2030 Communication with the Audit Entity: Initial and Ongoing
Aug-2021

Overview

A successful outcome of an audit is when entity management implements the audit recommendations. This is more likely to happen if the audit team builds and sustains a constructive working relationship with the entity. Therefore, good communication between the team and the entity is essential.

CSAE 3001 Requirements

24. The practitioner shall accept or continue a direct engagement only when: (Ref: Para. A31-A34)

[…]

(c) The basis upon which the engagement is to be performed has been agreed, through:

[…]

(ii) Confirming that there is a common understanding between the practitioner and the engaging party of the terms of the engagement, including the practitioner's reporting responsibilities.

29. The practitioner shall agree the terms of the engagement with the engaging party. The agreed terms of the engagement shall be specified in sufficient detail in an engagement letter or other suitable form of written agreement, written confirmation, or in law or regulation. (Ref: Para. A55-A57)

30. The practitioner shall seek the responsible party’s written acknowledgement of responsibility for the underlying subject matter. If the practitioner does not obtain such acknowledgement, the practitioner shall:

(a) obtain other evidence that the responsible party is responsible for the underlying subject matter, such as a reference to legislation or a regulation; and

(b) consider how the lack of the responsible party’s written acknowledgement might affect the practitioner’s work and conclusion.

31. The practitioner shall seek to obtain from the responsible party, written acknowledgement that the criteria are suitable for the engagement. When such acknowledgement cannot be obtained, the practitioner shall consider the effect, if any, on the practitioner’s work and report.

33. The practitioner shall not agree to a change in the terms of the engagement where there is no reasonable justification for doing so. If such a change is made, the practitioner shall not disregard evidence that was obtained prior to the change. (Ref: Para. A58)

46. If it is discovered after the engagement has been accepted that one or more preconditions for a direct engagement is not present, the practitioner shall discuss the matter with the appropriate party(ies), and shall determine:

(a) Whether the matter can be resolved to the practitioner’s satisfaction;

(b) Whether it is appropriate to continue with the engagement; and

(c) Whether and, if so, how to communicate the matter in the assurance report.

61. The practitioner shall request from the appropriate party(ies) a written representation that it has provided the practitioner with all information of which the appropriate party(ies) is aware that has been requested or that could significantly affect the findings or the conclusion of the assurance report. (Ref: Para. A52-A53 and A137-A139)

81. The practitioner shall consider whether, pursuant to the terms of the engagement and other engagement circumstances, any matter has come to the attention of the practitioner that is to be communicated with the responsible party, the engaging party, those charged with governance or others. (Ref: Para. A191-A197)

CSAE 3001 Application Material

A52. Seeking the agreement of the appropriate party(ies) that it acknowledges and understands its responsibility to provide the practitioner with the following may assist the practitioner in determining whether the engagement exhibits the characteristic of access to evidence:

(a) Access to all information of which the appropriate party(ies) is aware that is relevant to the engagement, such as records, documentation and other matters;

(b) Additional information that the practitioner may request from the appropriate party(ies) for the purpose of the engagement; and

(c) Unrestricted access to persons from the appropriate party(ies) from whom the practitioner determines it necessary to obtain evidence.

A53. The nature of relationships between the responsible party and the engaging party may affect the practitioner’s ability to access records, documentation and other information the practitioner may require as evidence to complete the engagement. The nature of such relationships may therefore be a relevant consideration when determining whether or not to accept the engagement. Examples of some circumstances in which the nature of these relationships may be problematic are included in paragraph A140.

A55. It is in the interests of both the engaging party and the practitioner that the practitioner communicates in writing the agreed terms of the engagement before the commencement of the engagement to help avoid misunderstandings. The form and content of the written agreement or contract will vary with the engagement circumstances. For example, if law or regulation prescribe in sufficient detail the terms of the engagement, the practitioner need not record them in a written agreement, except for the fact that such law or regulation applies and that the appropriate party acknowledges and understands its responsibilities under such law or regulation.

A56. In certain types of engagement, agreeing on the terms and conditions of the engagement may be done before the commencement of the engagement using an engagement letter. For other types of engagement (such as performance audits in the public sector), the details typically included in an engagement letter (such as the engagement objective, scope and criteria to be used) are known only at the end of the initial planning phase. In such cases, agreement on the terms of the engagement is obtained from the appropriate party at the end of the initial planning phase.

A57. Law or regulation, particularly in the public sector, may mandate the appointment of a practitioner and set out specific powers, such as the power to access an appropriate party(ies)’s records and other information, and responsibilities, such as requiring the practitioner to report directly to a minister, the legislature or the public if an appropriate party(ies) attempts to limit the scope of the engagement.

