Final Audit Report - Audit of Paris Immigration Program

Final Audit Report
Citizenship and Immigration Canada
Internal Audit and Disclosures
October 2003

Table of Contents

• 1.0 BACKGROUND
• 2.0 AUDIT FINDINGS AND RECOMMENDATIONS
  • 2.1 MANAGEMENT FUNCTION
  • 2.2 MANAGING THE CASELOAD
    • 2.2.1 CAIPS Training
    • 2.2.2 Access to CAIPS Functions
    • 2.2.3 CAIPS Manager User Guide: Quality Issues
  • 2.3 PROGRAM INTEGRITY AND COMPLIANCE
    • 2.3.1 Transition to the Immigration and Refugee Protection Act
  • 2.4 COST RECOVERY
  • 2.5 CONTROL OVER KEY DOCUMENTS
  • 2.6 HUMAN RESOURCE MANAGEMENT
  • 2.7 RISK MANAGEMENT AND QUALITY ASSURANCE
  • 2.8 FOLLOW-UP TO THE 1995 AUDIT
• APPENDIX A – MANAGEMENT ACTION PLAN

1.0 BACKGROUND

We carried out the audit of the Immigration Program at the Paris Mission between January 20 and February 3, 2003. Our audit coincided with another audit carried out at the Mission by the Department of Foreign Affairs and International Trade.

The purpose of the audit was to:

• assess the strength of management practices in the areas of governance, organizational capability, operational delivery, risk management, and information for decision making and reporting; and
• identify opportunities for improving the existing management control framework.

The audit scope was limited to the Mission in Paris; we did not visit any satellite offices. Specifically, the scope included the management of the Mission’s immigration functions, caseload management, program integrity and compliance, cost recovery, control over key documents, human resource management, and risk management and quality assurance. Our scope also included an assessment of the Mission’s progress in making the transition to the new Immigration and Refugee Protection Act (IRPA). Finally, we followed up on the corrective actions taken in response to recommendations flowing from an audit of the Mission carried out in 1995.

In carrying out the audit, we reviewed files and documentation and interviewed the Immigration management team, Canada-based officers and locally engaged officers and staff. We also attended staff meetings and met with representatives from other Embassy programs and the Quebec Immigration Service (SIQ).

The Paris Mission is a Regional Program Centre and offers all immigrant and non-immigrant services. It is responsible for 13 countries and territories and has two satellite offices. The Immigration Program employs some 50 people, including an immigration control officer, two medical officers and 42 locally engaged staff (LES).

In 2002, the Paris Immigration Program issued 11,816 immigrant visas and received 8,384 immigrant applications (6,605 from skilled workers). Of the non-immigrant applications it received, 9,015 were for temporary residents, 5,997 for temporary workers, and 4,665 for students. About 70 percent of the immigration applications that it receives are for Quebec. Cost recovery revenue for 2002 amounted to some $11 million.

>2.0 AUDIT FINDINGS AND RECOMMENDATIONS

2.1 MANAGEMENT FUNCTION

We found that the Immigration Program at the Paris Mission has benefited from a highly experienced management team. The Immigration Program Manager (IPM) has been posted to Paris for the past six years and fully understands the operating environment. Management has established very good working relationships with other Embassy programs, with outside stakeholders such as the Quebec Immigration Service and with the NHQ geographic desk. Effective internal communications processes are in place, with regular staff meetings and close co-operation between management team members.

Paris work plans and objectives reflect the International Region’s planning priorities and the Department’s strategic objectives.

We found that management and staff had developed various tools and practices that contribute to effective day-to-day operations. These include form letters to enhance communications with clients, a website tailored to specific client groups and a voice mail messaging system for clients. The Mission has also developed training sessions for outside stakeholders, such as CSIS, the RCMP and the SIQ, on the new IRPA and its requirements. In addition, the Mission has provided extensive in-house IRPA training for all Immigration staff.

