Archived - Audit of the Management of Export Certificates

March 2012

Table of Contents

• 1.0 Executive Summary
  • 1.1 Introduction
  • 1.2 Objective
  • 1.3 Scope
  • 1.4 Main Findings and Recommendations
    • Finding 1.0: Data Management
    • Recommendation 1.0
    • Finding 2.0: Security Practices
    • Recommendation 2.0
  • 1.5 Statement of Assurance
  • 1.6 Audit Opinion
• 2.0 About the Audit
  • 2.1 Background
  • 2.2 Objective
  • 2.3 Scope
  • 2.4 Methodology
• 3.0 Findings and Recommendations
  • 3.1 Introduction
  • 3.2 Main Findings and Recommendations
    • Finding 1.0: Data Management
    • Recommendation 1.0
    • Finding 2.0: Security Practices
    • Recommendation 2.0
• 4.0 Appendix A: Detailed Audit Criteria
• 5.0 Appendix B: Management Response and Action Plan

1.0 Executive Summary

1.1 Introduction

Export certification plays an important role in Canada's international trade and helps to protect the excellent international reputation of Canada's exports of food, plants, animals and associated products. The export activities supported by the Canadian Food Inspection Agency (CFIA) are significant. For example, Canada is the world's fourth largest exporter of food products, with 2010 exports estimated at $35.4 billion. The food export market accounts for approximately 350,000 Canadian jobs.

The CFIA is recognized by foreign governments as the competent authority in Canada for the regulation of food, plants and animals. The CFIA issues export certificates for commodities in all its business lines. These export certificates provide certification statements to meet foreign country import requirements.

1.2 Objective

The objective of this audit was to provide assurance that CFIA export certificates are well-managed and in accordance with relevant legislations, policies, directives and standards.

1.3 Scope

The scope of this audit included the three business lines of the CFIA - food, plant, and animal, and included the Operations Branch and Policies and Programs Branch, where the activity takes place. The scope covered all Areas, with field visits to each. The audit covered export certificates issued during the period from April, 2010 to September, 2011.

The audit assessed the processes and procedures used to issue CFIA export certificates from receipt of the request for certificate to the issuance of invoice for the service. The audit did not assess the following related activities in certificate process, namely:

• Registration of establishments;
• Inspections and compliance verifications;
• Licensing of exporters;
• Monitoring compliance with arrangements; and,
• Managing non-compliance.

1.4 Main Findings and Recommendations

Finding 1.0: Data Management

Data related to issued export certificates is not consistently recorded, is incomplete and may be at risk of being lost. The Agency may not have adequate information to appropriately monitor its export certification activities.

Recommendation 1.0:

The Vice President, Policy and Programs Branch, in collaboration with the Vice President, Operations Branch, should develop and implement a short-term solution to ensure that the required export certificates information is available, until the Enterprise Electronic Certification project is implemented.

Finding 2.0: Security Practices

Security standards have not been established for all programs with respect to export certificates and security practices are not consistent between programs. Programs that have less security may be exposed to risk.

Recommendation 2.0:

The Vice President, Policy and Programs Branch, in collaboration with the Vice President, Operations Branch, should assess the security risk related to export certificates, including stamps and crimps, and develop and implement the appropriate security guidelines.

1.5 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.

1.6 Audit Opinion^Footnote 1

In my opinion, the management of export certificates has weaknesses, with risk exposures related to control, and risk management.

Brian Smith
Acting Chief Audit Executive, CFIA

2.0 About the Audit

2.1 Background

Export certification plays an important role in Canada's international trade and helps to protect the excellent international reputation of Canada's exports of food, plants, animals and associated products. The export activities supported by the Canadian Food Inspection Agency (CFIA) are significant. For example, Canada is the world's fourth largest exporter of food products, with 2010 exports estimated at $35.4 billion. The food export market accounts for approximately 350,000 Canadian jobs.

As per 2010-2011 Report on Plans and Priorities, one of the CFIA commitments is to continue to provide scientific and technical expertise to facilitate trade and maintain market access for Canadian food, plant and animal exports. Export certification supports the CFIA in fulfilling its commitment by assuring importing countries that these goods meet safety and quality standards.

The CFIA is recognized by foreign governments as the competent authority in Canada for the regulation of food, plants and animals. The CFIA issues export certificates for commodities in all its business lines. These export certificates provide certification statements to meet foreign country import requirements.

