CODI Guidance for OAG Employees

Introduction

Technical Requirements

Inviting Recipients

  1. Two weeks before delivery of the controlled document
  2. One week before delivery of the controlled document

Protecting (and Sending) a Document

  1. Date of delivery of the controlled document

Managing Recipients and Documents

  1. Post-delivery support to the entity

Revoking Access to a Document, or Closing the Audit File

  1. Revoking access to a controlled document (prior to file closing)
  2. Closing the audit file
  3. OAG IT annual cleanup and invitation to re‑register

Appendix A—CODI Email Validation Form (Entity Officials List)

Appendix B—User Registration

Appendix C—Activation Process

Appendix D—Opening a Document

Appendix E—Frequently Asked Questions

  1. What is my username?
  2. What do these terms mean?
  3. How can I assist officials who have trouble registering?
  4. How do I reset a recipient’s password, or my own?
  5. How can I search for a recipient in CODI?
  6. How do I correct a recipient’s email address?
  7. What if I selected the wrong document when preparing to Protect a Document?
  8. How can I assist an official who cannot open a protected document in CODI?
  9. Why did I receive this message: “Access to this document is restricted”?
  10. Why did I receive this message: “Account information not valid”?
  11. Why did I receive this message: “Can’t open this file” / “problem previewing this document” / “failed to load”?
  12. How do I revoke access to a document or change the date of revocation for a document?
  13. How does offline review provide access to work?
  14. What if the organization’s firewall does not accept the protected document, with the result that the document cannot be sent to the entity officials by email?
  15. How can an official open a protected document in CODI with an iPad?

Introduction

Certain documents prepared by the Office of the Auditor General of Canada (OAG) are considered OAG controlled documents. They are subject to restrictions and controls when distributed outside the OAG. They include key audit planning documents and draft audit reports. The OAG distributes these documents to audit entities in electronic format using the Controlled Document Interface (CODI).

All entity officials are responsible for ensuring the confidentiality of OAG controlled documents entrusted to their care. At the beginning of a performance audit or special examination, your deputy head or the head of your Crown corporation signed a letter accepting responsibility for maintaining the confidentiality of OAG controlled documents. None of the information in OAG controlled documents can be copied or reproduced, either in whole or in part, without the OAG’s prior written consent.

Technical Requirements

To be able to receive electronic controlled documents, entity officials need an email address, a browser, and Adobe Reader. We strongly recommend Adobe Reader version 11. Recipients will not be able to access the documents with Adobe Reader versions 10.1 or below. Version 11 offers maximum commenting functionality.

Important note: Access to CODI’s features (registration and opening documents) is allowed by default in Canada and the USA. Individuals trying to access electronic controlled documents from outside Canada need to inform the OAG audit team, who in turn need to contact OAG Security. Some restrictions may apply and access to the document may be limited, depending on the country where the individual is located.

Inviting Recipients

NOTE: For a small number of entities, the CODI process does not work exactly as described in this guide. For example, the entity’s firewall might block delivery of the email containing the CODI document. Before sending the first controlled document via CODI, it is recommended that the audit team contact the entity’s OAG liaison to check whether any special arrangements are needed.

I. Two weeks before delivery of the controlled document

Obtaining list of entity officials to register

The CODI Email Validation Form (see Appendix A) should be used to capture the information that the OAG needs to be able to send officials the controlled document. The OAG requires each official’s work email address, name, and title. The entity’s OAG liaison is responsible for coordinating and providing to the OAG team a list of all entity officials who need to review the document.

Step 1. The OAG team contacts the entity’s OAG liaison to request a list of all officials who need access to the document. Send the CODI Email Validation Form to the entity’s OAG liaison. The email should include a request to receive the list within five business days. In the email, explain that it is the entity’s responsibility to ensure that all email addresses are correct. Remind the entity’s OAG liaison not to add any numbering, spaces, or accents when entering each email address.

Step 2. Once the list has been received from the entity, it should be saved in the appropriate folder of the audit file. The audit team should save the list of officials for each controlled document that it sends; this will help the team track which officials requested to view the document. Also, saving the list makes the process easier as the audit progresses, some officials may need to be deleted, and others added.

