

The Vice-President (VP), CTB in collaboration with VP, Intelligence and Enforcement and Regional Directors General (Greater Toronto Area, Pacific and Québec) should strengthen the management of the postal program by:

1. clarifying and communicating roles and responsibilities of all key postal stakeholders (internal and external)
2. developing a communication and escalation protocol for information sharing and raising postal issues, matters and risks; and
3. clarifying and executing program oversight, risk management and monitoring processes, including ensuring that all outstanding feedback and recommendations are being addressed and mitigated for the postal program

Management response: The VP, CTB in collaboration with VP, Intelligence and Enforcement and Regional Directors General (Greater Toronto Area, Pacific and Québec), agrees that better management of the Postal Program is needed. To this end, we will clearly define and share the roles and responsibilities of everyone involved, both internal and external to CBSA as it relates to the program. We will also put in place clear steps for raising, sharing, and resolving issues and risks. Finally, we will strengthen oversight of the program by identifying problems early, managing risks, and making sure feedback and recommendations are followed up and acted on.

Completion date: March 2026

CBSA Postal control framework

A control framework helps ensure appropriate execution of the agency's enforcement mandate in the postal mode. This includes the mapping of key controls to the control objectives and risks, as well as links to the related oversight and monitoring activities. The adequate design of internal controls across the agency's postal environment is necessary to mitigate operational risks^{Footnote 26} and ensure compliance with regulations, policies and procedures.

Throughout the audit, document reviews and interviews with NHQ and regional operations highlighted that the postal operations and related activities/controls were not documented in a postal control framework. In the absence of this framework, we completed walkthroughs of the postal operations, virtually and in-person, and conducted interviews with postal stakeholders to develop process narratives for the CBSA postal operations. The process narratives, developed in collaboration with stakeholders at NHQ and the regions, outline the postal activities and established key controls and/or expectations at the three mail centres.

Overview of the postal process - simplified^{Footnote 27}

When international mail arrives in Canada, it is brought to the mail centres and inducted^{Footnote 28} by third party staff. Two systems are leveraged in the postal operations—Custom Declaration System (CDS) and Postal Operational Support Tool (POST), which use AED to determine whether duties and taxes need to be collected, and to conduct risk assessments to determine whether the mail should be examined by the CBSA. The POST system also screens AED against all active targets^{Footnote 29}, which allows the agency to flag any suspected high-risk mail prior to its arrival in Canada. The start of the CBSA international mail process is when the mail is presented by the third party to CBSA officers working in the examination areas (primary, secondary and quality assurance verification).

Definitions of terms and systems can be found in Appendix D, Terms and definitions.

Figure 1 - Text version

Presentation of mail: CBSA POST System conducts an automated pre-arrival risk assessment of international mail by leveraging AED. When the mail arrives in Canada, it is inducted (barcode on mail is scanned) by Canada Post, and routed to the respective CBSA examination areas based on the system's pre-arrival risk assessment (currently only applicable to countries on-boarded in the system, as well as active targets in the system) or mail is directed to primary examination (applicable to countries sending mail without AED).

Primary examination: BSO visually inspect the mail by reviewing the declaration and comparing it with the x-ray image to assess whether the content(s) of the mail is prohibited, restricted, or subject to duties and taxes. The mail may go to secondary examination.

Quality assurance verification: BSO visually inspects mail that has been pre-cleared by the POST system. The mail may go to secondary examination.

Secondary examination: The mail is referred to a BSO who examines the contents of the mail thoroughly by opening it. Reason: customs declaration is inaccurate (including value); contents may be inadmissible in Canada. The mail may be held for determination; may be deemed inadmissible.

Held for determination: If necessary, the CBSA involves OGDs or agencies, such as Health Canada or Canadian Food Inspection Agency, etc. to ensure the mail complies with all regulations.

Inadmissible: If the mail is determined to be prohibited or restricted, it is seized or detained by CBSA or OGD. (Process out of scope; covered by the Audit of the Management of Seized Goods and Currency)

Release to Canada Post: Once the mail clears CBSA Customs inspection, it is handed over to Canada Post to release and/or collect duties and taxes on behalf of CBSA.

