What to Expect—An Auditee’s Guide to the Performance Audit Process
What to Expect—An Auditee’s Guide to the Performance Audit Process
Table of Contents
- A message from the Auditor General of Canada
- 1. Introducing performance audits
- 2. Phases of a performance audit
- 3. Key documents
- 4. Recommendations and responses
- 5. Tabling reports
- 6. After the audit
- 7. Access to entity information
- 8. Handling and treating information
- 9. Interactions with internal audit offices
- 10. Interactions with departmental audit committees
- 11. Long-term audit plan—Strategic Audit Plan
- A road map for performance audits
A message from the Auditor General of Canada
Questions often arise about how we conduct our performance audits. The organizations that we audit, entities, want to know what to expect from us and what we expect from them. The purpose of this document is to provide answers to these questions by outlining
- our objectives,
- the principles governing interactions between auditors and auditees, and
- information about our audit process.
The objectives of our relationships with the audited entities are to
- make an ongoing and consistent effort to understand the context in which government entities do their work,
- promote open two-way communication, and
- act professionally and objectively.
The underlying principles that guide the work of the Office of the Auditor General of Canada are to ensure respectfulness, trust, and integrity while maintaining our independence, professionalism, and objectivity.
Ultimately, the aim is to better serve Parliament by ensuring that our performance audit reports and recommendations are fair and objective. Moreover, we trust they are seen to be fair and objective by those responsible for making the necessary changes in how the federal government manages public funds.
We hope that this information provides entity officials with a valuable reference that will encourage productive and respectful relations between audited entities and my audit staff.
1. Introducing performance audits
Performance audits examine the government’s activities or programs against established criteria to answer the following questions:
- Are activities or programs being run with due regard for economy, efficiency, and environmental impact?
- Does the government have the means in place to measure the effectiveness of its activities or programs?
In other words, a performance audit is an independent, objective, and systematic assessment of how well the government is managing its activities, responsibilities, and resources.
Performance audits are planned, performed, and reported in accordance with professional auditing standards and with policies of the Office of the Auditor General of Canada (OAG). Audits are conducted by qualified auditors who
- establish an audit objectives and criteria for the assessment of performance,
- gather the evidence necessary to assess performance against the criteria,
- report both positive and negative findings,
- conclude against the established audit objectives, and
- recommend improvements when there are significant differences between criteria and assessed performance.
Performance audits contribute to a public service that is effective and a government that is accountable to Parliament and Canadians.
Performance audits do not question the merits of government policies. Rather, they examine the government’s management practices, controls, and reporting systems based on its own public administration policies and on best practices.
An audited organization or entity ("the auditee") is a federal department, agency, or other entity (for example, a foundation) that is subject to an audit under the Auditor General Act.
A performance audit may involves the following:
Audit team—A team of auditors at the OAG responsible for conducting an audit. The team reports to an engagement leader and may include contract staff assigned to the team.
Auditor—A member of an audit team who may be either an OAG employee or contract staff assigned to the team.
Engagement leader—Usually an OAG Audit Principal (PX) with the overall responsibility for conducting performance audits that may involve one or more entities. The engagement leader manages the entire audit cycle and ensures the quality of audit products produced by the team.
OAG entity principal—An OAG Audit Principal (PX) designated to serve as the senior liaison or point of contact between the OAG and the audited entity. The entity principal coordinates with other OAG teams on audits affecting the entities for which he or she is responsible.
Lead auditor—Usually an OAG Audit Director who manages the audit project and a team of auditors on a day-to-day basis.
A performance audit may also involve the following:
Adviser—An individual recognized as a leader in a field of expertise. Advisers are selected by the audit team to advise—but not decide—on the scope and significance of audit issues, lines of enquiry, identified risks, and audit scope. An adviser may be internal or external to the OAG and is selected on the basis of skills, expertise, relevant knowledge on a particular topic, and experience.
2. Phases of a performance audit
A performance audit consists of three phases:
- examination, and
The audit team of the Office of the Auditor General of Canada (OAG) acquires appropriate knowledge of the audited entity, the activities or programs to be audited, and the current issues facing the entity. The audit team makes various inquiries as part of the planning phase to get a good understanding of the subject being audited. In fact, some specific inquiries are required by auditing standards. The team uses this knowledge to develop its audit strategy, which includes an Audit Plan Summary and audit programs.
The team also identifies its initial information needs and specifies entity areas, locations, or sites where the team expects to conduct preliminary fact finding. The team may travel to specified locations to meet entity officials and acquire appropriate knowledge of the audited entity and the subject matter being audited.
Entity notification. To initiate the audit, the OAG sends a letter of notification and solicitor-client privilege to the deputy head of the entity. This letter formally notifies the deputy head of the OAG’s intention to conduct an audit and requests timely access to information and personnel. The entity will be asked to respond within five working days of its receipt of the letter.