Using CODI for non‑entity officials

IMPORTANT: If the entity wishes to share an OAG protected document with non‑entity officials, the entity’s OAG liaison must confirm the identity of those officials, using the CODI Email Validation Form.

CODI controlled documents are not to be shared with parties identified by the audited entities, other than the following:

  • departmental officials,
  • departmental audit committee members, and
  • third parties identified or readily identifiable from the audit report.

The OAG audit team should review the list of recipients identified by the entity on the CODI Email Validation Form. If an entity proposes recipients who are not in any of the three categories, the OAG audit team should ask the entity who the parties are and why they need to have the document. Only after receiving this information, the OAG audit team can determine whether to register the parties on CODI.

By clicking the box at the bottom of the CODI Email Validation Form, the entity’s OAG liaison is confirming that

  • the email address of each proposed recipient is correct,
  • the email address of each proposed recipient belongs to and is controlled by that party,
  • each proposed recipient has the appropriate security clearance, and
  • each proposed recipient has a need to know.

Once the CODI Email Validation Form has been properly completed, the OAG audit team can register those non‑entity officials in CODI, but cannot send OAG protected documents to them. It is the responsibility of the entity—specifically, the entity’s OAG liaison—to send the protected document to the non entity officials identified in the CODI Email Validation Form. The OAG team may not register non‑entity officials unless the form has been properly completed. On receiving the form, the OAG team must ensure that the entity has ticked the confirmation box.

Audit teams may also send controlled documents to its third parties. The Office expects audit teams not to share CODI controlled documents with parties other than the following:

  • external advisers,
  • departmental officials,
  • departmental audit committee members, and
  • third parties identified or readily identifiable from the audit report.

If issues arise when sharing documents with non‑entity officials through CODI, the audit team should contact the OAG HelpDesk to discuss other options. One possibility is the traditional method of sharing a hard-copy version printed on red‑bordered paper; this method should be used only in exceptional cases where it is not feasible to provide non‑entity officials with access to controlled documents through CODI. In addition, CODI should not be used without confirmation that the email address to which the controlled document will be sent belongs to and is controlled by the intended recipient.

II. One week before delivery of the controlled document

Inviting entity officials to register

Step 1. Open the list that was saved in the audit file. Select and copy the generated list of user emails from the box at the bottom of the page.

The OAG audit team should verify that the entity has properly completed the CODI Email Validation Form, and has ticked the box on the form to provide the necessary confirmations for third parties (that is, any non‑government email addresses). If the entity has not identified third parties and has not ticked the box on the CODI Email Validation Form, there is no need to follow up.

Step 2. Click the CODI link (http://codi/) to open the interface, and then click Invite Recipients. (Anyone who is authorized to receive a document via CODI is a recipient.) Paste the generated list of email addresses into the box. Then click the blue Pre‑Register button in the bottom right corner.

Registration—Entity officials will automatically receive a generic “do not reply” email, inviting them to click a link in order to register. The link directs users to a window in CODI, where they are asked to provide their first and last name and to create a password (see Appendix B—User Registration window and Confirmation box).

Activation—Immediately after registration, entity officials will receive another email asking them to activate their account (see Appendix C—Activation Process). Once they receive the registration email, officials have 30 days to register and 1 day to activate their account. If this time has passed before the officials take action, their status will show as Expired in the CODI system and they will not be able to register.

Shortly after sending the invitation to register, OAG teams can go to Manage Recipients to see which entity officials have registered and have activated their accounts. However, the OAG is not responsible for ensuring that officials register.

For tips on how to assist officials who have trouble registering, please consult Appendix E, question 3, How can I assist officials who have trouble registering?

Note: A common problem is that officials forget their username and/or password. The CODI Instructions for Entity Officials guide reminds officials to make a note of their username (which is always their entity email address) and the password they create. Emphasize this tip when communicating with the entity’s OAG liaison.

Protecting (and Sending) a Document

III. Date of delivery of the controlled document

A best practice is to send the document in the morning, early in the week. Sending a document late in the day or week does not allow time to assist officials if they have trouble accessing the document.

Note: If it is a multi-entity audit AND each entity will receive a different version of the document, the following steps 1 through 7 must be completed separately for each entity. If there is both an English and French version of the same document, steps 1 through 3 must be completed separately for each language version.

