Internal Audit - Values and Ethics Framework

Final Report
Audit, Evaluation, and Risk Branch
January 2024

Executive summary

The Canada Revenue Agency’s (CRA) Integrity Framework was developed to strengthen the management of integrity at the CRA. Employees are guided by the Values and Ethics Code for the Public Sector, and CRA policy instruments, such as the Code of Integrity and Professional Conduct, and the Directive on Conflict of Interest. Adherence to these policies and directives is part of the terms and conditions of employment for all CRA employees.

The objective of the audit was to provide the Commissioner, CRA management, and the Board of Management (Board) with assurance that a values and ethics framework is in place and working as intended to foster a culture of integrity and contribute to public trust.

Overall, the internal audit team found that a values and ethics framework is in place at the CRA and is communicated to CRA employees to encourage a culture of integrity and contribute to public trust. However, improvements are needed to strengthen the framework by implementing a process to increase awareness and application of values and ethics requirements and collaborating with relevant internal stakeholders to monitor data, and report on the state of values and ethics at the CRA.

Summary of recommendations

• The Human Resources Branch (HRB) should implement a process to ensure CRA employees complete the corporate mandatory training related to values and ethics.
• The HRB should develop and provide employees and delegated managers with more tools and guidance to raise employees’ awareness of their values and ethics obligations and to enhance their ability to report conflict of interest (COI) situations, including:
  • Enhancing training to provide COI scenarios that employees are likely to encounter in the performance of their duties, and
  • Improving tools and guidance for delegated managers to allow for more efficient review of their employees’ COI disclosures.
• The HRB, in collaboration with relevant internal stakeholders, should develop a process to identify and collaboratively monitor data, and report on the state of values and ethics at the CRA.

Management response

The HRB agrees with the recommendations in this report and has developed related action plans. The Audit, Evaluation, and Risk Branch has determined that they appear reasonable to address the recommendations.

Introduction

The Canada Revenue Agency (CRA) is responsible for upholding public trust in the administration of tax, benefits, and related programs for Canadians. Taxpayers and benefit recipients are entitled to accurate, fair, timely, and professional service. A values and ethics framework is therefore vital to ensuring that CRA employees^{Footnote 1}  conduct reflects CRA values and complies with the rules and guidance applicable to their duties and public service obligations. The CRA values and ethics framework includes the CRA Integrity Framework.

The CRA Integrity Framework maps out the Agency’s core integrity instruments which primarily protect integrity and prevent integrity lapses. The framework includes the CRA’s Code of Integrity and Professional Conduct (the Code)^[1], which identifies the values and ethical behavior expected of CRA employees. The framework also outlines the CRA’s mission, vision, and core enduring values of integrity, professionalism, respect, and collaboration.

Along with the Code, the CRA Directive on Conflict of Interest^{Footnote 2}  provides specific guidance to ensure that the private interests, outside activities, the offer or acceptance of gifts or hospitality and plans for post-employment that will or could give rise to a conflict of interest are identified, disclosed and managed.

In addition to the Code and the Directive, the Values and Ethics Code for the Public Sector (VECPS)^{Footnote 3}  outlines the five core values required of all members of the federal public service: respect for democracy, respect for people, integrity, stewardship, and excellence. Reading, acknowledging, and abiding by the requirements of the Code, Directive on Conflict of Interest, and the VECPS are part of the terms and conditions of employment for all CRA employees.

All branches and regions have roles and responsibilities in supporting and promoting values and ethics within the CRA. More specifically, the Values and Ethics Office within the HRB develops, maintains, and reviews corporate policy instruments, supporting tools, and learning products to support integrity management at the CRA, and the Security Branch oversees various security reporting mechanisms within the CRA.

Furthermore, CRA employees are regularly prompted to review the Code and Directive and are asked to affirm that they will abide by those terms and conditions of employment.

Focus of the audit

This internal audit was included in the Board of Management (Board) approved 2022-2023 Risk-Based Assurance and Advisory Plan, which was approved on March 30, 2022. The Assignment Planning Memorandum was approved by the Commissioner on January 17, 2023.

Importance

This audit is important because values and ethics are an integral part of the CRA’s priority to strengthen public trust through enhanced security, transparency, and accountability. Therefore, it is also important for the CRA to have a strong framework with effective corporate policy instruments that set the foundation to guide employees and uphold the highest standards of integrity and professional conduct.