A58. A change in circumstances that affects the intended users’ requirements, or a misunderstanding concerning the nature of the engagement, may justify a request for a change in the engagement, [...]

A191. Matters that may be appropriate to communicate with the responsible party, the engaging party or others include fraud or suspected fraud.

OAG Policy

The audit team shall maintain entity relations over the course of the audit by

  • making consistent efforts to understand the context in which the entity does its work,
  • promoting open two-way communications, and
  • acting in a professional and objective manner. [Apr-2015]

The performance audit team shall send a letter of notification/solicitor–client privilege to the deputy head of the audited entity to

  • inform the entity of the start of the audit, and

  • confirm with the entity that disclosure of documents to the audit team that may be subject to solicitor–client privilege is not a waiver of any privilege attached to the documents. [Apr-2015]

The special examination team shall issue a letter of engagement and solicitor–client privilege to the head of the Crown corporation to

  • confirm the respective responsibilities of each party,

  • seek acknowledgement of the terms and conditions under which the special examination will be performed,

  • request written acknowledgement of entity's responsibilities for the subject matter as it relates to the objective of the audit, and

  • confirm with the entity that disclosure of documents to the engagement team that may be subject to solicitor–client privilege is not a waiver of any privilege attached to the documents. [Nov-2016]

OAG Guidance

What the CSAE 3001 means for communication with the audited entity

The CSAE 3001 requires that

  • the audit team confirms the terms of the engagement with the audited entity,
  • the audit team seeks a written acknowledgement of responsibility from the audited entity for the subject under audit,
  • the audit team seeks a written acknowledgement from the audited entity that the criteria are suitable for the audit, and
  • the audited entity provides written confirmation that it has provided the audit team with all information that was requested during the course of the audit or that could significantly affect the findings or the conclusion of the audit.

In terms of OAG practices, this translates into the following official communications to be sent to the audited entity during the course of the audit:

  • notification / engagement letter to be sent before the start of the audit,
  • communication of the audit plan summary / special examination plan and accompanying letter to be sent at the end of planning phase, and
  • the PX draft and accompanying letter to be sent during the reporting phase.

Importance of building a solid and professional working relationship

Good communication between the audit team and the audited entity is essential to an audit.

The audit team maintains ongoing and regular communication throughout the audit, starting with early notification of the audit and discussions with the entity on the audit process, management’s responsibility for the subject area, and the terms of audit, including the audit objective and audit criteria (OAG Audit 4090 Audit plan summary for performance audits; OAG Audit 4100 Special examination plan).

The audit team should provide entities with the document What to Expect—An Auditee’s Guide to the Performance Audit Process (for performance audits), or What to Expect—An Auditee’s Guide to the Performance Audit Process in the Territories. These documents describe each aspect of the audit process. The documents also explain what the OAG expects from auditees as well as what auditees can expect during the audit. The Auditor General also meets periodically with senior entity officials to obtain their views on the OAG’s auditing and reporting practices.

The audit team informs the entity of any emerging findings as they arise to avoid any surprises later in the process, and responds to questions and concerns. The audit team also discusses the logistics of the reporting process, including the language requirements of the entity. Maintaining good relations includes listening carefully to entity comments and concerns, and discussing and promptly resolving any problems or difficulties as they occur during the course of the audit.

Ultimately, the audit team’s objective is to ensure that the audit report and recommendations are fair and objective and are seen to be fair and objective by those responsible for making the proposed changes.

Language requirements for the transmission of specific audit documents

Early in the audit, teams should discuss with the audited federal entity its language preference for the audit and obtain a written confirmation. The audit team needs to know the entity’s language preference early in the audit so timelines (T-minus dates and Key dates for Special Examination Reports) can be adjusted accordingly to allow the OAG’s Editorial Services and Translation team time to provide translation services. “Entity’s preference” means one OR both official languages as indicated by the entity. The entity may request to receive the Audit Plan Summary/Special Examination Plan, PX Draft and the Transmission Draft in only one official language or may request to receive the documents in both languages. If the entity requests the documents in both languages, they must be sent at the same time. If the Transmission draft is requested in one official language, the final version of the translated report is sent to the audited entities for their information, a week before tabling (for their preparation).

