What to Expect—An Auditee’s Guide to the Performance Audit Process

7. Handling and treating information

During the audit process, the Office of the Auditor General of Canada (OAG) and the audited entity exchange information that needs to be handled and treated with due care.

One underlying principle of auditing is a duty of confidentiality with respect to an audited entity’s affairs.

The OAG makes every effort to ensure that it keeps audit information in its direct possession. The OAG’s Code of Values, Ethics, and Professional Conduct requires that all staff be familiar with the security aspects of their work and consider it an important and essential individual responsibility.

For all information received from an entity, auditors must, at a minimum, comply with the same security arrangements that apply to the entity’s employees.

The following table shows various means by which the OAG ensures the confidentiality of entity documents.

Timeline Documents from OAG Documents from entity
Start of audit
  • Letter of notification and solicitor-client privilege
  • Acknowledgement letter from deputy head
End of planning phase
  • Audit Plan Summary
  • Acknowledgement letter from deputy head
Reporting phase
  • Principal’s (PX) draft report
  • Deputy minister’s (DM) transmission draft report
  • Confirmation letter from the Assistant Deputy Minister (or Deputy Minister) on information provided
  • Letter acknowledging that the report is based on facts and is containing final responses to recommendations
One week after tabling

  • Return of OAG-controlled documents in hard copy, if any

During the audit, the audit team provides the audited entity with controlled documents, such as the Audit Plan Summary, the principal’s (PX) draft report, and the deputy minister’s (DM) transmission draft report. These protected documents are OAG property.

Entity staff members are required to respect the confidentiality of the content of OAG-controlled documents and must ensure that these documents are not copied, reproduced, distributed, republished, downloaded, displayed, posted, or transmitted in any form or by any means without the prior written consent of the OAG.

References to controlled documents should contain only section and paragraph numbers. The contents of these documents must be treated with appropriate discretion. Disclosing the Auditor General’s findings prior to tabling is viewed as an infringement on the rights and privileges of Parliament.

By default, controlled documents are submitted electronically to the entity’s OAG liaison and to pre-identified recipients, and can only be accessed during a specific period of time, until their access expires.

When OAG-controlled documents in hard copy are submitted under exceptional circumstances, they are numbered and must be returned to the OAG within one week after the relevant report is tabled in the House of Commons.

Entities must track the internal distribution of the provided OAG-controlled documents in hard copy (if any) and return them to the OAG. Entities are not permitted to destroy or shred these documents and are expected to immediately inform the OAG if any are lost or made public.

The Access to Information Act, section 16.1(1), requires the Auditor General of Canada to refuse to disclose any record requested under the Act that contains information obtained or created by the OAG or on its behalf in the course of an investigation, examination, or audit conducted by the OAG or under its authority. Members of the public cannot access audit plan summaries, draft audit reports, or other audit documents, such as audit working papers, held by the OAG.

At the start of the audit, the entity’s OAG liaison confirms the preferred language of communication and the official language in which the entity requires the PX and DM drafts.