Primary Examination: A Border Services Officer (BSO) screens all inducted mail items presented by the third party to determine which are duty-free and/or tax-exempt importations and ensures the goods that require no further CBSA attention are released to the third party for delivery. All mail items containing goods that may be prohibited, controlled or regulated, subject to duties and/or taxes, or goods requiring examination by an OGD or agency are separated and forwarded to the secondary area for further review.

Quality Assurance (QA) Verification: The process by which the CBSA verifies mail shipments that have provided advanced electronic information, have undergone a CBSA risk assessment and have been determined to be low risk. Mail items that are determined to be low risk may be:

• recommended for release for delivery in Canada; or
• sent for application of an E14 (CBSA Postal Import Form) if duties and/or taxes are required.

For mail recommended for release, a BSO will have an opportunity to visually inspect mail items with advanced electronic information prior to release and BSOs will have an option to refer mail items to Secondary.

Secondary Examination: A BSO examines and verifies mail items to determine whether they are subject to duties and/or taxes, controls (such as permits or certificates), enforcement measures, or if they require examination by an OGD. Once the examination is complete, inadmissible goods are seized or detained and admissible goods are released to the third party for delivery.

Summary of the design assessment of postal operations and related control activities

Within the postal operation's examination process, the agency relies on internal controls to address risk and ensure that:

• all incoming international mail is thoroughly examined to prevent inadmissible or harmful items from entering Canada
• fraud or mishandling (health and safety risk) during examination of inadmissible goods is prevented and/or detected with corrective actions taken to address the gaps

Through the combination of on-site and virtual walkthroughs, interviews and document reviews, we identified 18 key postal operational controls^{Footnote 30} (listed in Appendix E, Design assessment of postal controls) that help mitigate the postal risks and ensure the efficiency and security of postal operations, as well as compliance with policies and regulations. We assessed whether the key postal controls were designed effectively (control is in place), not designed (control is missing), or ineffectively designed (appropriate control is not in place per the operating reality).

• design effectiveness refers to how well a control / procedure or system is structured to achieve its objectives or address specific risks
• design ineffectiveness is when a control may appear to be in place but fails to achieve its intended purpose(s), leaving an organization exposed to risks
• not designed refers to when a control necessary to meet the control objective is missing

We found that most of the key controls have been designed effectively (that is, controls were in place to mitigate the risks in the postal continuum), with a few exceptions (details provided in the sections that follow). We observed that most of the controls are manual in nature, that is, the control is dependent on a BSO or staff for execution rather than being automated. There is thus an inherent potential for errors due to possible lack of experience or knowledge, situational pressure to complete tasks quickly, and/or resistance to change, to name a few. Given the nature of the agency's officer-led facilitation and enforcement work, manual controls and processes are necessary. However, where possible, the risk of manual processes and controls can be addressed through compensating or detective controls, which could help identify, or non-compliance with regulations or SOPs in the examination procedures performed.

For example, there were no oversight and monitoring controls (such as peer review) to check for instances of non-compliance in the use of visual indicators for examination or adherence to healthy and safety measures when inspecting mail. Without sufficient detective controls, the agency may be exposed to security, compliance, and fraud risks that will remain unidentified and unaddressed. We have highlighted some areas where detection and/or monitoring controls could address gaps. Additionally, we observed there is a strong reliance on third party stakeholders for CBSA to be able to effectively execute the key controls. Per the PIA and legislative requirements, the third party should ensure that mail is inducted and presented, including providing a strong, secure environment in order for CBSA operations to be performed effectively. As such, the CBSA is limited in the design of controls for some parts of the process, particularly the induction and presentation of mail, and certain physical and process controls.

The agency's key postal controls and the results of the design assessment are documented in the following sections. An overall summary of the assessment is included in Table 1 (refer to Appendix E, Design assessment of postal controls, for further breakdown of the controls and results).

Table 1: Summary of the control assessment results of the audit

The following sections outline some of the key postal operating activities (primary, secondary and quality assurance verification examinations), as well as related supporting activities (detection tools and technology, intelligence, targeting and physical security controls)^{Footnote 32}.

Key postal operating activities

The key postal operating activities are primary examination, quality assurance verification and secondary examination.

Primary examination

The Postal Examination Policy and the International Mail Processing Memorandum state that all incoming international mail, irrespective of mail types (for example, registered mail, large packages, letter mail and e-packet^{Footnote 33}), is subject to CBSA customs examination. Our expectation, based on the understanding of the process, was that BSOs in the primary examination area are to examine each mail item presented to them using visual indicators and/or the detection technology available.

