Audit of the Immigration Program at the Canadian High Commission in London

Audit Report
Internal Audit and Accountability Branch
Citizenship and Immigration Canada
March 2008


Acronyms used in this report

1.0 Introduction

2.0 Audit Conclusion

3.0 Observations and Recommendations

Appendix A: Organizational Chart

Appendix B: Detailed Criteria for the Audit

Appendix C: Management Action Plan

Appendix D: Audit Time Line


Acronyms used in this report

CAIPS: Computer-Assisted Immigration Processing System
CBO: Canada-based officer
CBSA: Canada Border Services Agency
CRO: Cost-recovery officer
CSIS: Canadian Security Intelligence Service
CSU: Client Services Unit
DFAIT: Department of Foreign Affairs and International Trade
DIO: Designated Immigration Officer
FCO: Forms control officer
HR: Human Resources
IPM: Immigration program manager
IR: International Region
IRIMP: International Region Immigration Management Plan
LES: Locally engaged staff
NHQ: National headquarters
NIO: Non-Immigrant Officer
PSEA: Public Service Employment Act
QA: Quality assurance
RCMP: Royal Canadian Mounted Police
RPC: Regional program centre


1.0 Introduction

The Citizenship and Immigration Canada (CIC) Risk-Based Audit Plan for 2006–2009 identifies the conduct of one regional program centre (RPC) mission audit per year. The selection of the immigration program at the Canadian High Commission in London was done in consultation with the International Region (IR) Branch at CIC national headquarters (NHQ) and was based on an assessment of the mission’s operations in relation to other offices. The on-site field work was conducted between February 26 and March 9, 2007.

1.1 Background

1.1.1 Operations

CIC is responsible for the recruitment, selection and processing of foreign nationals who wish to come to Canada on a temporary or permanent basis and who will stimulate the economic growth of Canada and enrich its social and cultural life. Within the Department, this responsibility has been assigned to the Operations Sector, which is divided into domestic and overseas operations. Overseas operations fall under the responsibility of the IR Branch. IR accomplishes this through its network of visa offices (or missions) abroad. These are broken down into RPCs, full-service centres, satellites and specialized offices. RPCs and full-service centres are responsible for delivering the full range of immigration services for the countries they serve. The difference between these two is that RPCs are responsible for overseeing satellite offices. Satellites and specialized program offices do not deliver the full range of immigration services.

The RPC at the Canadian High Commission in London is responsible for delivering all immigration services. It is also responsible for three satellite offices, located in Abu Dhabi, Riyadh and Stockholm. According to the London International Region Immigration Management Plan (IRIMP) environmental overview for 2007–2008, the office had the following:

  • 11 Canada-based officers (CBO), including one medical officer and two migration integrity officers; and
  • 50 locally engaged staff (LES).

In its IRIMP, the mission indicates that in recognition of its increasing workload, five incremental positions were created in the 2006–2007 fiscal year (one officer and four support positions). In addition, the office underwent a reorganization aimed at improving processing, accountability and program efficiency at the mission. The office is now organized into three streams of work with associated units: the Immigration Unit, the Migration Integrity Unit and the Medical Unit. Appendix A presents the London immigration program organizational chart.

The Immigration Unit is the largest component of the mission’s immigration program and is the focus of this audit. This unit is comprised of one non-immigrant team, responsible for the processing of non-immigrant applications (e.g., applications for temporary residence, travel documents, etc.), and one immigrant team comprised of three new sub-teams, responsible for the processing of applications for permanent residence. Both teams are supported by a registry and the newly created Client Services Unit (CSU). The non-immigrant team’s territory is the United Kingdom, Ireland and the Nordic countries, while the immigrant team processes applications for permanent residence from citizens and legal residents of seven countries in north-western Europe, and economic applications for seven countries in the Gulf region.

The other two units are the Migration Integrity Unit and the Medical Unit. It is important to note that these two units have neither the same geographic responsibility as the Immigration unit nor each other. The Migration Integrity Unit is responsible for seven countries in Europe, and it performs interdiction duties for the area it serves. The Medical Unit is responsible for the largest area, including 13 countries in Europe, seven countries in the Persian Gulf region, two countries in North-East Africa, and nine countries in Asia. While it has a significant public service health function, its primary function is to oversee the medical screening of applicants for the geographic area it serves.

The immigration program at the Canadian High Commission in London manages refugee class, family class and economic class immigrant cases (skilled workers, business class and provincial nominees). As stated above, the immigration program has three sub-teams involved in the processing of these cases. All three teams are managed by one CBO. Each of the three sub-teams has a coordinator in place to oversee day-to-day operations. One of these teams (the Priority Team) is devoted to the processing of skilled workers with arranged employment, refugee cases and priority family class cases. The other two teams (Red and White teams) process all other permanent resident cases. The non-immigrant program at the RPC is comprised of one processing team headed by an experienced foreign service officer. The largest component of the non-immigrant program is student, temporary worker and temporary resident visitor processing.

In 2006, the mission’s overall visa target for permanent residence applications was 15,330 while in 2005, it had issued 14,472. The office’s visa target for 2007 is 15,910. The inventory of applicants awaiting a decision at the mission, as at January 5, 2007, is 74,188, of which approximately 93% are skilled workers. Processing times are estimated at 45 months. Reducing the inventory is a significant challenge the mission faces. With regard to temporary residence applications, the office saw some variation in the number of visas issued for the three main categories: students, temporary visitors and temporary workers. The mission statistics for 2006, 2005 and 2004 are summarized in Table 1 below.

