COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
2060 Accessing/Requesting Audit Documentation
The right of access of the Office of the Auditor General of Canada (OAG) to both entity information and individuals to fulfill our responsibilities set out in legislation is broad and almost unconstrained. Our access is governed by legislation specific to the type of direct engagement:
- performance audit reports to Parliament and to northern legislative assemblies, and
- special examinations of Crown corporations.
It is our responsibility to determine and request what we require in order to conduct and complete our audits or examinations. This entitlement cannot be overridden except by specific statutory provision to the contrary.
CSAE 3001 Requirements
There are no directly applicable CSAE 3001 requirements.
CSAE 3001 Application Material
A52. Seeking the agreement of the appropriate party(ies) that it acknowledges and understands its responsibility to provide the practitioner with the following may assist the practitioner in determining whether the engagement exhibits the characteristic of access to evidence:
(a) Access to all information of which the appropriate party(ies) is aware that is relevant to the engagement, such as records, documentation and other matters;
(b) Additional information that the practitioner may request from the appropriate party(ies) for the purpose of the engagement; and
(c) Unrestricted access to persons from the appropriate party(ies) from whom the practitioner determines it necessary to obtain evidence.
The Auditor General of Canada’s access entitlement is governed by legislation:
- the Auditor General Act for performance audits
- the Financial Administration Act for special examinations
- the Yukon Act, Northwest Territories Act, and Nunavut Act for territorial audits
Therefore, there is no need for additional policy in this regard. The OAG’s auditors are entitled to information they determine is necessary to carry out their audits, including information that would not necessarily be accessible by the public under the Access to Information Act or the Privacy Act. [Nov‑2011]
The OAG’s right to access and request audit documentation for performance audits to Parliament relies on the following:
Section 13 (1) of the Auditor General Act concerning the Auditor General of Canada’s entitlement to “free access at all convenient times to information that relates to the fulfilment of his or her responsibilities” and the entitlement to “require and receive” information, reports and explanations from members of the federal public administration
Sections 13 (2) to (4) concerning stationing of OAG staff in departments, security requirements, and powers of inquiry
For audits of Crown corporations, the OAG’s right of access relates to Section 144 of the Financial Administration Act:
Section 144 (1) On the demand of the auditor or examiner of a Crown corporation, the present or former directors, officers, employees or agents of the corporation shall furnish such
(a) information and explanations, and
(b) access to the records, documents, books, accounts and vouchers of the corporation or any of its subsidiaries
as the auditor or examiner considers necessary to enable him to prepare any report as required by this Division and that the directors, officers, employees or agents are reasonably able to furnish.
For performance audits of territorial governments, the OAG’s right of access is governed by the respective territorial acts:
Yukon Act—Section 37 (2) Except as provided by any law made by the Legislature that expressly refers to this subsection, the Auditor General is entitled to free access at all convenient times to information that relates to the fulfilment of his or her responsibilities and is entitled to require and receive from the public service of Yukon any information, reports and explanations that he or she considers necessary for that purpose;
Northwest Territories Act—Section 43 (2) Except as provided by any law of the Legislature that expressly refers to this subsection, the Auditor General is entitled to free access at all convenient times to information that relates to the fulfilment of his or her responsibilities and is entitled to require and receive from the public service of the Northwest Territories any information, reports and explanations that he or she considers necessary for that purpose;
Nunavut Act—Section 48 (2) Except as provided by any law made by the Legislature that expressly refers to this subsection, the auditor of Nunavut is entitled to free access at all convenient times to information that relates to the fulfilment of the auditor’s responsibilities and is entitled to require and receive from the public service of Nunavut such information, reports and explanations as the auditor considers necessary for that purpose.
Principles for access to entity information
The OAG’s right of access is broad and limited only in the sense that the information sought by the Auditor General must be deemed to relate to the fulfillment of the Auditor General’s responsibilities according to the legislation under which the audit is conducted. The OAG has the right to access information that was created or received by the audit entity as part of its duties, unless the information is a Cabinet document (access to which is governed by the process described further below) or there are other statutory provisions governing access to the information by the OAG.
Furthermore, the fact that a document is not accessible under the Access to Information Act by the public is not a valid reason to deny us access; neither is the fact that the information is confidential business information or was supplied to the entity in confidence. The confidentiality of audit information acquired by the OAG is discussed in OAG Audit 1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation.
Generally, there are five concepts that are key to understanding the Auditor General’s rights and responsibilities:
“Free Access”—refers to “unimpeded and uncontrolled” access to information and individuals that relate to the fulfillment of our responsibilities. This means we have the right to take extracts from the information and make copies of the information required for audit purposes.