Across all three mail centres, we observed that most of the inspection lanes in the primary examination area were fitted with an x-ray machine to help eliminate the risk of releasing mail with inadmissible items into Canada. The BSOs working in primary do not open the mail for examination; any mail suspected to be inadmissible is referred to the appropriate area for a thorough examination. Mail that is deemed to require no further examination is released to the third party for delivery. Overall, the control has been designed adequately across the three mail centres.

Risk assessment of mail types for examination

During our in-person observation of BSO examinations, we observed that letter mail and e-packet mail types are risk assessed differently across the three mail centres. Two mail centres were actively targeting certain countries' letter mail for examination, while at the time of the audit, the third mail centre had not inspected letter mail since February 2024 because they considered it low risk^{Footnote 34}. For context, NHQ and regional operations interviewees noted that: 1) AED is not received on letter mail, and 2) available detection technology in the mail centres is not effective in examining the contents of letter mail. Since mail is not opened in the primary examination areas, letter mail is sorted separately by the third party and the targeted mail is brought to respective CBSA secondary examination areas. The BSO working in secondary will manually inspect the letter mail and refer the mail for examination if they find potentially inadmissible items. We observed one instance where a BSO inspected letter mail under 30 grams that contained suspected drugs.

The CBSA's 2024 Strategic Border Threat Assessment^{Footnote 35} also notes an emerging risk of a potential increase in personal imports of recreational drugs^{Footnote 36} through the small parcel streams, such as the postal mode. For example, the assessment identified that ketamine smuggling may increase due to its growing popularity as a recreational drug and its value as an adulterant^{Footnote 37} in the illicit drug market. The assessment also highlighted that "ideologically motivated violent extremism" will continue to be a border threat for Canada. This applies in the postal mode as extremist groups can fundraise, support extremist-aligned businesses and radicalize individuals abroad through the import of prohibited hate propaganda and merchandise (e.g. books, clothing, and stickers). Intelligence risks such as this should be considered by NHQ and regional operations when risk assessing mail types for examination and the rationale should be documented.

With regards to e-packets, one mail centre is x-raying e-packets on a primary belt, but the other mail centres have BSOs visually examining this mail type without the aid of any detection tools. Some BSOs expressed concerns that smaller firearm parts or other high-risk items can be sent via these mail types.

The agency as a whole works to interdict the illicit trafficking of firearms and firearm parts across the border in all modes, which also includes the postal mode^{Footnote 38}. During our interviews with the regional operations, we were informed that three-dimensional (3D) printing^{Footnote 39} of firearms parts sent via the postal mode pose a risk^{Footnote 40} [redacted]. For example, BSOs at the international mail processing facilities intercepted multiple falsely declared packages destined to the same address^{Footnote 41}. The packages were allegedly found to contain various prohibited firearm devices and 3D manufacturing equipment to build firearms. Without the vigilance of the BSOs, there is a risk that mail containing high risk items may be released into Canada, thereby impacting the health and safety of citizens.

"As general technology evolves and becomes more readily available, ghost guns are being added to an arsenal of illegal weapons that are trafficked across the border, often in smaller parts to foil our efforts."

Source: Internal email from CBSA President and Executive Vice President sent to all staff on April 29, 2024

Per discussions with NHQ and regional operations, the currently available documentation (manual, SOPs, etc.) does not prescribe specific expectations for the examination of these mail types. It is understood that the mail centres can make operational decisions about which type, and how, they choose to examine, based on their intelligence analysis, past enforcement actions/trends, postal volumes, mail mix, country of origin, etc.

NHQ referred to the PIA which cites that letter class mail under 30 grams, newspapers and magazines, flat printed materials and advertising materials may be screened out by the third party and not presented to the CBSA. As noted earlier in the Postal agreements, policies and procedures section, Bill C-37 has amended the requirement related to letter mail weighing less than 30 grams, which is not reflected in this agreement. Previous reports have also highlighted that the agreement is outdated. As a result of outdated agreements, the third party may not be presenting certain mail types for CBSA examination and/or regional operations may be applying outdated policies when making decisions on examining mail. In both these scenarios, the agency could be non-compliant with regulations in exercising its mandate and may unintentionally release inadmissible mail or goods.

