8060 Third-Party References


Audit reports often include direct and indirect references to organizations, groups, and individuals that are not included in the scope of an audit, for example, a professional body that sets professional or industrial standards. These are third parties to the audit. Third parties can be government departments and agencies, other levels of government, Crown corporations, suppliers or beneficiaries of government programs, commercial organizations, interest groups, and individuals.

Organizations or individuals that are to be cited, mentioned, discussed, identified or identifiable in the reports of the Auditor General should be advised in writing on a timely basis of the nature and substance of the proposed reference and asked to verify the accuracy and completeness of the statements made concerning them. Communicating with third parties enables the OAG to fulfill its duty of care to third parties to ensure that the references are accurate and fair, as well as promoting the objectivity and underlying evidence for the reports.

CSAE 3001 Requirements

There are no directly applicable CSAE 3001 requirements and no related application material.

OAG Policy

At the same time as issuing the principal’s draft to audited entities, teams shall verify the accuracy and completeness of statements in audit reports that refer to third parties. [Apr-2015]

OAG Guidance

Audit teams sometimes refer to third parties and use information from them in their audit reports. If the reference is part of an audit finding, for example, in a case study or in a description of technical or professional standards, the audit team must notify the parties and ask them to verify the accuracy and completeness of statements concerning them. Third parties receive this notification when they are identified in the report, or are identifiable. Third-party notification is also required if the team uses information from or about a third party as contextual information in the introduction.

Notifying the third party is not necessary if an audit report contains information that is frequently cited outside the source organization and is in the public domain; for example, numerical data from Statistics Canada. However, the source must be stated. Third-party notification is also not necessary for the sources of audit criteria that are set out in audit reports.

Audit teams provide third parties with the extracts of the principal’s (PX) draft where the third party is identified or is identifiable. These are controlled documents and must be treated appropriately, as described in OAG Audit 9020 Management of controlled documents. Third parties are also instructed to keep the content of the extracts in the strictest confidence until after the relevant report is tabled in Parliament or provided to the board of directors. When it is important to control sensitive information, the audit team should consider meeting with representatives of the organization, or with the group or individual, to discuss the information, rather than sending extracts of the draft report to the third party. The discussion can also take place by video- or teleconference. Once the information is verified and any edits have been decided, the team requests that the third party provide written agreement by a specified date.

Engagement leaders should consult Legal Services for guidance when they have concerns with the legal implications of comments pertaining to third parties or when difficulties with third parties occur.

Legal Requirements

There are three primary statutes of a general nature, governing the release of information (including third party names) that affect the Office: the Auditor General Act, the Access to Information Act and the Privacy Act.

  • The Auditor General Act contains several provisions governing our access to information for audit purposes and requiring the Office, among other things, to report to the House at various times on the results of our work. The act requires that the Office comply with any security requirements applicable to, and to take any oath of secrecy required to be taken by, persons employed in department or Crown corporation.
  • The Access to Information Act regulates the disclosure of information held by government institutions and provides for release of information, other than personal information, after consideration as to whether any of the permitted exemptions from release contained in the Act apply. It applies to the Office, but the act has an exception for any record that contains information that was obtained or created by the Office in the course of an investigation, examination or audit.
  • The Privacy Act prevents the disclosure of personal information concerning an individual. “Personal information” means information about an identifiable individual that is recorded in any form. However, some exceptions may apply.

Different legal and transparency considerations may apply depending upon whether the third party is an individual, a corporation or a public body. There may be specific statutes permitting or prohibiting the release of certain types of information. For example, the Income Tax Act has provisions governing the access to, use and disclosure of taxpayer information. If a statute is meant to apply notwithstanding the Access to Information Act or the Privacy Act, it will usually say so clearly. If there is any confusion as to whether another piece of legislation is meant to prevail, Legal Services should be consulted.

Notification Procedures

All third parties mentioned in the report, whether identified or identifiable, must be notified of the reference. When the third party is not identified in the report and a decision has been made to disclose the identity, if asked, either to a parliamentary committee or to the media, the third party must be so informed. Likewise, the audit team should discuss the proposed disclosure decision with the department. It is therefore essential that the department be consulted to ensure that, if the department were presented with an Access to Information request concerning identity, no grounds exist for the department to refuse to disclose. A written response should be sought from departments.

Disclosure in the Report

It may be appropriate to name the third party in the body of the report. Such a situation could arise where the third party is a prominent public body, for example, a province, municipality or other governmental body. It may also arise in the case of a corporation that is clearly identifiable as the party discussed in the audit report. The decision to name a third party in the report will be based on a combination of legal requirements and the importance/necessity of presenting the most complete information within the report itself. Where the matter being reported has already received some publicity and the facts of the situation are familiar to the public, as well as the name of the third party, as is often the case, there is little to be served by not disclosing the name in the report. However, if there is a specific statute preventing the disclosure of the third party’s identity, the Office will not reveal the name in an audit report.

The decision to name third parties in the report involves an exercise of judgment, balancing the advantages to complete reporting by naming third parties against their legitimate privacy or confidentiality interests and legal requirements.

Disclosure before Parliamentary Committee

Although a third party may not be named in the body of a report, a question as to identity may be posed during the Committee hearings that follow tabling of the report. A different set of considerations may come into play in arriving at a decision as to whether or not to respond to such a question.

Witnesses before parliamentary committees enjoy parliamentary privilege. Freedom of speech means that witness testimony before a parliamentary committee is precluded from a review by the courts. However, despite this immunity, there may well be valid reasons for non-disclosure, even when pressed by the Committee. The Office may feel constrained by, for example, a specific statutory prohibition against disclosure. There may be other public policy reasons for non-disclosure. In such a situation, the Office can present the case for non-disclosure to the committee. Where the Committee insists on public disclosure, it is open to the Office to refuse. While standing committees have the power to order the disclosure of information, a standing committee has no means of enforcing the order on its own and must refer the matter to the House. The Office will only be compelled to provide the information where the Committee has obtained an order of the House, requiring disclosure.

Again, legal considerations will not be the sole determinant of whether or not to disclose. A decision is still required as whether or not it is appropriate to disclose before a committee.

Disclosure to the Media

Where the Office chooses to identify third parties outside this reporting structure, an informal risk assessment should be carried out. If the identity is already a matter in the public domain, for example through other published government sources such as the Public Accounts, it will generally be “safe” to disclose. Report authors should establish the extent of information already in the public domain to determine whether a decision to disclose the identity to the media can be justified. However, where there is no reference to the third party in the public domain, the Office should carefully assess its reasons for disclosure, since disclosure at this level may be viewed as made solely for the enhancement of media relations. As a general rule, unless the third party is a public body, there will be no disclosure to the media in the absence of a pre-existing reference in the public domain to the third party and its connection with the audit matter.