Table 1 – London Statistics
    2006 2005 2004
Number % change Number % change Number
Permanent Resident Applications Target 15,330 5.7% 14,500 0% 14,500
Visas Issued 15,152 4.7% 14,472 -1.8% 14,744
Inventory 74,188 6% 69,973 15.3% 60,667
Students Visas Issued 2,148 4.8% 2,049 5.6% 1,941
Visitors Visas Issued 11,376 -10.7% 12,733 6.0% 12,009
Temporary Workers Visas Issued 9,455 2.6% 9,218 -7.6% 9,974
Cost-Recovery Revenue $14.1 M $20.8 M $22.1 M

Note 1. Visas issued, as per IR processing statistics for the calendar year.
Note 2. Inventory, as per IR records on January 5, 2007, December 30, 2005, and December 31, 2004, respectively.
Note 3. Cost-recovery revenue, as per DFAIT fiscal year records for 2006–2007 (to January 31, 2007), 2005–2006 and 2004–2005 respectively.

In addition, given the importance of the immigration program at the High Commission, it has additional responsibilities, such as promotion, recruitment, reporting, advocacy, liaison and regional leadership. Management noted that all of these responsibilities are taking on greater importance at the mission, resulting in more time and resources being devoted to functions that would otherwise be used in processing applications. The mission also faces facility layout challenges, with offices on three separate floors of the chancery.

1.1.2 Environmental Context

This section of the report highlights some of the operating environment issues facing the mission. They are presented here for information purposes only and are not given in any particular order.

London is one of the largest missions in CIC’s network of overseas offices. Consequently, it faces the following challenges:

  • Managing a large inventory of applications;
  • Increasing targets and volumes;
  • Large geographic area of responsibility and the variety and complexity of cases that accompany this scope of operations;
  • Increasing international security concerns; and
  • The continuing importance of the additional responsibilities (promotion, recruitment, advocacy, liaison and regional leadership) the mission undertakes and the constraints these place on the mission with respect to the use of its resources.

1.2 Audit Objectives

The audit objectives are to assess the following:

  • the management framework in place at the mission to administer the immigration program;
  • the degree to which practices and procedures comply with the applicable legislation and policies associated with the delivery of the immigration program; and
  • the internal control framework in place to support the operational delivery at the mission and safeguard assets and revenues.

1.3 Audit Criteria

The criteria that were used in the audit are based on applicable Treasury Board and CIC legislation, policies and directives. The detailed criteria for the audit are presented in appendix B.

1.4 Audit Scope

The audit only involved operations at the Canadian High Commission in London and excluded satellite operations. The audit scope covered all significant aspects of CIC operations at the High Commission, including the full range of immigrant and non-immigrant program activities with associated financial and administrative components typically found in an RPC. The audit examined mission activities from January 1, 2006, to the end of the on-site examination period on March 9, 2007.

1.5 Audit Methodology

There were three lines of enquiry: management framework, compliance of the immigration program and the internal control framework.

As part of our examination of the management framework, we interviewed immigration staff and other embassy staff with links to immigration operations; reviewed documents; observed processes; documented controls; tested information; and reviewed samples of management files to test for compliance.

As part of our examination of program integrity, we examined all decisions related to permanent resident determination travel documents, temporary resident and permanent resident cases, and temporary resident permits finalized over the period of January 1 to December 31, 2006, to test compliance with delegated authorities. We also conducted interviews with immigration staff and other embassy staff with links to immigration operations, reviews of documentation, observation of processes and documentation of controls. The audit also examined a judgmental sample of 10 permanent resident determinations, 30 temporary resident cases and 60 permanent resident cases that were finalized between January 1 and December 31, 2006, to assess compliance with legislation, regulations and policy requirements of the case file. The sample size was judgmentally determined taking into consideration the mission processing volumes. The selection of individual sample cases was done randomly from the population. The file review of sample cases was done to validate our observations from interviews, documentation reviews and the procedures in place at the mission.

As part of our examination of the internal control framework, we examined controls over the Computer-Assisted Immigration Processing System (CAIPS), controlled documents, cost recovery, and travel and hospitality expenditures. To this end, as part of the audit of internal controls, we interviewed immigration staff and other embassy staff with links to immigration operations, reviewed documents, observed processes, documented controls, tested information and reviewed samples of management files to test for compliance. Specifically, we examined CAIPS user profiles, tested CAIPS inventory controls, tested samples of controlled documents inventory transactions, tested cost-recovery revenue controls and reviewed a sample of travel and hospitality claims to assess compliance with applicable legislation, policies and procedures and conclude on the state of controls in place.

The audit was conducted to be in accordance with the Government of Canada’s Policy on Internal Audit as well as with auditing standards set out by the Institute of Internal Auditors.

2.0 Audit Conclusions

Overall, the audit found that:

  • the management framework had been strengthened under the current mission management and that the office was well managed;
  • the immigration program was compliant with applicable legislation and staff understood their role; and,
  • with respect to compliance with operational policies and the internal control framework, practices at the mission were adequate. However, in these areas, we have identified opportunities for improvement.

Our detailed observations and recommendations in these areas are discussed in the next section of the report. We made a total of eight recommendations as part of our audit report. Management’s action plan, along with proposed implementation dates for our recommendations, can be found in appendix C.

3.0 Observations and Recommendations

3.1 Management Framework

The audit examined seven areas of the management framework: governance and strategic direction; public service values and ethics; people/human resources; client-focused service; risk management; results and performance; and learning, innovation and change management.

The audit found that the management framework had been strengthened under the current mission management and that the office was well managed. However, with respect to the management framework, we found that risk management and performance measurement could be further strengthened. Our findings are discussed in the following sections.

