COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation
Engagement documentation is generally retained in one of two formats: paper or electronic. Electronic format is the preferred format for keeping audit records, but there are exceptions.
This section outlines the Office’s policies and procedures designed to maintain the confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation. Integral to the application of these policies and procedures is the use of audit working paper software.
CPA Canada Assurance Standards
Performance Audit, Special Examination, and Other Assurance Engagements
CSQC 1.46 The firm shall establish policies and procedures designed to maintain the confidentiality, safe custody, integrity, accessibility and retrievability of engagement documentation. (Ref: Para. A56-A59)
Confidentiality, Safe Custody, Integrity, Accessibility and Retrievability of Engagement Documentation (Ref: Para. 46)
CSQC 1.A56 Relevant ethical requirements establish an obligation for the firm's personnel to observe at all times the confidentiality of information contained in engagement documentation, unless specific client authority has been given to disclose information, or there are responsibilities under law, regulation or relevant ethical requirements to do so. Specific laws or regulations may impose additional obligations on the firm's personnel to maintain client confidentiality, particularly where data of a personal nature are concerned.
CSQC 1.A57 Whether engagement documentation is in paper, electronic or other media, the integrity, accessibility or retrievability of the underlying data may be compromised if the documentation could be altered, added to or deleted without the firm's knowledge, or if it could be permanently lost or damaged. Accordingly, controls that the firm designs and implements to avoid unauthorized alteration or loss of engagement documentation may include those that:
CSQC 1.A58 Controls that the firm designs and implements to maintain the confidentiality, safe custody, integrity, accessibility and retrievability of engagement documentation may include the following:
CSQC 1.A59 For practical reasons, original paper documentation may be electronically scanned for inclusion in engagement files. In such cases, the firm's procedures designed to maintain the integrity, accessibility, and retrievability of the documentation may include requiring the engagement teams to:
There may be legal, regulatory or other reasons for a firm to retain original paper documentation that has been scanned.
Note: The sources for the majority of the policy statements below are existing Office policy documents, which are accessible via the links presented at the end of this section.
Use of audit working paper software
All engagement documentation up to and including Protected B shall be retained in electronic format and stored in audit working paper software. Permitted exceptions to this policy are listed in the guidance section of this document under the heading Use of audit working paper software. [Jun-2020]
According to relevant ethical requirements (OAG Audit 1031 Ethical requirements), auditors shall respect the confidentiality of information acquired and not disclose any such information to third parties without proper and specific authority, unless there is a legal or professional right or duty to disclose, nor use the information for their personal advantage or the advantage of third parties. [Nov-2011]
Within the Office, auditors shall use their professional judgment to respect the confidentiality of audit information; in particular, auditors should keep the confidentiality of information in mind when having discussions with other Office staff not directly involved with the work related to the entity. [Nov-2011]
Auditors shall identify and categorize information assets and ensure that they are not disclosed without the appropriate authorization. The categorization process shall take into account data aggregation, whereby the sensitivity of a data set may be greater than the sensitivity of any individual component. [Nov-2011]
Access to classified and protected information and other assets is limited to those persons who have
- the appropriate reliability status or security clearance, and
- a need to know the information or a need to access the assets. [Nov-2011]
Protected and classified information shall be labelled, copied, stored, transmitted, and disposed of according to the measures outlined on the Security Quick Reference Card. [Nov-2011]
Audit teams shall restrict access to audit documentation to members of the engagement team and those that need to know the information to fulfill their professional responsibilities (e.g., quality reviewer, practice teams, internal specialists, etc.). [Jun-2020]
See also OAG Direct Engagement 9020 Management of controlled documents. [Nov-2011]
To ensure the confidentiality and integrity of audit information, the Office uses disk encryption to encrypt all data stored on OAG computers. [Nov-2011]
- not share passwords (e.g., SecureDoc, OAG Network, audit working paper software);
- keep any recorded passwords in a secure place; and
- change a compromised password immediately, and notify OAG Security. [Jun-2020]
Auditors are to use only OAG-issued encrypted USB keys. [Nov-2011]
Locking security cables are acceptable protection for Office laptops and must be used whenever a laptop is left unattended. Security cable keys must not be left where they are accessible to others (e.g., on desks or in unlocked desk drawers). [Nov-2011]
Laptops that cannot be secured with a locking cable must be secured in an approved security container commensurate with the sensitivity of information resident on the hard drive. [Nov-2011]
Staff members who use laptops outside the Office must transport them securely and take all reasonable precautions to prevent their loss, damage, or misuse. [Nov-2011]
Auditors shall document on working papers when and by whom engagement documentation was created, changed, or reviewed (OAG Audit 1111). In audit working paper software, electronic sign offs assist in documenting this information. [Jun-2020]
See also OAG Audit 1172 Modifications to audit documentation after final assembly. [Nov-2011]
Working with audit working paper software, auditors using local replicas shall update the master regularly and resolve, on a timely basis, any conflicts identified when merging a replica. [Jun-2020]
Where auditors are working in the field without a reliable remote connection (taking the master in the field via an encrypted USB key), they must make backups of the master and store them on a separate drive (another team member’s laptop). The encrypted USB key must not be stored with the same laptop that has the backup on it. [Nov-2011]
Accessibility and retrievability
Use of PROxI for performance audits and special examinations. Performance audit and special examination teams are expected to use PROxI as the document management system and repository for electronic external documents until they need to be entered into audit working paper software (OAG Audit 1121 Timely preparation of audit documentation). [Jun-2020]
The Office will grant access to OAG IT and electronic information assets on a need-to-know basis to those who have undergone an appropriate reliability status check or security screening. [Nov-2011]
Electronic documents, including email, that are password protected or encrypted shall have the password or encryption removed before saving in PROxI or in audit working paper software to ensure future accessibility. [Jun-2020]
Where original paper documentation has been electronically scanned for inclusion in the audit file, the auditor is responsible for ensuring the scanned copy is
- identical in form and content (see guidance below) to the original paper documentation, including replicating manual signatures, cross-references, and annotations;
- indexed and signed off in the audit file; and
- capable of being retrieved and printed. [Nov-2011]
Use of audit working paper software
Teams should retain all audit documentation in electronic format and store it in the audit working paper software with the following exceptions:
- if the document security level is Protected C or Classified (Confidential, Secret, or Top Secret);
- for the direct engagement practice, significant signed correspondence received from the audited entities and third parties;
- in rare circumstances, where the engagement leader may determine that there are legal or other reasons to retain original paper documentation. In such cases, the engagement leader should consult with Legal Services; and
- in the event that the team encounters difficulty saving the document into the audit working paper software (due to, for example, file size or file format issues).
Teams include in the audit working paper software a reference to the existence and physical location of any audit document retained in paper format to maintain the completeness of the file.
Legal and regulatory requirements
In consultation with Legal Services, the Office has considered whether there are legal, regulatory, or other reasons, as indicated by professional standards, to retain certain original paper documentation.
The first consideration was the likelihood that audit documentation would be requested for litigation purposes. A review of past experience found a number of cases where audit documentation was requested for litigation purposes and, in all cases, the request concerned performance audit documentation.
A second consideration was the risk that electronic evidence would not be accepted as evidence if its authenticity was questionable. In general, electronic files are acceptable as legal evidence, unless the original has a unique characteristic, most notably, a signature. Performance audit files may contain audit evidence with signatures, some of which are significant and need to be retained in hard copy format (OAG Audit 1191 Retention policies and procedures).
Teams may exercise discretion in scanning large documents, recognizing that file performance (i.e., replication of the electronic audit file) may be impaired when large files are stored in the audit working paper software. An alternative to scanning the entire contents is to scan key pages (such as the title page, relevant extracts, and signature page), which may be sufficient for audit documentation.
Sharing of information within the Office
Confidential client documentation can be shared between teams without client consent, but doing so may involve conflict of interest or independence issues as well as other risks.
Generally speaking, sharing of client specific information is not prohibited within the Office (amongst auditors, audit teams, or audit practices) where, as explained below, it would be beneficial to the client’s interests and the audit professionals are satisfied that sufficient controls are in place to mitigate the risks associated with internal disclosure.
The disclosure of confidential client information internally between OAG staff is a matter of professional judgment. There is also a significant distinction from the disclosure of such information externally to third parties, which is generally prohibited without proper and specific authority. Aside from ensuring that the internal Office recipient has the appropriate security clearance and legitimate need to know the confidential information contained in client documentation, limiting the distribution of such information internally is also an important institutional mechanism for respecting the fundamental principles of ethics and related requirements as described in OAG Audit 1031.
The exercise of professional judgment in these matters is governed by the OAG Code of Values, Ethics and Professional Conduct as well as the rules of professional conduct and codes of ethics set out by various professional accounting bodies in Canada, which describe the related obligations more extensively. For example, the CPA Ontario CPA Code of Professional Conduct under the Chartered Accountants Act, 2010, S.O. 2010 specifies that maintaining the confidentiality of information internally within an organization or firm is included in the general principle of confidentiality set out in the Foreword and Rule 208. The related guidance issued by CPA Ontario on this point, however, clarifies that the prohibition against the improper use of confidential client information does not restrain disclosure of such information within a firm. This interpretation is based on the presumption that the knowledge of one person in a firm is shared with (or attributed to) others in the firm when dealing with conflicts of interest, which is the main underlying issue in controlling the degree to which persons in a firm share client confidences. This interpretation is also consistent with equivalent commentary issued by the Law Society of Upper Canada on Section 3.3 of the Rules of Professional Conduct, which stipulates “it is implied that a lawyer may, unless the client directs otherwise, disclose the client’s affairs to partners and associates in the law firm”.
If audit teams plan to repurpose client information by sharing with other audit teams, it would be advisable in our view to consider, at a minimum, informing the audited entity at a preliminary phase in the engagement that, unless the entity directs otherwise, the team intends to seek out confidential documentation and information previously disclosed by the entity to the OAG in an effort to enhance knowledge of the entity’s business and to avoid additional requests for the same documents and information.
Sharing information concerning past experiences amongst auditors, audit teams and audit practices may be constrained by our duty to maintain client confidentiality but such sharing need not require the disclosure of confidential client information. The concept of client confidentiality applies to the information itself and is not changed by the form of communication (oral discussion versus review of documentation). However, often the sharing of past experiences need not include the disclosure of confidential client information and internal sharing of collective experiences and judgements is in the Office’s best interest.
Sharing of information with third parties
The Office may, in some specific cases, grant access to audit information to third parties. The engagement leader is responsible for dealing with the issue of access to audit files and for ensuring that appropriate security practices are adhered to, should access be granted. Consultation with the Access to Information and Privacy (ATIP) Coordinator, and with Legal Services should occur where circumstances warrant.
Access to our audit files is normally provided in the following circumstances:
- when a successor auditor has been appointed, or when a new joint auditor has been appointed. This is normal professional practice where the interests of the client are best served by full cooperation between predecessor and successor auditors. Before any access is granted, there should be a clear understanding, in writing, of the terms and conditions under which access is granted. Successor auditors would normally be supervised as they conduct their review work on our files;
- as joint audits are being conducted. In such arrangements, both auditors are jointly and severally responsible for the audit. It is normal practice for all key sections of the files to be reviewed by both sets of auditors to ensure that there is sufficient and appropriate audit evidence to support the audit opinion;
- legal proceedings. Our audit files can and have been used as evidence in cases of litigation. Legal Services would normally be responsible for providing the subpoenaed information as and when required;
- at the client’s request. Occasionally, our clients request access to our audit files. Typically, this relates to requests from internal audit or from managers wishing to be provided with our descriptions of their accounting systems. In these situations, the audit Principal should attempt to satisfy the client’s request through means other than review of our audit files, providing such information does not undermine the independence of the Office or audit team members; and
- for external inspections conducted by the provincial institutes.
Auditors refer any third-party request for access to audit information to the Office Access to Information and Privacy (ATIP) Coordinator or Legal Services.
Access to Information Act requests
To protect the confidentiality of the Auditor General’s audit, investigation, and examination records, section 16.1(1) of the Access to Information Act requires that the Auditor General of Canada refuse to disclose any record requested under that Act that “contains information that was obtained or created by them or on their behalf in the course of an investigation, examination, or audit conducted by them or under their authority.”
When consulted by an entity that has received a request to disclose audit-related material, the Office will request that the entity protect audit information for ongoing audits in its possession
- until an audit has been tabled or presented. The Office will request that the entity protect any audit information from disclosure under section 22 of the Access to Information Act; and
- including information related to tabled/presented audits. The Office will request that the entity protect those audit-related documents for which the OAG clearly exercises its control (i.e., the Reds). The Office will not ask entities to withhold any other audit-related information that they may possess.
Privacy Act requests
The Privacy Act protects the privacy of personal information collected, managed, and disposed of by the Government of Canada. The Privacy Act also gives Canadians the right of access to and correction of their personal information held by a government institution, except in limited and specific circumstances (exemptions and exclusions). The Office of the Auditor General is subject to the Privacy Act and as such, any Canadian citizen or permanent resident can request his or her personal information from the Office of the Auditor General. If the Office is in possession of the requested personal information, the Office is obligated to release this personal information regardless of whether it is part of our audit documents or not.
Because the views of an individual about another individual are the personal information of that other individual, auditors are cautioned against making unnecessary references to individuals in marginal notes or comments in audit records. References by auditors that could be regarded as inflammatory by the individual referred to should be avoided. Care should also be taken in formulating questions for interviews where the response will be recorded in the audit file.
Professional ethics require that we guard the confidentiality of the information we obtain from the entities that we audit. As a result, the Office has consistently taken the position that we will not produce our audit files voluntarily. However, Office documents can be obtained through a court order: a subpoena (in criminal proceedings), or a summons (in administrative/civil proceedings).
When legal proceedings are commenced against entities that we audit, audit documents that have been left in their possession would not be protected from disclosure if they are relevant to the litigation. The law requires parties to litigation to disclose all relevant documents that are, or have been, in their possession, control, or power. The use of Office red paper to exert control over audit documents does not exempt them from disclosure in legal proceedings, particularly if they have remained in the possession of the entity.
In cases where the entity has returned audit documents to the OAG before the threat of litigation has been made, it is more likely that our documents will not be required to be disclosed. Auditors should therefore ensure that Office controlled documents are returned at the end of the audit (refer to Direct Engagement Manual Section 9020—Management of controlled documents). The entity would still have to disclose that the relevant OAG documents were in its possession at one time, but a court order requiring us to produce the documents could only be made if the court was satisfied that it would be unfair to one of the parties to proceed to a hearing without the documents.
Auditors should bear in mind that Office documents in the possession of an audit entity, as well as being subject to the Access to Information Act, may also be produced by that entity in a legal proceeding. Consequently, the content and tone of the document, whether electronic or paper, should withstand public scrutiny. Auditors should exercise care and professional judgment when communicating in writing.
Immunity under the Auditor General Act
Section 18.2 of the Auditor General Act gives the Auditor General, and those acting under his or her direction, immunity from being sued or prosecuted for anything done, reported, or said in good faith in the course of performing statutory audit powers, duties, or functions.
Section 18.1 of the Act provides a different kind of immunity—testimonial immunity. Specifically, the Auditor General, and those acting under his or her direction, are not competent or compellable witnesses in relation to matters that come to their knowledge while performing audit powers, duties, or functions. In other words, the law does not allow Office representatives to testify in legal proceedings about information that is discovered during audits. The only exception to this testimonial immunity relates to perjury prosecutions.
Both sections provide immunity to the Auditor General and those persons (employees and contractors) acting under his or her direction. However, these sections do not apply to OAG documents, including audit documents.
The OAG IT security policies, procedures and guidelines provide direction for travelling with laptops.
After final assembly of the audit file, Records Operations restricts access, enables proper distribution, and provides confidential storage of electronic and hardcopy engagement documentation.
The audit working paper software functionality identifies any electronic working papers that have been changed following their review.
OAG Audit 1172 provides further guidance on maintaining the integrity of working paper files.
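The statement above that the audit working paper software identifies working papers changed after their review describes a content-integrity control: a review sign-off fixes what was reviewed, and any later change without a fresh sign-off must be detectable. The following added example (not OAG code, not the audit working paper software's own implementation) shows one way such a control works in practice: each sign-off records the reviewer, the time and a SHA-256 digest of the paper's content, and an integrity report later recomputes the digests and flags papers that were edited after review or never reviewed. All function names, data structures and sample working papers are constructed for the illustration.

```python
"""Added example: detecting working papers changed after reviewer sign-off.

A review sign-off records who reviewed a working paper, when, and a SHA-256
digest of its content at that moment. A later integrity check recomputes the
digest and flags any paper whose content no longer matches, which is the
situation CSQC 1.A57 warns about (documentation altered without the firm's
knowledge). Names, structures and sample papers are constructed for this
example and are not taken from any real audit file.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class SignOff:
    """One review sign-off: paper identifier, reviewer, timestamp, digest."""
    paper_id: str
    reviewer: str
    reviewed_at: str
    sha256: str


def digest(content: bytes) -> str:
    """SHA-256 hex digest of a working paper's bytes."""
    return hashlib.sha256(content).hexdigest()


def review_sign_off(ledger: Dict[str, SignOff], paper_id: str, content: bytes,
                    reviewer: str, when: Optional[datetime] = None) -> SignOff:
    """Record a reviewer sign-off for the paper as it exists right now."""
    when = when or datetime.now(timezone.utc)
    entry = SignOff(paper_id, reviewer, when.isoformat(), digest(content))
    ledger[paper_id] = entry
    return entry


def changed_after_review(ledger: Dict[str, SignOff], paper_id: str,
                         current: bytes) -> bool:
    """True if the paper's current content differs from what was reviewed."""
    entry = ledger.get(paper_id)
    if entry is None:
        raise KeyError(f"{paper_id}: no review sign-off on record")
    return digest(current) != entry.sha256


def integrity_report(ledger: Dict[str, SignOff],
                     papers: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every paper as 'unchanged', 'changed after review' or 'not reviewed'."""
    report: Dict[str, str] = {}
    for paper_id, content in papers.items():
        if paper_id not in ledger:
            report[paper_id] = "not reviewed"
        elif changed_after_review(ledger, paper_id, content):
            report[paper_id] = "changed after review"
        else:
            report[paper_id] = "unchanged"
    return report


# Constructed sample file: three working papers (hypothetical identifiers).
SAMPLE_PAPERS: Dict[str, bytes] = {
    "WP-100 audit program": b"Step 1: obtain entity org chart.\nStep 2: ...",
    "WP-210 interview notes": b"Interview with CFO, 2020-06-01: controls described.",
    "WP-300 conclusion": b"Sufficient appropriate evidence obtained for criterion 1.",
}


def demo() -> Dict[str, str]:
    """Sign off two papers, edit one afterwards, and report on all three."""
    ledger: Dict[str, SignOff] = {}
    for paper_id, content in SAMPLE_PAPERS.items():
        if paper_id != "WP-300 conclusion":       # WP-300 is left unreviewed
            review_sign_off(ledger, paper_id, content, reviewer="A. Reviewer")
    # Simulate an edit made after sign-off without a fresh review.
    after_edit = dict(SAMPLE_PAPERS)
    after_edit["WP-210 interview notes"] += b"\n(amended after review)"
    return integrity_report(ledger, after_edit)


if __name__ == "__main__":
    for paper, status in demo().items():
        print(f"{paper}: {status}")
```

The ledger itself must be protected from the same editing rights as the working papers (for example, kept in the software's own database rather than alongside the files), otherwise a user who can alter a paper can also alter its recorded digest; a keyed MAC or a signature over each sign-off entry would close that gap where the storage cannot be trusted.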
The audit file should contain only significant audit material, in particular, sufficient, appropriate audit evidence. This will reduce both the number of prepare/review sign-offs required and the task-processing slowdowns that occur with larger audit files. In addition, using PROxI will improve the file management process and provide enhanced capability (not available in the audit working paper software) for sorting, searching, and managing documents (OAG Audit 1111 Nature, purpose, and extent of audit documentation and OAG Audit 1112 Entity documentation and electronic (email) audit evidence).
Principles for handling external documents for performance audits and special examination are as follows:
- Audit teams should use PROxI as the repository for all external electronic documents received during the course of an audit, ensuring that these are logged in and stored appropriately until they are needed as part of the documentation of an audit step.
- When an audit team member determines that an external document is needed, he or she should copy the document, or at least the relevant parts of it, into the electronic audit file.
- All audit work prepared by a member of the audit team must be reviewed by a more experienced team member. The preparer of a received document is the team member who makes a professional judgment about the significance of the document to the audit. The reviewer is the team member who reviews the prepared working paper(s)/audit step(s) that the external document(s) support.
- Early in the reporting stage, the engagement leader should ensure that a final review of all received external documents stored outside the electronic audit file is undertaken. The purpose of this review is to assess, before dating the assurance report, whether any documents received by the team but not transferred into the audit file could affect the audit conclusions reached or the content of the report. The engagement leader should document this review, and subsequent conclusions or actions, in the audit working paper software as part of the audit file.
- According to current Office policies (OAG Audit 1191 Retention policies and procedures), following the engagement leader’s review, audit teams should dispose of transitory documents unless they feel that retention of these documents would enhance the Office’s knowledge of the entity, in which case the documents are filed in the knowledge of business file.
Electronic documents, including email saved as files, that are password protected or encrypted must have the password or encryption removed before saving in PROxI or in the audit working paper software.
Removing a password from a file involves resaving the file without the password. However, an encrypted email saved using the default process (the .msg extension) retains its encryption, so team members must remove the encryption before saving the message.
Auditors are encouraged to perform regular backups of their individual workstations as prompted by the IT backup application.
The IT Group is responsible for establishing requirements and implementing procedures for data backup and recovery in anticipation of the failure of a single system or any short-term or localized service failure. The backup process offers recoverability for servers and workstations. IT systems are designed to ensure that data can be recovered from known trusted checkpoints after any security incident.
The IT Group develops continuity plans to recover from service disruptions.
During the retention period (OAG Audit 1191), the IT group performs compatibility testing to ensure the files in the audit working paper software can be retrieved and accessed if technology is upgraded or changed.