Save the document as a PDF, and then protect it in CODI.

Step 1. Open the audit file. Export the document from the audit file to your desktop. Open the file. Verify that the document is labelled Protected A or Protected B, as required. Next, click File, Save as, and then, under the option Save as type, select PDF. Also, be sure that the title of the document is clear (for example, Audit title, Fall 2019, PX draft, and entity name); this will make it easy for you to find the document when you are searching for it in the CODI system. Then click Save. Add the unprotected PDF version of the document to your audit file as a record of what was sent to the entities.

Step 2. Click the CODI link (http://codi/) to open the interface, and then select the Protect a Document tab. Set the policy for the document, by entering the information and the rules that apply to the document:

  • Product Code. Enter the product code that has been assigned to the audit.

  • Offline Review Period. The default is three days. Do not change this default. If arrangements have been made between the OAG audit team’s management and specific entity officials, a second version of the protected document will need to be created in CODI with a different period specified, containing the email addresses only of entity officials who will have a longer period of offline review.

  • Access Expiry Date. Click in the box or on the calendar icon and go to the Tabling date or date of submission of the final special examination report to the board of directors. Select this date as the access expiry date. The OAG audit team’s management will determine the circumstances in which access to a document needs to be revoked before this date.

  • Document Type. Click the box and select the type of document (for example, PX draft, DM draft).

  • Add Recipients. Open the Entity Officials List that was saved in the audit file. Select and copy the generated list of user email addresses from the box at the bottom of the page (see Appendix A). Paste the list into the Add Recipients box in the Protect a Document tab in CODI. Note: If it is a multi-entity audit and all entities will receive the same version of the document, teams can copy all the generated lists into the same box.

Step 3. Click the blue Select a Document to Protect bar underneath the Add Recipients box. A dialogue box will pop up, allowing you to browse your desktop and select the PDF version of the document you just created in Step 1.

The dialogue box gives the option of either Cancel or Protect. Selecting Cancel will take you back to the Protect a Document tab so you can start again (in case you accidentally selected the wrong PDF). Selecting Protect will apply the policies to the document (including cancelling printing and copying functions), and will automatically send you an email with the password-protected PDF document attached.

Immediately after you have protected the document, ONLY you—the creator of the protected document—will receive it via email. The other officials you added to the policy will not receive the document until you are ready to send it to them via an email that you will create (see Step 4).

You can also go into Manage Documents, select and open your newly created document, and confirm that the list of officials is complete. You can add recipients by clicking on the Add Recipient box at the bottom of the screen and entering the recipient’s email address. Then, click the blue Save button in the bottom left corner of the screen.

At this point, it is a good idea to delete the unprotected PDF version of the document from your desktop. (This version should already have been saved in the audit file.) Deleting the unprotected version will ensure that you do not get confused, and that you send the password-protected version to the entity. This version will automatically have the word “PROTECTED” in the title.

Step 4. Manually create an email to send the password-protected document to entity officials. Make sure to include the name and contact information of the OAG audit team member whom officials should contact if they have trouble accessing the document.

Attach the password-protected PDF document to the email. If there is both an English and a French version of the document, attach both versions to the same email. To do this, you can simply open the email from CODI that contains the protected document (Step 3 above) and drag and drop the other-language version into the body of the email you are creating to send to the officials.

Step 5. Attach scans of the transmittal letters (English and French) to the email, as explained in your audit file.

Step 6. Select and copy the generated list of user email addresses from the box at the bottom of the page in the Entity Officials List. Paste the list into the To: section of the email. In the Cc: section, include another audit team member so that at least two of you have a copy of the protected version of the document. Some entities may prefer that the OAG audit team sends the email and the protected document only to the entity’s OAG liaison. The liaison would then send the protected document to the list of recipients.

Once you have reviewed the email and are satisfied that it contains all the necessary documentation and information, send the email.

Important note: The OAG audit team should not send the protected document directly to third parties identified by the entity. The OAG audit team can register the third party in CODI if the entity has confirmed the third party’s identity in the CODI Email Validation Form. However, the entity is responsible for sharing the document with third parties.

Step 7. Save a copy of the sent email in the audit file for your records.