Each commodity's export certification procedures are bound by distinct Acts and Regulations. Acts establish authorities for CFIA to inspect and certify exports, and for the creation of Regulations. Regulations do not spell out detailed conditions for export. Instead, they specify that shipments must meet importing country requirements. These requirements are used by inspectors in the everyday execution of export certification. Each commodity also has a manual, which outlines general export procedures, required information on export certificates, and roles and responsibilities.

As each commodity is governed by unique legislation, there is no standard export certification process across programs. Consequently, the certification process differs slightly from program to program.

2.2 Objective

The objective of this audit was to provide assurance that CFIA export certificates are well-managed and in accordance with relevant legislations, policies, directives and standards.

2.3 Scope

The scope of this audit included the three business lines of the CFIA - food, plant, and animal, and included the Operations Branch and Policy and Programs Branch, where the activity takes place. The scope covered all Areas, with field visits to each. The audit covered export certificates issued during the period from April, 2010 to September, 2011.

The audit assessed the processes and procedures used to issue CFIA export certificates from receipt of the request for certificate to the issuance of invoice for the service. The audit did not assess the following related activities in the certification process, namely:

• Registration of establishments;
• Inspections and compliance verifications;
• Licensing of exporters;
• Monitoring compliance with arrangements; and,
• Managing non-compliance.

Audit planning was initiated in April 2011 with audit fieldwork beginning July 2011 and completed September 2011.

2.4 Methodology

Audit criteria and detailed sub-criteria (see Appendix A) were developed to serve as standards against which our assessment could be made, clarify the audit objectives and form a basis for the work plan and the conduct of the audit. The audit focused primarily on the controls surrounding the management of export certificates. The issuance of certificates is an activity which is embedded in the programs. Therefore, most of the controls related to governance and risk management have only limited application to this audit. The following provides a summary of the Audit Criteria:

1. Management provides CFIA employees with the necessary tools, resources, information and training to support the issuance of export certificates.
2. Controls are in place to ensure the integrity of export certificates.
3. All export certificates are invoiced and fee is charged in accordance with the approved fee for services.
4. Controls surrounding the practice of pre-signed export certificates are effective.
5. Export certificates and related documentation are kept and are accurately recorded in the appropriate database.
6. Management monitors actual performance and adjusts course as needed.

The audit was conducted in a manner consistent with the TB Policy on Internal Audit. The following approach was used by the audit team to gather evidence and meet the audit objective:

• Interviews with key staff;
• Identification and collection of documents/data;
• Document review, evaluation and interpretation; and
• Sampling and analysis.

Field visits were conducted to all Areas, and covered the following programs: Terrestrial Animal Health, Plant, Meat and Poultry Products, Fish and Seafood, Fresh Fruit and Vegetables, Dairy, and Eggs and Egg Products. These programs issue over 95% of all CFIA export certificates.

3.0 Findings and Recommendations

3.1 Introduction

This section presents detailed findings from the Audit of the Management of Export Certificates. Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit conduct. In addition to the findings presented below, observations of conditions that were outside of the working scope of the audit and are non-systemic and of lower materiality and risk have been communicated to management for their consideration.

3.2 Main Findings and Recommendations

Finding 1.0: Data Management

Once issued, we expected copies of export certificates to be filed in a way that would permit retrieval and provide a documentation trail. We also expected that the export certificate information would be recorded to permit monitoring and analysis for decision making.

Most of the locations that we visited maintained a log of certificates issued, and filed a paper copy of the certificate in a way that would be easy to retrieve. Some locations have electronic copies.

The CFIA does not have a single system to maintain electronic data on export certificates. Systems differ between programs and commodities, and include the Export Certification System (ECS), the E-Cert System, the Multi Commodity Activity Program (MCAP) system, the Tracking Import and Export System (TIES). The TIES database is on software that is not supported by the Information Management and Information Technology Branch.

Data is used by CFIA for departmental reporting, supporting negotiations with foreign countries, and for planning. Some data from certificates is forwarded to Agriculture and Agri-Food Canada (AAFC); AAFC performs market analysis which is made available to interested groups in Industry.

Data capture for some programs such as Fish and Seafood and Plant Health is done in local offices. For other programs, such as Meat and Poultry Products, and exports of live animals, certificates are sent to Headquarters for entry into the system. Data collection is largely paper based and resource intensive requiring the transcription of paper based data into an electronic system.

We found that electronic data is incomplete:

• Some certificate types are not captured at all. For example, animal by-products and plant re-export certificates are not captured. Based on discussion with staff, we would estimate that thousands of certificates are not captured in electronic data bases.
• Staff in local offices has indicated to us that some data is not captured because of resource limitation. For example, one office did not enter a large number of pre-signed fish export certificates. Another office is not entering data on manual Phytosanitary certificates.