As described in the Postal agreements, policies and procedures section, the general expectation related to letter mail could be updated in the policy and procedures to reflect the current environment, with an indication that it can be applied as feasible given the operational realities of each mail centre. Additionally, increased program monitoring and oversight activities by NHQ would help identify other instances where there are different interpretations of the policies. It would also assist with evaluating the regional operational decisions and assessing whether to accept the risk. As noted in the Risk management section above, NHQ should monitor, identify, assess and mitigate emerging risks presented by the advancement in technology and/or identified by intelligence to support the effectiveness of the postal mode.

System notifications when advanced electronic data is not available or incomplete

During our observation of primary examination operations on-site, sometimes BSOs received a notification in CDS: "Rating Status – Incomplete" when they scanned the barcode of the mail they were examining. NHQ informed us that CDS has been designed to identify mail with incomplete advanced declaration data. In these instances, the system issues a notification so the BSOs can pay more attention to these mail items^{Footnote 42}.

We observed that BSOs' responses to this system notification varied across all mail centres. Some BSOs would refer the mail to secondary examination by choosing the "Rating Review Required" decision in CDS. However, some BSOs ignored this message and relied on the x-ray image and/or customs declaration information on the shipment (if x-ray machines were not available and the BSO had to rely on visual examination) to determine if the mail required further examination.

NHQ expressed that regional operations were provided training, as well as a document outlining various scenarios to assist BSOs in determining the referral decision to select in CDS. This training was expected to ensure there is consistency in the approach taken by each BSO and across each mail centre. During our interviews, the BSOs at two mail centres stated they were unfamiliar with guidance or training provided and referred to this as a system "error", meaning they thought the system's risk assessment was not working. They expressed concerns with this notification, citing that:

• mail may be released without charging duties and taxes
• more mail may be referred to secondary, which can create a backlog that may impact the efficiency of the secondary operations
• potential targets/lookouts may not be intercepted

Following the implementation of any new expectations or procedures, the CBSA's postal program should oversee to ensure that the changes have taken effect per the new requirements. Regional operations should also monitor adherence to the updated procedures and identify any operational challenges or gaps that may arise during the transition. Failing to communicate and monitor change management activities in a prompt manner can lead to confusion, potentially causing disruptions and inefficiencies in the mail centres.

We also observed and confirmed through interviews with mail centre staff that shift briefings amongst regional operations were either not occurring or were not conducted in a structured manner. It was shared with us that reoccurring topics of value such as highlights of information on trends, patterns, intelligence, or what happened on the previous shifts could be incorporated for the benefit of all. The shift briefings could also be a forum to share reminders with the BSOs on available guidance, health and safety checks, or change management activities, etc.

Quality assurance verification

A QA process can be performed on mail that has been determined to be low risk through the verification of mail shipments that have provided advanced electronic information and have undergone a CBSA risk assessment. For mail recommended for release via the CBSA risk assessment in the POST system, a BSO will have an opportunity to visually inspect mail items with advanced electronic information prior to release with an option to refer these mail items to Secondary for examination.

The POST system has been performing the pre-clearance risk assessment and automatic referral since 2014 (on United States (US) mail only for many years) in one mail centre. In 2022, POST was implemented in the remaining two mail centres and AED from more countries is now being leveraged^{Footnote 43}. As of the end of the examination phase of this audit (October 2024), there has not been a documented quality assurance verification process and there were no formal procedures to perform checks on the mail that is automatically cleared to ensure the system decision was appropriate. NHQ reported that they are developing the quality assurance verification policy and procedures as part of PMI and that they expect it to be implemented by mail centres in quarter four of fiscal year 2024 to 2025.

We observed and also heard from BSOs that customs declaration information can sometimes be missing, written in a foreign language, inaccurate or falsely declared in an effort to avoid customs examination/duties. The BSOs are not equipped with resources to translate declarations in a foreign language.

In the absence of a formal quality assurance verification process, mail centres have recently taken their own approaches to performing spot checks on pre-cleared mail. For example:

• One mail centre uses a "sample approach" to vet a cart of pre-cleared mail and tracks the results to share with NHQ.
• The remaining two perform "visual checks" at their primary examination belts. Meanwhile, BSOs assigned to this work expressed concerns that the visual inspection is not effective because they have to rely on customs declaration data rather than detection technology.

