The National Security and Intelligence Review Agency (NSIRA) recently released its review of the Canada Revenue Agency’s (CRA) Review and Analysis Division (RAD), the CRA unit responsible for assessing terrorism financing risks within the charitable sector. The report looked at how terrorism risk is assessed, how audits are initiated, and whether these processes are discriminatory on the basis of religion.

It concluded that there was “a lack of rigour in RAD’s processes” which resulted in a number of RAD audits where the charities did not present “credible risks of terrorist abuse.”

THE ESSENTIALS

Why This Report Matters

First, although buried in an annex, this report tells us that the number of religious charities is likely under reported in the CRA’s data. This is because charities are given only one code by CRA and a dual-purpose organization (advancing education and advancing religion) may have only an education-related coding.

Second, the report points out deficiencies in RAD’s audit processes, specifically that they need to be more consistent, better documented, and be regularly reviewed to ensure accuracy and relevance.

Third is CRA’s response to the report which shows it is willing to receive and act on some, but not all, recommendations from reviews of its activities.

Fourth, the impetus for the review was grounded in concerns about religious discrimination but it did not conclusively demonstrate that RAD audits are biased. The CRA does not collect this demographic information for the purposes of audit and could neither refute nor substantiate the claims. RAD’s “general scrutiny of the subset of charities may be justified” but only where it is based on credible risks of terrorist abuse, “using rigorous methodologies and practices” and these require attention and remediation.

Fifth, and finally, it provides a small but interesting window into RAD’s work.

What Comes Next?

CCCC takes the position that all charities should be treated fairly, respectfully and on the basis of a principled regulatory and policy framework. The NSIRA review is an important part of ensuring transparency in whether and how government agencies meet these expectations.

In this case, the CRA has committed to addressing important issues of process and documentation deficiencies. We will monitor how RAD and CRA implement changes in response to the recommendations because all charities, regardless of religious identity, should be treated with respect. Consistent, fair and principled oversight is in everyone’s interest.

THE DETAILS

What Is RAD and Why Does It Matter?

RAD was established in 2003 as a specialized division within CRA that focuses on risks of terrorism financing through registered charities. It manages a compliance program based solely on terrorism-related risk indicators. Its work is informed by leads from media, intelligence partners, internal referrals, and public tips. After assessing terrorism risks, RAD may complete a comprehensive assessment that will, in turn, leader to recommending a RAD audit, referring to CRA’s Compliance Division, continuing monitoring or discontinuing monitoring.

RAD audits represent less than 0.5% of all Charities Directorate audits.

What is NSIRA and Why Did It Complete this Review?

NSIRA is an independent body reporting to Parliament. Its role is to review national security activities to ensure they are lawful, reasonable, and necessary.

In this case, NSIRA reviewed how RAD selects charities for terrorism-related audits to assess whether its practices are discriminatory on the basis of religion.

The review focused on RAD’s pre-audit decision-making processes, analyzing 15 charity files (from a pool of 37 completed RAD audits), with “particular attention” paid to the eight charities selected for audit after 2016. It also sampled all risk assessments conducted from 2020 to mid-2024.

Overview of NSIRA’s Key Findings

Important Role but Process Problems

NSIRA affirmed that CRA audits help fulfill Canada’s international obligations to combat money-laundering and terrorist financing in the charitable sector. But in fulfilling this function, NSIRA concluded that there was “a lack of rigour in RAD’s processes” such as lack of documentation and not properly validating risks. In half of the 37 audit files reviewed, there was no record of why audit selection was approved for the charity and the files lacked consistency in how risks were captured and assessed. In some cases, the terrorism risks were based on outdated information, mitigating information was sometime sought after an audit began, or audits were not driven by credible risks of terrorist abuse.

Religious Discrimination

When it comes to the question of possible religious discrimination, the report concluded that RAD’s processes “place it at risk of breaching its non-discrimination obligations” under the Charter; however, CRA does not collect demographic data to either refute or substantiate claims of discrimination so NSIRA relied on contextual information.