Multiple entities. Issues may apply to more than one federal department or agency. When a performance audit includes many departments and agencies, the OAG
- sends letters of notification and solicitor-client privilege to all entities included in the audit scope, and
- informs each entity of the administrative arrangements to follow when meeting or communicating with the OAG.
The audit team gathers the evidence to support its findings and conclude against the audit objective. During the audit, the entity can expect the audit team to request documentation, interviews with personnel, and access to premises during site visits to ensure there is sufficient and appropriate evidence to assess the entity’s performance against the criteria. Early in this phase, the team would also indicate any plans to rely on work conducted by, or on behalf of, the entity’s internal audit unit.
The audit team formally presents, in writing, the findings against the criteria used, the conclusion against the audit objective, and the recommendations. There are two key audit drafts provided for the entity’s comments:
- the principal’s draft report (called the PX draft), and
- a final draft report (called the transmission draft).
Before publishing a final report, the OAG provides entities with the opportunity to review and comment on draft audit reports. This opportunity allows entities to validate facts and provide responses to the recommendations for inclusion in the audit report.
During this phase, the audited entity
- arranges timely meetings between the entity’s senior management, other staff, and the OAG to discuss the audit subject matter;
- provides the audit team with the information needed to understand the areas subject to audit, as well as information on lines of responsibility, sources for the criteria, risks, management concerns, and any related internal audits, evaluations, or studies; and
- facilitates any field visits and access to premises or project sites.
After receiving the notification and solicitor-client privilege letter, the deputy head of the entity is expected to acknowledge in writing that the entity will respect the confidentiality of the OAG-controlled documents to be provided during the course of the audit. This acknowledgement also confirms that the entity will comply with any requests that the OAG makes for access to relevant documents under the control of the entity, including those documents to which solicitor-client privileges are attached.
The entity is expected to identify one of its officials as its contact person for the audit. The contact person
- can facilitate the flow of information between entity officials responsible for the subject matter of the audit and the audit team to help advance the audit process and minimize miscommunication or misplacement of documents;
- informs the audit team by email of the entity’s language preference for the audit, in particular for the Audit Plan Summary, the PX draft, and the transmission draft; and
- provides a list of recipients who need electronic access to OAG controlled documents.
The entity is also expected to brief its staff on the audit’s purpose, process, and timetable.
At the end of the planning phase, the entity is also required to review the Audit Plan Summary and acknowledge its responsibilities for the subject being audited. The entity should also review the terms of the engagement, including the suitability of the criteria as a basis for assessing whether the audit objective has been met.
Entity officials are expected to review and sign off on documented meeting and interview minutes prepared by the OAG, if the OAG indicates its intention to rely on such records as audit evidence during the audit. Officials should normally sign off within five working days of receiving the minutes.
The entity is expected to review the draft reports, validate facts and provide responses to any recommendations made. The entity is also expected to confirm that it has provided the OAG with all information requested or information that could significantly affect the findings or the conclusion of the audit report.
The audit team reviews the audit schedule and key milestones with entity officials to determine whether any changes are needed. If changes are needed, the parties are expected to discuss how best to adjust deadlines to ensure the quality of reports within the OAG’s report production schedule.
The team also discusses how the OAG will brief the entity’s senior management (and if requested, the departmental audit committee) on the results of the audit.
Opening meeting. The team holds an opening meeting with entity officials, including the deputy head where appropriate, to
- discuss the planned audit, and
- gain a better understanding of the areas being audited.
Before the meeting, the audit team notifies the audited entity of the main topics to be discussed. The entity is expected to make every effort to ensure that the appropriate entity officials attend this meeting.
Audit meetings and briefings. The level of officials participating in audit meetings and briefing sessions depends on the subject matter discussed and on officials’ availability.
To reinforce ongoing communication, the contact person at the entity(ies) should have the authority and responsibility to
- set up regular meetings throughout the audit,
- ensure that appropriate individuals attend the meetings, and
- help resolve any problems or barriers to completing the audit.
The OAG will provide the entity with an opportunity to discuss the proposed audit plan.
The entity is expected to discuss issues with the audit team and indicate any changes that are underway that relate to the subject matter under audit. The entity should also be prepared to answer questions related to the main topics discussed at meetings with the team.
The team periodically briefs entity officials and senior management on emerging findings throughout this phase and ensures that it gets the deputy head’s views.
Officials are expected to participate in briefings to
- understand the nature and the implications of the findings,
- understand the proposed recommendations, and
- ask the OAG questions related to the audit.
The OAG’s engagement leader normally offers to consult with the entity’s senior management at the various decision points during the audit.
How the OAG will brief the audited entity should be agreed on before the examination phase ends. Appropriate senior entity officials are expected to participate in these briefings.
The audit team offers briefings to senior entity officials to seek their views on the validity and completeness of audit evidence, audit findings, conclusions, and recommendations, including corrective actions to be taken. The OAG makes every effort to resolve disagreements quickly, professionally, and respectfully.