As an example of quality assurance benefitting from detection technology: In one mail centre during the conduct of a special project^{Footnote 44} on US mail, an x-ray image revealed that there were firearms concealed inside a karaoke machine. We were informed by the regional operations (BSO, Superintendent) that without this special project, the mail would have been diverted to the QA verification process where the BSOs are not equipped with x-ray machines. A visual check of the outside of the box may not have been adequate to suspect firearms and the mail would have likely been released.

Gathering the results (including resultant and non-resultant) of these quality checks and sharing them widely with all internal postal stakeholders could help regional operations as well as intelligence and targeting stakeholders to tailor their approaches to mitigating controls (such as the choice of which special projects to prioritize, gathering trends on modus operandi, setting targets in the POST system to redirect mail with specific risk indicators from the QA examination, etc.).

CBSA's 2024 Strategic Border Threat Assessment also highlighted that firearms smuggling from the US via post is a concern. Per in-person observations and discussions with NHQ and regional operations, the agency has been leveraging advance data from the US mail (only from certain US states) in one mail centre since 2014. However, without special projects or additional BSO vigilance during QA verifications, there is a risk that high-risk items may be released. As such, collecting and reporting on these results could also demonstrate to the regional operations that they can have confidence in the advance electronic data leveraged by the agency to conduct pre-risk assessments.

Evaluation Study of PMI (2019) recommended NHQ establish and implement national practices or guidelines to ensure that QA is performed consistently (with an expected implementation date of September 2021). During our audit the recommendation was outstanding.

Based on our audit work, it was determined the QA verification control was not designed effectively (that is, the control appears to be in place, but it does not meet the control objective) across the three mail centres. The implementation of the QA verification policy and procedures ought to address the effectiveness of the design of the controls. Until then, the agency may be missing an opportunity to mitigate the risks associated with relying on automated system screening based on importer-provided AED without a policy that includes:

• specific guidelines on how the process should be performed
• consideration for the operational reality at each mail centre
• optimization of the resources and the detection tools readily available

Secondary examination

The CBSA Departmental Memorandum D5-1-1: International mail processing outlines that mail should be separated and forwarded to the CBSA secondary area for further review if mail contains goods that:

• may be prohibited, controlled or regulated, subject to duties and/or taxes or
• goods requiring examination by an OGD or agency

Our expectation was that mail suspected to be inadmissible is thoroughly examined by a BSO, target instructions adhered to (if applicable)^{Footnote 45}, and the results of the examination are recorded in the POST system.

Through our in-person observations and walkthrough of the process, we found that mail referred for secondary examination was opened, and its contents were inspected by BSO(s) to ensure compliance with the various acts and legislation on admissibility. Additionally, we also observed that the BSOs were making referrals to the laboratories and OGDs to confirm the admissibility of goods into Canada. As such, the secondary examination control process has been effectively designed in all three mail centres.

During our observation of target mail examination in the secondary area, some BSOs in all three mail centres expressed that they did not know where to find the target instructions in the POST system. Some of them highlighted that the target interceptions were more obvious in the old PICS system^{Footnote 46} because targets were emphasized with an alert. Through our document review, it was determined that there were no procedures available for BSOs regarding what to do when targets are intercepted (that is, which screens to review to obtain more information on the target hit, what to do next, etc.). Due to the lack of documentation and our observations while on site, we found that the control to ensure target instructions are adhered to by BSOs when target mail is intercepted has not been designed to function effectively^{Footnote 47}.

By not following target instructions, there is a risk that inadmissible mail may be released by error, and that the agency may be non-compliant with regulations and acts which prohibit or restrict the goods that were released. If this risk is realized, it could harm the agency's reputation and credibility to protect Canada. In the absence of an effective control, there should be regional oversight over the execution of examination procedures to ensure that critical steps are not missed.

Supporting activities

Supporting activities include Detection technologies and tools, Designated safe examination area, Designated safe sampling area, Detector dogs services, Intelligence, Targeting and Physical Security Controls.

Detection technologies and tools

A range of detection technologies and tools are available for BSOs to use in the mail centres. These include detector dogs, x-ray machines, narcotic detection devices such as ion scanners, and personal protective equipment such as gloves, masks, eye wash, and the like. Additionally, mail centres also have access to:

• Designated Safe Examination Areas (DSEA) for BSOs to examine and identify packages containing suspected highly toxic substance (HTS) for further analysis
• CBSA chemists working in Designated Safe Sampling Areas (DSSA) who can test for the presence of HTS/precursor chemicals

The enforcement manual outlines that the BSOs should determine through indicators when the use of detection technology and tools is appropriate and that they can leverage detector dogs as long as it is safe for the dogs and the mail centre environment.

