Audit of the Indian Registration System

Background

The Audit and Evaluation Sector (AES) of Aboriginal Affairs and Northern Development Canada (hereon referred to as "AANDC" or "the Department") identified an audit of the Indian Registration System for inclusion in the 2013-2014 to 2015-2016 Risk-based Audit Plan approved by AANDC's Deputy Minister on February 27, 2013. The audit was identified as a "very high" priority since the accuracy and integrity of Indian Registration System (IRS) data supports a number of AANDC activities including the issuance of Certificates of Indian Status (status cards), making the IRS important to stakeholders and to AANDC's credibility.

The IRS is the computer system that tracks Indian registration information, Band membership and demographic statistics. The integrity of IRS data depends on the processes used to collect information and to protect stored data with effective security controls. Equally important is the enforcement of the entitlement policy and associated criteria in identifying who is entitled to Indian status. Entitlement criteria are governed by the Indian Act, which was recently amended under Bill C-3: Gender Equity in Indian Registration Act.

In June 2008, the Agreement for Recognition of the Qalipu Mi'kmaq Band was signed by the Minister of Indian Affairs and Northern Development and the President of the Federation of Newfoundland Indians (FNI). The Agreement principally identified the process for the creation of a Band (for the Mi'kmaq communities of Newfoundland) under the Indian Act, and the enrolment of its founding members. By November 30, 2009, following the conclusion of the first stage of the Band enrollment process, close to 26,000 applications for membership had been received. By November 30, 2012 the number of applications for Band membership had grown to 101,743. On July 4, 2013, a Supplemental Agreement was announced, that clarifies the process for enrolment in the Qalipu Mi'kmaq First Nation and resolves issues that emerged from the implementation of the 2008 Agreement. The Supplemental Agreement specifies that all applications received during the Enrolment Process (between December 1, 2008 and November 30, 2012) and not rejected by the Enrolment Committee or the Appeal Master will be assessed or reassessed by the Enrolment Committee by August 31, 2015.

Audit Objective and Scope

The objective of this audit was to provide assurance to management on the adequacy and effectiveness of process and IT application controls in place to ensure the integrity of information contained in the IRS.

The scope of the audit covered the period November 2011 to November 2013, and included assessments of controls used to ensure that: (i) Qalipu applications were accurately processed and recorded in Phase I (design and operational effectiveness) and are appropriately assessed in Phase II (design only); (ii) information entered into the system through various sources, including IRAs and IROs, is reliable and access to it is protected; and, (iii) remediation has taken place or there is a plan in place to remediate issues identified during the IRS System Under Development audit in 2011, including as assessment of the Secure Integrated Registration and Certification Unit (SIRCU) initiative.

Statement of Conformance

The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Observed Strengths

The following section describes areas where significant progress and/or strengths were identified during the course of this audit. Strengths are categorized according to the applicable line of enquiry, as follows:

Conclusion

While areas for improvement exist, in general, the Qalipu application processing controls were found to be designed and operating effectively. The conduct of this audit, at a time when improvements can be made to the system during its implementation is considered a best practice.

While some progress has been made, there continue to be significant gaps related to security, training, document handling and monitoring of life event changes. Neither the IRS controls over restricting access nor compensating manual controls over life event changes are designed and operating effectively. As such, unmitigated data risks remain to be addressed.

Recommendations

The audit team identified areas where management control practices and processes could be improved, resulting in the following four recommendations:

1. The Assistant Deputy Minister of Resolution and Individual Affairs should ensure that:
   • an effective monitoring procedure is established to ensure the segregation of duties between Indian Registration Officers entering data into IRS and those performing quality checks on the data entered. Monitoring should also be implemented over the final Enrolment Committee decision to ensure that the decision on each Qalipu application is correctly captured in the IRS.
   • a) lessons learned from the Qalipu application process are logged and assimilated into future registration projects; for example, b) when shipping application files, manifests should be created with unique identifiers so that transported applications can be accurately and completely reconciled.
   • registration applications are stored in accordance with AANDC's Standards on Protecting and Handling Information, and logical access to scanned data is restricted in accordance with the least privilege principle.  
2. The Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should a) ensure that the proposed approach to monitoring and compliance activities, as defined in the Office of the Indian Registrar's Monitoring and Compliance Framework, is implemented. An effective monitoring and compliance program would mitigate the majority of risks being faced as a result of aging technologies and IRS control deficiencies. This should include b) the review of life event changes, registrants whose files have been inactive for a significant period; the appropriateness of IRS user access, and compliance with policies and directives that are issued by the Indian Registrar.
   
