What to Expect—An Auditee’s Guide to the Performance Audit Process

A performance audit consists of three phases:

• planning,
• examination, and
• reporting.

Planning phase

The audit team of the Office of the Auditor General of Canada (OAG) acquires appropriate knowledge of the audited entity, the activities or programs to be audited, and the current issues facing the entity. The audit team makes various inquiries as part of the planning phase, to obtain a good understanding of the subject being audited. Some specific inquiries are in fact required by auditing standards. The team uses this knowledge to develop its audit strategy, which includes an Audit Plan Summary and audit programs.

The team also identifies its initial information needs and specifies areas in the entity and locations or sites where the team expects to conduct preliminary fact finding.

Entity notification. To initiate the audit, the OAG sends a letter of notification and solicitor-client privilege to the deputy head of the entity. This letter formally notifies the deputy head of the OAG’s intention to conduct an audit and requests timely access to information and personnel. The entity will be asked to confirm its understanding, in writing, within five working days of its receipt of the letter.

Multiple entities. Issues may apply to more than one federal department or agency. When a performance audit includes many departments and agencies, the OAG

• sends letters of notification and solicitor-client privilege to all entities included in the audit scope, and
• informs each entity of the administrative arrangements to follow when meeting or communicating with the OAG.

Examination phase

The audit team gathers the evidence to support its findings and conclude against the audit objective. Therefore, during the audit, the entity can expect the audit team to request documents and interviews to ensure there is sufficient and appropriate evidence to assess against the criteria. Early in this phase, the team indicates any plans to rely on work conducted by, or on behalf of, the entity’s internal audit unit.

Reporting phase

The audit team formally presents, in writing, the findings against the criteria used, the conclusion against the audit objective, and the recommendations through two key audit drafts provided for external comment:

• the principal’s (PX) draft report, and
• the deputy minister’s (DM) transmission draft report.

Before publishing a final report, the OAG provides entities with the opportunity to review and comment on draft audit reports to validate facts and provide responses to the recommendations for inclusion in the audit report.

Planning phase

During this phase, the audited entity

• arranges timely meetings between the entity’s senior management and other staff and the OAG to discuss the audit subject matter;
• provides the audit team with the information needed to understand the areas subject to audit, as well as information on lines of responsibility, sources of criteria, risks, management concerns, and any related internal audits, evaluations, or studies that were published previously; and
• facilitates any field visits to entity or project sites.

After receiving the notification and solicitor-client privilege letter, the deputy head of the entity is expected to acknowledge in writing that the entity will respect the confidentiality of the OAG-controlled documents to be provided during the course of the audit. This acknowledgement also confirms that the entity will comply with any requests that the OAG makes for access to relevant documents under the control of the entity, including those documents to which solicitor-client privileges are attached.

The entity is expected to identify one of its officials as its OAG liaison for the audit. The liaison

• coordinates the flow of information between entity officials responsible for the subject matter of the audit and the audit team, to help advance the audit process and minimize miscommunication or misplacement of documents;
• informs the audit team of the preferred language of communication, especially for audit documents provided to the entity;
• informs the OAG of the language requirements for the PX and DM drafts; and
• provides a list of recipients who need electronic access to OAG controlled documents.

The entity is also expected to brief its staff on the audit’s purpose, nature, and timetable.

At the end of the planning phase, the entity is also required to review the Audit Plan Summary and acknowledge its responsibilities for the subject being audited and the terms of the engagement, including the suitability of the criteria as a basis for assessing whether the audit objective has been met.

Examination phase

Entity officials are expected to review and sign off on documented meeting and interview minutes prepared by the OAG if the OAG indicates its intention to rely on such records as audit evidence during the audit. Officials should normally sign off within five working days.

Reporting phase

The entity is expected to review the draft reports, validate facts and provide responses to any recommendations made. The entity is also expected to confirm that it has provided the OAG with all information requested or information that could significantly affect the findings or the conclusion of the audit report.

Planning phase

The audit team reviews the audit schedule and key milestones with entity officials to determine whether any changes are needed. If changes are needed, the parties are expected to discuss how best to adjust deadlines to ensure the quality of reports within the OAG’s report production schedule.

The team also discusses how the OAG will brief the entity’s senior management (and if requested, the departmental audit committee) on the results of the audit.

Opening meeting. The team holds an opening meeting with entity officials, including the deputy head where appropriate, to

• launch the audit in the entity, and
• discuss the planned audit to gain a better understanding of the areas being audited.

Before the meeting, the audit team notifies the audited entity of the main topics to be discussed. The entity is expected to make every effort to ensure that the appropriate entity officials attend this meeting.

Audit meetings and briefings. The level of officials participating in audit meetings and briefing sessions depends on the subject matter discussed and on officials’ availability.

To reinforce ongoing communication, the liaison(s) at the entity(ies) should have the authority and responsibility to

• set up regular meetings throughout the audit,
• ensure that appropriate individuals attend, and
• help resolve any problems or barriers to completing the audit.

The OAG will provide the entity with an opportunity to discuss the proposed audit plan.

Examination phase

The entity is expected to discuss issues with the audit team and indicate any changes that are under way. The entity should also be prepared to answer questions related to the main topics discussed at meetings with the team.

The team periodically briefs entity officials and senior management on emerging findings throughout this phase and ensures that it gets the views of the deputy head.

Officials are expected to participate in briefings to

• understand the nature and the implications of the findings,
• understand the proposed recommendations, and
• ask the OAG questions related to the audit.

Reporting phase

The OAG’s engagement leader normally offers to consult with the entity’s senior management at the key decision points during the audit.