At the same time, NSIRA explained that while CRA does not track demographic affiliations, “the one exception pertains to the ‘advancement of religion’ category code, where data does exist.” The report states that as of March 2025, “0.66% of registered charities are characterized as advancing Islam” but 35% of the charities audited by RAD were under this category code, a notable and significant difference.

The report also noted that “the religious affiliation of Canada’s listed terrorist entities and the NIRA’s terrorism financing threat group of actors reflects a roughly similar proportion to the charities audited by RAD.” The table below reflects how listed terrorist entities were characterized when the report was written, and those audited by RAD from 2009-2022 (paras 31-33; footnote 15).

RAD relies on the listed entities as identified by the Government of Canada but does not make decisions about listing.  NSIRA states that: “In the context of RAD’s mandate to protect the charitable sector against vulnerability to exploitation by terrorist actors, RAD’s general scrutiny of the subset of charities may be justified. However, this is only true insofar as RAD maintains strict attention on those charities that are credibly at risk of terrorist abuse, using rigorous methodologies and practices.”

In recent years, listed terrorist entities have become more diverse, and as a result RAD includes this diverse range of charities in its initial risk assessments. RAD explained that more recently listed entities are not currently known to use the charitable sector to finance their activities (para 34).

NSIRA’s Six Recommendations & CRA’s Response

On the same day that NSIRA released its report, the CRA released its response. It fully agreed with three of the recommendations (#2, #3, #5), generally agreed with one (#4), and disagreed with two (#1, #6).

1. That the CRA collect and evaluate demographic data from the sector to ensure its treatment of charities is not discriminatory.

The CRA disagreed with this recommendation, citing the Privacy Act, which governs collection and use of personal information. The CRA can only collect information that relates directly to an operating program or activity. If the information is not necessary to regulate the sector or serve a compliance-related purpose, the CRA cannot require it be disclosed. The CRA affirmed that “it does not select registered charities for audit, nor does it apply policies or procedures differently, based on any particular faith or denomination.”

On this point, it seems collecting this information outside of the context of a charity’s category code could be extremely complex, if it is even desirable or permitted by law. Is the demographic data that of the directors? Or is it the identity of the charity? In the case of the latter, the category code could already provide helpful data. If it is the former, it becomes problematic and complicated as directors may serve on a wide range of boards that reflect some, all, or none of their particular personal demographic identifiers.

2. That RAD develop an evidence-based way of validating its risk indicators.

The CRA agreed with this recommendation stating that its risk indicators are consistent with international standards which have remained relatively stable. Nonetheless, it will develop and implement a formal periodic review.

3. That RAD formally document its decisions about when, and on what basis, it audits.

The CRA agreed with this recommendation. Effective for 2025-26 fiscal, a formal tracking mechanism will be used to oversee audit referrals, refine processes, and formally document audit decisions.

4. That RAD update its process for assessing risk of terrorist abuse in a charity.

The CRA generally agreed with this recommendation. Its current practice is to evaluate information used in risk assessment against established research standards. NSIRA pointed to examples of using dated information, but the CRA explained that “this information alone did not serve as a primary or significant basis for audit referral.” Because of NSIRA’s concerns, the CRA will examine its process to identify further measures that could reduce risks of bias in decision-making.

5. That RAD ensure it decision-making pre-audit is supported by current, credible information.

The CRA agreed with this recommendation. It reflects CRA’s current practice for evaluating information used in risk assessments against established research standards. NSIRA found examples of RAD using dated information, but the CRA explained that information alone did not serve “as a primary or significant basis for an audit referral.” The CRA will examine current processes and procedures to reduce the risk of bias in decision-making.

6. That the CRA compare audit outcomes between RAD and the Compliance Division to determine whether any identified differences are justified.

The CRA disagreed with this recommendation. Audit outcomes are determined on a case-by-case basis and seek to enforce uniform regulations that apply to all registered charities, including risks related to terrorist abuse. Even so, the CRA committed to reviewing its audit program for any improvements that could support consistent, risk-based audit approaches.