Objective

The audit objective was to provide the Commissioner, CRA management, and the Board with assurance that a values and ethics framework is in place and working as intended to foster a culture of integrity and contribute to public trust.

Scope

The audit included a review of corporate policy instruments related to the governance, communication, awareness, and monitoring activities for the values and ethics framework at the CRA. The internal audit team also reviewed and analyzed data related to the annual affirmation of the Code, conflict of interest reporting and mandatory training.

The scope did not include a review or assessment of cases when employees failed to comply with the rules and expectations related to values and ethics.

The period covered in this audit was from April 1, 2019 to March 31, 2022.

Audit criteria and methodology

The audit criteria and methodology can be found in Appendix A.

The examination phase of the audit took place from December 2022 to May 2023.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.

Findings, recommendations, and action plans

The recommendations presented in this report address issues of significance. The HRB agrees with the recommendations in this report The Audit, Evaluation, and Risk Branch has determined that they appear reasonable to address the recommendations.

Communication and awareness

The CRA has mandatory values and ethics related training courses that CRA employees must complete.

As part of the examination phase, the internal audit team reviewed values and ethics data to determine the percentage of employees who did not complete the mandatory training courses and it was noted that across three mandatory courses, some employees did not complete the mandatory values and ethics training in fiscal year 2021-2022.

The following is a breakdown of the mandatory training reviewed by the internal audit team along with the percentage of employees that did not complete the training in fiscal year 2021-2022:

• Security Awareness: 9%
• Code of Integrity and Professional Conduct: 5%
• Workplace Harassment and Violence Prevention for Employees (WMT101): 19%

The timely completion of the mandatory training plays a key role in raising awareness and application of the values and ethics obligations. Any gaps in this area can greatly impact an employee’s understanding of their expectations regarding values and ethics.

Recommendation #1

The HRB should implement a process to ensure CRA employees complete the corporate mandatory training related to values and ethics.

Management Response

HRB agrees with the need to track the completion rates of corporate mandatory training courses, and has been doing so for many years. HRB’s Leadership and Learning Directorate (LLD) recognizes the need to review its internal processes to improve the communicating, monitoring and reporting of Corporate Mandatory Training (CMT).

Action Plan #1

• Every quarter, LLD will include a reminder of the new Corporate Administration System (CAS) feature in the dashboard on the overall compliance rate for each CMT provided to CMC.
  • Timeline: next quarterly report, and each quarter thereafter
• The LLD will publish instructions on KnowHow as well as on Management Hub sections of InfoZone to guide supervisors to track employee CMT completion via the Manager Self-Service (MSS) portal, which is linked to CAS.
  • Timeline: January 2024
• Support Assistant Commissioners in managing their own branches or regions reporting and compliance by publishing and hosting the quarterly reports through SharePoint to provide easy access to the data.
  • Timeline: March 2024
• LLD will explore and test ways to enhance communication to employees and managers on their CMT accountabilities aligning with performance management cycles.
  • Timeline: November 2024
• LLD, in consultation with ITB, will test a new automated notification for CMT through CAS, and recommend whether the system feature is viable for national implementation.
  • Timeline: April 2024

Monitoring and enforcement

The CRA Directive on Conflict of Interest provides employees with principles for what constitutes a conflict of interest, and requires all employees, regardless of their roles and responsibilities, to report a wide range of private interests and outside activities. Employees are also required to update or submit a new disclosure any time there is a change in their private interests or outside activities and when they change jobs. Once an employee submits a disclosure, it is reviewed by a delegated manager (a member of senior management) to determine if a real, apparent, or potential conflict of interest exists. Delegated managers are required to review these disclosures and to action them within 25 business days.

The audit team conducted documentation reviews, data analysis, and interviews to examine the CRA’s confidential disclosure process. The interviews identified that the current conflict of interest policy approach creates a significant administrative workload for delegated managers.

The data analysis and tests performed during the audit identified the following:

• In 2022, delegated managers received an average of 44 COI disclosures, from as few as one disclosure, to as many as 652. 29 delegated managers (28 in 2021) had more than 100 COI disclosures to review, with two needing to review more than 400 disclosures in 2022.
• Managers take an average of 17 days to review disclosures. 1,626 reports (or 20% in 2022) and 2,009 reports (or 18% in 2021) took longer than 25 days to review.

