Government of Canada
Audit of Physical Security

August 28, 2007

Executive Summary

Background

In fulfilling its mission, the Canadian Food Inspection Agency (CFIA or the "Agency") is "dedicated to safeguarding food, animals and plants, which enhances the health and well-being of Canada's people, environment and economy". The dedication of its employees and the integration of its key assets allow the CFIA to deliver on this mission. It is the reliance on these employees and assets that requires the Agency to consider their safety and protection as primary objectives.

Effective February 1, 2002, the Government Security Policy (GSP) was issued by the Treasury Board Secretariat (TBS) to "support the national interest and the Government of Canada's business objectives by safeguarding employees and assets and assuring the continued delivery of services". The CFIA is responsible for implementing the requirements of the GSP in order to safeguard its own employees and assets, and ensure the continued delivery of services to maintain the health, safety, security and economic well-being of Canadians.

The CFIA currently occupies space in 175 facilities within Canada, including laboratories, administrative offices, inspection stations, quarantine facilities and third party facilities.

Audit Objective and Scope

The Physical Security Audit was approved by the CFIA Sub-Committee on Audit and Risk Management (SCARM) as part of the Audit, Evaluation and Risk Oversight's risk-based audit plan for fiscal 2006/07. The purpose of this audit was to examine the CFIA's existing management controls over physical security within the Agency, assess the degree of compliance with relevant aspects of the GSP, and identify opportunities for improvement, if any.

The scope of this audit included the CFIA's physical security program to ensure compliance with the GSP, specifically in relation to the prevention of unauthorized access to Agency facilities (including security management and physical security). A preliminary survey was conducted from November to December 2006, with the audit conducted between January and April 2007. Although the scope of the audit did not extend to compliance with bio-security and bio-containment requirements at CFIA laboratories, relevant bio-security and bio-containment guidelines and procedures were reviewed to determine if they include physical security provisions that would be relevant to this audit.

Audit Opinion

In our opinion, the management controls designed to provide baseline physical security over CFIA facilities are generally adequate and effective. However, the Agency is not in compliance with specific elements of the GSP relating to physical security, and improvements are required to enhance controls and formalize the governance structure over physical security within the Agency.

Our audit was conducted in accordance with both the International Standards for the Professional Practice of Internal Auditing, as prescribed by the Institute of Internal Auditors (IIA) and the Government of Canada's Policy on Internal Audit.

Recommendations

Additional effort is required to fully implement the physical security governance model to ensure compliance with the GSP, including more clearly defining and communicating roles and responsibilities for physical security. Specifically, we recommend that:

  1. The Corporate Security Management Framework should be updated to ensure it reflects the Agency's current organizational and governance structure, to ensure its consistency with recent Corporate Security documentation and to ensure that it clearly defines roles and responsibilities for physical security. Once updated, the Framework and an appropriate communication strategy should be implemented in a timely fashion.
  2. The draft CFIA Security Manual should be approved and fully implemented and a robust communication strategy should be developed. In addition, a program to regularly monitor, measure and report to the Executive Director, Assets and Security Management Directorate on the compliance with both the Security Management Program (SMP) and the GSP should be developed and implemented.
  3. The Bio-security Guidelines for CFIA Containment Facilities should be finalized and approved in coordination with Corporate Security. The finalized guidelines should include an implementation plan for both communication and oversight/monitoring strategies.
  4. Clearly defined roles and responsibilities for the conduct of Threat and Risk Assessments (TRAs) should be incorporated into the overall Corporate Security communication strategy and related plans. Further, a monitoring system should be developed to regularly track and report to the Executive Director, Assets and Security Management Directorate on the status of TRAs and related action plans across the Agency.
  5. Standardized processes and templates should be developed for those physical security processes that are consistent across the Agency, including approval/granting access and exit forms, maintenance of logs related to access controls and ongoing monitoring/validation of access levels within the facilities. This should be carried out in conjunction with the implementation of the CFIA Security Manual.
  6. An ongoing awareness program for physical security should be developed. This should be considered in conjunction with the Corporate Security communication strategy currently in development.
  7. A training program should be developed for those individuals with enhanced security responsibilities within the Agency. This may be a combination of Agency-specific programs and external courses offered by security subject matter experts.

