Citizenship and Immigration Canada
www.cic.gc.ca
Common menu bar links
Audit of the Buenos Aires
Immigration Program
Audit Report
Internal Audit and Accountability Branch
Citizenship and Immigration Canada
June 2007
1.0 Introduction
- 1.1 Background
- 1.2 Audit Objectives
- 1.3 Audit Scope
- 1.4 Audit Criteria
- 1.5 Audit Methodology
2.0 Audit Conclusion
3.0 Observations and Recommendations
- 3.1 Management Control Framework—Management Function
- 3.2 Compliance of the Immigration Program
- 3.3 Internal Control Framework—CAIPS Management
- 3.4 Internal Control Framework—Controlled Documents
- 3.5 Internal Control Framework—Cost Recovery
Appendix A: Management Action Plan
Appendix B: Audit Time Line
1.0 Introduction
The Citizenship and Immigration Risk-Based Audit Plan for 2006–2009 identifies the conduct of three mission audits a year. To fulfil this commitment, the Buenos Aires Immigration Program was selected in consultation with the International Region (IR) at Citizenship and Immigration Canada (CIC) national headquarters (NHQ) and was based on an assessment of the mission’s operations in relation to other offices. The on-site fieldwork was done from October 5 to 13, 2006.
1.1 Background
The Buenos Aires mission is a full-service visa office responsible for the delivery of immigration program services to Argentina, Uruguay and Paraguay. The Buenos Aires mission processes immigrant (permanent residence) and non-immigrant (temporary residence) cases. The majority of permanent residence cases are in the economic class and the majority of the temporary residence cases are for visitor visas.
In 2005, the Buenos Aires mission achieved 97 percent of its target, issuing 1,046 permanent resident visas, mostly in the economic category—skilled workers, business immigrants and provincial nominees. In addition, the office issued 130 student visas, 250 temporary worker visas and 10,694 temporary residence visitor visas. The Buenos Aires office’s 2006 permanent resident visa target is 775. By September 1 of that year, the mission had already achieved 71 percent of its target, having issued 549 such visas.
In early 2006, the office was downsized by two local staff as a result of its lower immigrant targets. At the time of our audit, the Buenos Aires mission had two Canada-based officers (CBO) and six permanent locally engaged staff (LES). The mission also hired temporary local staff in 2005 to address peak processing periods.
1.2 Audit Objectives
The audit objectives were to assess:
- The management framework in place at the mission to administer the immigration program;
- The degree of compliance of practices and procedures with applicable legislation and policies associated with the delivery of the immigration program; and
- The internal control framework in place to manage the operational delivery and administer the immigration program at the mission.
1.3 Audit Scope
The audit only involved operations at the Buenos Aires office. It covered all significant aspects of CIC operations at the Buenos Aires mission, including the full range of immigrant and non-immigrant program activities with associated financial and administrative components typically found in a full-service visa office. The audit examined the activities of the mission from July 1, 2005, to October 13, 2006, the end of the on-site examination period.
1.4 Audit Criteria
The criteria used in the audit are based on CIC legislation, policies and procedures. The audit expected to find that:
- For the management framework, which is used to administer the program provided for the effective delivery of services at the mission:
- roles and responsibilities facilitated the efficient and effective management of the immigration program;
- human resources were managed appropriately;
- risk management and quality assurance reviews were applied; and
- performance information was captured and used in decision making.
- For immigrant and non-immigrant case processing:
- decisions were adequately documented;
- processes and procedures in place at the mission were in compliance with the applicable legislation and policies;
- all decisions made complied with delegated authority; and
- practices and procedures were in place to ensure that adequate admissibility information was available and used at the mission level, and admissibility decisions were made by authorized personnel and documented.
- For the mission’s internal control framework, which is in place to manage the operational delivery and administer the immigration program at the mission:
- controls were in place to ensure the safeguarding of CAIPS (Computer-Assisted Immigration Processing System) assets;
- access controls for the management of CAIPS were adequate to ensure appropriate use of the system;
- an effective control framework was in place for the custodianship, safeguarding and control of controlled documents at the mission;
- appropriate roles and responsibilities were in place for controlled documents;
- roles, responsibilities and procedures were in compliance with policies for cost recovery;
- adequate controls over the cost-recovery process were in place; and
- an adequate monitoring regime was in place to ensure cost recovery controls were working and that funds collected were appropriate and properly accounted for.