3. Key documents
During the course of an audit, these are several key documents that the Office of the Auditor General of Canada (OAG) and the audited organization, or entity, will be responsible for.
|Timeline||Documents from OAG||Documents from entity|
Start of audit
End of planning phase
One week after tabling
At the end of the planning phase, the OAG provides entities with an Audit Plan Summary, a document that shows
- the audit objective;
- the audit scope and approach;
- the audit criteria and their sources;
- the responsibilities of the entity and the OAG;
- the plans, if any, to rely on the work of the entity’s internal audit; and
- the audit timetable and team.
Objective, scope, approach, and criteria
The OAG team meets to discuss the audit objective, scope and approach, and criteria as stated in the Audit Plan Summary. The OAG grants the entity’s contact person and identified recipients with electronic access to a controlled version of the Audit Plan Summary.
After the OAG sends the Audit Plan Summary to the audited entity, the OAG asks the deputy head to provide, within the established time frame, written acknowledgement of
- the entity management’s responsibility for the subject matter of the audit, and
- the suitability of the audit criteria against which the entity will be assessed.
The OAG asks each audited entity to formally acknowledge its responsibility for areas included in the audit scope.
The team informs the audited entity, in writing, of any significant changes made to the Audit Plan Summary and, if needed, issues a revised version to the entity.
The entity informs the OAG if these changes affect the entity’s position on management’s responsibility for the area under audit or the suitability of the criteria.
If required, the OAG discloses, with an appropriate explanation in the audit report, any unresolved disagreements about criteria or the entity management’s acknowledgement of its responsibility for the program or area being audited.
The audit team seeks written comments on the principal’s PX draft report. Auditing standards also require the team to seek written confirmation that the audited entity has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding information classified as Cabinet confidence).
The team also asks for draft responses to the recommendations (modified, as appropriate, to reflect discussions).
The team provides electronic access to a controlled copy of the draft report to
- identified recipients, and
- the entity’s contact person (who needs to coordinate comments).
All audited entities receive the full PX draft if they all agree to this approach. This gives them the full context of the audit and allows them to see the complete findings and conclusions. Otherwise, they receive only the portions of the PX draft relevant to their own operations. Only entities mentioned directly in recommendations are required to respond to them.
Discussions about the draft report
The audit team may need to meet with entity officials to discuss the entity’s comments. Such meetings are scheduled with due consideration for the report production schedule.
If required, the OAG’s engagement leader meets with the entity’s deputy head or other senior management (usually at the assistant deputy minister level, as appropriate) to discuss the draft, including the suitability of the proposed audit recommendations and the potential responses to them.
Expectations for entities
Each audited entity is expected to
- review the draft report,
- provide its position on the accuracy of the text,
- flag any disputed facts (accompanied by all the supporting evidence it has),
- inform the team of any new developments,
- provide written confirmation that it has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding information classified as Cabinet confidence), and
- provide written responses to the recommendations.
Updates to the report
After careful consideration, the team revises the PX draft if necessary to reflect the discussions and comments received from
- each audited entity, and
- applicable third parties (other organizations not included in the audit scope but identified directly or indirectly in the report).
If required, the deputy head or designate is expected to meet with the engagement leader to try to resolve any outstanding issues and reach either an agreement or a clear, shared understanding of points on which they “agree to disagree.”
Some sections of the draft are highlighted, indicating text that will b be reproduced in the OAG’s report communications products.
While acquiring audit evidence, the OAG encourages entity officials to validate facts. This validation will help to ensure the evidence’s accuracy, relevance, and completeness.
This validation process may require a series of meetings with entity officials to ensure they agree on the facts gathered during the audit examination and field work.
While validating facts, entity management, including senior entity officials, are expected to examine all statements of fact and provide corrections with appropriate supporting evidence if it identifies
- factual errors,
- context changes, or
- new information.
The entity is expected to review the PX draft and provide its position on any disputed facts, accompanied by all supporting evidence.
The audit team prepares an updated draft, called the transmission draft report. The transmission draft
- reflects the disposition of discussions between the OAG audit team and the entity at the PX draft stage, and
- includes the final recommendations and draft entity responses to recommendations.
The OAG audit team provides identified recipients and the entity’s contact person with electronic access to a controlled copy of the draft report.
The transmission draft is submitted in the preferred official language(s) of the entity (as per the agreement established with the audited entity during the planning phase).
Expectations for deputy heads
The deputy head is expected to
- confirm that the audit report is factually accurate,
- confirm the final responses to the recommendations, and
- specify areas of and reasons for disagreement.
After the facts in the PX draft are confirmed and validated, the OAG normally sends a complete copy of the transmission draft to all entities covered by the audit scope. The draft includes the draft entity responses to recommendations. The entities are expected to
- provide final comments, and
- confirm that their responses to the recommendations are final.
If the entity has requested the transmission draft in both official languages, both versions will be sent at the same time.
If the entity has requested the transmission draft in one official language only, the translation of the final report is provided a week before the report is tabled in the House of Commons.