   Additionally, the Assistant Deputy Minister of Resolution and Individual Affairs, with the support of the Senior Assistant Deputy Minister of Regional Operations and the Assistant Deputy Minister of the Northern Affairs Organization, should ensure that the initiative underway to update the training material for Indian Registration Officers (IROs) and Indian Registration Administrators (IRAs) is finalized. Upon completion, all IROs and IRAs should be provided with training and made fully aware of their roles and responsibilities for registration activities along with the consequences of not fulfilling their requirements. This should include training on CIS card handling, physical access, security over Protected B documents, how to handle backlogs, and how to stay informed of new directives and process changes.
3. The Assistant Deputy Minister of Resolution and Individual Affairs should develop a plan to remediate any weaknesses related to IRS general system controls, core application controls, system stabilization, IRS governance, and project management.
4. The Assistant Deputy Minister of Resolution and Individual Affairs should review audit work to date and assess the issues identified with the intention of addressing them as SIRCU is implemented.

Management Response

Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them. The management action plan has been integrated in this report.

1.1 Resolution and Individual Affairs

Resolution and Individual Affairs Sector (RIAS) has a dual mandate resulting in two distinct business areas: Residential Schools Resolution and Managing Individual Affairs. Residential Schools Resolution is responsible for meeting the Government of Canada's obligations under the Indian Residential Schools Settlement Agreement. The Individual Affairs Branch, which is the branch relevant to this audit, aims to ensure responsible federal stewardship of the provisions of the Indian Act that pertain to registration and Band membership, estates, and Indian moneys. Through direct client-services, as well as partnerships with First Nations, the Individual Affairs Branch: determines eligibility for registration under the Indian Act, issues the Secure Certificate of Indian Status (SCIS), ensures responsibility for management of Indian moneys and estates under the Indian Act, and honours treaty annuity obligations to First Nations. The management of Individual Affairs is supported by the Regional Operations Sector, which acts as the regional delivery arm, providing services to First Nations clients south of the 60th parallel, and by the Northern Affairs Organization for north of the 60th parallel.

In 2012-13, the actual expenditures related to the Department's Registration and Membership Program totalled $28.8 million. The total budgeted expenditures for the Program in 2013-14 were $23.0 million.^{Footnote 1}

1.2 Indian Registration System (IRS)

The IRS is the computer system used by the Department to track Indian registration information, Band membership and demographic statistics. Indian registration information helps AANDC service many of its clients that provide educational, health and funding services to First Nation communities and individuals. The IRS specifically supports the following business functions:

• Register eligible First Nations individuals as Status Indians under the Indian Act in the Indian Register;
• Record "life events" (e.g., birth, death, marriage, adoption, etc.) in the Indian Register; and,
• Issue new, renewal or replacement Certificates of Indian Status to identify First Nations individuals as eligible for services and benefits that are specifically designed for Status Indians.

The integrity of IRS data depends on the processes used to collect information and to protect stored data with effective security controls. Equally important is the enforcement of the entitlement policy and associated criteria in identifying who is entitled to Indian status. Entitlement criteria fall under the purview of the Indian Act and have been amended over time.

Currently, two types of Indian Status cards exist: Certificates of Indian Status (CIS) and Secure Certificates of Indian Status (SCIS):

• CIS cards use an older technology of a laminated paper card with an affixed photo, signed by the cardholder and the Issuing Officer. This type of CIS is only being issued by Indian Registration Administrators in First Nation communities.
• SCIS cards are composed of polycarbonate substrate with a digital photo and the cardholder's digital signature (no signature by the Issuing Officer). The border-crossing version of the card also contains a machine-readable zone on the back that allows for electronic validation of the cardholder's identity and place of birth. Individuals can only apply for the SCIS at AANDC HQ and regional offices, or at the Treaty 7 office located in Alberta.