1.5 Audit Methodology
There were three lines of enquiry: management control framework, compliance of immigration program and the internal control framework.
The audit tests were performed for each line of enquiry by reviewing files and documentation and observing operational activities. As part of the audit, interviews were also conducted with the CBOs responsible for the delivery of the immigration program, locally engaged immigration program officers and staff, and other embassy staff with links to immigration operations.
The audit of the compliance of the immigration program involved an examination of a random sample of 20 immigrant and 20 non-immigrant cases for the period of July 1, 2005, to June 30, 2006, to assess compliance with legislation, regulations and policy requirements.
The controls in place over CAIPS, the controlled documents and cost recovery were examined as part of the audit of the internal control framework. The audit examined the decisions in permanent resident and temporary resident cases finalized over the period July 1, 2005, to June 30, 2006, to test compliance with delegated authorities. The audit also examined samples of controlled documents inventory transactions and cost-recovery revenue transactions to assess compliance with applicable legislation, policies and procedures.
The audit was conducted in accordance with the Government of Canada’s Policy on Internal Audit as well as auditing standards set out by the Institute of Internal Auditors.
2.0 Audit Conclusion
Overall, the audit found that the Buenos Aires Immigration Program was well managed and was providing good service to its clients. It also found that the immigrant and non-immigrant programs were compliant with the applicable legislation, policies and procedures. While the mission has a good internal control framework in place, the audit identified some areas for improvement in quality assurance reviews and in the management of CAIPS, control documents and cost recovery.
3.0 Observations and Recommendations
3.1 Management Control Framework—Management Function
Overall, the audit found that the mission had a good management framework in place to administer the immigration program. It did, however, identify some weaknesses in quality assurance that the mission should address. This is discussed in the sections that follow.
3.1.1 Governance
The mission prepares an annual plan in compliance with the Department’s planning process. This document establishes the office’s objectives, is the main vehicle for resource allocation requests, and is therefore the foundation for the mission’s work plans for the coming year.
The audit found that the roles and responsibilities in the immigration section were clearly defined and generally in accordance with departmental policy. However, it identified some areas where better segregation of duties would strengthen the internal control framework in place for the mission, which will be addressed in the cost-recovery section of the report.
Overall, staff employed by the immigration section were very knowledgeable and worked very well as a team. The Immigration Program Manager (IPM) has an open-door policy and consults staff on a regular basis about cases and office policies and procedures. The audit found that there had been little turnover in the immigration section since the IPM arrived in the summer of 2004. However, the mission was downsized in the summer of 2006 through the elimination of one locally engaged officer and one program assistant position. The downsizing came as a result of decreasing immigrant targets at the mission in the last few years. The mission has seen an increase in its temporary resident applications over an equivalent period of time. It hires temporary local staff to manage peak processing times in the summer.
3.1.2 Human Resources Management
The audit found that LES and CBO performance appraisals and security clearances were up to date at the mission. The audit noted that staff were provided with French-language training and training on immigration work processes.
Although the audit found that there were no formal training plans for the immigration staff, it found no deficiencies that could or should be addressed by future training. That being said, training should be offered not only to allow management to plan for future requirements in a more strategic manner, but also to document these needs and achievements for future management to take into consideration.
3.1.3 Quality Assurance
While the mission does not have a formal risk management system in place to monitor risks, all staff at the mission know the risks in the delivery of the program, and the mission has captured these risks in its International Region Immigration Management Plan. Quality assurance (QA) refers to a set of ongoing, planned and systematic activities designed to provide adequate confidence that a particular system or program satisfies given requirements for quality. QA looks at a particular group of cases to gather information that validates or refines current knowledge. A QA toolkit and guidance issued by the International Region to all missions explains the requirement for each mission to develop and run their QA initiatives in response to their particular program environments. The audit found no evidence that the mission had undertaken any quality assurance reviews over the course of the past two years.