Designated safe examination area

We expected the BSOs to use necessary personal protective equipment and/or the DSEA to safely inspect packages suspected of containing HTS. Although there is training on the policy and expectations, we observed some BSOs did not follow the protocols when opening parcels, particularly at their desks in secondary when they did not wear gloves or masks. During our discussions with BSOs, chemists, Superintendents and Chiefs in all the mail centres and supported by our observations while on site, it was highlighted that the DSEA may be under utilized because:

• the mail centre staff prefer leveraging the chemists in the laboratory who are trained and have the necessary tools to conduct the tests of HTS / precursor chemicals safely and there is trust in their results; and
• some BSOs were not familiar with operating the DSEA due to lack of regular (refresher) training

Designated safe sampling area

We expected that samples sent to the DSSA laboratories are handled in a secure manner and that the lab testing results are communicated to the BSOs. We visited the laboratories for the three mail centres and observed that the controls pertaining to the DSSA are designed effectively and consistently. The samples are referred and sent to the DSSA in a safe and secure manner. All BSOs fill out a referral form that documents the details of the mail and potential reasons for the referral, and it also supports the chain of custody. The chemists complete their tests and log and track their results in their designated system. The results are shared via email with the BSO, Superintendent and Intelligence Analyst and Intelligence Officer.

Detector dogs services

The enforcement manual and the agreement between the CBSA and the third party on the use of detector dogs' services (DDS) both highlight that the DDS can be leveraged as long as it is safe for the dogs as well as for the mail centre environment.

In two mail centres, we observed there is a dedicated fenced zone in the primary area where suspicious mail can be presented for examination to the DDS, who will refer items to secondary if they identify any suspected inadmissible goods. At the third mail centre, a dedicated fenced zone was not available, and the detector dogs were not used to assist with primary examination. Instead, the detector dogs are leveraged only in secondary operations for enforcement activities over high risk or target mail, a practice which also occurs in the other two mail centres.

NHQ and PMI teams expressed that investments have been made to allow detector dogs to inspect the mail directly on the primary conveyor belts, and also noted that the use of the detector dogs would make the primary operations more efficient by reducing risks related to the transfer of high risk mail between CBSA examination areas by third party staff. They also mentioned that there is no NHQ policy, and that it is up to the mail centres to make operational decisions on the use of detection technology and tools.

The regional operations expressed challenges with leveraging the DDS on the belts directly. These have been raised to NHQ. Some issues shared include:

• detector dog handlers expressed that not all conveyor belts can accommodate the larger dogs who need wider belts for examination; and
• regional operations expressed that the "non–CBSA personnel" have raised concerns with DDS inspecting them or their possessions, and do not want the DDS around their areas, despite there being a memorandum of understanding between the CBSA and the third-party regarding detector dog teams being present at the facilities^{Footnote 48}

Governance structure and related roles and responsibilities for the third party and CBSA were clarified and implemented (in 2020) per a recommendation issued in a previous report. However, during our interviews with NHQ and regional operations it was indicated that the governance meetings between the third party and CBSA have not occurred after 2021. The recommendation was implemented to address the gaps in the relationship between the two parties and raise postal issues. As such, without formal mechanisms, NHQ may not be able to advocate for the regional operation's postal matters.

Due to the absence of risk management and program oversight, the solution of a dedicated fenced zone, implemented at one mail centre has not been more widely applied at the other centre(s). This impacts each mail centre's extent of optimally leveraging the DDS in their examination activities. NHQ should work with the regional operations to demonstrate that DDS may be leveraged on the belts or appropriate mitigating measures could be identified to improve the effectiveness of detection tools and technologies in the postal operations. This includes managing the relationship with the third party to ensure the CBSA is able to leverage available detection tools and technology as applicable.

Intelligence

The CBSA's Intelligence function, via regional Intelligence Analysts, Intelligence Officers and Criminal Investigators from the Intelligence and Investigation Directorate, play a crucial role in postal operations through gathering and analyzing intelligence information^{Footnote 49} to establish a set of indicators and profiles. This intelligence is leveraged by the mail centres to conduct enforcement projects using detection technology/tools like x-rays and detector dogs in order to identify prohibited or restricted items such as firearms or drugs from targeted countries.

