What to Expect—An Auditee’s Guide to the Performance Audit Process
7. Handling and treating information
During the audit process, the Office of the Auditor General of Canada (OAG) and the audited entity exchange information that needs to be handled and treated with due care.
One underlying principle of auditing is a duty of confidentiality with respect to an audited entity’s affairs.
The OAG makes every effort to ensure that it keeps audit information in its direct possession. The OAG’s Code of Values, Ethics, and Professional Conduct requires that all staff be familiar with the security aspects of their work and consider it an important and essential individual responsibility.
For all information received from an entity, auditors must, at a minimum, comply with the same security arrangements that apply to the entity’s employees.
The following table shows various means by which the OAG ensures the confidentiality of entity documents.
Timeline | Documents from OAG | Documents from entity |
---|---|---|
Start of audit |
|
|
End of planning phase |
|
|
Reporting phase |
|
|
One week after tabling |
|
During the audit, the audit team provides the audited entity with controlled documents, such as the Audit Plan Summary, the principal’s (PX) draft report, and the deputy minister’s (DM) transmission draft report. These protected documents are OAG property.
Entity staff members are required to respect the confidentiality of the content of OAG-controlled documents and must ensure that these documents are not copied, reproduced, distributed, republished, downloaded, displayed, posted, or transmitted in any form or by any means without the prior written consent of the OAG.
References to controlled documents should contain only section and paragraph numbers. The contents of these documents must be treated with appropriate discretion. Disclosing the Auditor General’s findings prior to tabling is viewed as an infringement on the rights and privileges of Parliament.
By default, controlled documents are submitted electronically to the entity’s OAG liaison and to pre-identified recipients, and can only be accessed during a specific period of time, until their access expires.
When OAG-controlled documents in hard copy are submitted under exceptional circumstances, they are numbered and must be returned to the OAG within one week after the relevant report is tabled in the House of Commons.
Entities must track the internal distribution of the provided OAG-controlled documents in hard copy (if any) and return them to the OAG. Entities are not permitted to destroy or shred these documents and are expected to immediately inform the OAG if any are lost or made public.
The Access to Information Act, section 16.1(1), requires the Auditor General of Canada to refuse to disclose any record requested under the Act that contains information obtained or created by the OAG or on its behalf in the course of an investigation, examination, or audit conducted by the OAG or under its authority. Members of the public cannot access audit plan summaries, draft audit reports, or other audit documents, such as audit working papers, held by the OAG.
At the start of the audit, the entity’s OAG liaison confirms the preferred language of communication and the official language in which the entity requires the PX and DM drafts.