Recommendation 1
The mission should incorporate a program of ongoing and systematic quality assurance reviews in order to assure management of the quality of the program and provide input into future program improvement initiatives.
Management Response
The mission agrees that a quality assurance review mechanism should be instigated.
3.1.4 Performance Information
The mission uses some of the tools at its disposal to monitor performance. It also has a good system to record information requests from Canada, such as case status requests from members of Parliament. However, the audit found that the mission did not use some functions in CAIPS to monitor performance. Because staff had only a basic understanding of CAIPS, it was not being used to the extent possible as a management tool at the mission.
The CAIPS command mode function is a tool that managers have at their disposal to generate reports that may help management gain insight into application processing at the mission. Discussions with management revealed that the limited use of CAIPS as a management tool was due in large part to the loss of the CAIPS operator, one of the individuals lost as part of the downsizing initiative earlier that year. To compensate, the IPM is heavily involved in application processing, directly supervising the immigrant unit, and tracks performance through others means. As well, the senior immigration officer supervises the non-immigrant unit and meets with the IPM frequently to discuss mission-related issues in that unit. In addition, the small number of staff and the decrease in volume reduce the level of risk associated with not utilizing this function. However, this non-utilization is still a weakness that should be addressed in the future.
Recommendation 2
The mission should work toward developing capabilities to better utilize performance management tools in order to better manage program resources.
Management Response
The manager and the officers will teach themselves additional CAIPS techniques.
3.2 Compliance of the Immigration Program
As part of our audit of the Buenos Aires mission, we examined the program integrity of the application processing and whether statutory and policy requirements were met. To this end, the audit reviewed the documentation of policies and procedures, conducted interviews and examined a random sample of case files comprised of applications for permanent residence and applications for temporary residence.
Overall, the audit found that immigrant and non-immigrant decisions were in compliance with legislation and departmental policies. We also found that decisions were adequately documented and that supporting documents were maintained as required. However, the audit noted some areas for improvement that the mission could address to further enhance its program integrity.
3.2.1 Immigrant Program—Permanent Residents
The immigrant program at the Buenos Aires mission consists of family class and economic immigrant cases—skilled worker, business class, provincial nominee and permanent resident determinations. The audit reviewed a sample of permanent resident cases: skilled worker, family class and business class cases.
Overall, the audit found that the immigrant program at the mission was well managed and that good internal controls were in place to ensure program integrity.
3.2.2 Non-Immigrant Program—Temporary Residents
The non-immigrant program at the Buenos Aires mission is comprised of student, temporary worker and temporary resident visitor processing. The audit reviewed a sample of non-immigrant cases as part of the case file review: visitor, student and temporary worker files.
The audit found that the non-immigrant program at the mission was well managed, decisions were generally adequately documented, and supporting documents were maintained as required. However, during the review, the audit found some minor issues which were discussed with the mission for their consideration.
3.2.3 Admissibility
Immigration legislation stipulates that applicants must meet security, criminality and medical requirements in order to come to Canada. Missions should have an admissibility framework in place that complies with authorities and that provides staff with the necessary information to discharge their responsibilities.
Overall, the audit found that admissibility activities at the mission were in compliance with legislation and departmental policies and procedures. The roles and responsibilities for admissibility screening were clear. In general, CBOs made admissibility decisions, while LES provided support through their knowledge of the cultural, social and financial environment. Key strategic partners in the admissibility network were also established and in general, functioning together as intended. However, the audit found that a formal Migration Integrity Officer (MIO) was only just assigned to deliver these duties on behalf of the mission within the last year. In the absence of a formal MIO, the mission resorted to a variety of risk management practices and leveraged staff knowledge and other network links to ensure that these duties were adequately discharged.
At the mission, the audit found an excellent practice of documentation of admissibility decisions. The mission employed standardized notations when documenting the decision, which was clear and concise. This practice not only efficiently summarized the procedures taken to reach the decision, but ensured that the requirements were met, that all staff were familiar with the process, and that no confusion arose when decisions were taken by different officers. As well, the mission had developed various templates that facilitated the collection of information from clients in order to more efficiently process admissibility decisions.
