What to Expect—An Auditee's Guide to the Performance Audit Process

4—Handling and treatment of information

One of the underlying principles of the auditing profession is a duty of confidentiality with respect to the affairs of the entity subject to audit. The Office of the Auditor General (the Office or OAG) ensures the confidentiality of its audited entities' documents in a number of ways.

The OAG makes every effort to ensure that audit information is kept in its direct possession. For all information that the auditors receive from an audited entity, the auditors must, as a minimum, comply with the same security arrangements that apply to employees of that entity. The OAG's Code of Values, Ethics, and Professional Conduct requires that all staff be familiar with the security aspects of their work and consider it an important and essential individual responsibility.

The Access to Information Act, Section 16.1 (1), requires the Auditor General of Canada to refuse to disclose any record requested under the Act that contains information obtained or created by the Office or on its behalf in the course of an investigation, examination, or audit conducted by the Office or under its authority. Members of the public cannot obtain access to entity plan summaries, draft audit reports/chapters, or other audit documents, such as audit working papers, held by the Office. This is why OAG audit documents that are circulated externally are numbered and why the Office asks that they be returned within one week after tabling of the relevant report in Parliament.

Early in the audit. Early in a performance audit, the audit team will provide the audited entity's OAG contact/liaison person with the names and security clearance levels of OAG and contract staff who will require access to the entity. If any changes are required to be made to this list during the audit, the audit team will notify the entity's OAG contact/liaison person in a timely manner.

The OAG will also issue a letter to the deputy head or other senior management requesting access under the powers granted by the Auditor General Act to, among other things, documents that may be subject to solicitor/client and other privileges. The deputy head or other senior management responds in writing that the entity will comply with its duty under the Act and that provision of the documents to the OAG will not constitute a waiver of any privilege attached to the documents. The exchange of letters maintains the privileged nature of the information provided to the OAG for audit purposes. The OAG respects the confidentiality of the documents and does not refer to them in its reports.

Examination phase. Early in the examination phase of the audit, the OAG provides entities subject to audit with a report (entity plan summary) on the objectives, scope, approach, and criteria of the audit. The OAG sends numbered/controlled copies of this report on the Office's "protected" red-bordered paper to the entity's OAG contact/liaison person. This person coordinates comments on the suitability of the criteria and the entity management's responsibility for the subject area.

Reporting phase. During the reporting phase of the audit, the OAG initially sends copies of the principal (PX) draft chapters to audited entities for confirmation and validation of facts. These draft chapters are numbered and printed on the Office's "protected" red-bordered paper and are normally distributed through the entity's OAG contact/liaison person.

Audited entities are required to consider the entity plan summary, draft audit chapters, and other audit documents as "controlled" documents and to respect the confidentiality of their contents.

After tabling of the report. Audited entities are required to track the internal distribution of all controlled documents and return them to the OAG no later than one week after tabling of the report. Audited entities are no longer permitted to destroy or shred such documents. In addition, they are expected to immediately inform the OAG if any numbered/controlled audit document is lost or made public.

Additional resource

Related information sheets