No additional comments or sign-offs are required.
If required, the OAG discloses, with an appropriate explanation in the audit report, any unresolved disagreements around the validity of facts. This may include confirmation from the entity that it has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding Cabinet confidences).
4. Recommendations and responses
Performance audits usually include recommendations that direct audited entities to positive changes they can make for the most serious deficiencies reported. Recommendations address areas where there are significant risks to the entity if deficiencies remain uncorrected.
Recommendations should be
- fully supported by and flow from the associated findings and conclusions,
- aimed at correcting the underlying causes of deficiencies, and
- directed specifically at the entities responsible for taking action on them.
During the examination phase of a performance audit, the audit team periodically offers to brief entity officials (and senior management as required) on emerging findings.
The team also encourages discussion of proposed recommendations as they are developed and seeks views on actions needed to correct problems.
At the end of the examination phase, the audit team seeks the views of entity officials to enable the development of clearly stated and action-oriented recommendations.
This gives the audited entity time to prepare responses and develop an action plan. The team asks the deputy head or other senior management to provide input to ensure that recommendations are practical and feasible to implement.
The principal’s PX draft report issued to the audited entity contains a complete set of draft recommendations. In a letter accompanying this draft, the OAG’s engagement leader offers to meet with the entity’s deputy head or other senior management officials (usually at the assistant deputy minister level) to discuss the recommendations. The discussion should include, among other things, how suitable and practical the draft recommendations are, and what the entity’s probable responses to them will be.
The letter asks the entity to send a formal, written draft response to the recommendations and provides a deadline for the response.
The subsequent transmission draft report contains the full text, the recommendations, and the entity’s draft responses. The team asks the deputy head to confirm in writing that the report is factually accurate and to comment on any disagreements. The team also asks the deputy head to confirm that the responses to the recommendations (in both official languages) are final.
Responses to recommendations are not a vehicle for disagreeing with the audit findings. The audit team and the audited entity must try to resolve any unsettled disputes. If this is not possible and the entity does not agree with the recommendation, the response must state the reason. This response will be included in the report.
If a matter has not been resolved by the time the transmission draft is issued, the team will raise it with the Assistant Auditor General or the Commissioner of the Environment and Sustainable Development. Failure to respond within the specified timeframe could result in the report being published without the entity’s responses.
Parliamentarians are more likely to react favorably to responses that are clear and concise and that describe specific actions and timeframes.
The OAG has established limits on the content and publication of entity responses and will not normally publish
- general responses or global comments to reports,
- entity responses where no recommendations were made, and
- entity responses where no new recommendations were made in a follow-up report from a previous audit.
The OAG determines whether the wording of the entity’s responses is appropriate and sufficient, and expects a response to
- clearly indicate whether the entity agrees or disagrees with the recommendation;
- have a maximum of 200 words;
- be consistent with the “Agreed” or “Disagreed” statement; and
- provide a basis for a potential future follow-up, including timelines and actions that the entity’s senior management intends to take to respond to the recommendations, and clear accountability from senior management.
Final responses to the transmission draft, in both official languages, must be received within OAG-specified timeframes to be published in the report.
Publishing an audited entity’s response to a recommendation gives the government the opportunity to inform Parliament whether the entity agrees with the recommendation, and how and when the entity intends to act.
The OAG reserves the right to
- edit responses;
- decline to include material that does not respond to a recommendation;
- omit material that repeats report content; and
- exclude from a published report responses, or parts of responses, that it believes false or misleading.
The audit team informs the entity of any significant changes made to final responses.
4. Tabling reports
Two weeks before a report tabling, the Office of the Auditor General of Canada (OAG) provides advance notice to audited entities and invites them to OAG premises to preview communications material it has prepared for tabling.
The OAG requests advance notice of the individuals the entity intends to send. The preview takes place a few days before the report is tabled.
On the day that a report of the Auditor General or the Commissioner of the Environment and Sustainable Development is tabled in the House of Commons, the OAG participates in
- a confidential preview for parliamentarians,
- a preview for journalists (media lock-up),
- a news conference for journalists, and
- media interviews.
Confidential preview for parliamentarians
All members of Parliament and senators are invited. Parliamentarians who attend the preview receive copies of the report and related communications material.
Accredited members of the Parliamentary Press Gallery who attend the media lock-up receive copies of the report and related communications material.
The news conference is open only to accredited members of the Parliamentary Press Gallery.
Entities should make their own arrangements to view the news conference, either with the National Press Theatre or by watching it online.
The Auditor General or the Commissioner of the Environment and Sustainable Development is available for interviews with journalists following the report tabling.
In some instances, members of Parliament, the Senate, the media, or the public may want additional information about the audited entities or audit subject matter not included in the report.
It is OAG policy to not provide such information. Any questions for further information or background are referred to the audited entity.
6. After the audit
To understand past performance and to identify possible areas for improvement, the Office of the Auditor General of Canada (OAG) believes that obtaining feedback from audited entities is important.