3.3 Internal Control Framework—CAIPS Management
CAIPS is the main system used to facilitate immigration work in visa offices abroad. As part of our examination, interviews were conducted, user profiles were reviewed, mission facilities were observed and decision-making statistics were analysed for cases finalized during the period July 1, 2005, to June 30, 2006.
In general, the audit found that the control framework for the CAIPS function was adequate and that most controls to safeguard assets were in place. However, some areas needed improvement. The audit identified some missing components of access controls, but audit testing found no indication of inappropriate use in the absence of these controls. It also identified a low risk deficiency that was easily remedied. The detailed findings are discussed in the following sections.
3.3.1 CAIPS Assets
The audit found that system backups were being done on a weekly basis. Moreover, it found that the backup tapes were securely stored in the filing cabinet when not in use. Observation at the mission revealed that the CAIPS room and the server room, which houses the main CAIPS terminal, had restricted access. However, regularly scheduled maintenance in the form of tape cleaning was not occurring as required. This is discussed further in the next section.
3.3.2 Access Controls
As part of the audit, the list of CAIPS profiles at the mission was reviewed. The audit found that accounts of former staff had not been systematically deleted, that some unassigned accounts had not been reset, that one remote account that had been created in error remained in the system, and that some staff had access to certain functions they should not have had access to. These issues increase the risk of unauthorized access and inappropriate use of the system. Prior to arrival on site but after the start of our audit, a message from NHQ was sent requesting a clean-up of CAIPS user accounts. As a result, all accounts of former staff were eliminated, but all other issues observed prior to this clean-up were still present at the time of the audit. These issues were addressed while the audit team was on site.
To test the authority levels, the audit reviewed the decisions on all cases finalized between July 1, 2005, and June 30, 2006. The audit found that all the decisions over this review period were in compliance with delegated authorities, despite the presence of these additional accounts.
The audit found that periodic monitoring of accounts did not occur and that when changes were made, hard copies of deleted user profiles and charge-out tables were not maintained for a period of time to ensure there would be a record of CAIPS users at the mission for accountability purposes. Regular CAIPS monitoring, as per departmental policy, would likely have revealed these issues and the fact that regular maintenance was not occurring as intended.
Recommendation 3
The mission should ensure that adequate records are maintained to facilitate periodic CAIPS monitoring, and that this periodic monitoring is occurring to assure management that CAIPS use is appropriate and that CAIPS assets are safeguarded at the mission.
Management Response
The mission has begun to, and will continue to, document on paper all CAIPS users and their profiles.
3.4 Internal Control Framework—Controlled Documents
Controlled documents are official documents used by CIC. At the mission, these documents are used to produce official government visas that allow certain foreign nationals to enter Canada and that therefore require a higher level of security than other documents.
Overall, the audit found that the mission had a good internal control framework in place to safeguard controlled documents. It also found that some practices at the mission could be strengthened to enhance the control framework for the controlled documents, including a more appropriate segregation of duties and performing regular physical inventory counts. /p>
3.4.1 Control Framework
Controlled document inventory transactions include the consistent recording of controlled documents transferred, the recording of controlled document use in the mission, and the reporting of this information on the appropriate forms. The audit identified errors in these transactions. In some instances, the errors affected the paper record for the level of inventory recorded by the mission and in other instances, the errors resulted in the incorrect disclosure of controlled document use by the mission. Due to errors in the recording of controlled documents transferred, the audit was unable to reconcile the mission’s controlled documents inventory to the last quarterly inventory report.
The audit noted that the mission did not always perform a physical inventory count before reporting its quarterly inventory, which is part of the monitoring requirements for controlled documents. Instead, a physical inventory was only done once a year and quarterly reporting was based on paper records. Performing regular quarterly inventory counts is a control to prevent errors being carried through multiple periods. At the time of the audit, the mission’s inventory count had not been reconciled to the last quarterly inventory report. If the mission had performed physical inventory counts when it reported its quarterly inventories, it would likely have detected the errors noted above and reconciliation may then have been possible.
