Targeted control audit of CARM business readiness: Introduction, key findings and management response

1.0 Introduction

1. The Canada Border Services Agency (CBSA) is the second-largest revenue collector in the Government of Canada (GC) with revenue from duties and taxes on imports totalling $33 billion from approximately $568 billion of imports in 2019. Over time, the volume and value of commercial imports have increased; however, Canada's relative world ranking in trade facilitation and border management has declined, leaving a need for a new approach to revenue collection.

2. In 2009, the Office of the Auditor General (OAG) appeared before the Standing Committee on Public Accounts (PACP). The OAG noted that CBSA had difficulty in reconciling information in various reports taken from its tax program systems, which led to unexplained differences at year-end. The Committee was told that this was due to information technology systems not being able to share data, and it would take several years to fully fix. As a result, PACP recommended that the CBSA provide the Committee with a detailed plan specifying the steps it would take to improve its tax revenue accounting systems. It is from this recommendation that the CBSA Assessment and Revenue Management (CARM) project was created.

2.0 Significance of the audit

3. CARM seeks to:

• deliver a globally leading customs experience that is customer-centric
• simplify commercial assessment, introducing an online self-service for trade chain partners (TCPs) while providing small and medium TCPs greater ability to deal directly with the CBSA
• enhance compliance and revenue collection
• update an assortment of Information technology (IT) systems to support border management processes that are, in some cases, more than 30 years old

4. CARM is being released in three phases. Release 0 – R0 (January 2021) moved the Accounts Receivable Ledger (ARL) to the latest technology hosted within a cloud environment. Release 1 – R1 (May 2021) was the introduction of an internal portal which set the foundation for case management. Release 2 – R2 (ongoing) will transition from CBSA legacy revenue management systems and introduce new measures such as TCP registration and enrolment availability and increased portal functionality.

5. Many stakeholders are involved in the CARM project, including the CARM Directorate, Deloitte (the Vendor responsible for delivering the solution), the Strategic Policy Branch (SPB, supporting legislative and regulatory amendments), and the Information, Science and Technology Branch (ISTB, conducting security assessments for the CARM solution and liaising on IT issues), among others. A more detailed list of stakeholders can be found in Appendix A.

6. The objective of this audit was to assess the state of business readiness^{Footnote 1} activities to support the operations impacted for R2 release of CARM, originally scheduled for May 2022 (i.e. full implementation of the core CARM solution). However, the audit team became aware of a potential delay for CARM R2 in late July 2021. Within this context, the findings from this audit are presented as information the agency should consider in advance of launching CARM.

7. Given that the initial objective for this audit was to determine business readiness at a point in time, this engagement has not examined nor determined the underlying reasons behind the solution build delays. It should be noted that, as of October 20, 2021, the project monitoring report indicated the solution build was 130 days behind (more than 4 months).

8. The audit scope included risk management practices across the agency in order to address CARM R2 risks, internal and external business readiness initiatives and plans to support CARM R2, and IT processes surrounding system integration and IT security for CARM R2. The detailed audit scope and criteria can be found in Appendix B.

3.0 Statement of conformance

9. This audit conforms to related Treasury Board's Policy and Directive on Internal Audit and the Institute of Internal Auditors' International Professional Practices Framework. Sufficient and appropriate evidence was gathered through various procedures to provide an audit level of assurance. The agency's internal audit function is independent and internal auditors performed their work with objectivity as defined by the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.

4.0 Audit opinion

10. While the agency has taken a number of positive steps toward internal and external business readiness, opportunities exist to better address project risks that hindered the agency's ability to be business ready for the launch of CARM R2. The agency needs to take steps to ensure the required legislative authorities are in place, TCPs are certified to adopt the system, and key IT solutions are implemented without further delays. There is also a need to improve the effectiveness of the current communication mechanism between the CARM project team and agency senior decision-makers to strengthen the management of key CARM R2 launch risks.

11. It is critical that the agency delivers upon CARM's intended objectives, not only to address obsolete and non-integrated accounting systems, but to ensure the system produces complete and reliable financial and trade data for the current age.

5.0 Key findings

12. Enabling legal authorities were not in place to facilitate e-payments and security, resulting in the agency not being business ready for the May 2022 R2 launch date.

13. TCP IT system certification was not effectively tracked. The absence of onboarding creates a risk that TCPs will not be ready to adopt CARM nor have the necessary certified IT systems in place when CARM is launched. As a consequence, there could be a negative impact on the flow of goods at the border.

14. Gaps exist in certain IT processes and systems necessary for the assessment of tariffs. These gaps increase the risk of not being able to assess the duties and taxes owed to the Crown by importers and exporters, thereby impacting the agency's ability to operate the CARM system and realize all expected benefits.

15. Continued solution build delays have compressed training timelines and critical IT system build activities that need to be completed prior to launching R2. These activities include IT integration, user acceptance testing, and IT Security Assessment and Authorization (SA&A). These delays could lead to the system not working as intended, posing legal and reputational risks to the agency.

16. While the CARM Business Readiness Implementation Board (CBRIB) provided effective oversight of the business readiness activities, the audit noted a gap with regard to CBRIB's reporting on risk management to senior decision-makers. This increases the likelihood that senior decision-makers are not provided with timely advice and/or feedback on CARM business readiness in order to manage risks appropriately.

6.0 Summary of recommendations

17. The audit makes one recommendation relating to revising the current set of project updates provided to senior management and governance committees to better highlight key risks, mitigation strategies, and budget considerations.

7.0 Management response