The intelligence and enforcement policies and procedures, as well as specific expectations for Intelligence Officers, were not part of the scope of this audit, and as such our work does not highlight findings specific to this function. However, through walkthroughs, observations and interviews on site, some of the BSOs and Superintendents in the mail centres expressed that there are gaps in after-hours services, particularly when targets are intercepted, such as limited availability or access to designated regional Intelligence and Investigations Officers. The latter expressed that they are not frequently available at the mail centre because they are conducting surveillance or reporting to other ports of entry. An Intelligence Officer is available on site once a week at one mail centre.

The absence of established feedback loops and clear communication of intelligence work across the mail centres may reduce BSO awareness of the importance of gathering intelligence (changes to modus operandi, origin country, receiver address, etc.), which can impact agency's ongoing and/or future surveillance activities, including controlled deliveries^{Footnote 50}.

Intelligence staff and the chemists working in DSSA expressed interest in participating in meetings with the regional operations to share their own feedback on referrals made for firearms/high risk mail or testing highly toxic substances, respectively.

One mail centre implemented a best practice, whereby a BSO has been given responsibilities to liaise between the BSOs, Superintendents and the regional intelligence staff, sharing information in a timely manner between the stakeholders, and tracking and monitoring all communications. BSOs in this mail centre reported this practice improved their vigilance during inspections because they had a single point of contact to vet their observations. By centralizing the point of contact for this mail centre, the region's intelligence staff reported this practice reduced the number of BSOs reaching out to them with information on inspections or interceptions. There is an opportunity to integrate similar roles across the other mail centres by delegating BSOs with similar responsibilities. Mechanisms to improve communication and information sharing may encourage more vigilance amongst the BSOs.

Targeting

The POST Standard Operating Procedure (SOP) and Targeting SOP for target maintenance outlines the procedures that the TCI follow for the management of targets or alerts requested by the mail centres. The unit is responsible for entering, deleting and modifying targets or alerts in the POST system, as well as providing timely distribution of intelligence information (that is, targeting briefs, threats or risks assessments and seizures analysis and reviews).

We expected that target requests can be submitted to the TCI by authorized persons from the operations, who will then complete their due diligence^{Footnote 51} prior to entering the target in POST and communicating that the target request is active.

In all three mail centres, we received examples of target request submissions to TCI, including the response back as to whether the target was approved or not. Once the target is approved, it is added in the POST system with an "active" status, whereby any mail containing attributes identified in the target ought to be intercepted at the mail centre(s). Our interviews, document reviews and observations highlighted that the targeting controls have been designed effectively across the three mail centres to ensure that high risk target mail is intercepted and thoroughly inspected for admissibility into Canada.

Missed target

Operations, TCI and Intelligence staff mentioned that targets on incoming mail entering Canada are sometimes missed (that is, not intercepted). Some of the potential reasons for missing targets per the regional operations and TCI include:

• target instructions in the POST system are not addressed and the mail is released without thorough examination
• mail is examined thoroughly however the target status is not closed in the POST system; and
• due to the manual nature of the postal operations, the ability to identify and intercept targets is also challenging (this could be for a variety of reasons for example, unclear target instructions, conflicting priorities, postal volumes at primary/secondary examination areas, limited/unavailable detection capabilities, etc.); and
• the third party has not inducted^{Footnote 52} and/or presented the mail to the CBSA for examination. If mail is not inducted, targets may not be intercepted at the mail centre and the mail may be released without any CBSA intervention.

The POST system does not have the capability to generate data on missed targets. Currently, if they are aware of a missed target, TCI or regional operations will have to use a manual process to track the mail^{Footnote 53}. This is an operational inefficiency with an impact to the agency's ability to action enforcement efforts in a timely manner. Without tracking missed targets, the agency may be missing areas of risk or potential control deficiencies. NHQ can leverage program oversight measures to monitor frequency and cause of missed targets and compare with other operations or business lines to determine if the gap is reasonable and risk can be accepted.

Physical security controls

We expected that physical security controls were designed to prevent and deter security and fraud risks in the three mail centres, per CBSA Security Program Management Framework (effective February 27, 2020) and CBSA Policy on Physical Security (effective December 15, 2020) in conjunction with the Treasury Board Secretariat's Directive on Security Management.