Recommendation 4
The mission should ensure compliance with controlled document procedures at the mission by periodically monitoring the function to ensure that controlled documents are properly accounted for.
Management Response
This was implemented at the time of the visit of the audit team. The mission will continue to account for controlled documents by a quarterly physical count and, for the documents held by the Canadian Embassy in Montevideo, Uruguay, approximately twice a year, depending on CBO travel to these missions.
3.5 Internal Control Framework—Cost Recovery
The Buenos Aires mission accepts the payment of fees by direct deposit in Argentine or Uruguayan pesos and certified cheques, or cash in Canadian dollars. Cost-recovery revenue at the mission totaled $2.167 million in fiscal year 2005–2006 and approximately 93 percent of the fees were paid by direct deposit. The audit examined the controls for the cost-recovery function at the mission by interviewing staff, reviewing files, documenting the process and work flows, and conducting tests to ensure the integrity of the cost-recovery program.
Overall, the audit found that the cost-recovery control framework at the mission could be improved to safeguard cost-recovery revenues received at the mission. These improvements will be discussed in the sections below.
3.5.1 Roles and Responsibilities
The audit tests confirmed that the cost-recovery staff demonstrated sound practices in safeguarding revenues collected at the mission. However, the audit tests revealed no segregation of duties since the duties of the cost-recovery officer (CRO) and the forms control officer (FCO) were the responsibility of one CBO. While the audit found no evidence that this had an impact on mission operations, segregation of the CRO and FCO duties would ensure that no one person would be responsible for both functions, which are linked. In simple terms, making one person responsible for both functions increases the risk that either the funds will not be properly collected or controlled documents will not be properly accounted for. The segregation of duties also serves to protect employees when errors do occur, and reduces the extent of the follow-up work required.
Recommendation 5
The duties of the CRO and the FCO should be segregated between the two CBOs at the mission.
Management Response
As the mission has two CBOs and three functions that must be performed by them (CRO, FCO and CAIPS management), the segregation of all these duties would not be possible.
Consequently, the mission will adopt a rotation of duties to ensure that no one officer will perform both FCO and CRO duties.
3.5.2 Internal Controls
Overall, 93 percent of applicants in fiscal year 2005–2006 paid their fees through direct deposit at local financial institutions. At missions with banking arrangements in place, applicants submit a direct deposit receipt with their application form as proof of payment. Once processed, applicant direct deposit receipts are kept by the cost-recovery clerk. However, during the processing of the application, the mission does not verify an applicant’s direct deposit receipt against the mission’s immigration bank account. Without the validation of bank receipts, the mission has no internal control in place to ensure that only valid receipts where funds have been collected are accepted by the mission.
The audit obtained similar findings in our 2005 audit of the Bucharest mission and 2006 audit of the Seoul mission. In the Bucharest audit report, it was recommended that IR initiate a review of the adequacy of guidance on the subject of verification of direct deposit receipts so that missions are informed of their roles and responsibilities. Management agreed to establish clearer guidelines for missions in this area. At the time of the current audit, this guidance had not been issued.
3.5.3 Cost-Recovery Monitoring
The mission is responsible for performing monitoring procedures in the area of cost recovery to ensure that procedures are performed correctly and in accordance with CIC policies and procedures.
The audit found that the mission does not conduct monitoring of the cost-recovery function in a systematic manner, nor does it maintain a cost-recovery monitoring file. The only monitoring that takes place is a spot check of immigrant applications to ensure that POS+ receipts are on file and that the correct fee was paid as cases are processed by officers. This monitoring activity was not conducted on non-immigrant cases.
While on site, the audit noted that some system maintenance functions were not being performed. These are preventative controls to safeguard the main tool used by immigration for cost recovery.