OAG documents Language of transmission
Letter of Notification and Solicitor-Client Privilege / Engagement and Solicitor-Client Privilege Letter Both official languages
Minutes of Meetings (when signature is required) Entity’s preference
Audit Plan Summary (APS) + APS Transmission Letter / Special Examination Plan + SE Plan Transmission Letter APS/SE Plan—Entity’s preference;
APS/SE Plan Transmission Letter—both official languages
Management Letter Entity’s preference, but note that if a Management Letter is sent to a Deputy Minister, then it should be in both official languages
PX Draft report to audited entities + PX Draft Transmission Letter PX Draft—Entity’s preference; PX Draft Transmission Letter—both official languages
Transmission Draft report to audited entities + Transmission Draft Transmission Letter Transmission Draft—Entity’s preference; Transmission Draft Transmission Letter—both official languages
Survey Following a Performance Audit, a Special Examination or a Study Both official languages

Initial communication with the audited entity

During the initial consultation phase, in cooperation with the audit team, the audited entity

  • arranges timely meetings between the entity’s senior management and other staff and the OAG to discuss the audit subject matter;
  • provides the audit team with the information needed to understand the areas subject to audit, as well as information on lines of responsibility, sources of criteria, risks, management concerns, and any related internal audits, evaluations, or studies that were published previously; and
  • facilitates any field visits to the entity or project sites.

Process when encountering problems with access. To avoid problems concerning the Office’s right of access, we need to be clear in our communications with entity officials at the outset. Transparent audit plans with clear iteration points accompanied by ongoing discussion with the audit entity will facilitate compliance with our requirements. Disputes regarding access to cabinet confidences should be resolved in accordance with the 2010 Protocol Agreement on Access by the Office of the Auditor General to Cabinet Documents (issued by PCO in May 2010).

Letter of notification / Engagement letter and solicitor–client privilege

The letter of notification and solicitor–client privilege (for performance audits) and the engagement and solicitor–client privilege letter (for special examinations) informs the deputy head or the head of the Crown corporation of the start of the audit and outlines the entity’s responsibility to provide access to information required to conduct the audit (OAG Audit 2060 Accessing/requesting audit documentation). In a special examination, the engagement and solicitor–client privilege letter also serves to obtain acknowledgement from entity management of its responsibility for the subject matter of the audit, and agreement on the terms of the engagement. Seeking such acknowledgment may help to avoid misunderstandings. In a performance audit, these confirmations are done later in the planning process as part of communicating the audit plan after the specific subject and scope of the audit are known (OAG Audit 4090 Audit plan summary for performance audits).

The letter of notification and solicitor–client privilege (for performance audits) and the letter of engagement and solicitor–client privilege (for special examinations) request access to, among other things, documents that may be subject to solicitor–client and other privileges. Solicitor–client privilege is the right to refuse to disclose, and to prevent others from disclosing, confidential communications made with a lawyer for the purpose of furnishing or obtaining professional legal advice or assistance. The Auditor General is entitled to such documents under the Auditor General Act. The letter explains to entities being audited that disclosure of such documents to the OAG is not a waiver of any privilege attached to the documents. The OAG treats the information in strict confidence. The letter also serves to inform the audited entity early in the audit process that a written confirmation related to the completeness of the information provided to the Office will be required at the end of the audit (see OAG Audit 8019 Submitting the principal (PX) draft and transmission draft).

The letter also states that entities are responsible for creating and following appropriate procedures to ensure the confidentiality of controlled OAG documents sent to the entity for review. Entities are responsible for returning all non-electronic controlled documents to the OAG within one week after tabling (OAG Audit 1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation).

After receiving the letter of notification and solicitor–client privilege (for performance audits) or the letter of engagement and solicitor–client privilege (for special examinations), the deputy head of the entity or the head of the Crown corporation is expected to acknowledge in writing that the entity will respect the confidentiality of the OAG-controlled documents to be provided during the course of the audit. This acknowledgement also confirms that the entity will comply with any requests that the OAG makes for access to relevant documents under the control of the entity, including those documents to which solicitor–client privileges are attached.

The engagement team must not commence the planning phase until the letter of notification and solicitor–client privilege (for performance audits) or the letter of engagement and solicitor–client privilege (for special examinations) has been signed by the entity. In the event that the audited entity refuses to sign the letter and provide acknowledgement of responsibility from management (for special examinations), the audit team should contact Legal Services.

Ongoing communication during the audit

The audit team holds an opening meeting with entity officials to discuss the areas to be audited and entity protocols. The entity is expected to respond to any request for information from the audit team, normally within five working days or within a mutually agreed time frame for documents that are not readily accessible. Audit team members who encounter a significant delay in obtaining information or who have been advised that they will not receive the required information during an audit, should seek advice from the director responsible for the audit and, if necessary, the engagement leader (OAG Audit 2060 Accessing-requesting audit documentation).

Other than Cabinet documents, which are tracked separately, audit teams keep a record of documents requested and received throughout all phases of the audit. This also avoids duplicate requests. The OAG has a different process for requesting Cabinet documents and Treasury Board submissions, which is described in OAG Audit 2060 Accessing-requesting audit documentation.

