COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
9020 Management of Controlled Documents
Aug-2021
Overview
Certain audit documents provided to entity officials or to other external parties (such as external advisers) are considered to contain sensitive information. As such, these documents are labelled as protected and are controlled. Entity officials and other external parties must not copy, reproduce, or disclose their contents.
CSAE 3001 Requirements
There are no directly applicable CSAE 3001 requirements and no related application material.
OAG Policy
Certain audit documents sent to the audited entity or other external parties shall be controlled for external circulation. OAG policy requires audit teams to use the electronic form, via the Controlled Document Interface (CODI). Individual access is managed by the OAG and access is revoked within the required time frame. Upon request from the entity, teams may provide a maximum of two hard copies of OAG controlled documents. These paper documents are numbered, recorded in the team’s register of hard copy controlled documents, and returned to the OAG within the required time frame. [Nov-2017]
To prevent leaks and protect the confidentiality of audit work, OAG employees are not allowed to transport hard copy controlled documents outside Office’s premises. This information shall only be processed electronically, using OAG laptops. [Nov-2015]
OAG Guidance
Circulation of documents
The following are audit documents that are controlled for external circulation:
-
special examination plans, if deemed necessary by the engagement leader;
-
principal’s draft, subsequent amended versions, extracts, detailed responses to disposition tables that contain draft audit report extracts; and
-
transmission drafts (deputy minister’s drafts or audit committee’s drafts), subsequent amended versions, extracts, detailed responses to disposition tables that contain extracts of the draft audit report.
Other audit documents distributed outside the OAG are also subject to control requirements when they contain anything that could be construed as the result of audit work (e.g., key messages, preliminary or actual audit findings, conclusions, or recommendations). The engagement leader determines whether such documents need to be controlled and returned.
When the controlled document contains material with security implications or special sensitivity, it may be more appropriate to meet to review and discuss the document, rather than send it to the entity. An example of this type of document is a strategic audit plan, which describes risks to the entity that could be interpreted as audit conclusions, should the document be made public. A third-party reference (OAG Audit 8060 Third-party references) is another example where there is a risk that information may be disclosed before tabling.
The letter of notification and solicitor-client privilege (for performance audit) and the engagement and solicitor-client privilege letter (for special examinations) sent to entities at the beginning of an audit informs them of the confidential nature of controlled documents and that they are responsible for creating and following appropriate procedures to ensure the confidentiality of the documents entrusted to their care (OAG Audit 2030 Communication with the audit entity: initial and ongoing). Subsequent cover letters including the draft special examination plan (if the Engagement Leader deems it necessary to send the special examination plan as a controlled document), the PX draft document, and the transmission draft document, remind entity officials that the information contained in these respective controlled documents must be treated as confidential. Controlled documents should be distributed electronically or, at the request of the entity, in hard copy form (a maximum of two copies).
Controlled Documents—Electronic Form
CODI is used to manage document distribution and access privileges. The audit team communicates the process to entity officials (including the head of internal audit and/or audit liaison). The detailed information for entities is contained in CODI Instructions for Entity Officials (see guidance section below). Subsequent cover letters including those for the draft special examination plan (if needed), the PX draft, and the transmission draft, remind entity officials that the information contained in these respective controlled documents must be treated as confidential.
Individual access is managed by the OAG audit team. Two weeks before the document transmittal, the audit team requests the names and email addresses of all officials who will receive the OAG document. A new request is made for each controlled document during the audit using the CODI Email validation form. Audit teams should assess the reasonableness of the number of recipients requested by entities, taking into consideration the size of the entity, regional staff, and number of programs or sections audited. A week before the document transmittal, the audit team completes the registration process for the document recipients.
Each document in electronic form must follow a set of mandatory default parameters. For example, a three day access to documents offline is set as a default parameter that can be modified by the audit team under exceptional circumstances. The default parameter for revocation of access privileges is the day after tabling day. If necessary, this period can be shortened or extended.
