OTTAWA — Canada's tax collectors are the latest group of public servants to come under fire from federal auditors for sloppy security since the Sept. 11, 2001 terrorist attacks.

The newly released findings, alongside previous audits of other federal departments, suggest that Ottawa's vaunted security program is not percolating down to the front lines.

The latest report, which investigated computers at the Canada Revenue Agency, found that laptops used outside the office were not locked up properly; confidential information was kept on computers that were vulnerable to hacking; and workers did not know they're required to report criminal activity.

The audit, dated December 2004 and obtained under the Access to Information Act, was based on an employee survey, random testing and inspection of computers across the country. Parts of the released document were censored.

The survey of some 3,000 workers found that more than half did not know how to report a security incident, and about one-quarter "did not realize that reporting criminal or unlawful activity was mandatory."

Managers who were interviewed said they were unsure about whether - or even how - to monitor the department's electronic systems.

Auditors found unapproved software on 38 per cent of the computers they checked, and determined that department laptops too frequently lack updates in their virus-fighting programs.

The 2004 survey also found that about one of every 10 laptop users did not lock up their computers when out of the office, as required.

The auditors found other problems as well, including sloppy control of the user IDs that employees are assigned to give them access to confidential tax files.

The document refers obliquely to "security incidents" that have occurred at the agency, but does not provide details.

However, 15 agency laptops were reported stolen in 2003 from a Calgary office. Officials said at the time that none of the sensitive data on the laptops could be accessed by outside parties.

A month earlier, four computers were stolen from an agency office in Laval, Que., containing information on 120,000 Canadians, including their social insurance numbers.

Canada Revenue Agency spokesman Christian Girouard said that in response to the audit findings, the department has revised security policies and sent 1,200 workers to "security awareness sessions" as of last month.

He added that the audit was routine. "We do these things to see where we can better our efforts."

Other federal departments have come under fire for sloppy security since Sept. 11, 2001:

• A 2004 audit of the Fisheries Department found that most of its employees "are still unaware of basic security requirements and responsibilities."
• A 2002 audit of the Defence Department found that military security officers were poorly prepared and badly trained. "A general lack of awareness regarding security issues seemed to prevail at each of the five facilities visited," said the report.
• A 2002 audit of Transport Canada found up to 5,000 confidential documents - some related to airport security - mistakenly posted on a widely accessible database that was vulnerable to hackers.

In March last year, Auditor General Sheila Fraser reported on other security problems across government, despite a $7.7-billion, post-Sept. 11 program to improve security.

Information about the 25,000 Canada passports lost or stolen each year was not made available to key border officials, she found. Watch lists used to screen visa applicants and others were in disarray. And 4,500 people working at airports were found to have possible criminal associations.

"The government as a whole did not adequately assess intelligence lessons learned from critical incidents such as September 11," Fraser concluded.