Management also showed strength in a number of other key areas: accountability for decision making was clearly defined, and we noted that comprehensive information was available for making decisions and reporting on performance. Finally, a number of transition measures were in place to deal with the turnover of key positions expected during 2003. Accordingly, we have concluded that the Mission is well managed, and we have no recommendations with respect to the management function.

2.2 MANAGING THE CASELOAD

Our file review indicated that immigrant and non-immigrant cases were very well managed. For all cases in our sample, the Mission had met standards for processing times. Management monitored case processing closely, and the Paris Mission was meeting all of its targets. Files were found to be in order and complete. The file review reflected very positively on the management of the program.

We identified three issues relating to the use of the Computer-Assisted Immigration Processing System (CAIPS): insufficient training, improper access to a number of the system’s functions, and weaknesses in the “CAIPS Manager User Guide”.

2.2.1 CAIPS Training

At the time of our audit, the CAIPS Manager had not received CAIPS training appropriate to a CAIPS Manager. Incoming CAIPS Managers should receive training either in Ottawa or from the outgoing CAIPS Manager, or possibly both. Although issues relating to the training of the CAIPS Manager at the Paris Mission have been resolved, we were concerned because the CAIPS Manager had not initially been properly trained. The lack of training led him to depend heavily on a locally engaged CAIPS operator, to whom the Mission had delegated considerable responsibility. We noted that some practices resulting from the ensuing dependence were continuing at the Mission. These practices entail a degree of risk, as discussed under 2.2.2, below.

(1) Recommendation
Whenever a new CAIPS Manager is assigned to a posting, the International Region, in collaboration with IMTB, should ensure that he or she receives CAIPS training appropriate to this position.

Management Response
It is not always possible to identify who will be the CAIPS Manager prior to a posting. Some are given the responsibility after their first year at a mission and some are cross-posted. IR and IMTB will work together to develop a training package for those individuals who are identified in advance. CAIPS Manager Workshops will be held to provide additional training. The CAIPS manual will also be improved to clarify functions

2.2.2 Access to CAIPS Functions

Improperly Shared Password

CAIPS is the key system for processing immigration applications at Canadian missions around the world. Accordingly, access to the system and its functions must be strictly controlled. Central to controlling who uses CAIPS for what purpose is maintaining strict control over the password of CAIPS Managers. At the Paris Mission, we found that an LES employee, the Mission’s CAIPS operator, had access to this password. For security reasons it should have been restricted to a limited number of Canada-based officers only, since access requires Canadian citizenship and a security clearance at the ‘secret’ level.

We found no evidence that anyone had abused the system. However, in our opinion, improperly providing an LES employee (no matter how competent) with a high-level password introduces the risk that a key processing system could be vulnerable to misuse. The risk is increased by the fact that the LES CAIPS operator is physically removed from his supervisor because they work on different floors at the Mission.

(2) Recommendation
The Immigration Program Manager should ensure that access to the CAIPS Manager’s password is restricted exclusively to Canada-based officers, who have the required Canadian citizenship and security clearance at the ‘secret’ level.

Management Response
The CAIPS Manager’s password has now been restricted exclusively to Canada-based officers, who have the required Canadian citizenship and security clearance at the ‘secret’ level.

User Accounts Set Too High

We found that 16 of the 42 LES at the Mission had access to CAIPS functions beyond the level of authority that their position required. In essence, they could access functions beyond those, which were consistent with their job descriptions and security levels.

All staff members have a user account or profile that defines their authority level — i.e., which CAIPS functions they can access. The CAIPS Manager is responsible for controlling user accounts and ensuring that staff have access only to those functions required to do their work. However, we found that some user accounts were not in line with the good risk management practices presented in the “Program Integrity and Risk Identification Guide” made available by the International Region. As a result, some employees had access to visa-processing functions that exceeded their authority. For example, they could access functions that allowed them to refuse, issue or reprint temporary or permanent resident visas. Enabling such access for these employees poses a risk that an unauthorised person could make a decision with respect to a visa application or have access to restricted information contained in immigration databases.