“Convenient Times”—infers suitable, easily accessible, proper, and not troublesome access to information or individuals. As a general rule, this refers to normal business hours.
What we have access to—The OAG has the right to acquire and retain what in our judgment we need to fulfill our responsibilities under the legislation that governs us. It is information that supports audit observations and conclusions, including any findings leading to recommendations. Auditors have the right to make, receive, and retain copies of any of this information under our mandate if it is relevant within the scope of the audit.
Who has access—For the purpose of conducting our day-to-day work as auditors or examiners of Crown corporations, all members of the OAG involved in the audits and examinations would be entitled to access. As a general operating principle, the audit team members (managers and staff) have access to entity information for which they have security clearance and to the individuals who can provide it. However, some sensitive information (such as executive compensation) may be limited to audit management, or access is granted on a need-to-know basis within the audit team.
Formal requests and remedies—In rare circumstances when auditors have persistent serious problems obtaining access to information, the OAG, with input from Legal Services, may make written requests, usually to assistant deputy ministers, deputy ministers, or their equivalents, for specific information and then if that information is not received, we report the matter to Parliament.
Right of access
Once an entity has been notified by letter of the start of a direct engagement, auditors proceed with obtaining access to entity information and interviewing entity employees. The OAG’s access rights also extend to documents that may be subject to solicitor‑client and other privileges, as explained in the letter of notification and solicitor‑client privilege (OAG Audit 2030 Communication with the audit entity: initial and ongoing).
The audit team has an opportunity to explain the OAG’s access rights during introductory meetings with the entity. By acknowledging the letter of notification and solicitor‑client privilege, deputy heads confirm their responsibility for ensuring that, during the course of the audit, the OAG’s audit teams have efficient and timely access to entity materials and may arrange interviews and meetings with entity employees. Entities should ensure that their employees understand the Auditor General’s access rights. While we are not required to justify our need to the entity, the concept of need should be linked to the fulfillment of our responsibilities and to the significance of the observation to be supported by the information sought. To avoid problems with the entity staff questioning the access of individual team members, we should communicate to entity officials the names of the OAG staff and contractors at the beginning of the audit or as they join the audit team.
During introductory meetings, the team also establishes time frames for receiving requested information. Usually, documents that are easily accessible should be received within five working days of the request. The audit team and the entity liaison officer or other entity representatives can agree on a later date for receipt when the entity requires more time to find or compile documents. The team should make its requests for information as precise as possible. However, OAG staff members should be able to obtain information even if they cannot know the title of the document or location, but they can still make a request based on a description of the contents. The altering or pre-screening of files by the entity is not acceptable. If the team believes that entity officials are altering or screening requested documents, team members have the right to directly access files and documents stored in the entity’s cabinets or on computers.
Interviews with individuals
The Auditor General also has access to entity staff for interviews (OAG Audit 2030 Communication with the audit entity: initial and ongoing). We determine whom we wish to interview specifically within the requirements of the audit and more generally within our enabling legislation. Under the Auditor General Act, we have access to members of the federal public administration. With respect to Crown corporations, the access is broader in that we have access to both current and former directors, officers, employees and the agents of the Crown corporations. When an audit team decides to interview a deputy minister or an assistant deputy minister, the audit principal, in their capacity as engagement leader, should notify the assistant auditor general who will consider participating in the interview.
At times, an audit entity might attempt to screen or determine which entity staff are available for the audit team to interview. This practice is in our opinion unacceptable if it impedes our access to information to fulfill the requirements of the audit. The audit team should be alert to this possibility and immediately contact the audit entity to resolve the situation.
There is nothing preventing entities from having staff members other than those who we are interviewing present at those interviews. However, this practice can be intimidating to an entity staff member being interviewed. When their presence at interviews effectively impedes our access, then the audit team should immediately take the necessary steps to seek corrective action with the audit entity, starting with the manager in the area under audit and, as necessary, contacting the entity’s liaison officer.
Denial of access
Auditors encountering problems with access during an audit should not agree to any restrictions on the right of access. They should immediately report the problem to the audit team management. It is advisable that the audit team clarify with the audit entity starting with the manager in the area under audit whether there was a misunderstanding by entity staff about the OAG’s right of free access to information and individuals. If a lack of free access continues to be a problem for the audit, the audit team management should contact the liaison officer in the entity and indicate the timeline to resolve the issue. Should this approach not improve the access within established timelines, the audit team management should discuss the situation with senior management of the entity. The measures set out in the 2010 Protocol Agreement on Access by the Office of the Auditor General to Cabinet Documents may be used to resolve the access dispute.
If the audit team is unable to obtain a document or data set or interview with a requested entity staff member within a reasonable period of time (for example, during an audit phase), the audit team has an overall set of steps to follow to escalate an issue of unresolved access:
A senior member of the OAG audit team should contact the entity liaison officer to seek an explanation for the delay.
The matter is reported to the audit team principal who will consider communicating with the senior entity official for the audit (normally the assistant deputy minister or the equivalent level) and attempt to get the matter resolved.
The matter is referred to the assistant auditor general and Legal Services, who will consider raising the matter with the deputy head.
Lastly, the assistant auditor general would seek a meeting with the Auditor General accompanied by the principal and a representative from Legal Services to discuss the matter and seek agreement to send a letter and draft report paragraphs on the access problem to the deputy head.
If it is agreed to proceed with the above approach, a letter to the deputy head should be prepared for the assistant auditor general’s, deputy auditor general’s, or auditor general’s signature setting out the circumstances related to the request for the document or data set. The letter ought to indicate that the holdup amounts to a denial of access, and in turn creates a government-imposed scope limitation on our audit that we are required to report to Parliament under both professional standards and the Auditor General Act. In addition, a paragraph or paragraphs should also be drafted for inclusion in the report to indicate that the denial of access has caused a government-imposed scope limitation. The nature and extent of that limitation should be clearly articulated and the text describing it in the letter and paragraph should be reviewed by Legal Services.
Maintaining security of entity documents
Since the OAG obtains protected information, it also has an obligation to ensure that it does not disclose or act in a manner that unintentionally results in the disclosure of entity information that would not otherwise be accessible. Under section 13(3) of the Auditor General Act, the Auditor General requires all OAG employees who conduct audits to comply with any security requirements applicable to the entities that the OAG audits. The security of audit information held by the OAG is discussed in OAG Audit 1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation.
Occasionally, audit teams may want access to information that is particularly sensitive. In these cases the OAG has tried to facilitate access without entering into formal protocols. Teams should contact Legal Services for advice.
OAG requests for Cabinet documents
Neither Cabinet nor Treasury Board documents are provided by entities as a regular part of our audits. Cabinet Confidences can be obtained through Legal Services. Audit teams must not accept Cabinet documents directly from the entity being audited. Audit teams should request Cabinet documents only if the documents are directly pertinent to the audit work; teams should not probe for information that the documents might contain.
Cabinet documents are considered “confidences of the Queen’s Privy Council of Canada” and are usually classified as secret. They include submissions to and decisions made by Cabinet and Cabinet committees, Cabinet agendas, and draft legislation. Auditors have access to Cabinet documents (as noted in the order-in-council: PC2018‑0535), but access is given only when auditors follow a specific protocol that is managed by the OAG’s Legal Services.
While essential audit information may be contained in Cabinet documents, auditor access is limited to the analysis and decision documents, and does not include access to any recommendations made to a Cabinet minister.
In May 2010, the Privy Council Office provided information and guidance to departments and agencies about providing the Auditor General with access to certain Cabinet documents. When the audit team wishes to request Cabinet documents, the entity being audited provides the titles and reference numbers. The team refers the requests to Legal Services which, on behalf of the OAG, initiates the process to obtain the documents through the Privy Council Office or the Treasury Board of Canada Secretariat, as appropriate.
Documentary evidence collected or examined during the audit process—planning, examination, or reporting phases—is critical to support findings of the audit reports. The following direction is provided to assist the receipt of documents prior to the clearance of audit reports with the entity or entities being audited. Note that this course applies only to documents that are not confidences of the Queen’s Privy Council of Canada, access to which is governed by separate policy guidance.
Performance audit and special examination audit teams are encouraged to establish and maintain a register of documents requested and received throughout the audit. The register should indicate
- the nature/title of the document;
- the name of the person from whom it has been requested, with job title and entity name;
- the expected and actual date of receipt;
- the name of the audit team member responsible for receiving the document;
- the reference showing where and how (electronic or print) the team has stored the document;
- actions that have been taken to obtain the document if not received on time; and
- an explanation if the document was not received.
If a document is easily accessible, it should be received normally within five working days of the request. The audit team should negotiate with the entity liaison officer or other entity representatives an agreed upon time frame of receipt if the retrieval of the documents requested requires more work for the audit entity or entities (for example, creation or manipulation of data). In addition, more time may also be needed in unusual circumstances—such as recovery from archives.
Audit teams may establish various administrative arrangements limited to matters that ensure the efficient conduct of the audit and should in no manner limit or constrain the OAG’s right of access. If there is any doubt about access restrictions, teams should contact Legal Services.