3.1.1 Governance and Strategic Direction

In reviewing governance and strategic direction, we expected that structures would be in place to ensure that accountabilities were adequately discharged. Specifically, we expected to find clear reporting and accountability lines that demonstrated appropriate delegations. We also expected to find integrated planning, budgeting and monitoring, and established communication protocols for partner stakeholders in place and functioning as intended.

The audit found that clearly defined reporting and accountability lines were established. In August 2006, the office underwent a restructuring, at which time new teams were established and some positions were reclassified. The new organizational structure resulted in clearer reporting relationships at the mission. This is discussed further in Section 3.1.7. The audit also found that all positions had a job description. A review of job descriptions for LES revealed that generic job descriptions were created for major classifications. In addition, we found that supervisors were expected to oversee their staff to ensure the discharge of their responsibilities. Consequently, we found that delegations were clear and appropriate in relation to responsibilities and available resources. We also found that formal relationships had been established and were functioning as intended with partner agencies.

Our audit also found that processes existed for integrated planning, budgeting, monitoring and performance management. A review of planning and budgeting documents revealed that linkages could be seen between high-level and mission-level performance expectations. We found that, at the mission, performance information was captured and progress toward the achievement of targets established in planning documents was monitored. Performance measurement is discussed further under 3.1.6.

Lastly, the audit found that communication protocols for employees, clients, partners and other external stakeholders were in place at the mission. As discussed earlier, the office established a CSU which now serves as the main point of contact for enquiries from the public.

3.1.2 Public Service Values and Ethics

As part of our audit in this area, we expected to find that management promoted public service values and ethics and employees were aware of these.

The audit found that values and ethics were promoted and understood at the mission. Our interviews and the documents we reviewed indicated that mission management reinforced and promoted values and ethics. The audit found that the main vehicle for the communication of values and ethics was staff meetings, but that they were also reinforced through the management of the human resources (HR) process.

Interviews with staff and our documentation review found that employees were aware of public service values and ethics and the code of conduct as a result of management’s efforts. Our review of HR staff files found that evidence supported management’s assertion that values and ethics were promoted through the management of the HR function.

3.1.3 People/Human Resources

The audit expected to find that the management of the people/human resources function ensured employees received the appropriate support, were aware of their responsibilities, received feedback on their performance and that staffing was in compliance with appropriate legislation and policies.

The audit found that appropriate controls were in place to ensure an effective workplace for staff to contribute to the work objectives. Processes existed to provide employees with the necessary training, tools and resources to discharge their responsibilities. Discussions with the immigration program manager (IPM) revealed that the majority of training is delivered with the support of IR at NHQ. Our interviews with staff confirmed that staff training was adequate to ensure that they are able to discharge their duties.

Our audit found that processes and procedures were in place to ensure that staffing actions were in accordance with the Public Service Employment Act (PSEA). The office held 26 staffing actions during the 2006 calendar year. A review of five of those actions confirmed that all material steps required were performed. Given this, the process in place in London appears to be complete and reflects the Act’s goals of a fair, transparent and open process. The audit also found that processes were in place to assess individual performance and to hold individuals or management accountable for their actions.

3.1.4 Client-Focused Service

We expected to find that services delivered by the office reflected the requirements of its clients. Specifically, we expected to find that processes were in place to establish, maintain and monitor service principles and standards for clients. We also expected to find that processes were in place for the effective tracking and resolution of complaints.

The audit found appropriate controls were in place to ensure the delivery of client-focused service. Consequently, services delivered by the office reflect the requirements of its clients. As part of its efforts to improve operations and address client service issues, the office created the CSU in 2006. This unit is the main point of contact for responding to client enquiries and is the group responsible for reporting to management on performance. The CSU, along with the front counter, are the immigration program’s core team for client service. Centralizing this function in this unit demonstrates an understanding of the importance of delivering client-focused services. The unit’s commitment to client service is also demonstrated by the fact that one of the CSU’s main initiatives under way at the mission is to update the mission’s website. We found that this unit tracked office performance and responded to client needs.

3.1.5 Risk Management

We expected to find that the mission periodically assessed the risk to the delivery of its program and that risk assessments were considered in mission planning.

The audit found that the office engaged in appropriate risk management practices and that it benefited from an extensive library of resources to support quality assurance (QA) efforts. That being said, we found that while operational risk is regularly discussed among staff and in meetings, it is only formally documented in the mission’s IRIMP, the main annual planning document for missions abroad. Consequently, the audit found opportunities for improvement in the mission’s documentation of risk management practices.

As risk is not static, it should be updated more frequently than on an annual basis. Without this documentation, some management practices, such as QA, have not systematically and consistently been carried out. The documentation of risk may serve as input to management on program design. It may also serve as input into QA, which can then be used to validate management’s decisions, including program design. Lastly, as staff rotate throughout the network of missions abroad, this documentation would serve as a form of corporate memory for future management.

Recommendation 1

Management should periodically assess, document and use program risk as input in order to guide management practices such as program design and quality assurance.

Management Response

While there are frequent and regular discussions of risk and QA, the mission agrees that a more rigorous and formal QA program would enhance integrity and risk management, and it is in the process of developing such a methodology. Efforts are being made to extend initiatives that are already under way and to document results more formally. In order to further strengthen integrity and risk management, the mission is strengthening partnerships with internal partners, such as the Canada Border Services Agency (CBSA), the Canadian Security Intelligence Service (CSIS) and the Royal Canadian Mounted Police (RCMP), and external partners, including law enforcement authorities.

3.1.6 Results and Performance

The audit expected that relevant information on results had been gathered, used to make decisions and reported. Specifically, we expected that performance measures were in place and monitored, measures were updated to reflect the work carried out by the mission, and results were analysed and used in decision making.