One of the IRA's responsibilities is to record life events, such as death or marriage. This is done by direct system access, if delegated, or by batching the supporting documents manually and sending them to their AANDC Regional Office for entry. The Regional Offices also have the same delegated functions to enter life events and are responsible for training and monitoring the work of IRAs.

The decentralized nature of CIS issuance and the limited nature of controls in place to ensure proper authentication of individual identities, safeguarding against conflicts of interest, and valid production of manual cards, has resulted in an increased risk of error and fraud in CIS cards and the related registration data within the IRS.

In 2010, a departmental initiative to modernize the IRS, led by the Resolution and Individual Affairs Sector, was brought into force. These actions coincided with the SCIS implementation and key legislative amendments, which had led to greater focus being placed on registration. These legislative amendments required extensive remediation to the existing IRS. The modernization initiative is being rolled out in two phases. Phase I will see the integration of Indian registration and card issuance processes through the implementation of common business processes, known as the Secure Integrated Registration and Certification Unit (SIRCU) model, and a linkage between the two system applications that are used to support Indian registration and secure card issuance (IRS and SCIS Web Application). Phase I is expected to be implemented by April 1, 2014. Phase II will see the development and implementation of a replacement system for IRS and the SCIS Web Application. The replacement system will also have expanded functionalities for estate management and treaty payment activities, which are currently supported by the Estates Reporting System and the Treaty Payment System, respectively. Phase II of the project has recently entered stage three of the Department's gating process, where the project's business case and general readiness will be assessed. As of November 30, 2013, a final implementation date for Phase II was not yet established for the replacement system.

1.3 Indian Registration Officers / Indian Registration Administrators

The ability to access the IRS and to perform specified tasks therein is granted by the Indian Registrar, an AANDC employee who reports to the Director General of the Individual Affairs Branch. Currently, two main groups have access to the IRS to enter and update registration information: Indian Registration Officers (IROs) – located in AANDC Regional Offices and at AANDC headquarters – and Indian Registration Administrators (IRAs) – located in select First Nation communities. IROs are employees of the Department who have read/write access to the IRS to enter new applicant information and to update registration information to reflect life event changes. IRAs are employed by FN and have responsibilities related to registration assigned to them by the Indian Registrar to support the administration of Indian registration activities in their community and to support the maintenance of the community's Band list. The role of the IRA can vary greatly depending on the community, ranging from IRAs with no access to the IRS (managing with a paper-based Band list), IRAs with read access to the IRS, and IRAs with read/write access to the system to process life event changes. IRAs may also issue Certificates of Indian Status (paper laminate cards) to Status Indians from their community.

1.4 Qalipu Mi'kmaq First Nation

In 1989, the Federation of Newfoundland Indians (FNI), representing approximately 7,800 members from the nine Mi'kmaq communities across the island, along with Chiefs of six affiliated groups began a Federal Court Action seeking eligibility for registration under the Indian Act.

Official negotiations between the FNI and the Government of Canada for the creation of a Band with no reserve land took place between 2004 and 2006. In June 2008, the Agreement for Recognition of the Qualipu Mi'kmaq Band was signed by the Minister of Indian Affairs and Northern Development and the President of the FNI. The Agreement principally identified the process for the creation of a Band (for the Mi'kmaq communities of Newfoundland) under the Indian Act, and the enrolment of its founding members. By November 30, 2009, following the conclusion of the first stage of the Band enrolment process, close to 26,000 applications for membership had been received. By November 30, 2012 the number of applications for Band membership had grown to 101,743.