We found no evidence that anyone had abused the system. Nevertheless, this issue is of concern because of the potential for such abuse to occur.

This situation has resulted, in part, from certain characteristics of the CAIPS system itself and the addition of a number of functions that make user accounts somewhat time-consuming and difficult to administer. As noted in 2.2.3 below, another cause stems from weaknesses in the content and presentation of information on user accounts in the “CAIPS Manager User Guide” issued by the Information Management Technology Branch (IMTB).

(3) Recommendation

(a) The Immigration Program Manager should identify potential, post-specific risks to program integrity by completing and updating annually, with the assistance of the CAIPS Manager, the “Program Integrity and Risk Identification Guide”. This guide sets out management responsibilities and accountabilities for the various risk areas at a mission, such as CAIPS security.

(b) The CAIPS Manager should take steps to ensure that staff have access only to those CAIPS functions appropriate to their level of authority.

Management Responses

(a) The “Program Integrity and Risk Identification Guide” was fully completed by the Acting Immigration Program Manager on May 30, 2003. The new Immigration Program Manager, who arrived mid-summer 2003, has accepted full responsibility for ensuring all aspects of CAIPS security are addressed at the Mission level. Additionally, on June 10, 2003, the International Region, NHQ, sent instructions to all missions to underline the importance of having appropriate measures in place to address Program Integrity and Risk Identification, which includes CAIPS authority levels, key documents control and cost recovery monitoring.

(b) Mission staff have access only to CAIPS functions appropriate to their level of authority. This was reviewed as part of the exercise to complete the “Program Integrity and Risk Identification Guide” described in (a) above.

2.2.3 CAIPS Manager User Guide: Quality Issues

The Guide is the main source of functional guidance from Headquarters for CAIPS Managers. We found that the information in the Guide on creating user accounts and setting authority levels for accessing particular CAIPS functions was outdated and incomplete. Other parts of the Guide appeared to contradict or be inconsistent with the International Region (IR) “Program Integrity and Risk Identification Guide”. This latter document was designed to help Program managers identify mission-specific risks to the Immigration Program’s integrity.

We note that as CAIPS has evolved since it came into service in the mid-1980s, new functions have been added to the system which have various levels of authority associated with them. However, the “CAIPS Manager User Guide” does not adequately cover all the new functions and their corresponding authority levels. We have concluded, therefore, that inaccuracies in the content and presentation of the “CAIPS Manager User Guide” have contributed to the problems associated with user accounts, as noted above.

Quality issues related to the instructions for CAIPS Managers add to the difficulty that they face in managing user accounts at overseas missions. Any anomaly in monitoring these accounts creates a potential risk to the integrity of the Immigration Program.

In February 2003, the audit team asked IMTB to confirm the level of authority required to access various CAIPS functions. This information — along with other material in the “Program Integrity and Risk Identification Guide” — would then be added to the “CAIPS Manager User Guide” to help CAIPS Managers monitor user accounts and set authority levels. IMTB is currently reviewing the issue.

(4) Recommendation
IMTB and the International Region should collaborate to ensure that CAIPS Managers are informed about the authority levels associated with various functions of the system.

Management Response
A new version of the “CAIPS Manager’s Guide” including changes on the authority levels was posted on CIC Explore on May 29, 2003. IMTB and IR will continue to work together to refine the CAIPS manual as required.

2.3 PROGRAM INTEGRITY AND COMPLIANCE

2.3.1 Transition to the Immigration and Refugee Protection Act

Implementing the new IRPA has posed significant operational challenges for missions. Nevertheless, our file review showed that the Paris Mission had managed the transition competently, and that staff were applying the new Act’s provisions properly. There was some indication that new procedures relating to client passports were more onerous in terms of Mission resources. At the time of our audit, it was too early for us to assess how the Mission was applying the new selection criteria for skilled workers. However, the limited information available at the time of our audit was positive.

2.4 COST RECOVERY

Our audit showed that the cost recovery (CR) function at the Mission is generally well managed. We have, however, suggested some measures that could improve controls and reduce risk, and which could be dealt with at the Mission level.