ACTION PLAN

| Recommendations | Actions | Implementation Date | Responsible Authority |
| --- | --- | --- | --- |
| The Corporate Security Management Framework should be updated to ensure it reflects the Agency's current organizational and governance structure, to ensure its consistency with recent Corporate Security documentation and to ensure that it clearly defines roles and responsibilities for physical security. Once updated, the Framework and an appropriate communication strategy should be implemented in a timely fashion. | The Agency Security Officer (ASO) will update the CSMF document to reflect changes in organizational and governance structure as well as clearly define roles and responsibilities for those having an interest in physical security. | January 7, 2008 | Agency Security Officer (ASO) |
| | A communication methodology for all new security activities will be developed. | September 21, 2007 | |
| The draft CFIA Security Manual should be approved and fully implemented, and a robust communication strategy should be developed. In addition, a program to regularly monitor, measure and report to the Executive Director, Assets and Security Management Directorate on the compliance with both the Security Management Program (SMP) and the GSP should be developed and implemented. | The draft Security Manual is currently being reviewed and modified. | October 31, 2007 | Agency Security Officer |
| The Bio-security Guidelines for CFIA Containment Facilities should be finalized and approved in coordination with Corporate Security. The finalized guidelines should include an implementation plan for both communication and oversight/monitoring strategies. | Corporate Security will collaborate with Science Branch to complete this activity and ensure it complements the CSMF | To be determined at SCARM on August 28, 2007 by the VPs FAIT and Science. | VP Science with support from the Agency Security Officer |
| Clearly defined roles and responsibilities for the conduct of Threat and Risk Assessments (TRAs) should be incorporated into the overall Corporate Security communication strategy and related plans. Further, a monitoring system should be developed to regularly track and report to the Executive Director, Assets and Security Management Directorate on the status of TRAs and related action plans across the Agency. | Roles and responsibilities for the conduct of TRA's have been drafted and will be incorporated in the CSMF and communication plan, upon approval by the CSMC. | September 30th, 2007 | Agency Security Officer |
| | Corporate Security has set-up a new stand-alone computer to administer and collect all TRA's at CFIA. | Implemented | |
| | A CSMF dashboard has been developed and will be used to track and report to the ED, ASMD and the Corporate Security Management Committee on the status of all framework activities, including TRA's. | Implemented | |
| Standardized processes and templates should be developed for those physical security processes that are consistent across the Agency, including approval/granting access and exit forms, maintenance of logs related to access controls and ongoing monitoring/validation of access levels within the facilities. This should be carried out in conjunction with the implementation of the CFIA Security Manual. | Following a gap analysis and needs assessment, the draft security manual will be revised to include standardized processes and templates including approval/ granting access and exit forms, maintenance of logs related to access controls and ongoing monitoring/validation of access levels within the facilities. | October 31st, 2007 | Agency Security Officer |
| An ongoing awareness program for physical security should be developed. This should be considered in conjunction with the Corporate Security communication strategy currently in development. | SCFA approved the development and delivery of a Security Awareness and Training Action Plan. | October 31, 2007 | Agency Security Officer |
| | Corporate Security is collaborating with Public Affairs - Internal Communications to develop a communication strategy on security awareness and training. | October 31, 2007 | |
| A training program should be developed for those individuals with enhanced security responsibilities within the Agency. This may be a combination of Agency-specific programs and external courses offered by security subject matter experts. | A security training module will be developed (i.e. CampusDirect) specifically for CFIA personnel with security responsibilities (i.e. Cabinet Documents-Handling and Security, etc). | November 30, 2007 | Agency Security Officer |