Note that when entity officials (and OAG recipients) receive the email and click to open the attachment, they will be asked to enter their username and password (see Appendix D—Opening a Document).

Entity officials will also be asked if they wish to view the document offline. This means that, for a limited period—the default is three days—they can view the document when they are not connected to the network. They should click Yes. If they do not choose this option, they cannot undo their choice.

Hard copies of the controlled documents

Upon request from the entity, OAG audit teams may provide a maximum of two paper copies of the OAG controlled documents. If paper copies are sent, the audit team must prepare the documents on red‑bordered paper, clearly indicating that they are the property of the Office of the Auditor General, and ensure that they are numbered and dated. Audit teams must enter the appropriate information in a register of hard copy. See the Direct Engagement Manual, section 9020 Management of controlled documents for more information.

Managing Recipients and Documents

IV. Post-delivery support to the entity

Assisting officials who experience problems working with the document

The OAG is not responsible for training entity officials on Adobe Reader, including how to use its commenting functionality. If officials experience problems because of unfamiliarity with Adobe Reader, they should contact their entity’s helpdesk or consult the information available on Adobe’s website.

If an official has a problem related to accessing the document, the OAG audit team is responsible for providing assistance. The email sending the protected document should provide the officials with the name of the OAG audit team contact person. Both the Manage Documents and Manage Recipients pages have a feature to provide information about whether a particular person has registered and when, and whether a document has been opened, by whom, and when. The View Document Activities feature can be useful when assisting officials who have trouble opening the document. You will be able to see whether they or others in their organization have viewed a document, as well as when. This will help you to know how to assist them.

Viewing document activities

Step 1. Go to Manage Documents and click View Document Activities at the top right side of the screen, above the Search box. This will take you to the Document Activities page.

Step 2. In the Document Activities page, click the All documents button to view a drop-down list of documents. In the list, click to select the document you need information about.

Step 3. Click the All Activities tab, which has three options: All Activities, Close Document, or View Document. Click Close Document for information about who closed the document, and when. Click View Document for information about who opened the document, and when. Click All Activities for both Close and View Document event information.

Step 4. Finally, click the button under the Date heading, which has three options: Last 7 days, Last 30 days, or Custom dates. Clicking Custom dates allows you to select a different date range for the activities.

Step 5. Click the blue Show activities button to see the activity information, which includes the activity (closed or viewed document), the name of the user who performed the activity, the name of the document, and the date and time of the event.

Viewing recipient activities

Step 1. Go to Manage Recipients and click View Recipient Activities at the top right side of the screen. This will take you to the Recipient Activities page.

Step 2. In the Recipient Activities page, enter the name of the person you need information about and click to select.

Step 3. Then click the All Activities tab, which has three options: All Activities, User Events, or Document Events. Click User Events for information about the user’s registration status in CODI, such as when that person was invited and registered. Click Document Events for information about whether the user has closed or viewed a document, as well as which document and when. Click All Activities for both User and Document Events information.

Step 4. Click the tab under the Date heading, which has three options: Last 7 days, Last 30 days, or Custom dates. Clicking Custom dates allows you to select a different date range for the activities.

Step 5. Click the blue Show activities button to see the activity information. This includes activities, the name of the user who performed the activity, the name of the document, and the date and time of the event.

Resetting a password

If officials forget their password, they can contact the OAG audit team to request a password reset.

Step 1. In CODI, go to Manage Recipients.

Step 2. To find the recipient whose password you want to reset, enter the recipient’s name in the appropriate Search boxes.

Step 3. Once you have the name, click Reset password in the Actions column. (Note: You can reset a recipient’s password only if the account status is Active.)

The system will automatically send the person an email invitation to re‑register. This will allow the person to reset the password.

Adding a new recipient to an existing policy

Sometimes an official might receive a message that access to a certain document is restricted and the person does not have permission to open it. This likely means the recipient has not been added to the policy; that is, the person has not been given access to the document. In this case, do the following:

Step 1. Confirm that the official was included on the CODI Email Validation Form provided by the entity’s OAG liaison. (The list should have been saved in the audit file.)

Step 2. If the official was on the list, confirm that the email address is correct. If not, see Appendix E, question 5, How do I correct a recipient’s email address?