The audit reviewed planning, reporting and performance information in order to measure progress toward objectives. We found that the office had a solid base of output performance information, which it captured on a periodic basis to monitor progress toward the achievement of targets. The office also does a good job of analysing application trends. This information is shared within the office and is considered in decision making and internal resource allocation.

The main reporting tool within the mission is its monthly performance report, produced by the CSU. The majority of the information management receives is focused on output. However, the information does not cover the full performance of the mission. For instance, the 2007–2008 IRIMP sets out the objective that routine student, visitor and temporary worker applications be processed within a certain time frame, depending on the application method. Capturing the number or the percentage of applications processed in a period that met this objective and combining that information with the details of the performance reports output would provide a view of the office’s productivity level as opposed to its production. Also, there are activities carried out by the mission that are not formally reported on. Examples include promotion, recruitment, reporting, advocacy and liaison activities. Measuring the resources devoted to these activities and reporting on them would allow the office to better plan for future requirements.

While the audit found that these aspects were not formally reported to management, they were captured at lower levels and, in some cases, reported informally. More formal measurement could improve the information available to management for decision making.

Recommendation 2

In order to further improve performance measurement, management should develop, capture and periodically report on performance measures that capture the full performance of the office. This information should then be used to guide management in assessing performance and support decision making.

Management Response

Such performance measures are largely captured already, but this will be done in a more formal manner. We appreciate the advice in other areas where the office can monitor its performance.

3.1.7 Learning, Innovation and Change Management

The audit expected to find that the office employed learning and development activities to promote innovation and change management in order to learn from its performance.

The audit found that an appropriate framework was in place to support learning, innovation and change management in order to learn from performance. The office recently underwent a reorganization, and interviews conducted and documents reviewed found that the mission had a proper process to support this reorganization and other changes implemented, thus ensuring that the future changes would be implemented successfully. Interviews carried out revealed in general that during the change process, staff were consulted and kept involved during the process. Moreover, the audit found that the office was continually looking at new and more efficient ways to carry out its workload, as demonstrated by the creation of the CSU.

3.2 Integrity of the Immigration Program

In examining the integrity of the immigration program, the audit expected to find that application decisions were adequately documented, processes and procedures complied with applicable legislation and policies, appropriate controls were in place at the mission to ensure that admissibility requirements were met, and delegated authorities for decisions were appropriate and in compliance with departmental policy.

The audit found that the immigration program at the mission complied with the applicable legislation and that staff understood their role. The audit also found that appropriate controls were in place to ensure that admissibility requirements were met. However, we identified some issues with respect to the documentation of processes and procedures and to the delegation of authorities for decisions. Our findings in these areas are discussed in greater detail in the following sections.

3.2.1 Documentation of Decisions

The audit found that final decisions were properly documented in the case notes for the samples of permanent resident determination travel documents and temporary resident applications.

However, in 23 of 60 sample permanent resident cases, the final decisions were not adequately documented. In all of these cases, the final decisions were entered by an authorized decision maker, but no notes were made in support of the decisions.

The Department’s overseas processing manual requires officers to ensure that case notes not only document any decisions taken during case evaluations, but also clearly indicate the process that the officers followed in reaching those decisions.

Unlike temporary resident applications, permanent resident applications must be subjected to a series of decisions prior to ultimate approval. These are the selection (if applicants meet the definition of the category they are applying under) and admissibility (medical, criminality and security) decisions. Our review found no issues with the documentation of these earlier decisions. Accordingly, the risk of not documenting the final decision is reduced if the final decision maker concurs with the earlier assessments. However, there was no evidence of concurrence in the notes. In most cases, an officer will rely on previous officers’ decisions. In rendering the final decision, we would expect officers to review and ensure the completeness of the previous decisions and, if needed, perform and document additional work. Without any acknowledgment of concurrence or any other notation when making a decision, there is a risk that some steps involved in the decision-making process may go undocumented.

In the past, we have noted this practice in other missions and have made recommendations. At that time, management accepted the recommendations and adjusted the documentation processes. We were informed by the immigration program management in London that when officers entering the final decisions are not satisfied that all requirements have been met, they act accordingly and make the appropriate entries in the case notes.

3.2.2 Compliance of Processes and Procedures

A review of standard operating procedures and interviews with staff found that the processes in place at the mission to support immigration program processing complied with the policies. In addition, staff generally understood the requirements of both the Immigration and Refugee Protection Act and its regulations and the policies created to support the Act.

After reviewing sample files, the audit found that processes and procedures were adequately documented for the sample of permanent resident determination travel document cases. However, the audit found that in 13 of the 30 sample of temporary resident cases, the processing steps taken to arrive at the decisions were not adequately documented. The reasons for non-compliance varied for the sample of temporary resident applications. Consequently, our review found no consistent systematic weaknesses indicating issues with any particular procedure. For permanent residents, we found that in 16 of 60 sample cases, some documents had not been retained or had not been sufficiently detailed in CAIPS notes to indicate that they had been received or verified. According to our review of documents and the interviews mentioned above, the procedures established by the office would likely have ensured that all required actions were carried out. However, because of time constraints, the documentation of these actions did not occur.

The Department’s overseas processing manual states that documentation that supports routine processing is not to be filed. Instead, the date of receipt and the nature of the contents, where applicable, are to be recorded in CAIPS notes. Support staff are typically responsible for carrying out these procedures, and officers render decisions based on the results of these procedures or, in this case, the documents reviewed. If these documents are not noted, the office may not be able to demonstrate the completion of all steps taken in arriving at its decisions. Good case notes are of critical importance because they serve as the official record of what transpired at an interview or the processing steps followed to reach a decision. Case notes are used to prepare refusal letters, to respond to enquiries, and as the record in the case of an appeal and for court challenges. In some instances, case notes are the only information available to the staff responsible for responding to these, like the staff at NHQ.