The CBSA Physical Security team completed a National Postal TRA (June 2020)^{Footnote 54}, which highlighted the lack of segregation of CBSA operations from the third-party operations in the three mail centres. [redacted]. The TRA recommended that all three mail centres use privacy screens on the computer monitors and x-ray machine monitors used by BSOs to protect the images from non-CBSA personnel. We observed that one mail centre has put privacy screen dividers around CBSA personnel in primary, while in the other two mail centres^{Footnote 55}, the primary operations remain exposed.

[redacted]

[redacted]

[redacted]. CBSA CCTV footage is retained for 30 days per CBSA policy^{Footnote 56} (we did not audit CCTV footage retention and back up controls). The CCTV feed is not actively monitored during the shifts.

• [redacted]
• This risk is being mitigated in two mail centres, where management has adopted a "Clean Secondary" local practice. At the close of each shift, the BSOs remove any mail on the belts or inside x-ray machines and set it aside in carts (secured in CBSA-only areas) to be inspected during the next shift.
• The CBSA Fraud Risk Profile^{Footnote 57} has identified the agency has a risk related to "illegally facilitated border crossings (people and prohibited goods)". Specifically, regarding the postal mode, risk drivers and some controls have been identified in the risk profile. For instance, "CCTV cameras in some areas" has been identified as a control to prevent fraud, however it does not specify where the CCTV is or should be located for maximum coverage and prevention of fraud. As such NHQ and/or regional operations may not be aware of the gaps in this control at the mail centres [redacted], which can impact the agency's ability to adequately safeguard the mail centre operations and goods and prevent or detect fraud.

Furthermore, CBSA staff in two mail centres shared that they do not conduct security risk and threats assessments and exercises to identify and mitigate against potential security threats at the facilities. One mail centre has an enforcement team that conducts roving activities and security exercises to assess their physical environment.

Given the above weaknesses, we found that the physical security controls may not be designed effectively to mitigate the risk that mail centre operations are adequately safeguarded. [redacted]. With increased program monitoring and oversight, NHQ and/or regional operations in collaboration with CBSA Security team have the opportunity to assess the state of physical security across the mail centres. They can then leverage the proposed recommendations in the TRA as well as guidance on best practices to safeguard the regional operations' resources as well as the mail subject to CBSA inspection.

Recommendation 2

The VP, CTB in collaboration with VP, Intelligence and Enforcement and Regional Directors General (Greater Toronto Area, Pacific and Quebec), should strengthen the postal control environment by:

1. formalizing the postal control framework and revising or adding control activities based on changes to policies/expectations (including compensating process to address identified gaps and risks); and
2. developing a regular monitoring framework, to ensure the controls are effective at addressing risks

Management response: The VP, CTB in collaboration with VP, Intelligence and Enforcement and Regional Directors General (Greater Toronto Area, Pacific and Quebec) agrees that stronger controls are needed in the Postal Program. We will build a clear and formal control framework and update it when policies or processes change. We will also put a monitoring system in place to regularly check if these controls are working well, and make changes as needed to reduce risks and improve how the postal program operates.

Completion date: December 2026

Appendix A: Audit criteria

Appendix B: Previous reports with gaps and recommendations

Appendix C: Acronyms

3D

Three-dimensional

AED

Advance Electronic Data

BSO

Border Services Officer

CBSA

Canada Border Service Agency

CPC

Canada Post Corporation

CCTV

Closed Circuit Television

CDS

Custom Declaration System

COGS

Commercial Operations Guidance and Support

CTB

Commercial and Trade Branch

DDS

Detector Dog Services

DSSA

Designated Safe Sampling Area

DSEA

Designated Safe examination Area

HTS

Highly Toxic Substances

IT

Information Technology

NHQ

National Headquarters

OGD

Other Government Departments

PCPU

Postal Courier Programs Unit

PIA

Postal Imports Agreement

PMI

Postal Modernization Initiative

POST

Postal Operations Support Tool

PICS

Postal Import Control System

QA

Quality Assurance

SOP

Standard Operating Procedure

TCI

Targeting Commercial Intelligence

TRA

Threat and Risk Assessment

US

United States

VP

Vice President

Appendix D: Terms and definitions

Appendix E: Design assessment of postal controls