The absence of sufficient monitoring increases the risk that cost-recovery funds may not be collected by the immigration section. Periodic monitoring of procedures ensures compliance with policies and provides assurance to the mission management that the office is safeguarding immigration funds and that controls are functioning. Furthermore, by not performing the required system maintenance, the office increases the risk that the POS+ system may experience a system failure, during which time the mission would lose processing capacity.
Recommendation 6
The mission should perform the required monitoring procedures as per the Single Officer Mission Manual and maintain a cost-recovery monitoring file to ensure that the cost-recovery function complies with CIC policies and procedures.
Management Response
The mission will implement the suggested monitoring system by taking a random 1% sample of all payments between January 1, 2007, and May 31, 2007, covering the two currencies of operations.
The mission will regularly perform similar monitoring procedures to ensure compliance with CIC policies and procedures.
Appendix A: Management Action Plan
| # | Recommendations | Action Plan | Responsibility | Target Date |
|---|---|---|---|---|
| 1. | The mission should incorporate a program of ongoing and systematic quality assurance reviews in order to assure management of the quality of the program and provide input into future program improvement initiatives. |
The mission agrees that a quality assurance review mechanism should be instigated. |
Personnel (RIR) |
|
The temporary resident program has been chosen first: a 1% sample of all cases received in April 2007 will be reviewed for the quality of the processing and the speed of decision making, and the references on a further 20% of cases that were successful will be verified, where possible. A target group has been planned and a random selection of temporary resident files will be drawn and analysed. | September 30, 2007 | |||
An immigration quality assurance target will be set in November 2007. |
November 30, 2007 | |||
| 2. | The mission should work toward developing capabilities to better utilize performance management tools in order to better manage program resources. |
The manager and the officers will teach themselves additional CAIPS techniques. Officers will be given 20 hours to work with materials on CIC intranet to identify tools in CAIPS that they can use. First meeting with officers will be by end of June 2007. |
IPM |
October 31, 2007 |
| 3. | The mission should ensure that adequate records are maintained to facilitate periodic CAIPS monitoring, and that this periodic monitoring is occurring to assure management that CAIPS use is appropriate and that CAIPS assets are safeguarded at the mission. |
The mission has begun to, and will continue to, document on paper all CAIPS users and their profiles. The mission’s monitoring of the status of accounts will be quarterly. |
IPM/CAIPS Manager |
Implemented and ongoing |
| 4. | The mission should ensure compliance with controlled document procedures at the mission by periodically monitoring the function to ensure that controlled documents are properly accounted for. |
This was implemented at the time of the visit of the audit team. The mission will continue to account for controlled documents by a quarterly physical count and, for the documents held by the Canadian Embassy in Montevideo, Uruguay, approximately twice a year, depending on CBO travel to these missions. |
FCO |
Implemented and ongoing |
| 5. | The duties of the CRO and the FCO should be segregated between the two CBOs at the mission. |
As the mission has two CBOs and three functions that must be performed by them (CRO, FCO and CAIPS management), the segregation of all these duties would not be possible. Consequently, the mission will adopt a rotation of duties to ensure that no one officer will perform both FCO and CRO duties. The CAIPS manager duties will alternate between CBOs.
|
IPM |
Implemented |
| 6. | The mission should perform the required monitoring procedures as per the Single Officer Mission Manual and maintain a cost-recovery monitoring file to ensure that the cost-recovery function complies with CIC policies and procedures. |
The mission will implement the suggested monitoring system by taking a random 1% sample of all payments between January 1, 2007, and May 31, 2007, covering the two currencies of operations. The Visa Section will ask Mission Administration to show corresponding proof of deposits in the Mission banks in Buenos Aires and Montevideo and confirmation of receipt in DFAIT HQ and deposit to the Receiver General account for Foreign Affairs. The mission will regularly perform similar monitoring procedures to ensure compliance with CIC policies and procedures. |
CRO |
Implemented and ongoing |
Appendix B: Audit Time Line
Audit planning |
July 2006 |
Site visit to Buenos Aires mission |
October 5-13, 2006 |
Clearance draft to IPM and IR for comments |
March 19, 2007 |
Management action plan finalized |
May 29, 2007 |
Report approved by Audit Committee |
June 25, 2007 |