The Internal Audit team reviewed 35 conflict of interest disclosures reviewed by delegated managers. Of these, only 11% (4 / 35) were determined as a real, apparent or potential COI. A study undertaken by the Values and Ethics Office within HRB indicated that a small proportion of the disclosures in 2021 constituted a real, apparent or potential conflict of interest that required a mitigation strategy (79 out of 7,618 disclosures).

Strong employee awareness of their values and ethics obligations combined with more concrete conflict of interest scenarios may better support employees and delegated managers in the disclosure process.  

Recommendation #2

The HRB should develop and provide employees and delegated managers with more tools and guidance to raise employees’ awareness of their values and ethics obligations and to enhance their ability to report conflict of interest situations, including:

• Enhancing training to provide COI scenarios that employees are likely to encounter in the performance of their duties, and;
• Improving tools and guidance for delegated managers to allow for more efficient review of their employees' COI disclosures.

Management Response

HRB concurs with this recommendation. The CRA has a large selection of awareness products (webpages, step-by-step instructions, questions and answers, and scenario-based learning) available to employees and leaders about values, ethics and conflicts of interest. HRB agrees to refresh existing products and to create new ones as required.

Action Plan #2

• The HRB-VEO will update the Code of Integrity and Professional Conduct mandatory training (TD-1528-000) with relevant conflict of interest-related scenarios add clarifying scenarios to KnowHow and other awareness vehicles for employees and delegated managers.
  • Timeline: November 2024

The CRA has multiple reporting mechanisms for employees to report misconduct cases, such as fraud, and misuse of CRA or taxpayer information and assets. CRA employees have the option to report directly to their manager, contact the Internal Affairs Division within the Security Branch, use the CRA anonymous Internal Fraud and Misuse Reporting Line or contact the Internal Disclosures Office within the Audit, Evaluation and Risk Branch. The Security Branch is responsible for managing some of the reporting mechanisms. The various reporting mechanisms are designed to handle very specific types of misconduct and are communicated to CRA employees. Moreover, additional data for values and ethics at CRA is captured by the HRB and the Security Branch, such as security incidents, confidential disclosures data, Internal Fraud and Misuse Reporting Lines data, discipline reports, training data, annual affirmation data, and staffing reports.

The internal audit team conducted interviews and documentation reviews to determine if the CRA has a process to monitor, in a collaborative and cross functional manner, the state of values and ethics at the CRA. It was determined that there is a need for cross-functional identification and tracking of the available data to provide management information on the state of values and ethics at the CRA as a whole. The difficulty of coordinating with multiple stakeholders, reporting structures or systems requirements was the main reason why integrated processes to identify, monitor, compile and report values and ethics data were not in place. By working collaboratively and maximizing the use of existing tools and data, capturing and assessing the level of employee compliance and awareness of CRA’s values and ethics framework could be improved. In turn, this could improve management’s ability to identify areas or processes within the CRA that require improvement.

Recommendation #3

The HRB, in collaboration with relevant internal stakeholders, should develop a process to identify and collaboratively monitor data, and report on the state of values and ethics at the CRA.

Management Response

HRB agrees and supports the concept of promoting regular collaboration on integrity-related information.  Sharing, monitoring and reporting on values and ethics-related indicators/data would contribute to the effective and proficient protection of CRA integrity, by facilitating the timely identification of trends, opportunities, and challenges.

Action Plan #3

• HRB will work with relevant internal stakeholders to create and publish an annual report on addressing employee wrongdoing and misconduct at CRA including fraud, unauthorized access to taxpayer information, harassment, conflict of interest and other breaches of CRA’s codes of conduct. While this data is currently tracked within the Agency, it is fragmented. An integrated annual report will increase transparency on how misconduct and wrongdoing is being addressed, improve agency-wide analysis and identification of gaps or issues for further action.
  • Timeline: June 2024
• As part of its planned modernization of CRA’s Values and Ethics Program and related corporate policy instruments to be completed in 2025, HRB will work with internal stakeholders to develop guidance to strengthen the identification and assessment of ethical risks to systematically inform corporate business planning across the Agency.
  • Timeline: November 2024

Conclusion

Overall, the internal audit team found that a values and ethics framework is in place at the CRA and is communicated to CRA employees to encourage a culture of integrity and contribute to public trust.