The entity officials registered in CODI must authenticate their credentials to access the information before they can read the document, comment on it, and forward copies with their comments attached to other authorized users, or back to the OAG. The document cannot be modified, copied, printed, or converted, in whole or in part. Once officials no longer need access to the document, or the day after tabling or the day after the final special examination report has been transmitted to the board of directors, the OAG revokes access privileges.
The Office also distributes controlled documents via CODI to its own third parties including external advisers and others who are under contractual agreement with the OAG and bound to confidentiality. All third parties should be advised that OAG-controlled documents are not to be copied or reproduced either in whole or in part without the prior written consent of the OAG.
Audit teams should not forward OAG-controlled documents directly to third parties identified by entities (non-entity officials). Entities can forward our controlled documents to parties who are not entity officials (e.g. departmental Audit Committee members, contractors with the entity). However, these third parties must be registered in the CODI system. Therefore, the entity must send the email addresses of all third parties it wishes to share our controlled document with to the OAG so that the Office can register these parties in the CODI system. Once they have been registered, the entity can forward our controlled document and the third parties can open it. However, in connection with notifying entity officials that they and identified third parties have been registered in our CODI system, the audit team should remind entity officials that they are responsible for creating and following appropriate procedures to ensure the confidentiality of the documents entrusted to their care.
Government of Canada policies and rules governing the Handling and Safeguarding of Classified and Protected Information are found at: https://www.tpsgc-pwgsc.gc.ca/esc-src/msc-csm/chap6-eng.html.
For detailed procedures on how to use the system, see CODI Guidance for OAG Employees; for detailed procedures for entity officials, see CODI Instructions for Entity Officials; and for procedures for external parties who are under contract with the OAG, see CODI Instructions for the Office of the Auditor General’s External Parties under the guidance section below.
Controlled Documents—Hard Copy Form
At the request of the entity, a maximum of two (2) hard copies of controlled audit documents may be provided to entities for use by the Deputy Head and the Minister. These copies are prepared on red-bordered paper, clearly indicating that they are the property of the Office of the Auditor General. These copies are also numbered and dated. Audit teams must enter the appropriate information in a register of hard copy controlled documents.
When hard copy controlled documents are used by OAG employees in the course of their audit work, they are not allowed to transport these controlled documents outside Office’s premises (such as draft audit reports). This information shall only be accessed electronically, using OAG laptops.
Return of documents
Controlled Documents—Electronic Form
Access privileges to controlled documents in electronic form are revoked by the OAG once recipients no longer need access to the document, or at the latest the day after tabling of the report, or after the final special examination report has been transmitted to the Board of Directors.
Controlled Documents—Hard Copy Form
If hard copies were sent to external parties, they should be returned to the audit team immediately after they have served their useful purpose; for example, immediately after an audit advisory committee meeting or audit committee discussion, but no later than one week after the report is tabled in the House of Commons or the final special examination report has been transmitted to the Board of Directors.
The audited entity is expected to inform the OAG immediately if a controlled audit document is lost or made public. Audit teams are required to make reasonable efforts to recover all copies of controlled documents. Reasonable efforts would normally involve reminders to the entity before the pre-arranged deadline, and follow up to recover any outstanding copies after the deadline. If the entity does not return the documents, the engagement leader contacts more senior entity managers, as necessary. Escalation to the assistant auditor general level is the next step before the team reports missing documents to the Office’s departmental security officer. The decision to write a formal letter to the deputy head/chief executive officer is up to the engagement leader, in consultation with the assistant auditor general. This decision may be influenced by the entity's system to track documents, entity efforts to recover the missing document(s), as well as the entity's previous record of returning controlled documents.
No later than six weeks after tabling, or transmission of the final report to the board of directors, audit teams must
-
reconcile in the register of hard copy controlled documents the numbered copies distributed with those returned from the entity or other external parties,
-
report any missing copies to the departmental security officer, and
-
retain the register of hard copy controlled documents in the audit file.
OAG Audit 1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation, contains further details about the security of audit documentation.