The OAG conducts post-audit surveys on various aspects of the audit experience after reports of the Auditor General or the Commissioner of the Environment and Sustainable Development have been tabled in the House of Commons.
The deputy head of the audited entity receives the survey and is expected to respond in a timely manner. Survey results are aggregated, analyzed, and included in a summary report produced annually. Results are reported to Parliament in the OAG’s performance report.
The Auditor General or the Commissioner of the Environment and Sustainable Development and other OAG officials often appear before House of Commons and Senate committees to answer questions about reports after they are tabled.
The Auditor General most frequently appears before the House of Commons Standing Committee on Public Accounts. This Committee has a specific mandate to review and report on all of the Auditor General’s reports, as well as on the OAG’s reports on plans and priorities, and annual performance reports. Other parliamentary committees also hold hearings on matters raised in the Auditor General’s reports.
The Commissioner of the Environment and Sustainable Development is usually called before the Standing Committee on Environment and Sustainable Development to answer questions about reports after they are tabled, and may also appear before other parliamentary committees.
Departmental and other entity representatives are also present at hearings.
The Standing Committee on Public Accounts has adopted the following motion:
That any organization that has been subject to a performance audit or a special examination by the Office of the Auditor General of Canada, provides a detailed action plan to address the audit recommendations which have been agreed to—including specific actions, timelines for their completion and responsible individuals—to the Public Accounts Committee and the Office of the Auditor General of Canada within six months of the audit being tabled in the House of Commons; and,
- That organizations that are invited to appear before the Public Accounts Committee to discuss the findings of an audit should, when feasible, provide an action plan to the Committee prior to the hearing; and
- That action plans and progress reports received by the Committee be published on the Committee’s website.
The Standing Committee on Fisheries and Oceans adopted the following motion:
That the department and agencies of Fisheries and Oceans Canada, and the Canadian Coast Guard, that have been subject to a performance audit by the Office of the Auditor General of Canada provide a detailed action plan to address the audit recommendations which have been agreed to, including specific actions, timelines for their completion, and responsible individuals, to the Committee and to the Office of the Auditor General of Canada, within six months of the audit being tabled in the House of Commons;
- That the department and agencies that are invited to appear before the Committee to discuss the findings of an audit should, when feasible, provide an action plan to the Committee prior to the hearing; and
- That departmental action plans and progress reports received by the Committee be published on the Committee’s website.
These action plans should include specific actions and timelines for addressing recommendations and specify the individuals responsible for addressing them. Departments and agencies invited to appear before those Standing Committees to discuss the audit findings should provide the plan to the Committee prior to the hearing and to the OAG.
To monitor progress on recommendations between audits, the OAG uses the monitoring process that exists within federal entities by accessing their monitoring records from time to time as required.
The Treasury Board of Canada Secretariat policy requires that chief audit executives routinely report to the departmental audit committee on whether the management’s action plans have been implemented. These monitoring records are expected to be in place so that auditors can review them as required.
Sometimes the OAG conducts follow-up audits of specific audit recommendations and issues of concern raised in past audit reports that continue to pose a significant risk or continue to be of interest to Parliament. The OAG completes these audits in the same manner as other performance audits, following professional auditing standards.
The audit team may identify issues that are less important than those included in the report tabled in the House of Commons, or that fall outside the audit scope but are of interest to the audited entity. The team communicates these issues to the entity, as appropriate, through a
- verbal communication, or
- formal management letter.
If a management letter is issued, the OAG may request a written response to the issues raised in it, including any proposed actions to be taken and a target completion date.
The OAG may also choose to follow up on these issues at a later date.
7. Access to entity information
Audit teams at the Office of the Auditor General of Canada (OAG) have a right to access the following within audited entities, in accordance with federal legislation:
- documents, and
OAG auditors are entitled to receive all information that they determine is relevant and necessary to enable them to carry out their audits and examinations. This may include documents, reports, data, or explanations from members of the public service and from officers, employees, or agents.
As OAG auditors identify the information they need and who they need to interview, the audited entity is to give them access. The information that the entity should supply, upon request, includes all forms of communication—written, visual, auditory, and electronic—whether in final or draft form, with the exception of draft Treasury Board submission material.
Guidance for deputy ministers from the Privy Council Office emphasizes that the role of deputy heads includes ensuring that
- their departments establish a respectful and constructive working relationship with a body such as the OAG, and
- entities supply the information needed to fulfill the body’s legislative mandates.
OAG auditors are entitled to access documents that may be subject to solicitor-client and other privileges. To ensure that this access does not affect the privilege attached to the documents, the OAG makes a formal written request for access to such documents at the start of the audit.
The OAG issues a letter of notification and solicitor-client privilege to the deputy head of the entity requesting timely access to information and personnel under the powers granted by the Auditor General Act and, among other things, to documents that may be subject to solicitor-client and other privileges.
The deputy head is expected to acknowledge in writing that the entity will comply with its duty under the Act and that providing the documents to the OAG does not constitute a waiver of any privilege attached to the documents. The exchange of letters maintains the privileged nature of the information provided to the OAG for audit purposes.
The OAG respects the confidentiality of the documents and does not refer to them in its reports.
When the audit team identifies entity staff for an interview, the staff must be made available. It is unacceptable and inappropriate for the entity to coach staff prior to an interview with auditors or filter information requested by the OAG. As a general rule, to encourage candour and complete responses, only entity staff being interviewed should be present during the interview. Under certain circumstances, the audit team and the audited entity may agree that observers at an interview are appropriate, but it is up to the OAG to decide when they are.
The Auditor General’s access to Cabinet confidences is set out in two orders-in-council: PC#2018-0535.
An audited entity is responsible for identifying the Cabinet confidences that are related to an OAG audit, such as:
- Final submissions to Cabinet,
- Decisions of Cabinet,
- Final submissions to Treasury Board,
- Decisions of Treasury Board, and
- Records presented to a Minister and related final documents containing explanations, analyses of problems or policy options.
The submissions and decisions referred to above are not to be provided directly to OAG auditors. The OAG obtains access to the submissions and decisions through a process that involves the Privy Council Office or the Treasury Board of Canada Secretariat, as appropriate.
The audited entity is responsible for providing OAG auditors with all other Cabinet confidences that are covered by the order-in-council. The audited entity should refer any questions about the order-in-council to their legal services group.
The fact that a document is not accessible to the public through an Access to Information request, is not a valid reason for denying access to OAG staff. The provisions of the Access to Information Act do not apply to the Auditor General’s access to information for audit purposes.
Auditors who encounter problems obtaining information during an audit, such as delays, will report the problems to the engagement leader. If the problems continue, the engagement leader will attempt to resolve the issue with the entity’s contact person, or if necessary, with senior management.
In some circumstances, a delay in providing requested documents or information can amount to a denial of access. The Auditor General may report such cases to Parliament.
Electronic information is preferred, but paper copies are acceptable.
Information can include all forms of communication—written, visual, auditory, and electronic—whether in final or draft form.
This information includes but is not limited to any relevant
- pictorial or graphic work,
- sound recordings,
- videotapes, or
Auditors may take extracts and make photocopies, unless security classifications dictate otherwise.
The audit team maintains a register of documents requested and received during an audit.
Access to information and to privileged information begins once
- the entity has been notified of the start of a performance audit or of the strategic audit planning exercise, and
- the deputy head has responded to the OAG’s letter of notification and solicitor-client privilege.
Entity officials should instruct their employees to make themselves and information available, as they would for any other important business. Timely access to information is essential for the Auditor General to meet reporting obligations to Parliament. Entity officials should respond expeditiously to OAG requests for information.
The time required to produce information varies. It can be affected by such factors as the information’s format and location, and an individual’s availability.
|Type of information||Time frame to produce|
|Easily accessible||Five working days|
|Additional work to compile (such as data manipulation or archive searches)||Audit team and audited entity discuss and agree on time frame.|
Audit team members have access to an audited entity’s
- information for which they have the required level of security clearance, and
- staff who can provide the information.
Auditors must comply with the same security requirements that apply to the entity’s employees. Most OAG auditors have, at a minimum, the federal public service’s “secret” level designation.
At the start of an audit, the audit team provides the entity’s contact person with the names and security clearance levels of OAG and contract staff initially assigned to the audit. If any changes need to be made to this list during the audit, the team notifies the contact person.
- Access to Information Act
- Auditor General Act
- Guidance to deputy heads, departmental and entity legal counsel, and OAG audit liaisons on providing the Auditor General access to information in certain confidences of the Queen’s Privy Council (Cabinet confidences)
- 2010 Protocol Agreement on Access by the Office of the Auditor General to Cabinet Documents
- Communiqué (Treasury Board of Canada Secretariat-Office of the Auditor General of CanadaTBS-OAG): Office of the Auditor General’s Access to Records and Personnel for Audit Purposes (distributed by email to deputy heads on 7 August 2007)
- Order-in-Council PC#2018-0535 dated 11 May 2018
- Order-in-Council PC#1985-3783 dated 27 December 1985
- Order-in-Council PC#2006-1289 dated 6 November 2006
8. Handling and treating information
During the audit process, the Office of the Auditor General of Canada (OAG) and the audited entity exchange information that needs to be handled and treated with due care.
One underlying principle of auditing is a duty of confidentiality with respect to an audited entity’s affairs.
The OAG makes every effort to ensure that it keeps audit information in its direct possession. The OAG’s Code of Values, Ethics, and Professional Conduct requires that all staff be familiar with the security aspects of their work and consider it an important and essential individual responsibility.
For all information received from an entity, auditors must, at a minimum, comply with the same security arrangements that apply to the entity’s employees.
During the audit, the audit team provides the audited entity with controlled documents, such as the Audit Plan Summary, the principal’s PX draft report, and the transmission draft report. These protected documents are OAG property.