Some data is late in being recorded. In particular, we noted a time lag of several months in the recording of data related to our samples of live animal certificates.

In the absence of complete and readily available data, CFIA relies on other data sources (e.g. The U.S. Department of Agriculture provides data on Canadian meat exports to the U.S.) and ad hoc manual rollups or estimates from Agency area offices.

Management recognizes that there is a need to build a better agency wide system which would be more effective and efficient in maximizing the use of CFIA resources in tracking this information. The Agency has initiated the Enterprise Electronic Certification project which may address issues relating to the completeness of export certificate data. The project is in the initiation phase, and is forecasted to be implemented in 2016.

Until this project is implemented, the Agency's ability to appropriately monitor and resource its export certification activities is at risk. In addition, the Agency's reputation may be affected if data that is shared with external stakeholders is lost, late, or incomplete.

Recommendation 1.0:

The Vice President, Policy and Programs Branch, in collaboration with the Vice President, Operations Branch, should develop and implement a short-term solution to ensure that the required export certificates information is available, until the Enterprise Electronic Certification project is implemented.

Finding 2.0: Security Practices

We expected the Agency to take measures to ensure the authenticity of certificates. We also expected that access is controlled to pre-printed export certificates, export stamps and crimps.

Some CFIA export manuals speak to the requirement to exercise control over export certificates, the stamp, and other export related items. However, the CFIA does not have a security standard that would apply to all programs.

We found in our visits that offices that use pre-printed certificate forms control their usage by locking them up, and maintaining logs of who received the certificates. However, some certificates can be printed through the use of desktop e-Forms or ordered from a printer via the CFIA Intranet by any CFIA user.

Except for one location, all offices visited kept stamps and crimps in places that were inaccessible to the public. The one office locked up the stamp after our visit. Offices kept the stamps and crimps in the reception area, or locked up in a box, or assigned them to authorized staff. However, offices did not maintain a record of issued stamps and crimps.

We observed several good practices that help to ensure the authenticity of export certificate documents including the use of colour or special paper and thermo chromic ink where reproduction of the document results in the word "copy" appearing on the certificate. Certificates contained CFIA logo and some certificates contained unique sequential numbers. Other certificates are crimped so that the original paper has an uneven surface. Another good practice was advising importing countries in advance of issued certificates. Generally, we found that certificates for the meat program had the strongest control to ensure export certificates authenticity.

Security practices relating to export certificates vary from program to program, and within programs depending on the certificate type. We were advised that the Agency has better security practices where inappropriate use has been discovered in the past. Staff indicated an awareness of the risks associated with inappropriate use of certificates. However, this risk has not been formally quantified, and some programs that have less security may be exposed to risk.

Recommendation 2.0:

The Vice President, Policy and Programs Branch, in collaboration with the Vice President, Operations Branch, should assess the security risk related to export certificates, including stamps and crimps, and develop and implement the appropriate security guidelines.

4.0 Appendix A: Detailed Audit Criteria

1. Management provides CFIA employees with the necessary tools, resources, information and training to support the issuance of export certificates

1.1 Necessary tools and resources (e.g. export manuals, certificates, software and relevant information) are available, up-to-date and CFIA staff is able to access them easily.

1.2 There is a systemic process to update foreign country requirements, and all changes are approved.

1.3 Updates and changes related to export certificates are communicated regularly to employees issuing export certificates.

1.4 Training related to issuance of export certificates, formal or informal, is well defined and provided to inspection staff.

2. Controls are in place to ensure the integrity of export certificates

2.1 Export certificates and its supporting documentation (e.g. request/application, inspection report) are available and filled according to relevant guidelines.

2.2 Access to pre-printed export certificates, export stamp and/or crimp is controlled.

2.3 Measures are taken to ensure authenticity of certificates.

3. All export certificates are invoiced and fee is charged in accordance with the approved fee for services

4. Controls surrounding the practice of pre-signed export certificates are effective

5. Export certificates and related documentation are kept and are accurately recorded in the appropriate database

5.1 Certificates are filed in a way that would permit timely retrieval of information.

5.2 Certificates are completely and accurately logged, or entered into the appropriate data base.

6. Management monitors actual performance and adjusts course as needed

6.1 Active monitoring is demonstrated. Results of performance measurement are documented, reported to required authority level and factor into decision making.

6.2 Complaints from exporters and foreign importers are analyzed and addressed.