Recommendation 3

The mission must ensure that the results of the processes and procedures for temporary resident and permanent resident cases are documented in order to demonstrate that all the processing steps were completed.

Management Response

The importance of complete notes was reiterated at recent training sessions with all staff. As noted in this report, an officer making a final decision takes full responsibility for all aspects of the decision, and thus responsibility is fully understood even if it is not specifically stated in the notes.

3.2.3 Admissibility Requirements

After interviews with staff, the audit found the employees to be knowledgeable about the legislation and policy on admissibility requirements.

As part of our file review, we examined sample cases to determine whether the admissibility requirements were met and properly documented. The audit found that in all 10 permanent resident determination travel document cases and all 30 temporary resident applications, the office had complied with the admissibility requirements. Our review of permanent resident applications indicated that admissibility processes and procedures were diligently performed and documented.

3.2.4 Delegated Authorities for Decisions

As part of the audit, we extracted decision data from corporate databases at NHQ for all permanent resident determinations, temporary resident and permanent resident cases finalized in 2006. It is important to note that while our sample period was for cases finalized during 2006, in the case of permanent resident cases, some decisions may have been entered before 2006. Our review found some issues with respect to delegations of authorities.

In reviewing the security decisions, we found that 18 LES had rendered a significant portion of them. Security decisions are typically restricted to CBOs. While we were on site, management advised us that special permission to allow LES to make security decisions was sought and obtained. In approximately 50% of these cases, this involved designated immigration officers (DIO) or non-immigrant officers (NIO) who were either former CBOs or long-serving staff with dual Canadian and British citizenship whose security clearances had temporarily lapsed but had since been reobtained.

The mission management and IR have the authority to give special decision-making abilities, such as for security decisions. However, we found instances where LES had been making these decisions without the proper authority. Our review found no evidence that prior approval had been sought to allow these individuals to make these decisions, nor did these individuals have secret clearance to access some of the information required to make a security decision. We found that management was aware of a large number of these cases and had taken appropriate action prior to our on-site examination. Our review of a sample of these cases for compliance with delegated authorities reflects the results above. We did not find any instances that suggested that procedures had not otherwise been followed.

While on site, we also reviewed some temporary resident permit (formerly minister’s permit) decisions made in 2006. Temporary resident permits are issued to some foreign nationals who would otherwise be inadmissible to Canada on various grounds. Our review found that 33 permits were issued in the 2006 calendar year by seven different people. Of those permits, four were issued by two staff who didn’t have delegated authority. In these four instances, the notes indicated that the decisions were made under the direction of officers with authority to make the decisions. Our review of these cases also found that appropriate procedures appeared to have been otherwise followed.

We advised management of all issues described above, and management adjusted the CAIPS profiles where appropriate to ensure that these instances did not recur. According to discussions with IR management at NHQ, the expectation was that only those with delegated authority should be making (i.e., entering) the decisions.

We were also advised that all requests to designate an officer decision-making authority required the program manager to seek NHQ approval. In addition, other special delegations of decision-making authority also required approval from NHQ. Our review found that at the time of standard designation, records were maintained to demonstrate this, but in the case of the latter special authorities, no record was maintained at NHQ.

The mission management and IR have the authority to delegate special authorities, such as for security decisions. However, we are concerned that staff who do not have a minimum level of security clearance may not have access to the information they require to discharge their duties in making these decisions. In addition, our review found that while IR at NHQ maintains records of LES designations, special decision-making abilities were not being tracked. As a result, future managers may not have the corporate memory to know when some individuals were granted these authorities and may not be able to determine if and when these special authorities should be revisited. This also does not allow management to take these authorities into consideration when contemplating promotions or additional resources.

Recommendation 4

The mission must ensure that only those with delegated authority enter the decision in the case processing system.

Management Response

Action had been taken to rectify the situation prior to the audit. The mission will continue to monitor this situation and ensure appropriate delegation of authority.

Recommendation 5

When staff have been delegated authority to perform special tasks, management must ensure that the necessary clearances and approvals have been obtained and that staff are able to access the required materials to adequately discharge their duties. A record of these approvals should be maintained at NHQ and the mission to better control such changes.

Management Response

NHQ maintains a repository of all designation letters for NIOs and DIOs. Documents related to the granting of special designations or delegation of authority to locally engaged personnel are being added to the repository.

3.3 Internal Control Framework—CAIPS Management

As part of the audit of the internal control framework, controls over CAIPS were examined. We expected to find that there were appropriate controls in place to ensure the appropriate use of CAIPS at the mission and that CAIPS assets were safeguarded.

The audit found the current control framework for CAIPS access to be appropriate. However, it identified some issues for management’s consideration regarding controls to safeguard CAIPS assets. The detailed findings are discussed in the following two sections.

3.3.1 Access Controls

The list of CAIPS profiles at the mission was reviewed as part of the audit. The audit found a relatively small number of issues with user accounts relative to the number of active accounts. These issues included accounts with irregular access privileges and some accounts that had not been reset (e.g., former staff accounts, training accounts). This increases the risk of unauthorized access and inappropriate use of the system. Management was advised of these issues and resolved them while the audit team was on site.

Case decisions were tested as part of program integrity to validate the review of CAIPS user profiles. The results of those tests are discussed in 3.2.4. We noted that the mission undertook a review of CAIPS user accounts in the spring and summer of 2006, which resolved the majority of these issues.