Step 3. If the official was not on the list, tell the person to contact the entity’s OAG liaison and request to be added to the list. The liaison should send the OAG audit team an updated list, if appropriate. This is especially important if it is a non‑entity official (that is, having a non‑government email address). For a non‑entity official, the entity must provide the confirmation by ticking the box in the CODI Email Validation Form.

Step 4. Once it is confirmed that the official should receive the document, open CODI and go to Manage Documents. Enter the product code in the Search field (right side of the page).

Step 5. Click the document to which you want the official to have access. This will take you to a screen where you can edit the policy associated with the document.

Step 6. Click the Add Recipient box at the bottom of the screen and enter the recipient’s email address.

Step 7. Click the blue Save button in the bottom left corner of the screen. An email will automatically be sent to the recipient, inviting that person to register (if the recipient has not yet registered). Note: If the official has not yet received the protected document by email, the OAG audit team will need to forward the original email containing the password-protected document to the new recipient.

Removing a recipient from an existing policy

Step 1. To remove a recipient from a policy, go to Manage Documents. Enter the product code in the Search field (right side of the page).

Step 2. Click the document for which you want to remove access. This will take you to a screen where you can edit the policy associated with the document.

Step 3. Find the name and email of the recipient, and click the Delete box in the Action column.

Step 4. Click the blue Save button in the bottom left corner of the screen. The recipient will no longer have access to the document.

Step 5. Go to Manage Recipients. Find the recipient. Under the Actions column on the right, click the arrow and select Delete. Note that some recipients are listed as Enduring, or are active on more than one policy (that is, they are reviewing more than one OAG controlled document at the same time). In that case, you cannot delete the person from the Recipients list. However, if someone has been deleted from the policy for a particular document, that person will not be able to access the document.

Step 6. In the audit file, open the entity email validation form and delete the recipient’s email address from the list of officials, if needed. This will ensure that the official will not receive invitations to register in CODI and will not be able to view other controlled OAG documents for the audit.

For other problems, consult Appendix E—Frequently Asked Questions. If you do not find a solution there, contact the OAG HelpDesk.

Unprotecting a document—save and review the entity’s consolidated comments

In some cases, the entity may send the protected document back to the OAG team with its consolidated comments added. To be able to save and review this document in the audit file, you can unprotect it by following these steps:

Step 1. Go to the Other Options tab in CODI and click the drop-down arrow.

Step 2. Click Unprotect a Document.

Step 3. Click Browse and select the document you want to unprotect.

Step 4. Click the blue Unprotect Document button in the bottom left corner of the page. The unprotected document will be sent to your email address.

Revoking Access to a Document, or Closing the Audit File

V. Revoking access to a controlled document (prior to file closing)

Before an audit report has been tabled, it may be necessary to revoke access to a specific document. To do this, follow these steps:

Step 1. In CODI, go to Manage Documents. Enter the product code in the Search box at the top right of the page. Under the Document name column, click the document for which you want to revoke access. This will take you to the Edit page.

Step 2. Click the red Delete policy box. A message will appear that asks whether you are sure you want to delete this policy. Confirm that you have selected the correct document and click the blue Delete box. Note that this will delete the policy, but it will not remove the recipients from the Manage Recipients list. To delete a recipient who is not listed as Enduring and is not associated with any other documents, go to the Manage Recipients tab. Find the recipient, click the drop-down arrow in the Actions column, and choose Delete.

You can also delete recipients from CODI through the Close File page when the audit ends. (See the following section).

Step 3. A message highlighted in green will appear, stating as follows: “Success The policy has been deleted.”

Step 4. Inform the entity’s OAG liaison that access to the document has been revoked, and recommend that the liaison inform the relevant officials. The audit team’s management may wish to look after this task.

VI. Closing the audit file

During file finalization at the end of an audit, the audit team must close the file in CODI. This involves deleting all the policies (documents) in CODI associated with the audit or product code, and generally all the recipients associated with those documents. Here is the way to do this:

Step 1. In CODI, go to Other Options, click the drop-down arrow, and choose Close File.

Step 2. Select the product code from the drop-down list and click Next.