How the OAG will brief the audited entity should be agreed on before the examination phase ends. Appropriate senior entity officials are expected to participate in these debriefings.

The audit team offers briefings to senior entity officials to seek their views on the validity and completeness of audit evidence, audit findings, conclusions, and recommendations, including corrective actions to be taken. The OAG makes every effort to resolve disagreements quickly, professionally, and respectfully.

At the end of the planning phase, the OAG provides entities with an Audit Plan Summary (APS), a document that shows

• the audit objective(s),
• the audit scope and approach,
• the audit criteria and their sources,
• the responsibilities of the entity and the OAG,
• the plans, if any, to rely on the work of the entity’s internal audit, and
• the audit timetable and team.

Objective, scope, approach, and criteria

The OAG team meets to discuss the audit objective(s), scope and approach, and criteria as stated in the APS. OAG grants the entity’s OAG liaison and identified recipients electronic access to a controlled version of the APS.

Once the APS is sent to the audited entity, the OAG asks the deputy head to provide, within the established time frame, written acknowledgement of

• the entity management’s responsibility for the subject matter of the audit, and
• the suitability of the audit criteria against which the entity will be assessed.

Multiple entities

The OAG asks each audited entity to formally acknowledge its responsibility for areas included in the audit scope.

Significant changes

The team informs the audited entity, in writing, of any significant changes made to the APS and, if needed, issues a revised version to the entity.

The entity informs the OAG if these changes affect the entity’s position on management’s responsibility for the area under audit or the suitability of the criteria.

Unresolved disagreements

If required, the OAG discloses, with an appropriate explanation in the audit report, any unresolved disagreements about criteria or the entity management’s acknowledgement of its responsibility for the program or area being audited.

The audit team seeks written comments on the principal’s (PX) draft report. The team is also required by auditing standards to seek written confirmation that the audited entity has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding information classified as Cabinet confidence).

The team also asks for draft responses to the recommendations (modified, as appropriate, to reflect discussions).

The team provides electronic access to a protected copy of the draft report to

• identified recipients, and
• the entity’s OAG liaison (who needs to coordinate comments by parties responsible for audited areas).

Multiple entities

All audited entities receive the full PX draft if they all agree to this approach. This gives them the full context of the audit and allows them to see the complete findings and conclusions. Otherwise, they receive only the portions of the PX draft relevant to their own operations. Only entities mentioned directly in recommendations are required to respond to them.

Discussions about the draft report

The audit team may need to meet with entity officials to discuss the entity’s comments. Such meetings are scheduled with due consideration for the report production schedule.

If required, the OAG’s engagement leader meets with the entity’s deputy head or other senior management (usually at the Assistant Deputy Minister level, as appropriate) to discuss the draft, including the suitability of the proposed audit recommendations and the potential responses to them.

Expectations for entities

Each audited entity is expected to

• review the draft report,
• provide its position on the accuracy of the text,
• flag any disputed facts (accompanied by all the supporting evidence it has),
• inform the team of any new developments,
• provide written confirmation that it has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding information classified as Cabinet confidence), and
• provide written responses to the recommendations.

Updates to the report

After careful consideration, the team revises the PX draft if necessary to reflect the discussions and comments received from

• each audited entity, and
• applicable third parties (that is, federal entities—departments, agencies, Crown corporations—not included in the audit scope but identified directly or indirectly in the report).

If required, the deputy head or designate is expected to meet with the engagement leader to try to resolve any outstanding issues and reach either an agreement or a clear, shared understanding of points on which they “agree to disagree.”

Highlighted sections

Some sections of the draft are highlighted, marking text to be reproduced or repurposed in the OAG’s report communications products.

While acquiring audit evidence, the OAG encourages entity officials to validate facts to help ensure the evidence’s accuracy, relevance, and completeness.

This process may require a series of meetings with entity officials to ensure they agree on the facts gathered during the audit examination and field work.

While validating facts, entity management (including senior entity officials) is expected to examine all statements of fact and provide corrections with appropriate supporting evidence if it identifies

• factual errors,
• omissions,
• context changes, or
• new information.

The entity is expected to review the PX draft and provide its position on any disputed facts, accompanied by all supporting evidence the audited entity has.

The audit team prepares the deputy minister’s (DM) transmission draft report. The DM draft

• reflects the team’s disposition of discussions between the team and the entity since the conclusion of the PX draft stage, and
• includes the final recommendations and draft entity responses to recommendations.

Electronic access to a protected copy of the draft report is provided to identified recipients and to the entity’s OAG liaison.

The DM draft is submitted in one or both official languages (depending on the agreement established with the audited entity during the planning phase).

Expectations for deputy heads

The deputy head is expected to

• confirm the findings are factual,
• confirm the final responses to the recommendations, and
• specify areas of and reasons for disagreement.

Multiple entities

After the facts in the PX draft are confirmed and validated, the OAG normally sends a complete copy of the DM draft to all entities covered by the audit scope. The draft includes the draft entity responses to recommendations. The entities are expected to

• provide final comments, and
• confirm that their responses to the recommendations are final.

Translated report

If the entity has requested the DM draft in one official language only, the translation of the final report is provided a week before the report is tabled in the House of Commons.

If the entity has requested the DM draft in both official languages and the translated version is sent after the original version, the translated version is submitted within the established time frame. No additional comments or sign-off is required, since both English and French drafts undergo additional proofreading and formatting before being tabled in the House of Commons.

Unresolved Differences

If required, the OAG discloses, with an appropriate explanation in the audit report, any unresolved disagreements around the validity of facts and/or its ability to obtain confirmation from the entity that it has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding Cabinet confidences).