The audit found that under the current CAIPS manager, the periodic monitoring of accounts did occur and that when changes were made, hard copies of historical user profiles and charge-out tables were maintained for a period of time to ensure a record of CAIPS users at the mission for accountability purposes.

3.3.2 Controls over CAIPS Assets

The audit found that while periodic system maintenance was performed, it was not done in full accordance with the policy. The CAIPS manual indicates that some of these functions are the exclusive duty of the CAIPS manager. In London, we found that all the tasks were performed, but that some of them were performed by the CAIPS operator because of his proximity to the CAIPS room.

In terms of the physical controls, the audit found that there was a CAIPS room where the CAIPS server was housed. This room is climatized to protect the hardware and has the capability to restrict access. However, the audit found that access to it was not restricted to the CAIPS manager, the IPM, the operations manager and the systems administrator. In addition, the audit found that CAIPS reports were stored in the server room. Increasing access to the CAIPS room increases the threat to the system. Moreover, the storage of CAIPS reports in the server room increases the risk that the office may not have these reports should something happen to the server. These reports are the record that the mission will need to reinstall CAIPS on a new system in the event of an emergency (e.g., a fire in the server room). If they are lost, the office will have a more difficult time returning to normal operations. We also found that CAIPS tapes were stored in the systems administrator’s office in a file cabinet and that it was the CAIPS operator who ran the backups. The CAIPS manager’s manual states that the CAIPS manager is the only person who should have access to the tapes.

Recommendation 6

Management conduct a review of the control environment in place at the mission to safeguard CAIPS assets and make adjustments where needed.

Management Response

Most of these issues have been resolved, within the physical constraints of the chancery. Efforts are being made to store all records appropriately.

3.4 Internal Control Framework—Controlled Documents

As part of the audit of the internal control framework, controls over controlled documents were examined. The audit expected to find that roles and responsibilities (duties) were appropriate and that there was an effective framework in place for the custodianship, safeguarding and control of controlled documents.

Overall, the audit found that, historically, the mission did not have an adequate internal control framework in place to safeguard controlled documents. Under current mission management, new procedures were implemented that have strengthened the internal control framework. However, our audit found that some practices at the mission could be further strengthened to enhance the control framework. This is discussed in the following two sections.

3.4.1 Roles and Responsibilities

The audit found that while roles had been delegated by the mission management, the responsibilities in place at the mission were not necessarily in agreement with these roles. The mission management had designated one CBO as the forms control officer (FCO) and another CBO, who is also the cost-recovery officer (CRO), as the backup.

The FCO is responsible for the requisition, receipt, custodianship, monitoring and reporting on the use of controlled documents at the mission; the backup’s duties are to replace the FCO when he or she is absent from the mission. In London, the FCO performs the duties of requisitioning, receiving and reporting on the use of controlled documents. However, the duties of custodianship are shared between the FCO and the backup. The FCO maintains the bulk of the mission’s supply in deep storage. The working storage is kept in the backup’s office and the inventory is segregated into two streams—immigrant and non-immigrant—to represent the two distinct uses for these documents at the mission. To facilitate processing, the CRO, who is the head of the Temporary Resident Unit, was assigned these duties given the unit’s processing duty responsibilities and its proximity to the front counter.

Where controlled documents and cost recovery are concerned, it is usually recommended that these functions be segregated to eliminate the opportunity for one individual to have direct access to clients paying for services while at the same time having access to the documents they are paying for. It is important to note that controls are not only designed to prevent inappropriate activities but also serve to protect staff from suspicion in the event that they do occur.

Recommendation 7

The mission must segregate the duties related to controlled documents and cost recovery.

Management Response

This recommendation has been implemented.

3.4.2 Control Framework

Inventory transactions for controlled documents include the consistent recording of controlled documents transferred in or out, the recording of controlled document use at the mission, and the reporting of this information on the appropriate forms. Following our other audit tests of controls over controlled documents at the mission, the audit found that these controls were appropriate.

However, we were unable to reconcile the mission’s controlled documents inventory with the last quarterly inventory report because we found issues in these areas in the mission’s practices. In some instances, the errors found affected the paper record for the level of inventory recorded by the mission. In other instances, the errors resulted in the incorrect disclosure of controlled document use by the mission. The audit noted the following issues with respect to the procedures in place at the mission that likely had an impact on our reconciliation of controlled documents inventory:

  • Items removed at the warehouse as part of QA initiatives are recorded in the mission’s inventory when received and recorded as used by the mission. This practice results in the reporting of artificially high levels of inventory and document use at the mission.
  • The monitoring of controlled document use was not as frequent as we had expected, given the volumes and the number of people involved in the process. There was also no QA performed for the function. However, the mission currently monitors the use at least quarterly.

That being said, the mission did have some sound practices in place, such as the use of electronic tools to facilitate the recording of controlled document use at the mission.

Guidance for controlled documents is fragmented over several policy manuals, and responsibility overseas is divided between two branches at NHQ (the International Region and Information Management and Technologies). Consequently, guidance can be difficult to navigate and, in some instances, contradictory. Recently, efforts have been made to improve this area, but the problems still persist and may be the cause of some of the issues observed in London, as well as in our previous audits of missions abroad. We have found similar issues in other offices, and we support NHQ’s recent efforts to improve the guidance, but would encourage them to continue to make improvements. As part of our audit planning, and in light of our experience in past mission audits and in-Canada audits, we have identified NHQ management of this function as an area to be audited and we will be doing this in the near future.

Recommendation 8

The mission must ensure compliance with the procedures for controlled documents by periodically monitoring the recording and reconciliation of controlled document use.