Step 3. This will take you to a page that displays all the policies (documents) associated with the audit. It will also display a list of recipients at the bottom of the page. The list consists of all the people who were added to the policies. In some cases, the list will be divided into three parts: recipients to be deleted immediately as part of the Close File process; recipients to be deleted by IT because they never activated their account; and recipients who cannot be deleted because they are listed as Enduring or are active on other policies. Recipients listed as Enduring are users who are frequently active on OAG policies, such as an entity’s OAG liaison, chief audit executive, or deputy head.

Step 4. Click the blue Proceed box at the bottom left of the page.

Step 5. A message highlighted in green will appear, stating as follows: “Success File closed for product code XXXXXX.”

VII. OAG IT annual cleanup and invitation to re‑register

To ensure that the recipient list in CODI is up to date, the OAG IT unit will regularly review it to identify and delete individuals who are not associated with any policy or whose invitation has expired.

The review will also identify individuals whose account status has been Active for one year or more. In most cases, these will be recipients listed as Enduring. As a security measure, the system will invite these recipients to re‑register and create a new password once a year.

Appendix A—CODI Email Validation Form (Entity Officials List)

Appendix B—User Registration

Registration email

User Registration window

Confirmation box

Appendix C—Activation Process

Activation email

After activation, the user receives this message:

Appendix D—Opening a Document

Appendix E—Frequently Asked Questions

1. What is my username?

In CODI, a recipient’s username is that person’s email address.

2. What do these terms mean?

Manage Recipients, Account Status column

Invited—The individual has been invited to register in CODI, but has not yet done so.

Registered—The individual has registered in CODI, but has not yet activated his/her account.

Active—The individual has activated his/her account.

Locked—The individual’s status in the CODI system is locked as a result of entering an incorrect username and/or password more than three times.

Expired—The individual has failed to register within 30 days, or has registered but then failed to activate his/her account within 1 day. Individuals with a status of Expired will not be able to register; the audit team must contact the OAG HelpDesk for assistance.

Enduring—The individual is frequently active on OAG policies. Examples include an entity’s OAG liaison, chief audit executive, or deputy head. These recipients cannot be deleted from the Recipients list by audit teams.

Protect a Document

Offline review period—The length of time that the user can view and add comments in the protected document without being connected to the Internet. Offline review allows the user to review a document while away from the office (for example, while travelling). The usual rules apply: the document cannot be printed or copied, and it cannot be opened by anyone who is not registered in CODI with a valid username and password.

Access expiry date—The date on which users can no longer access a document. This is normally midnight on the date of Tabling or the date of submission (for a special examination report). However, the audit team could change the date for various reasons (for example, the calling of an election).

3. How can I assist officials who have trouble registering?

If an official did not receive an invitation to register, it may be because that person’s inbox was full or the email address provided by the entity’s OAG liaison was incorrect. Go to Manage Recipients and confirm that the email address is correct. If not, see FAQ 6, How do I correct a recipient’s email address? If the address is correct, simply click Resend invite to re invite the official. Note that officials are responsible for managing their own inbox and the entity’s OAG liaison is responsible for providing the correct email address to the OAG.

Once an official receives the registration email from CODI, that individual has 30 days to register. After registering and receiving the activation email, the individual has 1 day to activate the account. If the recipient waits longer than 30 days to register, or longer than 1 day to activate, the invitation will expire. In this case, the CODI system will not allow the recipient to register, even if the OAG team re invites the person. If the status is Expired, the audit team member must contact the OAG HelpDesk to request that the account be reset and the official be re invited by a member of the IT group.

If an official has received the email invitation to register, but clicked the link and could not register, go to Manage Recipients and check the official’s status. If the status is Locked, this means that the official entered an incorrect username and/or password more than three times. To immediately unlock, simply click the Unlock button. However, it is likely that the official forgot the username or password. You can give a reminder that the username is the person’s email address. In case of a forgotten password, however, you will need to send a new invitation so that the person can create a new password.

Sometimes the entity’s OAG liaison may contact the audit team about an issue but the team is unsure how to respond, In that case, the audit team should first consult the Help tab in CODI; this provides links to all CODI guidance, including a set of Frequently Asked Questions, or FAQs (Appendix E of this document). If a solution is not found in the FAQs, the audit team should contact the OAG HelpDesk.