The significant increase in the number of applications and the fact that these applications could not have been considered prior to the end of the enrolment process led Canada and the FNI to agree to discuss next steps regarding the consideration of applicants and the appropriate implementation of the 2008 Agreement. On July 4, 2013, a Supplemental Agreement was announced, that clarifies the process for enrolment in the Qalipu Mi'kmaq First Nation and resolves issues that emerged from the implementation of the 2008 Agreement. Specifically, the Supplemental Agreement:

• Extends the timelines for review of the applications, ensuring all previously unprocessed applications could be reviewed;
• Ensures that all applications received during all phases of the enrollment process, except those previously rejected, would be assessed or reassessed;
• Provides that all those individuals whose applications would be assessed or reassessed would be sent written notification and be given an opportunity to provide additional documentation, if necessary;
• Provides clarity regarding the assessment of an applicant's self-identification as a member of the Mi'kmaq Group of Indians of Newfoundland; and,
• Provides guidance related to an individual's acceptance by the Mi'kmaq communities of Newfoundland, particularly as it relates to individuals not residing in the communities of the Mi'kmaq Group of Indians of Newfoundland.

All enrolment applications to become founding members of the Qalipu Mi'Kmaq Band are being processed by AANDC's Winnipeg Processing Unit (WPU). Applications that were previously received in Corner Brook, Newfoundland were transported to the WPU, where processing is being conducted in two phases. Phase I, which is now complete, was designed to assess the validity of the application and Phase II is designed to assess the eligibility of the applicant to become a founding member. At the end of each phase, files are referred to an Enrolment Committee (EC) for review and for recommendation by the Committee Chair. The Committee is comprised of two representatives appointed by the Government of Canada, two representatives appointed by the FNI and a Chair jointly appointed by the Government of Canada and the FNI. Under the Supplemental Agreement, all enrolment applications are to be reviewed and a decision of their eligibility should be issued by August 31, 2015.

1.5 Monitoring and Compliance

While elements of Monitoring and Compliance (M&C) have been included in the scope of this audit, the Office of the Indian Registrar (OIR) has been in the process of defining a new M&C Framework that will allow AANDC to assess and report on the integrity of the IRS. A review of the OIR's current practices with respect to M&C activities was performed in the spring of 2013 with the goals of achieving the following:

• Defining the scope of activities conducted by the M&C Unit (Review Universe);
• Developing a Risk-Based M&C Framework to inform and drive monitoring and compliance activities;
• Developing a defensible sampling approach and strategy; and,
• Developing a Compliance Reporting template for future reporting by the M&C Unit.

2.1 Audit Objective

The objective of this audit was to provide assurance to management on the adequacy and effectiveness of process and IT application controls in place to ensure the integrity of information contained in the Indian Registration System.

2.2 Audit Scope

The time period covered by this audit was November 2011 to November 2013. The audit scope included assessments of the design and operational effectiveness of manual and automated controls used to ensure that: (i) Qalipu applications were accurately processed and recorded in Phase I (design and operational effectiveness) and will be appropriately assessed in Phase II (design only); (ii) information entered into the system through various sources, including IRAs and IROs, is reliable and access to it is protected; and, (iii) remediation has taken place or there is a plan in place to remediate issues surrounding IRS general system controls, core application controls, system stabilization, registration process controls, IRS governance, and project management.

The scope of the audit also included an assessment of key documentation produced for Phase I (the SIRCU initiative) and for Gates I and II of Phase II (the Indian Registration and Estates Management System) of the IRS modernization initiative in order to identify potential weaknesses and gaps that can be addressed prior to the implementation of these phases. Key documentation produced for Gates III to VII of Phase II was not included in the scope of the audit nor was key documentation for the SIRCU initiative produced after November 1, 2013.

Note that this audit did not include a review of the operating effectiveness nor a complete review of design effectiveness of controls in Phase II of the Qalipu founding member application decision process since the complete process was not yet implemented at the time of the review.

3.1 Selection of Regions for Site Visits

To conclude on the effectiveness of the controls and processes across the Department, a sample of Regions was selected for the application of the audit program. Factors in the selection of the Regions and Bands visited included the following:

• Number of registered Indians in the Regions;
• Previous history of exceptions related to life event change processing; and,
• Number of IRA users in Regions with "write" access in IRS.