However, improvements are needed to strengthen the framework by implementing a process to increase awareness and application of values and ethics requirements and collaborating with relevant internal stakeholders to monitor data, and report on the state of values and ethics at the CRA.

Appendices

Appendix A: Audit criteria and methodology

Based on the Audit, Evaluation, and Risk Branch’s risk assessment, the following lines of enquiry were identified:

Lines of enquiry	Criteria
Governance	CRA leadership has established clear and effective roles, responsibilities, structures, and reporting lines to provide values and ethics oversight.
Communication and awareness	A comprehensive code of conduct, values and ethics framework, and related policies and procedures are documented, reviewed and updated regularly, and clearly explain values and ethics expectations in a manner accessible to all employees.
	Effective values and ethics training exists and is mandatory for all employees.
	There is regular and clear communication concerning values and ethics expectations, tools, and resources, including from senior leadership.
Monitoring and Enforcement	Easily accessible mechanisms exist for CRA employees to confidentially evaluate the ethical climate and report misconduct.
	Controls for the prevention of conflicts of interest exist and are designed and operating as intended.
	Key performance indicators exist to measure the state of integrity at the CRA and are monitored in a collaborative manner across branches.

Methodology

The methodology used in the examination included the following:

Document review: reviewed, analyzed, and compared values and ethics corporate policy instruments, processes and procedures, supporting documentation, courses, and tools.

Data analysis: used data analytics to review program statistics for trends in values and ethics monitoring and reporting processes.

Interviews: interviewed select management and staff at Headquarters and in the regions.

Appendix B: Glossary

Term	Definition
CAS-Commitment Application	The CAS-Commitment application was developed to increase the security of information submitted through a confidential disclosure form and to add rigour and timeliness to the management of conflict of interest confidential disclosure forms.
CommitmentFootnote 4	Employees are required to regularly affirm their adherence to the Code and disclose particular private interests and outside activities, gifts, hospitality and other benefits, and plans for post-employment in the appropriate confidential disclosure form as per the Directive on Conflict of Interest. Delegated managers are required to assess and manage real, apparent, or potential conflicts of interest.
Conflict of interestFootnote 5	A conflict of interest arises whenever an employee's private interests, outside activities, receipt of a gift, hospitality or other benefits, or plans for post-employment will impair, or could be perceived to impair, their ability to make decisions with integrity, impartiality, honesty, and in the best interests of the CRA and the Government of Canada. Real conflict of interest: A conflict exists between an employee's duties at the CRA and their private interests, outside activities, receipt of a gift, hospitality or other benefits, or plans for post-employment. Apparent conflict of interest: A conflict between an employee's duties at the CRA and their private interests, outside activities, receipt of a gift, hospitality or other benefits, or plans for post-employment that could be perceived to exist by a reasonable observer, whether or not this is the case. Potential conflict of interest: A conflict between an employee's duties at the CRA and their private interests, outside activities, receipt of a gift, hospitality or other benefits, or plans for post-employment that could reasonably be foreseen to exist.
Corporate Administrative System (CAS)Footnote 6	A commercial software from SAP that has been customized for the CRA to handle Human Resources and Finance and Administration data and processes. CAS is a system consisting of a combination of functional modules, integrated through a central database to allow the CRA to perform all its major business processes in one system providing real time data.
CRA Integrity FrameworkFootnote 7	Maps out the CRA’s core integrity instruments, which primarily protect integrity and prevent integrity lapses.
Internal Stakeholders (for the purposes of this Internal Audit)	All branches and regions have roles and responsibilities in supporting values and ethics at the CRA. The internal audit team referred to HRB and Security Branch as primary internal stakeholders during the course of the internal audit.
Misconduct	Misconduct is when an employee: engages in conduct that contravenes an act, a regulation, the Code of Integrity and Professional Conduct, or a CRA policy instrument/tool, and/or neglects and/or fails to act (omission) according to an act, regulation, the Code of Integrity and Professional Conduct, or a CRA policy instrument/tool.
Values and Ethics Framework (for the purposes of this Internal Audit)	Corporate policy instruments, legislation, methodologies, processes, procedures, and tools related to values and ethics, including the CRA integrity Framework.