Entity staff members are required to respect the confidentiality of the content of OAG-controlled documents. They must ensure that these documents are not copied, reproduced, distributed, republished, downloaded, displayed, posted, or transmitted in any form or by any means without the prior written consent of the OAG.
References to controlled documents should contain only section and paragraph numbers. The contents of these documents must be treated with appropriate discretion. Disclosing the Auditor General’s findings prior to tabling is an infringement on the rights and privileges of Parliament.
By default, controlled documents are submitted electronically to the entity’s contact person and to pre-identified recipients. The controlled documents can be accessed only during a specific period of time, until their access expires. Upon request from the entity, audit teams may provide a maximum of two paper copies of OAG controlled documents for use by the Deputy Head and the Minister.
When OAG-controlled documents in paper copy are provided to an entity, they are numbered and must be returned to the OAG within one week after the relevant report is tabled in the House of Commons.
Entities must track the internal distribution of the provided OAG-controlled documents in paper copy (if any) and return them to the OAG. Entities are not permitted to destroy or shred these documents and are expected to immediately inform the OAG if any are lost or made public.
The Access to Information Act, section 16.1(1), requires the Auditor General of Canada to refuse to disclose any record requested under the Act that contains information obtained or created by the OAG. This includes information obtained on its behalf in the course of an investigation, examination, or audit conducted by the OAG or under its authority. Members of the public cannot access audit plan summaries, draft audit reports, or other audit documents, such as audit working papers, held by the OAG.
At the start of the audit, the entity confirms by email the language preference for the audit, in particular for the Audit Plan Summary, PX draft, and transmission draft.
9. Interactions with internal audit offices
During a performance audit, audit teams often need to interact with the internal audit office of the federal department or agency being audited.
In large departments or agencies, the internal audit office usually plays the liaison role with the Office of the Auditor General of Canada (OAG) and facilitates the exchange of information and the access to entity staff.
|Meetings||Goal of meeting||Attendees|
|Opening meeting||Discuss the audit, so audit team can better understand areas subject to audit||Appropriate audited entity officials (as determined by the engagement leader in consultation with the contact person)|
|Subsequent meetings||Collect information||Only staff required to provide information to auditors (internal audit and contact person excluded)|
|Reporting phase meetings||Receive views of senior officials||Senior officials|
Internal audit offices should instruct entity employees to make themselves and information available, as they would for any other important entity business.
The internal audit office is expected to make every effort to ensure that the appropriate entity officials attend an opening meeting to discuss the planned audit.
During the fact validation and review of the principal’s (PX) draft report, the entity’s contact person should facilitate the process of obtaining and coordinating responses from responsible parties within the entity, and providing the audit team with
- the entity’s position on the accuracy of the text,
- any facts in dispute,
- the Assistant Deputy Minister (or Deputy Minister)’s written confirmation that the entity has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding information classified as Cabinet Confidence), and
- the entity’s consolidated comments from parties responsible for audited areas.
During the reporting phase of the audit, the entity contact person is expected to facilitate the OAG’s access to senior officials to get their views.
When coordinating responses to recommendations, the entity contact person needs to ensure that final responses to the transmission draft report are provided in both official languages and received within the specified time frames to be published in the report.
When the audit team identifies entity staff for an interview, the staff must be made available. It is unacceptable and inappropriate for the internal audit office to coach staff prior to an interview with auditors or filter information requested by the OAG.
The audit team informs the entity’s contact person of
- the progress made throughout the audit, and
- new developments when they arise, such as emerging findings.
The process for ensuring ongoing communication, such as meetings at predetermined points, is usually determined by the team and the entity’s contact person at the start of the audit.
10. Interactions with departmental audit committees
The Office of the Auditor General of Canada (OAG) supports initiatives that strengthen departmental oversight, including the requirement for external membership for departmental audit committees.
The OAG wants to work with departmental audit committees while maintaining its objectivity and preserving its independence from government.
The OAG welcomes the opportunity to
- inform departmental audit committees about its audit plans (it appreciates receiving their input and discussing matters of mutual interest),
- discuss its reports, and
- explain audit findings after the entity’s management has had the opportunity to confirm and validate the facts.
Regarding draft audit reports, the OAG does not confirm or validate fact-based audit information with departmental audit committees. These documents are finalized through the normal OAG process with appropriate entity officials.
The departmental audit committee is expected to
- actively review and assess the adequacy of entity responses and action plans,
- monitor the implementation of audit recommendations, and
- advise the deputy head.
The deputy head may share OAG audit information with members of the departmental audit committee and is accountable for ensuring that this is done in a manner that protects the confidentiality of the information.
Senior OAG staff may participate in committee meetings as observers when invited by the committee chair. They will make every effort to appear if notified of the committee’s meeting schedule in advance. The Secretary of the Departmental Audit Committee is expected to notify OAG staff of the schedule.