Based on the above criteria and with the objective to assess adequacy and effectiveness of process and IT application controls in place in the IRS horizontally across the Regions, the following Regional and Band offices were selected for on-site field testing:

Regional Offices

• Manitoba Regional Office (October 7 to October 11, 2013);
• Quebec Regional Office (October 28 to October 30, 2013); and,
• Alberta Regional Office (November 13 to November 15, 2013).

Band offices

• Kahnawake Band Office and Service Centre (October 31, 2013);
• Wendake Band Office (October 29, 2013); and,
• Enoch Band Office (November 14, 2013).

On-site fieldwork was also conducted at HQ and at the Winnipeg Processing Unit during the following dates:

• AANDC HQ located in the National Capital Region (September to December 2013); and
• Winnipeg Processing Unit (August 22 and October 7 to October 11, 2013).

3.2 Selection of Sample Size per Region

A further element of the approach was the determination of the samples tested at the Regional sites visited and at the WPU. The following samples were selected for testing during the fieldwork phase:

• Life event changes made in IRS – A sample of 25 changes was selected and traced to supporting documents at each Regional site visited to gain sufficient coverage of life event changes made in the IRS. At one Regional office visited, an additional sample of 10 life event changes was selected making the total number reviewed 85.
• Personnel that are processing Indian Registration files – A sample of three to four IRS users, with read/write access, responsible for processing Indian registration files was selected at each Regional site visited (including IRAs located on reserve) to determine whether the individual had the appropriate security clearance and had received approval to access the IRS.
• IRS user access – A sample of 39 users with access equivalent to that of an IRO was selected across the three selected Regions to determine that access to make changes in IRS is restricted, aligned with delegated authorities, and that Indian registration information is protected.
• Invalid and valid Qalipu application forms recorded in IRS – A sample of 25 application forms was selected and traced to supporting documents.
• Boxes containing the unprocessed Qalipu application forms – A sample of five boxes was selected and inspected to determine that the categorization of the boxes was appropriate to help prevent lost or missing applications.
• Manifests used in boxes to track transported Qalipu applications – A sample of 25 boxes/manifests was selected and reviewed for completeness of the applications.
• Personnel who are processing Qalipu applications – A sample of five personnel was selected from the WPU to determine whether personnel processing Qalipu application forms had the appropriate security clearance and had approval to access the IRS.

5.1. Qalipu Registration Processes

We expected to find a combination of manual and automated controls, including clear and detailed process documentation, adequate and timely training of application processing staff, application forms being recorded, transported and stored in a complete, accurate and secure manner, and diligent monitoring of application processing progress, to ensure an appropriate assessment of the validity and decision over enrolment.

Overall, we found that effective operating controls have been established for the processing of Qalipu registration application forms. However, during the review, the following weaknesses were observed:

Spot Checks: The WPU has implemented a control wherein after an Indian Registration Clerk (IRC) enters key application data into the IRS, a second IRC will check it for accuracy. While operating effectiveness testing of this control found no exceptions of IRCs performing a quality check on their own data entry, there was a lack of formal monitoring or spot checks to ensure that IRCs were not performing quality checks of their own data entry.

Manifests: Manifests were used to verify the completeness of the contents of the boxes of applications that were shipped from Cornerbrook to the WPU. However, it was determined that there were insufficient details recorded on the manifests, such as lack of a unique identifier, to perform an effective reconciliation, and as a result, only limited overall reconciliation of manifests to the received forms could be performed to ensure the completeness of the applications received by the WPU.

Physical Security: After receipt and collection of all Qalipu application forms in Cornerbrook, the documents were shipped to the WPU for processing. We were informed that the vehicles used to transport the 1,162 boxes containing Qalipu applications were secured and that visual checks were performed to ensure that all transported boxes were received at the WPU. During our visit to the WPU, we noted that access to the building is controlled by proximity cards and only authorized visitors are permitted entry to the processing unit. As an additional level of security, there is a monitored security system in place within the WPU. However, the 1,162 boxes containing completed Qalipu applications were not all stored in accordance with AANDC's policy on protecting and handling Protected B information, which requires that they be kept in an RCMP storage container with a padlock. While there is a significant quantity of applications which represents a challenge for storage, and management has procured an external storage solution that is/will be used to store the processed Qalipu applications, this policy should not be overlooked. During our visit to the WPU, we also noted that the fire suppression system in place was inadequate to prevent the destruction of application forms being stored at the WPU facility in the event of a fire.

Scanned Document Access: In relation to the protection and privacy of Qalipu applicant information, the audit noted some security issues around the Imaging Utility system to prevent and/or detect unauthorized changes to key images, client confidentiality data and image integrity. Some x employees with access rights to folders containing scanned application forms should have had their access removed. Some scanned copies of Qalipu applications were not removed from the local drives and remained accessible by a number of users who did not require access to the data.

Final Decision: The final decision to determine an applicant's eligibility for founding membership entitlement to be registered is a key control in the Qalipu enrolment process. The IRS is not configured with application controls to enable Enrolment Committee (EC) members to directly enter the final decision as to whether an application is recommended for enrolment or denied into the system. This part of the process will be performed by the Enrolment Committee Chair. The Quality Assurance (QA) process for ensuring that the entry in IRS agrees with the EC decision is not clear at this point.^{Footnote 2}

While control and process improvements have been implemented as of the conclusion of this audit in 2013 to address known issues, weaknesses were noted at the time in the areas of data entry quality checks, physical and logical security to applicant information, and the process to implement the final EC decision on each Qalipu application into the IRS. If left unaddressed these weaknesses could have the unintended result of inappropriate enrolment eligibility decisions, unauthorized access to application information and invalid IRS data, which may support a number of c activities, including the issuance of (Secure) Certificates of Indian Status (status cards).

5.2. Regional and Band office Registration Processes

We expected to find that information entered into IRS through various sources, including IRAs and IROs, was reliable and access to it was protected, and that Certificate of Indian Status cards were being handled securely.

Policy/Directive Updates: While an intranet site has been established by HQ for dissemination of new policies/directives, the various clerks, officers, administrators, and managers interviewed at the Regional and Band offices visited, had varying levels of awareness about the policies and guidelines that are in place and relevant to their roles. While some demonstrated a sufficient understanding, others were entirely unaware of the existence of key policies, directives and guidelines. At one of the Regions visited, communication of an important directive related to Band transfers had not been disseminated to registration personnel, and consequently, no action had been taken. It was also noted that monitoring programs to ensure that Regions and Bands implement the relevant changes have not been introduced.

Training: We noted that the training material currently used by IROs and IRAs is not up-to-date. Further, there are inconsistencies between AANDC policies and directives and the Regional Training Manual, which has not been revised since 2006. It was also noted that work flow documents related to the registration process had not been communicated to the Band offices or Regional staff in a timely manner.

Based on the guidelines in place, access to the IRS is to be contingent on the successful attendance at the relevant IRS training course(s) and the completion and approval of an IRS access form. During our visits to Regional and Band offices, we found these guidelines to be inconsistently applied. In some cases, staff were receiving training on-the-job rather than in a formal capacity prior to them undertaking their roles as IRO or IRA. Formal records of training were not available at any of the Regions visited and it was confirmed that training is not being logged centrally at HQ. It was therefore not possible to determine with a reasonable level of assurance that access to the system was granted on the basis of formal training having been completed.

Roles and Responsibilities: Based on the relevant AANDC guidelines, access to the IRS is only granted on a "need to know" basis, appropriately tailored to the needs of the user's role. This access is granted based on the authority of the Indian Registrar or a delegate. In support of this, the Registrar's office has created a delegation of authority matrix that defines the tasks officers, clerks and administrators have the authority to perform. It was noted during visits to Regions and Bands that on some occasions the tasks and authorities performed by IRS users exceeded the delegated levels of authority and responsibilities. Specifically, we noted the following exceptions:

• At all Regions visited, we identified IRCs who were responsible for interacting with the public, including registrants and applicants and who were regularly entering life event changes beyond their level of authority into IRS. This is intended to be the role of personnel at the officer-level or higher;
• Out of 39 users with IRA level of access to the IRS from the Regions and Bands visited, there were 8 users for whom such access was not appropriate;
• At two of the Regions visited, there was an indication of IRS user ID and password sharing amongst individuals. This included sharing an IRS user ID and password that had IRA-level access with employees that had insufficient training and knowledge to use the privilege appropriately;
• Two instances were observed of summer students being granted full Read/Write access without receiving the requisite level of training;
• In a test sample of four active IRS accounts at one Region, one did not have evidence to demonstrate appropriate approval; and,
• The IRS access role definitions that were being used by the Regions and Bands are out of date.

Life Event Change Supporting Documents: Life events (e.g., birth, death, marriage, adoption, etc.) that affect a Registered Indian's record within the Indian Register are entered into IRS by personnel in HQ and in Regional Offices. According to AANDC Policies on Indian Registration, all entry or deletion of IRS information must be supported by independent documents signed by appropriate parties, or by evidence deemed satisfactory by the Indian Registrar. Indian life event change documents include certified copies of birth certificates, marriage/divorce certificates, court orders, and other documents containing Protected B information.

During our visits to Regional and Band offices, we noted that for 24 out of 85 life event samples selected, no supporting documentation for the changes could be provided. Of these, 12 were entered by IRAs and 12 were entered by Regional staff. At one of the Regions visited, while documentation was provided for all 25 life event changes selected, some of the documentation was not initially located and was provided substantially after the initial request.

Physical security and storage of life event change documents: Based on the AANDC and Treasury Board (TB) policies for safeguarding information, life event change supporting documents which contain information classified as Protected B, must be locked in an RCMP approved cabinet. The audit noted that insufficient physical security capacity was available to prevent unauthorized access. The following was observed:

• The use of keyed padlock cabinets was not consistent at the Regions and Bands visited. The findings ranged from keys being shared with all individuals in an office, to keys being stored insecurely. In one case, the cabinet containing unprocessed documents was left unlocked overnight;
• At one of the Bands visited, the main door to the membership area within the administration building was open when it should have been locked at all times, as was the door to the inner room where application registration documents were stored;
• At one Region, individuals who should not have access to the mail room containing life event change supporting documents did;
• At one Region, there was no fire suppression system (sprinkler) in the mail room containing life event change supporting documents;
• At one Region, keys to the lockers/cabinets that are used to store the processed applications are kept on top of the locker itself. Although access to the premises was restricted, it was noted that cleaning personnel were present on site during and after office hours without supervision, which is not appropriate for a facility that houses Protected B documents; and,
• At one of the Band offices visited, Band records were not kept separate from other Indian registration records. It was noted that all the files were being kept in the same folder for individuals.

Security gaps: Under the Privacy Act, personal information is disclosed only to the person to whom it refers, and is protected from disclosure to other parties. Given that the nature of information collected from Indian registrants is considered Protected B, it is important that the information be secured from unauthorized use. The following security weaknesses were identified:

• In one Region, the shared drive where incoming faxes are stored was available in read access to a wide range of users who did not require such access;
• In one Region, temporary scanned life event change files are stored on a temporary server that was accessible to a wide range of users on the network who did not require such access; and,
• A number of documents in CIDM, the Department's record management system, were noted to have group access rights granted, which allows any user within that Region to access such documents and is not in accordance with the principle of least privilege.

Monitoring of life event changes: Monitoring and Compliance (M&C) is a key control area in the registration and life event change process. During the audit, we found that while a QA check was occurring at some Regions, overall the monitoring being performed was not as described in the Policies on Indian Registration. In Regions where QA checks were being performed, evidence was not always available to demonstrate that they were occurring. Only one of the Regions visited was performing monitoring of life events entered directly in the Indian Register by IRAs at Band offices and Regions did not provide the semi-annual summary report to the Indian Registrar, as required by the AANDC Policies on Indian Registration.

While there is an ongoing initiative to improve and replace the existing approach to monitoring and compliance (M&C), currently most Regions are not familiar with their monitoring responsibilities regarding life event changes made in IRS. We noted that personnel were new to their roles and that the monitoring effort was getting underway. A backlog exists relating to monitoring of life event changes, reviews are not being performed in a timely manner. No reviews of individuals with long periods of inactivity has taken place to determine if the registrants are deceased, as is specified by the Entitlement Manual.

CIS card handling and security: To maintain the accuracy of the IRS and the integrity of the CIS issued by the Indian Registrar, a specific procedure has been established for the destruction of cards. The procedure calls for all cards that are returned to Regions and Bands to be logged and sent directly to the Office of the Indian Registrar (OIR) at HQ. During the audit, we found that the return/destruction of CIS cards was being handled inconsistently across Regions with some returning the cards to HQ and others destroying cards on site. At one Band visited, it was noted that the returned and void CIS cards had not been returned to the Regional Office for over a year. Further, inconsistent methods for logging returned cards were observed at the Regions visited, while at the NCR, all relevant information is not being recorded in accordance with the Entitlement Manual.

Blank CIS cards are considered Protected B documents since possession of these blank cards could enable an individual to produce fraudulent cards using a laminating device (and to potentially procure benefits). The audit noted that insufficient physical security mechanisms were in place to prevent unauthorized access to blank CIS cards. The following was observed:

• In multiple instances at Regions and Bands, blank CIS cards were not stored in locked storage containers; and,
• Guidelines related to operational zone security requirements were not respected.

Opportunities for Efficiency: The following opportunities for efficiency improvements were identified:

• During the scanning of life event change supporting documents, some Regions are scanning the documents once while other Regions are scanning them twice, once into the Department's electronic document repository (CIDM) and once into the IRS, which is less efficient than uploading the original scan into the IRS.
• Extensive backlogs of life event change requests existed at some of the Regions visited, with no action plan existing to reduce the backlog. An action plan, using a risk-based approach to determining the priority for the timing of event reviews, would help ensure that life event changes are processed in a timely manner resulting in accurate and up-to-date information in the Indian Register.
• No HQ monitoring of the progress of reducing the backlogs was occurring and backlogs have not decreased.

The audit of the Regional and Band Office registration processes has concluded that the lack of consistent communication, training and education of operations staff has resulted in departures from established AANDC policies and guidelines. This systemic gap has resulted in issues related to segregation of duties, monitoring and compliance, document handling, security, and overall process effectiveness.

5.3. Follow-up on Previous Weaknesses

In relation to IRS IT General Controls, overall we observed that while many noted weaknesses have been addressed and improvements have been made, there continues to be a need for attention to some of these areas.

Remediated items included the development and dissemination of delegation of authority matrices; the establishment of an intranet site to communicate updates to policies, directives and guidelines; the implementation of short term stabilization initiatives to bolster the current IRS infrastructure in the form of increased memory and bandwidth; the creation of a physically segregated adoption unit at HQ and corresponding restrictions on accessibility of adoption records in the Regions and Band offices; and the decommissioning of the Arrival system.

Weaknesses that were still in the process of being remediated included: the clarification roles and responsibilities for IROs and IRAs going forward; the implementation of a consistent approach to the delivery of training and the receipt of approvals for access to the IRS system; the timeliness and consistency in onward communication of updated policies, directives and guidelines to Regional staff and Bands; the appropriateness of access rights granted within IRS; restrictions on access to the adoption unit even though physical segregation was implemented; and, a number of system architecture related findings for which a more permanent solution was being defined as part of the IRS modernization initiative.

In relation to the assessment of key documentation produced for Phase I (the SIRCU initiative) and for Gates I and II of Phase II (the Indian Registration and Estates Management System) of the IRS modernization initiative, we did not identify any potential weaknesses and gaps at this stage. The documentation provided to date primarily included the documents used to obtain approval to proceed with the proposal, high level approach and business requirements documents and presentations to executive management, and do not provide a sufficient level of detail to enable the identification of weaknesses, gaps or recommendations at this time.