One other issue to be resolved is a lack of both formal procedures for monitoring the CR function and documentation of the results of monitoring

The CRO is required to formally monitor the CR process to ensure that all cost recovery fees for the Immigration Program are properly accounted for. Our audit indicated that the CRO does monitor all aspects of the CR process. However, we found little in the CRO’s files clearly documenting either monitoring activities or the results of those activities. The CRO did provide examples of formal sampling procedures that he is working on for future monitoring. However, workload has delayed his efforts to complete this task.

(5) Recommendation
The Paris Mission should both develop formal procedures for monitoring the cost recovery function and document the results of its monitoring activities.

Management Response
Formal procedures for monitoring the cost recovery function have been developed and are in place, including the monthly verification tests. IR was provided with a copy of these procedures. The IPM understands and assumes the responsibility for supervising the CRO and ensuring the monitoring activities are documented.

Note also the management response for Recommendation #3 (Ref. 2.2.2), that instructions on cost recovery monitoring were sent to all missions by IR on June 10, 2003.

2.5 CONTROL OVER KEY DOCUMENTS

The Mission has managed this function effectively, and we found no significant deficiencies. We made some suggestions for minor improvements that could be dealt with at the Mission level.

2.6 HUMAN RESOURCE MANAGEMENT

We reviewed human resource management practices relating to training and development, annual performance appraisals, and use of overtime and contract or emergency staff.

Most of the training effort in the past year was geared to preparing and delivering IRPA training for all Immigration staff. Generally, training needs are discussed as part of annual appraisal process or self identified by staff. Several of the LES whom we interviewed said that they wanted more training. Management was aware of their needs. Following on the model of IRPA training, we suggested that the Mission develop a formal training plan each year to track training needs and what will be done to meet them. This plan would include the training needs for back-up personnel in such functions as cost recovery and key documents.

We found that the appraisal process was timely and provided good feedback to managers, supervisors and employees on their performance. With respect to overtime and extra staff, we found that the office is able to manage operations with a policy of no overtime for LES, although emergency staff are needed to handle seasonal variations in workload that occur primarily in the summer months.

2.7 RISK MANAGEMENT AND QUALITY ASSURANCE

Our audit examined the Mission’s risk management and quality assurance practices. Risk management practices were very evident in the control unit. We suggested management utilize a risk assessment approach in the cost recovery area to address any risk associated with a POS+ failure, and to determine the appropriate level of monitoring for the function.

Paris carries out both ongoing informal monitoring and specific exercises to verify the quality of decision making. Some of the recent targeted areas for quality assurance included offshore applications, requests for additional documentation, and the consistency of refusal rates. The IPM also indicated that there is a need for a national quality assurance framework, including guidelines for strengthening the current limited efforts the Mission is now able to carry out. This latter point was addressed with the May 2003 launch of the IR Quality Assurance and Anti-Fraud Framework to provide guidance and support to the overseas processing network.

2.8 FOLLOW-UP TO THE 1995 AUDIT

The scope of the current audit included a follow-up to assess what the Mission had done to respond to the recommendations that we made in our 1995 audit. We found that the Mission had dealt with most issues that were raised at that time, but noted a few areas that continue to need attention. Our follow-up emphasized primarily cost recovery and key documents.

With respect to cost recovery we noted that formal monitoring procedures were still lacking for cost recovery (see section 2.4). Training is still needed for new staff, such as the back-up CRO, when they are assigned to this area, or when procedures change.

Regarding key documents, we continued to find that two CBOs were not always present when key documents were being destroyed, a situation the Forms Control Officer is now aware off.

(6) Recommendation
Two Canada-based officers should be present when key documents are destroyed.

Management Response
The IPM and staff are aware of this requirement and the practice has been put in place.

Note also the management response for Recommendation #3 (Ref. 2.2.2), that instructions on key document control were sent to all missions by IR on June 10, 2003.

Appendix A: Management Action Plan