1191 Retention policies and procedures
Jun-2020

Overview

This section describes the Office’s retention periods for audit files, how and where to retain audit files, and the importance of not deleting or discarding audit documentation before the end of its retention period.

CPA Canada Assurance Standards

Office

Annual Audit

Performance Audit, Special Examination, and Other Assurance Engagements

CSQC 1.47 The firm shall establish policies and procedures for the retention of engagement documentation for a period sufficient to meet the needs of the firm or as required by law or regulation. (Ref: Para. A60-A63)

Retention of Engagement Documentation (Ref: Para. 47)

CSQC 1.A60 The needs of the firm for retention of engagement documentation, and the period of such retention, will vary with the nature of the engagement and the firm's circumstances, for example, whether the engagement documentation is needed to provide a record of matters of continuing significance to future engagements. The retention period may also depend on other factors, such as whether local law or regulation prescribes specific retention periods for certain types of engagements, or whether there are generally accepted retention periods in the jurisdiction in the absence of specific legal or regulatory requirements.

CSQC 1.A61 In the specific case of audit engagements, the retention period would ordinarily be no shorter than five years from the date of the auditor's report, or, if later, the date of the group auditor's report.

CSQC 1.A62 Procedures that the firm adopts for retention of engagement documentation include those that enable the requirements of paragraph 47 to be met during the retention period, for example to:

  • Enable the retrieval of, and access to, the engagement documentation during the retention period, particularly in the case of electronic documentation since the underlying technology may be upgraded or changed over time;
  • Provide, where necessary, a record of changes made to engagement documentation after the engagement files have been completed; and
  • Enable authorized external parties to access and review specific engagement documentation for quality control or other purposes.

Ownership of engagement documentation

CSQC 1.A63 Unless otherwise specified by law or regulation, engagement documentation is the property of the firm. The firm may, at its discretion, make portions of, or extracts from, engagement documentation available to clients, provided such disclosure does not undermine the validity of the work performed, or, in the case of assurance engagements, the independence of the firm or its personnel.

CAS 230.15 After the assembly of the final audit file has been completed, the auditor shall not delete or discard audit documentation of any nature before the end of its retention period. (Ref: Para. A23)

Assembly of the Final Audit File (Ref: Para. 14-16)

CAS 230.A23 CSQC 1 (or requirements that are at least as demanding) requires firms to establish policies and procedures for the retention of engagement documentation. The retention period for audit engagements ordinarily is no shorter than five years from the date of the auditor's report, or, if later, the date of the group auditor's report.

Documentation

CSAE 3001.85 After the assembly of the final engagement file has been completed, the practitioner shall not delete or discard engagement documentation of any nature before the end of its retention period. (Ref: Para. A205)

CSAE 3001.A205 CSQC 1 (or other requirements that are at least as demanding as CSQC 1) requires firms to establish policies and procedures for the retention of engagement documentation. The retention period for assurance engagements ordinarily is no shorter than five years from the date of the assurance report.

OAG Policy

Retention periods for audit files are as follows:

  • financial audits—7 years,
  • audits of the annual summary financial statements of the Government of Canada—7 years,
  • special examinations—15 years,
  • performance audits and studies of departments and agencies—15 years,
  • sustainable development monitoring activities and environmental petitions—15 years, and
  • assessments of annual performance reports—7 years. [Nov-2011]

After the assembly of the final audit file has been completed, the auditor shall not dispose of audit documentation before the end of its retention period. [Nov-2011]

The auditor shall include a reference in the electronic audit file to the existence and physical location of any audit records retained outside of the electronic audit file in order to maintain the completeness of the audit file. [Nov-2011]

OAG Guidance

Principles for managing audit records

The audit working paper software is the business tool used to capture and store audit records during the course of an audit, and PROxI is the corporate repository for managing all OAG records.

Final assembly of audit documentation

Finalizing the audit is important to enable the Office to retain a final record of the procedures performed, evidence obtained, and conclusions reached. Finalizing an audit file ensures that only the final audit file is called up for use in the subsequent year’s audit (for annual audits) or when referred to (in a performance audit or special examination), and that only the final version, with all coaching notes resolved and deleted, can be called on for future reference (e.g. for use as evidence).

Capturing, organizing, and storing records

All audit records are organized by product code and by audit phase.

Electronic format is the preferred format for keeping audit records, but exceptions are made with the approval of Information and Records Management. Examples of exception are electronic files that are too big or not compatible with the audit working paper software or documents that are above Protected B (OAG Audit 1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation).

Audit teams store electronic documents that form part of the audit record in the audit working paper software. When necessary, they store other electronic documents in PROxI or a paper file, under the appropriate audit product code.

The Guidance on Managing Audit Records, Appendix C—Audit Records Checklist, provides additional guidance.

Electronic storage devices

Audit teams may temporarily store audit documentation in PROxI, encrypted USB keys or local hard drives. Before finalizing the audit file, they must transfer audit documentation from these media to the electronic audit file in the audit working paper software (OAG Audit 1112 Entity documentation and electronic (including email) audit evidence).

It is important to ensure audit documentation is properly assembled during the final file assembly period and deleted from temporary storage devices within the 60 days period. All documentation that supports the audit conclusion must be retained in the audit working paper software.

Maintaining audit records

Audit teams complete the audit file documentation in the audit working paper software through the finalization process and deliver paper records to Information and Records Management for storage and maintenance.

The audit principal completes the New Material to be Managed by Information and Records Management Form (from Appendix B) and reviews the Audit Records Checklist (Appendix C) to ensure that the audit records provided to Information and Records Management are consolidated and complete. The principal will include the New Material to be Managed by Information and Records Management form with the paper audit records when submitting them to Information and Records Management.

Finalized electronic audit files are kept in the audit working paper software until the end of their retention period.

Disposing of audit records

Audit teams follow the appropriate security procedures to dispose of transitory audit records, regardless of their format, as soon as they no longer need them within 60 days period. Library and Archives Canada has given the Office and its staff the authority to dispose of transitory records.

Under the Library and Archives of Canada Act, and according to disposition authorities that are OAG-specific as well as those that cover multiple federal institutions, only Information and Records Management has the delegated authority to dispose of audit records of enduring value.

Information and Records Management disposes of audit files at the end of their retention periods, according to agreements with Library and Archives Canada.

Retention Requirements

Retention periods assigned to all records may be extended or suspended when records are subject to:

  • request under the Access to Information Act or Privacy Act;
  • formal investigation;
  • legal proceedings; or
  • other conditions that alter the normal operational, fiscal, administrative, or legal value of the documents.

Retrieval

OAG Audit 1192 provides information on retrieval and access when technology is upgraded or changed over time.