At its discretion, the audit team may request advice from the audited entity on who would be useful external advisers on the audit. If the team has any concern about whether a potential adviser has a conflict of interest, it may seek the advice of the entity.
When requested by the audit team, the entity is expected to provide advice to help identify potential external advisers. The entity may wish to consult with its departmental audit committee.
11. Long-term audit plan—Strategic Audit Plan
The Office of the Auditor General of Canada (OAG) prepares long-term audit plans for individual audited entities. It also prepares plans for sectoral topics over a multi-year period that typically cover all OAG audit activities for the entity. The long-term plans are referred to as Strategic Audit Plans.
The Strategic Audit Plan is a planning tool based on a risk assessment. The OAG uses these plans to
- focus OAG resources on the areas of significance and of a nature that should be brought to the attention of Parliament;
- promote consistency in planning across OAG audit teams and product lines; and
- focus the audit selection process on key risks in entities or in sectoral topic areas (across the organization), as well as on OAG priorities and focus areas.
OAG strategic audit planning can be done through a formal assessment exercise or through ongoing monitoring.
If strategic audit planning is done through a formal assessment, the OAG sends a letter to the deputy head of each entity involved. This letter describes the OAG’s intention to carry out a systematic and risk-based exercise to determine the audit work that needs to be done. This work would take place over the next few years to fulfill the OAG’s responsibilities under the Auditor General Act.
If strategic audit planning is done through ongoing monitoring, the OAG requests to meet from time to time with the entity’s officials and may request documentation for various items.
The audit team reviews the entity’s key documents, such as
- corporate plans,
- integrated risk management frameworks,
- performance reports to Parliament,
- internal audit and program evaluation reports,
- the entity’s annual and long-term audit and evaluation plans, or
- other entity reports.
The team reviews other key documents, such as
- parliamentary committee reports,
- budget documents,
- past OAG audits, and
- information about the entities involved in the exercise.
The team interviews may take place with
- entity senior management (at headquarters and in regional offices),
- entity officials (at headquarters and in regional offices), and
- key external stakeholders and external experts, when appropriate.
Discussions can include but are not limited to
- building an understanding of key and emerging issues;
- short-and long-term audit plans;
- the general working relationship between the OAG and the entity;
- clarifying the nature of the OAG’s access to documents, as necessary;
- extenuating circumstances, such as pending legislative or regulatory approvals or changes that may require changes to future audit plans;
- audit risks; and
- the OAG’s assessment of risks compared with those identified by the entity.
When the Strategic Audit Plan exercise begins, the deputy head or other senior management of each entity involved in the Strategic Audit Plan is expected to inform the departmental audit committee and others in the organization who need to know about the exercise.
When the OAG prepares a Strategic Audit Plan, the deputy head or other senior management of each entity involved is expected to provide documents and participate in interviews as requested.
When the OAG has an ongoing and substantial audit presence in an entity, the OAG offers to meet annually with the entity’s senior management and, if requested, the departmental audit committee.
Appendix: A road map for performance audits
The following road map shows the key steps that need to be followed when conducting a performance audit.
OAG—Office of the Auditor General of Canada
PX draft—Principal’s draft report
A road map for performance audits —Text version
- The OAG issues a letter of notification and solicitor-client privilege to the deputy head of the audited entity, requesting timely access to information and personnel.
- The deputy head acknowledges the responsibility for complying with requests to access information and accepts the responsibility for managing OAG-controlled documents.
- The OAG and the entity’s senior management have an opening meeting.
- The OAG carries out the planning work by interviewing and interacting with entity staff.
- The OAG sends the Audit Plan Summary to the entity.
- The entity responds within the established time frame and provides written acknowledgement of the suitability of audit criteria and of management responsibilities for the program or area being audited.
- The OAG keeps entity officials informed of emerging audit findings.
- The OAG meets with the entity’s senior management near the end of the examination work to confirm facts and discuss recommendations.
- The OAG meets with the entity’s senior management to discuss early draft findings and recommendations.
- The OAG issues the principal’s PX draft report with draft recommendations.
- The OAG meets with entity officials to discuss the PX draft.
- The Assistant Deputy Minister (or Deputy Minister) confirms in writing that all information that has been requested or that could significantly affect the findings or the conclusion of the audit report has been provided (with the exception of information classified as Cabinet Confidence).
- The entity submits comments on the PX draft to the OAG (last opportunity to submit evidence).
- The entity submits its draft responses to the recommendations.
- The OAG issues the transmission draft report.
- The entity sends the deputy head sign-off on the transmission draft and the final bilingual responses to the recommendations.
- Entity representatives are invited to preview communications material prepared by the OAG before the tabling of the report.
- Entity officials attend news conference on tabling day (if arrangements were made).
- The OAG issues a management letter (when appropriate).
- The entity ensures that OAG-controlled documents shared in paper copy (if any) have been returned to the OAG within one week of tabling.
- The OAG sends a post-audit survey to the entity.
- The entity responds to the post-audit survey.