Management Response

There have been significant efforts made at the mission to improve the management of this function. The mission has appreciated the advice of the audit team in resolving these issues. Improved control measures are now in place.

3.5 Internal Control Framework—Cost Recovery

The London immigration program accepts payment of immigration fees in Canadian dollars or UK pound sterling depending on the payment method and the business line. Cost-recovery revenue at the mission totalled $20.8 million in fiscal year 2005–2006 and fees collected for the 2006–2007 period to the end of January 31 came to $14.1 million. The audit expected to find that the roles and responsibilities (duties) were in accordance with departmental policies for cost recovery, that adequate controls were in place to safeguard the cost-recovery revenues, and that an adequate monitoring regime was also in place.

Overall, the audit found that the cost-recovery control framework at the mission needed attention in some areas, but that management was well on its way to addressing these issues. These improvements are discussed in the three sections that follow.

3.5.1 Roles and Responsibilities

The audit found that roles and responsibilities for the cost-recovery function had been assigned and were understood. Staff involved in the process had signed an annual undertaking attesting to the duties they performed. As noted earlier, the CRO was the backup FCO.

3.5.2 Internal Controls

At the time of our audit, we found some practices in place that weakened the control framework for the cost-recovery function. These included issues with respect to POS+ user accounts, inconsistencies in the fee schedule, the time between receipt and recovery of fees, and issues with respect to end-of-day procedures. However, our audit found no examples of clients being charged inappropriate amounts, and no indication that funds had gone missing. In several instances, management was aware of these issues and had taken appropriate action prior to or while the audit team was on site. Management advised us that they would take appropriate action on the remaining areas that had not been addressed at the conclusion of our on-site examination. In addition, they have informed us that they are looking into introducing electronic payments as a method of payment in the future. If implemented appropriately, electronic payments have the potential to strengthen the control framework.

3.5.3 Cost-Recovery Monitoring

The mission is responsible for monitoring cost recovery to ensure that procedures are performed correctly and in accordance with CIC policies and procedures.

The audit found that the mission does monitor, to some extent, the cost-recovery function. However, because we found some issues with respect to cost-recovery procedures, monitoring of the function was not as effective as we had expected. Once the new procedures are incorporated into the process, internal controls in this area will be strengthened.

3.6 Internal Control Framework—Travel and Hospitality

Controls over travel and hospitality expenditures were examined as part of the audit of the internal control framework. The audit expected that controls would be in place to ensure that travel and hospitality transactions were processed in compliance with applicable policies and regulations.

The audit found that the internal controls over travel and hospitality expenditures were appropriate.

Appendix A: Organizational Chart

Organizational Chart of the Immigration Program at the Canadian High Commission in London

Appendix B: Detailed Criteria for the Audit

Objective 1: Management Framework

The management framework will be assessed under seven lines: governance and strategic direction; public service values and ethics; people/human resources; client-focused service; risk management; results and performance; and learning, innovation and change management. The detailed criteria and sub-criteria are:

  • Governance and strategic direction: governance structures are in place to ensure that accountabilities are adequately discharged.
    • Clearly defined reporting and accountability lines are established.
    • All positions have a job description that accurately describes the duties of the position.
    • Delegations are clear and appropriate in relation to responsibilities and available resources.
    • Processes exist for integrated planning, budgeting, monitoring and performance management.
    • Formal relationships are established and functioning as intended with partner agencies such as CBSA, CSIS and RCMP.
    • Communication protocols exist for clients, employees, partners and other external stakeholders.
  • Public service values and ethics: values and ethics are promoted and reinforced.
    • Management promotes and reinforces values and ethics.
    • Employees are aware of public service values and ethics, code of conduct.
  • People/human resources: the office is managed to ensure an effective workplace for staff to successfully contribute to the work objectives.
    • Processes exist to provide employees with the necessary training, tools and resources to discharge their responsibilities.
    • Processes and procedures are in place to ensure that staffing actions are in accordance with the PSEA.
    • Processes are in place for the assessment of individual performances and for holding individuals or management accountable for their actions.
    • Staff are informed and aware of their roles and responsibilities.
  • Client-focused service: services delivered by the office reflect the requirements of its clients.
    • Processes are in place to establish, maintain and monitor service principles and standards for clients.
    • Processes are in place for effective tracking and resolution of complaints.
    • Processes are in place to respond to clients.
  • Risk management: processes are in place at the office for the identification and development of risk mitigation strategies.
    • The mission periodically assesses the risk to the delivery of its program.
    • Risk assessments are considered in planning documents.
  • Results and performance: relevant information on results is gathered, used to make decisions and reported.
    • Processes are in place to monitor (including QA) and update performance measures as needed to reflect organizational changes.
    • Processes are in place to capture and use performance information in decision making.
    • Processes are in place to analyse planned versus actual results.
  • Learning, innovation and change management: the office employs learning and development activities to promote innovation and change management in order to learn from its performance.
    • Processes are in place to support major change or innovation initiatives.
    • Processes are in place to assess internal and external environments and to anticipate change.
    • Processes exist for the development and implementation of learning plans that address organizational and individual needs.

Objective 2: Program Integrity

The objective is to assess the degree of compliance of practices and procedures with applicable legislation, regulations and policies associated with the delivery of the immigration program. The detailed criteria are:

  • Decisions are adequately documented, and the required supporting documentation is maintained.
  • The processes and procedures of the office in the immigration application process comply with the applicable legislation and policies.
  • Appropriate controls are in place at the mission to ensure that admissibility requirements are met.
  • Delegated authorities for decisions are appropriate and in compliance with departmental policy.