During the course of the audit, the audit team seeks input from entity management on the content of

  • the audit plan summary or the special examination plan, which states the area to be audited for which entity management has responsibility and sets out the criteria for the audit (OAG Audit 4090 Audit plan summary for performance audits; OAG Audit 4100 Special examination plan);
  • the principal’s (PX) draft, which includes contextual information, findings, conclusions, and recommendations. The audit team also requests entity management responses to the recommendations (OAG Audit 8020 Recommendations and entity responses); and
  • the transmission draft, which is the near-final draft before the audit report is published or transmitted to the Board (OAG Audit 8019 Submitting the principal’s (PX) draft and transmission draft).

Entity management is expected to provide timely, consolidated, and coordinated comments and feedback.

Audit team members follow the OAG’s protocol for meetings and interviews with entities:

  • The assistant auditor general should be informed of all planned interviews with senior government officials (deputy ministers, associate deputy ministers, assistant deputy ministers, heads of agencies, and chief executive officers).
  • The engagement leader should attend meetings with a deputy minister (or equivalent) or an assistant deputy minister. The assistant auditor general may attend the meeting or stand in if the engagement leader cannot attend.
  • Through regular consultation with the entity’s OAG liaison office (and the appropriate OAG team, if the entity is being audited as part of a multi-entity audit), audit teams should ensure they follow entities’ established protocols for senior-level meetings.

Audit Plan Summary / Special Examination Plan

At the end of the planning phase, the audit team sends the audit plan to the audited entity in order to seek to obtain an acknowledgement that the criteria are suitable for the audit. For a performance audit, the acknowledgement of management’s responsibility for the subject of the audit and the acknowledgement of the specific terms of the engagement are also sought and obtained at this stage, whereas this is obtained earlier, through the engagement letter, in the planning for special examinations (OAG Audit 4090 Audit plan summary for performance audits and OAG Audit 4100 Special examination plan).

The audit team should not agree to a change in the terms of the engagement if there is no reasonable justification for doing so.

PX draft and written confirmation that all information requested has been provided

Towards the end of the reporting phase, the audit team sends one PX draft to the audited entity to obtain comments on the draft. In addition to the request for entity responses to recommendations, the transmission letter also requests that the audited entity provides written confirmation that it has provided all information it is aware of that has been requested or that could significantly affect the findings or conclusion of the report (OAG Audit 8019 Submitting the principal’s (PX) draft and transmission draft).

Delegation of authority

The Office’s expectation is that the deputy head (or equivalent) shall sign off on the notification and solicitor–client privilege letter, the audit plan summary, and the factual accuracy of the transmission draft and the entity’s responses to our recommendations. The party responsible for the program or activity subject to the audit, usually an assistant deputy minister (ADM), deputy head or equivalent, shall provide the written confirmation that all the information that has been requested or that could significantly affect the findings or the conclusion of the audit report has been provided. In the event that these documents are signed by anyone other than the parties indicated above, the audit team should ask to obtain documentary evidence of delegation of signing authority from the entity.

Other communication with the entity for performance audits: departmental audit committees

As part of the OAG’s ongoing communication with an entity, the engagement leader and the assistant auditor general (if necessary) will offer to meet annually with entity senior management to understand current key issues and discuss the OAG’s short- and long-term audit plans and the general working relationship between the OAG and the entity.

Another opportunity for the OAG to interact with the entity is through the departmental audit committee. The Treasury Board Policy on Internal Audit calls for the deputy head of each department or agency, other than small entities, to establish a departmental audit committee. All audit committees have a majority of external members who have been recruited from outside of the federal public administration. Members from the federal public administration are limited to deputy heads and associate deputy ministers usually from within the department. The role of audit committees is to support the deputy head or equivalent in fulfilling his or her oversight responsibilities as the departmental accounting officer by providing advice on the adequacy of the entity’s control and accountability processes.

Senior audit team members are often invited to departmental audit committees as observers. The OAG sees this as an opportunity to inform departmental audit committees about its audit plans and to explain audit findings that have been cleared with departmental management. The OAG welcomes committee input in reviewing and assessing the adequacy of departmental responses and action plans, and in monitoring the implementation of audit recommendations.

The deputy head decides whether to share OAG documents with members of the departmental audit committee. The deputy head is accountable for ensuring that this is done in a manner that protects the confidentiality of audit information. In the case of controlled documents (OAG Audit 9020 Management of controlled documents), the deputy head is responsible for ensuring that sharing information is done in a manner that complies with the requirements set out in the letter of notification / solicitor–client privilege.

Although the OAG welcomes the committee’s views on the content of OAG documents, this is not part of the fact validation process for an audit. Documents are finalized through the normal OAG process with appropriate departmental officials. Any departmental audit committee work concerning OAG audit documents should respect OAG timelines for finalizing audit reports, where applicable.