F.12 Security and Control of Working Papers

  1. The audit working papers developed for internal audits and practice reviews are owned by the Practice Review and Internal Audit (PRIA) of the Office of the Auditor General of Canada (Office).

Physical Control/Access

  1. Working papers are PRIA property and should be kept under its control.

  2. Working papers may contain sensitive Office information as well as data related to PRIA concerns and the development of recommendations, which should be considered preliminary and should not be shared. Besides the normal risks of losing Office information, PRIA’s reputation could be seriously damaged by the loss of data in its custody, or by the inadvertent communication of confidential data, of data on internal audit concerns, or of partially developed audit issues.

  3. The security labelling of working papers is subject to Office security policy. All working papers must be assessed and clearly identified as Unclassified, Protected A, Protected B, etc. based on guidance included in the Office of the Auditor General – Security Quick Reference Card.

  4. Access to electronic working papers is managed by the Information and Records Management department, and portable computers are subject to careful physical security measures and security controls (passwords, shared file controls, etc.). Working papers are to be prepared in electronic format. They should be secured in TeamMate so they are not readily available to persons unauthorized to see or access them.

  5. The Chief Audit Executive should obtain approval of senior management and/or legal counsel prior to releasing working papers to external parties.

Storage and Retention

  1. All audit work will be completed and stored in TeamMate. TeamMate files and the corresponding paper file (if applicable) should be archived within 60 days of the audit file completion. Each audit file has a destruction date. Information and Records Management is responsible for the disposition of audit files. Information and Records Management is responsible for ensuring that the retention procedures are consistent with Office guidelines and any pertinent regulatory requirements.

Last modified:
2018-03-22