Objective 3: Internal Controls

The audit objective is to assess the internal control framework in place to support operational delivery at the mission and safeguard assets and revenues. The detailed criteria and sub-criteria are:

  • CAIPS management: there is an effective control framework in place for the management and use of CAIPS functions at the mission.
    • Appropriate controls are in place for the management and use of CAIPS user accounts at the mission.
    • Appropriate controls are in place to safeguard CAIPS assets at the mission.
  • Controlled documents: there is an effective control framework in place to ensure compliance with legislation, policies and procedures associated with the handling of control documents.
    • Roles and responsibilities (duties) are appropriate for the custodianship, safeguarding and control of controlled documents.
    • An effective control framework is in place for the custodianship, safeguarding and control of controlled documents.
  • Cost recovery: there is an effective control framework in place to safeguard revenues collected in the Immigration Unit of the mission.
    • Roles and responsibilities (duties) assigned and procedures performed are in accordance with departmental policies for cost recovery.
    • Adequate controls are in place to ensure that the physical environment is in place to safeguard the cost recovery system.
    • An adequate monitoring regime is in place to ensure that controls are working and that funds collected are appropriately and properly accounted for and safeguarded while in the Immigration Unit.
  • Travel and hospitality: procedures related to travel and hospitality expenditures are in compliance with applicable policies.
    • Internal controls should be in place to ensure that travel and hospitality transactions are in compliance with policies and regulations to protect against fraud, financial negligence and other violations of rules and principles.

Appendix C: Management Action Plan

# Recommendations Action Plan Responsibility Target Date
1.

Management should periodically assess, document and use program risk as input in order to guide management practices such as program design and quality assurance.

QA will continue to be a regular point of discussion at biweekly officer meetings to consider (a) quality and consistency of decision making; (b) reliability of client information; and (c) reliability of process.

Mission management

Ongoing

    Specific anti-fraud activities are being recorded. Mission management Ongoing
    Regular meetings take place with internal and external partners to define risks more clearly and accurately. Mission management March 31, 2008
    The mission will undertake targeted reviews of certain types of cases, both refused and accepted, starting with skilled workers and family class cases. Mission management Ongoing
    Memorandums of understanding have been finalized with satellite offices in Riyadh and Abu Dhabi to outline respective responsibilities with regard to QA. London/Abu Dhabi/Riyadh Actioned November 2007
2.

In order to further improve performance measurement, management should develop, capture and periodically report on performance measures that capture the full performance of the office. This information should then be used to guide management in assessing performance and support decision making.

Information will continue to be reported, inter alia, during the IRIMP and cost management exercises.

Mission management

Annual

    Norms for work in registry are being developed. Registry supervisor March 2008
    Outputs, processing times, productivity and acceptance/refusal rates are regularly monitored and recorded. Mission management Ongoing
    Review of quality and timeliness of responses by the CSU. Mission management Ongoing
3.

The mission must ensure that the results of the processes and procedures for temporary resident and permanent resident cases are documented in order to demonstrate that all the processing steps were completed.

Officers have been and will continue to be reminded of this requirement.

Mission management

Ongoing

    Officers will be asked to include this item in their annual objective-setting exercise and they will be assessed on this point in their annual appraisals. Officers and supervisors April 2008
    Supervisors audit a prescribed number of cases each quarter to ensure that cases are appropriately documented. Immigrant and non-immigrant supervisors Ongoing
4.

The mission must ensure that only those with delegated authority enter the decision in the case processing system.

Action had been taken on this matter prior to the audit.

Mission management

Actioned January 2007

    CAIPS authorities are reviewed at least quarterly. Mission management Quarterly
5.

When staff have been delegated authority to perform special tasks, management must ensure that the necessary clearances and approvals have been obtained and that staff are able to access the required materials to adequately discharge their duties. A record of these approvals should be maintained at NHQ and the mission to better control such changes.

All necessary clearances are regularly updated and records are maintained at the mission and at DFAIT Ottawa (ISCT).

Mission/DFAIT

No change required

    Lists of all LES designations are maintained at NHQ (IR). Mission management and NHQ/IR No change required
    Action will be taken to ensure that records of special approvals in London are maintained at NHQ. Mission management and NHQ Ongoing
6.

Management conduct a review of the control environment in place at the mission to safeguard CAIPS assets and make adjustments where needed.

Access to the CAIPS room has been carefully restricted.

Mission management

Actioned March 2007

    The mission has identified a place for CAIPS records to be stored outside the CAIPS room and is in the process of making adjustments. CAIPS manager Actioned January 2008
    Only the CAIPS manager now has access to the CAIPS tapes, and these are secured in a locked safe. CAIPS manager Actioned September 2007
7.

The mission must segregate the duties related to controlled documents and cost recovery.

With the arrival of new CBOs this summer, it has been possible to separate the backup functions.

Mission management

Actioned August 2007

8.

The mission must ensure compliance with the procedures for controlled documents by periodically monitoring the recording and reconciliation of controlled document use.

A new electronic system has been developed and introduced to monitor forms control. This includes capacity for an up-to-the-minute inventory count.

Mission management

Actioned February 2007

    Written instructions have been issued to increase consistency between officers. Forms control officer Actioned May 2007 and as issues arise
    The working storage of permanent resident visa foils and seals has been separated from that of the temporary resident visa foils and seals. Forms control officer Actioned May 2007
    Rigorous checks are done on all documents at time of receipt from NHQ to ensure accurate reconciliation. Forms control officer Ongoing

Appendix D: Audit Time Line

Audit planning: January 2007

On-site examination: February 26 to March 9, 2007

Clearance draft to IPM and IR for comments: June 18, 2007

Management action plan finalized: February 25, 2008

Report approved by Audit Committee: March 25, 2008

Date Modified: