Audit Report
Audit of Operation Syrian Refugee – CBSA Security Screening
April 2017

Note

[*] An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and the Privacy Act.

Table of contents

1.0 Introduction

1. The objectives of Canada's refugee program are to save lives, offer protection to the displaced and persecuted, meet Canada's international legal obligations with respect to refugees, and respond to international crises by providing assistance to those in need of resettlement.

2. In November 2015, the Government of Canada committed to welcoming 25,000 Syrian refugees into Canada by the end of February 2016. To support this priority, the Operation Syrian Refugee (OSR) strategy was developed. This effort was led by Immigration, Refugee and Citizenship Canada (IRCC) in collaboration with the Canada Border Services Agency (CBSA or the Agency), other federal partners, international partners, provinces and territories, municipalities, and non-government organizations.

3. OSR was managed in five phases:

4. The Government of Canada successfully achieved its objective by resettling 26,172 by February 29, 2016.

Identification and Processing of Syrian Refugees

5. The processing of refugees fits into a broader security continuum that includes activities which occur pre-border, at-border and post-border and involve multiple security partners.

6. For Phase 1, IRCC officials worked in consultation with international partners, such as the United Nations High Commissioner for Refugees and the Turkish Government, to identify potential Syrian Government-Assisted Refugees resettlement candidates based on established triage criteria for the partners to consider in referring potential refugees to apply to come to Canada as part of OSR.

7. For Phase 2 of OSR IRCC was responsible for determining Syrian refugee claimant eligibility for Canadian resettlement and admissibility. At this stage, interviews, medical examination, and security and biometrics screening were conducted.

8. The Agency's National Security Screening Division (NSSD) supported IRCC during Phase 2 by conducting security screening of refugees that were referred to the Agency by IRCC. The Agency's National Targeting Centre (NTC) also supported the formal security screening process by conducting open source security screening checks [*] for cases requiring expedited processing. An admissibility recommendation was then provided to IRCC based on the security screening conducted. IRCC used the recommendation to assess security admissibility and render a final decision.

9. During Phase 3, pre-border security screening system checks were conducted on flight manifests; and in Phase 4 all refugees were processed by border services officers upon arrival in Canada.

10. The Agency concept of operations is based upon a risk management approach during each phase of the operation that collectively aims to mitigate border security risks posed by refugeesFootnote 1. While the Agency played a role in other Phases of OSR as described, the audit focused on the formal security screening conducted during Phase 2 of the process by the NSSD and the NTC.

11. It is worth noting that the circumstance under which the work was performed by the Agency was extraordinary. The number of OSR cases needing processing and the short turnaround to meet the Government's priority added considerable pressure requiring extended hours of operation and the deployment of additional staff. Over and above this work, the Agency was still under the obligation to meet its obligations to process non-OSR cases within normal service standards.

2.0 Significance of the Audit

12. This audit is of interest to management due to the risk associated with processing a significant number of applicants within a compressed timeline, as well as the perceived sensitivity and public visibility of this area and strategic importance to the Agency.

13. The audit supported the IRCC Internal Audit and Accountability Branch by comparing security screening information in IRCC's case management system to information recorded in the Agency's case management system to ensure accuracy and consistency between the two data systems. In 2016, IRCC initiated an audit of OSR to assess whether processes were established and followed by IRCC for OSR to identify and process Syrian refugees. Due to the Agency's role in providing admissibility recommendations to IRCC, this audit sought to validate certain information related to the audit testing of security screening of refugee files.

14. The audit was approved as part of the 2016 CBSA Integrated Audit and Evaluation Plan which was approved in June 2016.

15. The audit objective was to provide reasonable assurance that effective security screening processes were established and followed by the Agency for OSR in making admissibility recommendations to IRCC.

16. The audit scope included an examination of the security screening and oversight processes applied by the Agency during Operation Syrian Refugee from November 4, 2015 to February 29, 2016.

17. The audit scope did not include:

3.0 Statement of Conformance

18. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The audit approach and methodology followed the International Standards for the Professional Practice of Internal Auditing as defined by the Institute of Internal Auditors and the Internal Auditing Standards for the Government of Canada, as required by the Treasury Board's Policy on Internal Audit.

4.0 Audit Opinion

19. The Agency developed formalized security screening procedures for OSR and conducted quality assurance and oversight activities throughout OSR. Key controls were designed and implemented to ensure that security screening of all OSR applicants referred to the Agency were completed. [*]

5.0 Key Findings

20. Standard Operating Procedures (SOPs) were developed and implemented specifically for OSR which also defined clear roles and responsibilities for the various individuals and divisions involved in the security screening process. Modifications to the OSR SOPs, however, affected who completed some security screening system checks and how the results were communicated and documented. [*]

21. [*]

22. [*]

23. [*]

24. In terms of oversight, clear procedures for oversight activities were established and carried out during OSR. An opportunity exists to implement the updated quality assurance program, which was under development during the audit.

6.0 Summary of Recommendations

25. [*]

7.0 Management Response

Management Response

Operations Branch agrees with the findings and recommendation of the Audit of the security screening process for Operation Syrian Refugees. Work is already underway to address the observations and recommendations which will result in a more effective and efficient security screening program.

8.0 Audit Findings

8.1 Security Screening Processes

Audit Criteria:

8.1.1 Process Design

26. The NSSD and its security partners are responsible for screening applicants seeking temporary and permanent residency in Canada for admissibility under sections 37 (organized crime), 35 (crimes against humanity and genocide), and 34 (terrorism, espionage and subversion) of the Immigration and Refugee Protection Act (IRPA). The security screening conducted by the NSSD is guided by the IRPA, carried out in coordination with the Agency's security partners, and has been established in a set of Standard Operating Procedures. Once security screening is complete, the NSSD consolidates the security screening results and provides an admissibility recommendation to IRCC, which is responsible for granting temporary or permanent residency in Canada.

27. When OSR came into effect on November 4, 2015, the NSSD became a key player in ensuring the Government's ability to reach its objective of welcoming 25,000 Syrian refugees by February 29, 2016. The NSSD was responsible for conducting comprehensive security screening on applicants referred to the Agency for security screening. Comprehensive security screening involves the completion of a series of mandatory system checks (four systems in addition to an integrated query check and open source checks) and a review of specific information provided on the applicant. Security information provided by other governmental security partners is also considered.

28. To support the OSR initiative, specific SOPs were developed and implemented for the accelerated screening process. We reviewed the OSR SOPs to identify modifications that were made to the standard security screening process.

29. The OSR SOPs outline the roles and responsibilities of various individuals and divisions involved in the comprehensive security screening process. They also identify the systems to be used and checks to be completed, as well as provide a template for how results should be documented in the Agency's case management system. Due to the volume of applicants to be processed for OSR and the timelines to be respected, the following key process modifications were made:

30. To identify the cases that needed to be sent to NTC for open source checks and to the analysts responsible for the integrated query checks, a new process was established. This involved the use of a data extract (or list of cases) from the Agency's case management system. The list was then used by the NTC and analysts completing the integrated query checks to track and perform their work. For cases to be included on this list, the Agency elected to use the "Syrian Refugee Processing" ('SRP') code entered by IRCC in the IRCC's case management system.

31. [*]

32. While the security screening continuum provided additional controls in terms of security checks that would have been conducted on these cases during other OSR phases, [*]

33. [*]

34. It is important to note that the process of providing a list to the NTC for open source checks and the use of integrated query checks are no longer used as the NSSD has returned to its standard process.

35. Two other process changes were made for OSR [*]

36. The process for recording the mandatory system check results in the case management system [*]

Recommendation 1:

The Vice-President Operations, in consultation with the Vice-President Information, Science and Technology, should explore the option [*]

8.1.2 Security Screening Compliance

37. Comprehensive security screening for OSR was conducted by the NSSD, with support from the NTC, on all applicants referred to the CBSA by IRCC. We expected security screening to be carried out in accordance with the established OSR SOPs, which came into effect December 4, 2015Footnote 3.

38.We reviewed a random sample of 54 OSR files that were referred to the NSSD for comprehensive security screening to determine whether the security screening process outlined in the OSR SOPs was applied. Audit testing confirmed that in all cases:

39. [*]

40. While there are other checks that form part of the security screening continuum, such as pre-border screening of flight manifests and passenger processing upon arrival in Canada, the potential impact of missed or undocumented security screening checks is that key information may not have been identified or considered when providing an admissibility recommendation to the IRCC. [*]

Case Management System Data Comparisons

41. In support of the IRCC Audit, various data comparisons were conducted by the Agency's Internal Audit Division. This involved the comparison of OSR data extracted from IRCC's case management system to OSR data extracted from the Agency's case management system. We expected to find a match between the number of files referred to the Agency for security screening and the number of files IRCC had recorded as having received security screening.

42. [*]

43. [*]

44. [*]

45. [*]

8.1.3 Oversight and Quality Assurance

Oversight

46. The relocation of Syrian refugees to Canada was managed in accordance with the Emergency Management Act. Within the Agency, the Operational Preparedness and Response Division, National Border Operations Centre Directorate, is responsible for Emergency Management. It also houses the Border Operations Centre, which played a key role in OSR.

47. The audit expected to find oversight procedures in place to ensure that the operation was carried out in an effective manner and managed according to plan.

48. The Agency's emergency management function was responsible for developing the Agency's Integrated Operational Plan (the Plan) for OSR. The objective of the Plan was to guide the Agency's internal preparations and service delivery throughout OSR. It was also developed to ensure horizontal synchronization between Agency branches and operational directorates, divisions and units involved in OSRFootnote 4.

49. The Plan clearly outlines the roles and responsibilities regarding oversight during OSR. It also details operational monitoring and coordination activities that were to be carried out for OSR by the Operational Preparedness and Response Division. Activities specified in the Plan includedFootnote 5:

50. The audit validated a sample of these activities to ensure that they were carried out as planned. No discrepancies or issues were noted.

Quality Assurance (QA)

51. Given the importance of this initiative, it was expected that quality assurance procedures around the security screening process be implemented. QA reviews provide comfort that admissibility recommendations made to IRCC are properly supported, that SOPs are applied consistently and it provides an opportunity to identify process weaknesses and/or issues and areas for improvement.

52. Two QA activities were in place during OSR: the NSSD QA program and supervisory reviews.

53. The NSSD Operational Support team is responsible for a QA program that was designed to perform a review of case files that occurred either before or after recommendations were provided to IRCC. The reviews assessed whether the appropriate information was considered in the admissibility recommendation and accurately recorded in the case management system.

54. During the audit period, the NSSD Operational Support team conducted their normal QA program, including a review of 20 OSR files. Although the QA reviewer identified opportunities for improvement and made recommendations to screening analysts, there were no specific QA procedures or checklists used to document the reviews conducted. The NSSD has indicated that they were currently updating their QA process and framework to provide a more robust program.

55. With respect to supervisory review for OSR, team lead review and approval were only required where a non-favorable admissibility recommendation was made to IRCC. Favorable cases did not require formal review or approval, as is the norm under standard process for the NSSD. Within the audit sample of 54 cases, the audit observed one non-favorable case that required and received team lead review and approval.

56. The audit recognizes that there were extreme pressures placed upon the teams involved in delivering OSR and that resources were working numerous hours of overtime in order to ensure the Operation's success. Although the high volume of cases processed for OSR and the tight deadlines faced by the NSSD may account for the revised supervisory review procedures, going forward, a more structured and formalized QA program would be beneficial [*]

Recommendation 2:

The Vice-President Operations should implement the updated quality assurance process and framework.

Management Response: Completion Date:

Operations Branch agrees with the findings and recommendation.

A rigorous and systematic QA framework and process have been implemented including a supervisor's review, and documenting of the results.

January 2017

Appendix A – About the Audit

Audit Objectives and Scope

The objective of the audit was to provide reasonable assurance that effective security screening processes were established and followed by the CBSA for OSR in making admissibility recommendations to the IRCC.

The audit scope included an examination of the processes followed by the Agency in order to make an admissibility recommendation to IRCC on Syrian refugees during the period from November 4, 2015 to February 29, 2016Footnote 6. This included applications that received favorable and non-favorable admissibility recommendations or applications that were deferred for further screening.

The audit also examined the Agency's security screening for applications initiated in OSR centres overseas. The audit focused on whether appropriate security screening processes and controls were designed by the AgencyFootnote 7, in consultation with other security partners, and whether the formal security screening processes were followed by the NSSD and the NTC.

Given the timeframe, the audit excluded the following:

Risk Assessment

A preliminary risk assessment was conducted during the planning phase to identify potential areas of risk and audit priorities; it included discussions with key personnel involved with OSR including representatives from the Operations Branch. It also included a walkthrough of the formal OSR screening process with security screening officers from the NSSD. As well, a review of corporate documents relating to OSR was performed. The following key risk areas were identified: [*]

Approach and Methodology

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada. Audit procedures included:

Audit Criteria

Given the preliminary findings from the planning phase, the following criteria were chosen:

Line of Enquiry Audit Criteria
Line of Enquiry 1:
Security Screening Process
1.1. Processes that were modified to support the security screening process for Syrian refugees were in compliance with the Agency's established security screening procedures and departmental policies;
1.2. Security screening conducted by the NSSD and NTC for OSR was conducted in accordance with established procedures; and
1.3. Oversight and quality assurance activities were performed during OSR in support of the accelerated security screening process.

Appendix B – List of Acronyms

CBSA
Canada Border Services Agency (the Agency)
GCMS
Global Case Management System
IRCC
Immigration, Refugee and Citizenship Canada
IRPA
Immigration and Refugee Protection Act
NSSD
National Security Screening Division
NTC
National Targeting Center
OSR
Operation Syrian Refugee
QA
Quality Assurance
SOP
Standard Operating Procedures
SRP
Syrian Refugee Program
VP
Vice-President
Date modified: