What to Expect—An Auditee’s Guide to the Performance Audit Process in the Territories—November 2018
Table of Contents
- A message from the Auditor General
- 1. Introducing performance audits
- 2. Phases of a performance audit
- 3. Key documents
- 4. Recommendations and responses
- 5. Tabling report
- 6. After the audit
- 7. Access to entity information
- 8. Handling and treating information
- 9. Interactions with internal audit offices in the territories
- 10. Interactions with audit committees in the territories
- 11. Long-term audit plan—Strategic Audit Plan
- Appendix: A road map for performance audits
A message from the Auditor General
Questions often arise about how we conduct our performance audits. The organizations that we audit, entities, want to know what to expect from us and what we expect from them. The purpose of this document is to provide answers to these questions by outlining
- our objectives,
- the principles governing interactions between auditors and auditees, and
- information about our audit process.
The objectives of our relationships with the audited entities are to
- make an ongoing and consistent effort to understand the context in which government departments, corporations, and agencies do their work;
- promote open two-way communication; and
- act professionally and objectively.
The underlying principles that guide the work of the Office of the Auditor General of Canada (OAG) are to ensure respectfulness, trust, and integrity while maintaining our independence, professionalism, and objectivity.
Ultimately, the aim is to better serve Legislative Assemblies by ensuring that our performance audit reports and recommendations are fair and objective. Moreover, we trust they are seen to be fair and objective by those responsible for making the necessary changes in how the governments in the territories manage public funds.
I hope that this information provides entity officials with a valuable reference that will encourage productive and respectful relations between audited entities and my audit staff.
Michael Ferguson, CPA, CA
FCPA, FCA (New Brunswick)
Auditor General of Canada
1. Introducing performance audits
Performance audits examine the government’s activities or programs against established criteria to answer the following questions:
- Are activities or programs being run with due regard for economy, efficiency, and environmental impact?
- Does the government have the means in place to measure the effectiveness of its activities or programs?
In other words, a performance audit is an independent, objective, and systematic assessment of how well the government is managing its activities, responsibilities, and resources.
Performance audits are planned, performed, and reported in accordance with professional auditing standards and with policies of the Office of the Auditor General of Canada (OAG). Audits are conducted by qualified auditors who
- establish an audit objective and criteria for the assessment of performance,
- gather the evidence necessary to assess performance against the criteria,
- report both positive and negative findings,
- conclude against the established audit objective, and
- recommend improvements when there are significant differences between criteria and assessed performance.
Performance audits contribute to a public service that is effective and a government that is accountable to the Legislative Assembly and Canadians.
Performance audits do not question the merits of government policies. Rather, they examine the government’s management practices, controls, and reporting systems based on its own public administration policies and on best practices.
An audited organization or entity (“the auditee”) is a department, a corporation, or an agency in the territories that is subject to an audit under the Auditor General Act, the Nunavut Act, the Yukon Act, or the Northwest Territories Act.
A performance audit may involve the following:
Audit team—A team of auditors at the OAG responsible for conducting an audit. The team reports to an engagement leader and may include contract staff assigned to the team.
Auditor—A member of an audit team who may be either an OAG employee or contract staff assigned to the team.
Engagement leader—Usually an OAG Audit Principal (PX) with the overall responsibility for conducting performance audits that may involve one or more entities. The engagement leader manages the entire audit cycle and ensures the quality of audit products produced by the team.
OAG entity principal—An OAG Audit Principal (PX) designated to serve as the senior liaison or point of contact between the OAG and the audited entity. The entity principal coordinates with other OAG teams on audits affecting the entities for which he or she is responsible.
Lead auditor—Usually an OAG Audit Director who manages the audit project and a team of auditors on a day-to-day basis.
Deputy head—Usually the entity’s senior executive with the overall responsibilities for the subject being audited. It can be a deputy minister of a department, a president of a corporation, an agency, or a commission.
A performance audit may also involve the following:
Adviser—An individual recognized as a leader in a field of expertise. Advisers are selected by the audit team to advise—but not decide—on the scope and significance of audit issues, lines of enquiry, identified risks, and audit scope. An adviser may be internal or external to the OAG and is selected on the basis of skills, expertise, relevant knowledge on a particular topic, and experience.
2. Phases of a performance audit
A performance audit consists of three phases:
- examination, and
The audit team of the Office of the Auditor General of Canada (OAG) acquires appropriate knowledge of the audited entity, the activities or programs to be audited, and the current issues facing the entity. The audit team makes various inquiries as part of the planning phase to get a good understanding of the subject being audited. In fact, some specific inquiries are required by auditing standards. The team uses this knowledge to develop its audit strategy, which includes an Audit Plan Summary and audit programs.
The team also identifies its initial information needs and specifies entity areas, locations, or sites where the team expects to conduct preliminary fact finding. The team may travel to specified locations to meet entity officials and acquire appropriate knowledge of the audited entity and the subject matter being audited.
Entity notification. To initiate the audit, the OAG sends a letter of notification and solicitor-client privilege to the deputy head (or equivalent) of the entity. This letter formally notifies the deputy head (or equivalent) of the OAG’s intention to conduct an audit, and requests timely access to information and personnel. The entity will be asked to respond within five working days of its receipt of the letter.
Multiple entities. Issues may apply to more than one organization in the territories. When a performance audit includes many departments, corporations, or agencies, the OAG
- sends letters of notification and solicitor-client privilege to all entities included in the audit scope, and
- informs each entity of the administrative arrangements to follow when meeting or communicating with the OAG.
The audit team gathers the evidence to support its findings and conclude against the audit objective. During the audit, the entity can expect the audit team to request documentation, interviews with personnel, and access to premises during site visits to ensure there is sufficient and appropriate evidence to assess the entity’s performance against the criteria. Early in this phase, the team would also indicate any plans to rely on work conducted by, or on behalf of, the entity’s internal audit unit.
The audit team formally presents, in writing, the findings against the criteria used, the conclusion against the audit objective, and the recommendations. There are two key audit drafts provided for the entity’s comments:
- the principal’s draft report (called the PX draft), and
- a final draft report (called the transmission draft).
Before publishing a final report, the OAG provides entities with the opportunity to review and comment on draft audit reports. This opportunity allows entities to validate facts and provide responses to the recommendations for inclusion in the audit report.
During this phase, the audited entity
- arranges timely meetings between the entity’s senior management, other staff, and the OAG to discuss the audit subject matter;
- provides the audit team with the information needed to understand the areas subject to audit, as well as information on lines of responsibility, sources for the criteria, risks, management concerns, and any related internal audits, evaluations, or studies; and
- facilitates any field visits and access to premises or project sites.
After receiving the notification and solicitor-client privilege letter, the deputy head (or equivalent) of the entity is expected to acknowledge in writing that the entity will respect the confidentiality of the OAG-controlled documents to be provided during the course of the audit. This acknowledgement also confirms that the entity will comply with any requests that the OAG makes for access to relevant documents under the control of the entity, including those documents to which solicitor-client privileges are attached.
The entity is expected to identify one of its officials as its contact person for the audit. The contact person
- is the main point of contact between the entity and the audit team;
- can facilitate the flow of information between entity officials responsible for the subject matter of the audit and the audit team to help advance the audit process, and minimize miscommunication or misplacement of documents;
- informs the audit team by email of the entity’s language preference for the Audit Plan Summary, the PX draft, and transmission draft; and
- provides a list of recipients who need electronic access to OAG-controlled documents.
The entity is also expected to brief its staff on the audit’s purpose, process, and timetable.
At the end of the planning phase, the entity is also required to review the Audit Plan Summary and acknowledge its responsibilities for the subject being audited. The entity should also review the terms of the engagement, including the suitability of the criteria as a basis for assessing whether the audit objective has been met.
Entity officials are expected to review and sign off on documented meeting and interview minutes prepared by the OAG, when required. Officials should normally sign off within five working days of receiving the minutes.
The entity is expected to review the draft reports, validate facts and provide responses to any recommendations made. The entity is also expected to confirm that it has provided the OAG with all information requested or information that could significantly affect the findings or the conclusion of the audit report.
The audit team reviews the audit schedule and key milestones with entity officials to determine whether any changes are needed. If changes are needed, the parties are expected to discuss how best to adjust deadlines to ensure the quality of reports within the OAG’s report production schedule.
The team also discusses how the OAG will brief the entity’s senior management on the results of the audit.
Opening meeting. The team holds an opening meeting with entity officials, including the deputy head (or equivalent) where appropriate, to
- discuss the planned audit, and
- gain a better understanding of the areas being audited.
Before the meeting, the audit team notifies the audited entity of the main topics to be discussed. The entity is expected to make every effort to ensure that the appropriate entity officials attend this meeting.
Audit meetings and briefings. The level of officials participating in audit meetings and briefing sessions depends on the subject matter discussed and on officials’ availability.
To reinforce ongoing communication, the contact person at the entity(ies) should have the authority and responsibility to
- set up meetings during the audit,
- ensure that appropriate individuals attend the meetings, and
- help resolve any problems or barriers to completing the audit.
The OAG will provide the entity with an opportunity to discuss the proposed audit plan.
The entity is expected to discuss issues with the audit team and indicate any changes that are underway that relate to the subject matter under audit. The entity should also be prepared to answer questions related to the topics discussed at meetings with the team.
The team periodically briefs entity officials and senior management on emerging findings throughout this phase and ensures that it gets the views of the deputy head (or equivalent).
Officials are expected to participate in briefings to
- understand the nature and the implications of the findings,
- understand the proposed recommendations, and
- ask the OAG questions related to the audit.
The OAG’s engagement leader normally offers to consult with the entity’s senior management at various key decision points during the audit.
How the OAG will brief the audited entity should be agreed on before the examination phase ends. Appropriate senior entity officials are expected to participate in these briefings.
The audit team offers briefings to senior entity officials to seek their views on the validity and completeness of audit evidence, audit findings, conclusions, and recommendations, including corrective actions to be taken. The OAG makes every effort to resolve disagreements quickly, professionally, and respectfully.
3. Key documents
During the course of an audit, there are several key documents that the Office of the Auditor General of Canada (OAG) and the audited organization, or entity, will be responsible for.
|Timeline||Documents from OAG||Documents from entity|
|Start of audit||
|End of planning phase||
|One week after tabling||
At the end of the planning phase, the OAG provides entities with an Audit Plan Summary, a document that shows
- the audit objective;
- the audit scope and approach;
- the audit criteria and their sources;
- the responsibilities of the entity and the OAG;
- the plans, if any, to rely on the work of the entity’s internal audit; and
- the audit timetable and team.
Objective, scope, approach, and criteria
The OAG team meets to discuss the audit objective, scope and approach, and criteria as stated in the Audit Plan Summary. The OAG grants the entity’s contact person and identified recipients electronic access to a controlled version of the Audit Plan Summary.
After the OAG sends the Audit Plan Summary to the audited entity, the OAG asks the deputy head (or equivalent) to provide, within the established timeframe, written acknowledgement of
- the entity management’s responsibility for the subject matter of the audit, and
- the suitability of the audit criteria against which the entity will be assessed.
The OAG asks each audited entity to formally acknowledge its responsibility for areas included in the audit scope.
The team informs the audited entity(ies), in writing, of any significant changes made to the Audit Plan Summary and, if needed, issues a revised version to the entity.
The entity informs the OAG if these changes affect the entity’s position on management’s responsibility for the area under audit or the suitability of the criteria.
If required, the OAG discloses, with an appropriate explanation in the audit report, any unresolved disagreements about criteria or the entity management’s acknowledgement of its responsibility for the program or area being audited.
The audit team seeks written comments on the principal’s PX draft report. Auditing standards also require the team to seek written confirmation that the audited entity has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding information classified as Cabinet confidence).
The team also asks for draft responses to the recommendations (modified, as appropriate, to reflect discussions).
The team provides electronic access to a controlled copy of the draft report to identified recipients.
All audited entities receive the full PX draft if they all agree to this approach. This gives them the full context of the audit and allows them to see the complete findings and conclusions. Otherwise, they receive only the portions of the PX draft relevant to their own operations. Only entities mentioned directly in recommendations are required to respond to them.
Discussions about the draft report
The audit team may need to meet with entity officials to discuss the entity’s comments. Such meetings are scheduled with due consideration for the report production schedule.
The OAG’s engagement leader meets with the deputy head (or equivalent) or other senior management as appropriate to discuss the draft, including the suitability of the proposed audit recommendations and the potential responses to them.
Expectations for entities
Each audited entity is expected to
- review the draft report,
- provide its position on the accuracy of the text,
- flag any disputed facts (accompanied by all the supporting evidence it has),
- inform the team of any new developments,
- provide written confirmation that it has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding information classified as Cabinet confidence), and
- provide written responses to the recommendations.
Updates to the report
After careful consideration, the team revises the PX draft if necessary to reflect the discussions and comments received from
- each audited entity, and
- applicable third parties (other organizations not included in the audit scope but identified directly or indirectly in the report).
If required, the deputy head (or equivalent) or designate is expected to meet with the engagement leader to try to resolve any outstanding issues and reach either an agreement or a clear, shared understanding of points on which they “agree to disagree.”
Some sections of the draft are highlighted, indicating text that will be reproduced in the OAG’s report communications products.
While acquiring audit evidence, the OAG encourages entity officials to validate facts. This validation will help to ensure the evidence’s accuracy, relevance, and completeness.
This validation process may require a series of meetings with entity officials to ensure they agree on the facts gathered during the audit examination and field work.
While validating facts, entity management, including senior entity officials, is expected to examine all statements of fact and provide corrections with appropriate supporting evidence if it identifies
- factual errors,
- context changes, or
- new information.
The entity is expected to review the PX draft and provide its position on any disputed facts, accompanied by all supporting evidence.
The audit team prepares an updated draft, called the transmission draft report. The transmission draft
- reflects the disposition of discussions between the OAG audit team and the entity at the PX draft stage, and
- includes the final recommendations and draft entity responses to recommendations.
The OAG audit team provides identified recipients and the entity’s contact person with electronic access to a controlled copy of the draft report.
The transmission draft is submitted in the preferred official language(s) of the entity (as per the agreement established with the audited entity during the planning phase).
Expectations for deputy heads (or equivalent)
The deputy head (or equivalent) is expected to
- confirm that the audit report is factually accurate,
- confirm the final responses to the recommendations, and
- specify areas of and reasons for disagreement.
After the facts in the PX draft are confirmed and validated, the OAG normally sends a complete copy of the transmission draft to all entities covered by the audit scope. The draft includes the draft entity responses to recommendations. The entities are expected to
- provide final comments, and
- confirm that their responses to the recommendations are final.
If the entity has requested the transmission draft in both official languages, both versions will be sent at the same time.
If the entity has requested the transmission draft in one official language only, the translation of the final report is provided a week before the report is tabled in the Legislative Assembly. No additional comments or sign-offs are required.
For reports tabled in the Legislative Assembly of Nunavut, specific arrangements will be agreed to during the course of the audit regarding the Inuktitut translation of the transmission draft.
If required, the OAG discloses, with an appropriate explanation in the audit report, any unresolved disagreements around the validity of facts. This may include confirmation from the entity that it has provided all information of which it is aware that has been requested or that could significantly affect the findings or the conclusion of the audit report (excluding Cabinet confidences).
4. Recommendations and responses
Performance audits usually include recommendations that direct audited entities to positive changes they can make for the most serious deficiencies reported. Recommendations address areas where there are significant risks to the entity if deficiencies remain uncorrected.
Recommendations should be
- fully supported by and flow from the associated findings and conclusions;
- aimed at correcting the underlying causes of deficiencies; and
- directed specifically at the entities responsible for taking action on them.
During the examination phase of a performance audit, the audit team periodically offers to brief entity officials on emerging findings.
The team also encourages discussion of proposed recommendations as they are developed, and seeks views on actions needed to correct problems.
At the end of the examination phase, the audit team seeks the views of entity officials to enable the development of clearly stated and action-oriented recommendations.
This gives the audited entity time to prepare responses and develop an action plan. The team asks the deputy head (or equivalent) or other senior management to provide input to ensure that recommendations are practical and feasible to implement.
The principal’s PX draft report issued to the audited entity contains a complete set of draft recommendations. In a letter accompanying this draft, the OAG’s engagement leader offers to meet with the deputy head (or equivalent) or other senior management officials to discuss the recommendations. The discussion should include, among other things, how suitable and practical the draft recommendations are, and what the entity’s probable responses to them will be.
The letter asks the entity to send a formal, written draft response to the recommendations and provides a deadline for the response.
The subsequent transmission draft report contains the full text, the recommendations, and the entity’s draft responses. The team asks the deputy head (or equivalent) to confirm in writing that the report is factually accurate, and to comment on any disagreements. The team also asks the deputy head (or equivalent) to confirm that the responses to the recommendations are final.
Responses to recommendations are not a vehicle for disagreeing with the audit findings. The audit team and the audited entity must try to resolve any unsettled disputes. If this is not possible and the entity does not agree with the recommendation, the response must state the reason. This response will be included in the report.
If a matter has not been resolved by the time the transmission draft is issued, the team will raise it with the Assistant Auditor General. Failure to respond within the specified timeframe could result in the report being published without the entity’s responses.
Members of the Legislative Assembly are more likely to react favorably to responses that are clear and concise, and that describe specific actions and timeframes.
The OAG has established limits on the content and publication of entity responses and will not normally publish
- general responses or global comments to reports,
- entity responses where no recommendations were made, and
- entity responses where no new recommendations were made in a follow-up report from a previous audit.
The OAG determines whether the wording of the entity’s responses is appropriate and sufficient, and expects a response to
- clearly indicate whether the entity agrees or disagrees with the recommendation;
- have a maximum of 200 words;
- be consistent with the “Agreed” or “Disagreed” statement; and
- provide a basis for a potential future follow-up, including timelines and actions that the entity’s senior management intends to take to respond to the recommendations, and clear accountability from senior management.
Final responses to the transmission draft must be received within OAG-specified timeframes to be published in the report.
Publishing an audited entity’s response to a recommendation gives the government the opportunity to inform the Legislative Assembly whether the entity agrees with the recommendation, and how and when the entity intends to act.
The OAG reserves the right to
- edit responses;
- decline to include material that does not respond to a recommendation;
- omit material that repeats report content; and
- exclude from a published report responses, or parts of responses, that it believes false or misleading.
The audit team informs the entity of any significant changes made to final responses.
5. Tabling reports
In advance of a report tabling, the Auditor General or a senior OAG representative may arrange to meet with the Minister responsible for each audited entity.
On the day that a report of the Auditor General is tabled in the Legislative Assembly, the OAG may participate in
- a confidential preview for members of the Legislative Assembly,
- a briefing for journalists (media lock-up),
- a news conference for journalists, and
- media interviews.
Confidential preview for members of the Legislative Assembly
All members of the Legislative Assembly are invited. Those who attend the preview receive copies of the report and related communications material.
Journalists who attend media activities will be offered copies of the report and related communications material. Depending on the timing of report tabling and available resources on site, the media briefing may be under embargo.
The news conference is open only to journalists and usually occurs after the report is tabled.
The Auditor General or the senior OAG representative on site is available for interviews with journalists following the report tabling.
In some instances, members of the Legislative Assembly, the media, or the public may want additional information about the audited entities or audit subject matter not included in the report.
It is OAG policy to not provide such information. Any questions for further information or background are referred to the audited entity.
6. After the audit
To understand past performance and to identify possible areas for improvement, the Office of the Auditor General of Canada (OAG) believes that obtaining feedback from audited entities is important.
The OAG conducts post-audit surveys on various aspects of the audit experience after Auditor General reports have been tabled in the Legislative Assembly.
The deputy head (or equivalent) of the audited entity receives the survey and is expected to respond in a timely manner. Survey results are aggregated, analyzed, and included in a summary report produced annually. Results are reported to Parliament in the OAG’s performance report.
The Auditor General or other OAG representatives often appear before the legislative committee responsible for public accounts to answer questions about OAG reports after they are tabled.
Departmental and other entity representatives are also present at hearings.
Audited entities are encouraged to provide a detailed action plan to address the audit recommendations they agreed to, including specific actions, completion timelines, and responsible individuals. These are presented to the legislative standing committee responsible for OAG reports after the audit is tabled in the Legislative Assembly. If the entity is invited to appear before the committee to discuss the findings of this audit, the entity should provide, when feasible, an action plan to the committee prior to the hearing.
Sometimes the OAG conducts follow-up audits of specific audit recommendations and issues of concern raised in past audit reports that continue to pose a significant risk, or continue to be of interest to the Legislative Assembly. The OAG completes these audits in the same manner as other performance audits, following professional auditing standards.
The audit team may identify issues that are less important than those included in the report tabled in the Legislative Assembly, or that fall outside the audit scope but are of interest to the audited entity. The team communicates these issues to the entity, as appropriate, through a
- verbal communication, or
- formal management letter.
If a management letter is issued, the OAG may request a written response to the issues raised in it, including any proposed actions to be taken and a target completion date.
The OAG may also choose to follow up on these issues at a later date.
7. Access to entity information
Federal legislation allows audit teams at the Office of the Auditor General of Canada (OAG) to access the following from audited entities:
- documents, and
OAG auditors are entitled to receive all information they determine is relevant and necessary to enable them to carry out their audits and examinations. This may include documents, reports, data, or explanations from members of the public service and from officers, employees, or agents.
As OAG auditors identify the information they need and who they need to interview, the audited entity is to give them access. The information that the entity should supply, upon request, includes all forms of communication—written, visual, auditory, and electronic—whether in final or draft form. The exception is draft Financial Management Board submission material.
Deputy heads (or equivalent) should ensure that
- their personnel establish a respectful and constructive working relationship with the OAG, and
- they supply the information needed to fulfill the OAG’s legislative mandates.
OAG auditors are entitled to access documents that may be subject to solicitor-client and other privileges. To ensure that this access does not affect the privilege attached to the documents, the OAG makes a formal written request for access to such documents at the start of the audit.
The OAG issues a letter of notification and solicitor-client privilege to the deputy head (or equivalent) requesting timely access to information and personnel under the powers granted by the Auditor General Act, the Nunavut Act, the Northwest Territories Act, and the Yukon Act. This access may include, among other things, documents that may be subject to solicitor-client and other privileges.
The deputy head (or equivalent) is expected to acknowledge in writing that the entity will comply with its duty under the acts and that providing the documents to the OAG does not constitute a waiver of any privilege attached to the documents. The exchange of letters maintains the privileged nature of the information provided to the OAG for audit purposes.
The OAG respects the confidentiality of the documents and does not refer to them in its reports.
When the audit team identifies entity staff for an interview, the staff must be made available. It is unacceptable and inappropriate for the entity to coach staff prior to an interview with auditors or to filter information requested by the OAG. As a general rule, to encourage candour and complete responses, only entity staff being interviewed should be present during the interview. Under certain circumstances, the audit team and the audited entity may agree that observers at an interview are appropriate, but it is up to the OAG to decide when they are.
The fact that a document is not accessible to the public through an Access to Information request is not a valid reason for denying access to OAG staff. The provisions of the Access to Information Act do not apply to the Auditor General’s access to information for audit purposes.
Auditors who encounter problems obtaining information during an audit, such as delays, will report the problems to the engagement leader. If the problems continue, the engagement leader will attempt to resolve the issue with the entity’s contact person, or if necessary, with senior management.
In some circumstances, a delay in providing requested documents or information can amount to a denial of access. The Auditor General may report such cases to the Legislative Assembly.
Electronic information is preferred, but paper copies are acceptable. Information may be provided while audit teams are visiting entity locations or via mail, email, or electronic secure networks. The security level of the documentation may determine the transmission method, in order to ensure the confidentiality of the information.
Information can include all forms of communication—written, visual, auditory, and electronic—whether in final or draft form.
This information includes but is not limited to any relevant
- pictorial or graphic work,
- sound recordings,
- videotapes, or
Auditors may take extracts and make photocopies, unless security classifications dictate otherwise.
The audit team maintains a register of documents requested and received during an audit.
Access to information and to privileged information begins once
- the entity has been notified of the start of a performance audit or of the strategic audit planning exercise, and
- the deputy head (or equivalent) has responded to the OAG’s letter of notification and solicitor-client privilege.
Entity officials should instruct their employees to make themselves and information available, as they would for any other important business. Timely access to information is essential for the Auditor General to meet reporting obligations to the Legislative Assembly. Entity officials should respond expeditiously to OAG requests for information.
The time required to produce information varies. It can be affected by such factors as the information’s format and location, and an individual’s availability.
| Type of information | Time frame to produce |
| --- | --- |
| Easily accessible | Five working days |
| Additional work to compile (such as data manipulation or archive searches) | Audit team and audited entity discuss and agree on time frame. |
Audit team members have access to an audited entity’s
- information for which they have the required level of security clearance, and
- staff who can provide the information.
Auditors must comply with the same security requirements that apply to the entity’s employees. Most OAG auditors have, at a minimum, the federal public service’s “secret” level designation.
At the start of an audit, the audit team provides the entity’s contact person with the names and security clearance levels of OAG and contract staff initially assigned to the audit. If any changes need to be made to this list during the audit, the team notifies the contact person.
8. Handling and treating information
During the audit process, the Office of the Auditor General of Canada (OAG) and the audited entity exchange information that needs to be handled and treated with due care.
One underlying principle of auditing is a duty of confidentiality with respect to an audited entity’s affairs.
The OAG makes every effort to ensure that it keeps audit information in its direct possession. The OAG’s Code of Values, Ethics and Professional Conduct requires that all staff be familiar with the security aspects of their work and consider it an important and essential individual responsibility.
For all information received from an entity, auditors must, at a minimum, comply with the same security arrangements that apply to the entity’s employees.
During the audit, the audit team provides the audited entity with controlled documents, such as the Audit Plan Summary, the principal’s PX draft report, and the transmission draft report. These protected documents are OAG property.
Entity staff members are required to respect the confidentiality of the content of OAG-controlled documents. They must ensure that these documents are not copied, reproduced, distributed, republished, downloaded, displayed, posted, or transmitted in any form or by any means without the prior written consent of the OAG.
References to controlled documents should contain only section and paragraph numbers. The contents of these documents must be treated with appropriate discretion. Disclosing the Auditor General’s findings prior to tabling is an infringement on the rights and privileges of the Legislative Assembly.
By default, controlled documents are submitted electronically to the entity’s contact person and to pre-identified recipients. The controlled documents can be accessed only during a specific period of time, until their access expires. Upon request from the entity, audit teams may provide a maximum of two paper copies of OAG-controlled documents for use by the deputy head (or equivalent) and the Minister.
When OAG-controlled documents in paper copies are provided to an entity, they are numbered and must be returned to the OAG within one week after the relevant report is tabled in the Legislative Assembly.
Entities must track the internal distribution of the provided OAG-controlled documents in paper copy (if any) and return them to the OAG. Entities are not permitted to destroy or shred these documents, and are expected to immediately inform the OAG if any are lost or made public.
The Access to Information Act, section 16.1(1), requires the Auditor General of Canada to refuse to disclose any record requested under the Act that contains information obtained or created by the OAG. This includes information obtained on its behalf in the course of an investigation, examination, or audit conducted by the OAG or under its authority. Members of the public cannot access audit plan summaries, draft audit reports, or other audit documents, such as audit working papers held by the OAG.
At the start of the audit, the entity confirms by email the language preference for the audit, in particular for the Audit Plan Summary, PX draft and transmission draft.
9. Interactions with internal audit offices in the territories
The Office of the Auditor General of Canada (OAG) regularly contacts internal audit offices in the territories to exchange general information about audits, including risks identified and other pertinent information.
10. Interactions with audit committees in the territories
The Office of the Auditor General of Canada (OAG) supports initiatives that strengthen departmental oversight.
The OAG wants to work with audit committees while maintaining its objectivity and preserving its independence from government.
The OAG welcomes the opportunity to
- inform audit committees in the territories about its audit plans (it appreciates receiving their input and discussing matters of mutual interest), and
- discuss its reports to the Legislative Assembly.
Regarding draft audit reports, the OAG does not confirm or validate fact-based audit information with audit committees. These documents are finalized through the normal OAG process with appropriate entity officials.
The OAG may share draft audit plans and reports with the chair of the audit committee if the deputy head (or equivalent) requests that we do so.
11. Long-term audit plan—Strategic Audit Plan
The Office of the Auditor General of Canada (OAG) prepares long-term audit plans for individual audited entities. It also prepares plans for sectoral topics over a multi-year period that typically cover all OAG audit activities for the entity. The long-term plans are referred to as Strategic Audit Plans.
The Strategic Audit Plan is a planning tool based on a risk assessment. The OAG uses these plans to
- focus OAG resources on the areas of significance and of a nature that should be brought to the attention of the Legislative Assembly;
- promote consistency in planning across OAG audit teams and product lines; and
- focus the audit selection process on key risks in entities or in sectoral topic areas across the organization, as well as on OAG priorities and focus areas.
OAG strategic audit planning can be done through a formal assessment exercise or through ongoing monitoring.
If strategic audit planning is done through a formal assessment, the OAG sends a letter to the deputy head (or equivalent) of each entity involved. This letter describes the OAG’s intention to carry out a systematic and risk-based exercise to determine the audit work that needs to be done. This work would take place over the next few years to fulfill the OAG’s responsibilities under the Auditor General Act.
If strategic audit planning is done through ongoing monitoring, the OAG requests to meet from time to time with the entity’s officials and may request documentation for various items.
The audit team reviews the entity's key documents, such as
- corporate plans,
- integrated risk management frameworks,
- performance reports to the Legislative Assembly,
- internal audit and program evaluation reports, or
- other entity reports.
The team reviews other key documents, such as
- Legislative Assembly committee reports,
- budget documents,
- past OAG audits, and
- information about the entities involved in the exercise.
Team interviews may take place with
- entity senior management (at headquarters and in regional offices),
- entity officials (at headquarters and in regional offices), and
- key external stakeholders and external experts, when appropriate.
Discussions can include but are not limited to
- building an understanding of key and emerging issues;
- short- and long-term audit plans;
- the general working relationship between the OAG and the entity;
- clarifying the nature of the OAG’s access to documents as necessary;
- extenuating circumstances, such as pending legislative or regulatory approvals, or changes that may require changes to future audit plans;
- audit risks; and
- the OAG’s assessment of risks compared with those identified by the entity.
When the Strategic Audit Plan exercise begins, the deputy head (or equivalent) or other senior management of each entity involved in the Strategic Audit Plan is expected to inform the audit committee and others in the organization who need to know about the exercise.
When the OAG prepares a Strategic Audit Plan, the deputy head (or equivalent) or other senior management of each entity involved is expected to provide documents and participate in interviews as requested.
Appendix: A road map for performance audits
The following road map shows the key steps that need to be followed when conducting a performance audit.
OAG—Office of the Auditor General of Canada
PX draft—Principal’s draft report
A roadmap for performance audits—text version
- The OAG issues a letter of notification and solicitor-client privilege to the deputy head (or equivalent) of the audited entity, requesting timely access to information and personnel.
- The deputy head (or equivalent) acknowledges the responsibility for complying with requests to access information and accepts the responsibility for managing OAG-controlled documents.
- The OAG and the entity’s senior management have an opening meeting.
- The OAG carries out the planning work by interviewing and interacting with entity staff.
- The OAG sends the Audit Plan Summary to the entity.
- The entity responds within the established timeframe and provides written acknowledgement of the suitability of audit criteria and of management responsibilities for the program or area being audited.
- The OAG keeps entity officials informed of emerging audit findings.
- The OAG meets with the entity’s senior management near the end of the examination work to confirm facts and discuss recommendations.
- The OAG meets with the entity’s senior management to discuss early draft findings and recommendations.
- The OAG issues the principal’s PX draft report with draft recommendations.
- The OAG meets with entity officials to discuss the PX draft.
- The deputy head (or equivalent) confirms in writing that all information that has been requested or that could significantly affect the findings or the conclusion of the audit report has been provided (with the exception of information classified as Cabinet Confidence).
- The entity submits comments on the PX draft to the OAG (last opportunity to submit evidence).
- The entity submits its draft responses to the recommendations.
- The OAG issues the transmission draft report.
- The entity sends the deputy head (or equivalent) sign-off on the transmission draft.
- When possible, certain entity representatives can preview communications material prepared by the OAG before the tabling of the report.
- The OAG issues a management letter (when appropriate).
- The entity ensures that OAG-controlled documents shared in paper copies (if any) have been returned to the OAG within one week of tabling.
- The OAG sends a post-audit survey to the entity.
- The entity responds to the post-audit survey.