Note: The audit team is not responsible for monitoring whether entity officials register in CODI. If officials fail to register within 30 days, it likely means that they are not directly involved in their entity’s OAG audit document review process. If an official asks to be re invited to register after the original invitation expires, it is recommended that the team confirm with the entity’s OAG liaison whether the official still requires access to the document.

4. How do I reset a recipient’s password, or my own?

Note: You can reset a recipient’s password only if the account status is Active.

Step 1. In CODI, go to Manage Recipients.

Step 2. To find the recipient whose password you want to reset, enter the recipient’s name in the appropriate Search boxes.

Step 3. Once you have the name, click Reset password in the Actions column. The system will automatically send an email inviting the person to re‑register. This will allow the recipient to reset the password.

5. How can I search for a recipient in CODI?

To search for a recipient, use one or more of the four search categories: first name, last name, email address, and product code. For example, you can search for a recipient by entering the first name, or the product code associated with the controlled document to which the recipient was given access. If you do not find a recipient when searching by first or last name, try searching by email address instead. (A search will not find the first or last name of someone who has not yet registered and is listed in CODI as Invited.) Once you have entered the information in the search box(es), click the blue Search tab on the left side of the page. The search results will appear at the bottom of the page.

Above the results, a message will also appear stating as follows: Click the recipient’s name to see list of policies. Clicking the recipient’s name allows you to see all the controlled documents to which the recipient has access, including documents from other audits.

If you want a list of all the recipients associated with your audit, simply search by the product code.

You can also click the blue Load all recipients tab on the right side of the page. This will automatically display a list of every recipient in the CODI system. You can still use the search function to find a specific recipient or group of recipients associated with a product code. You can also enter any search term in the Filter results box that appears to the right of the search results or when all recipients are loaded.

6. How do I correct a recipient’s email address?

It is important to verify a recipient’s email address before entering it into CODI. Otherwise, that person will not receive an email invitation to register. The entity’s OAG liaison is responsible for providing accurate email addresses. If a recipient’s email address is incorrect, you can correct it by following these steps:

Step 1. In CODI, go to Manage Documents.

Step 2. To find the title of the document associated with the recipient whose email address you need to correct, scroll down the list or else enter the product code or document name in the Search field (right side of the page).

Step 3. Click the name of the document. This will take you to the Edit page.

Step 4. In the Recipients section, find the incorrect email address and click Delete. Note that an email address is read-only once it has been added, so you cannot correct or modify it directly. Instead, you must delete the address and then add the correct email address (see Step 5).

Step 5. Click Add Recipient and enter the correct email address.

Step 6. Click the blue Save button in the bottom left corner of the screen. An email will automatically be sent to the recipient, with an invitation to register.

Step 7. If the email containing a password-protected document has not yet been sent to the recipient, send the email to the corrected email address.

Step 8. In the audit file, go to the CODI entity email validation form and make sure that the recipient’s email address is corrected.

7. What if I selected the wrong document when preparing to Protect a Document?

Once you have browsed and selected a PDF document that you want to protect, CODI will show the file in a dialogue box:

Confirm that you have selected the correct document. If not, click Cancel, then Select a Document to Protect . . . and browse again for the correct document.

If you did not click Cancel but instead clicked Protect for the wrong document, the document will automatically be protected and sent to you via email. Delete the email. Then go back into CODI and begin the Protect a Document process again to select and protect the correct document.

You should also go into CODI and revoke access to the document that you mistakenly protected. To do so, see FAQ 12, How do I revoke or change the date of revocation for a document?

8. How can I assist an official who cannot open a protected document in CODI?

If an official cannot open a document in CODI, there are several points on which the OAG audit team might be able to assist. Check these before contacting the OAG HelpDesk:

  • Has the official registered correctly with CODI? See FAQ 3 for tips on how to assist officials who have trouble registering.

  • Has the official been added to the policy? If not, the person has not been given access to the document. In this case, go to the section Adding a new recipient to an existing policy.

  • In what country is the official at the moment? Access to CODI’s features (registration and opening protected documents) is allowed by default in Canada and the USA. Individuals trying to access controlled electronic documents while outside Canada need to advise the OAG audit team, and the team needs to contact OAG Security. Some restrictions may apply and access to the document may be limited, depending on the country where the official is located.

  • Is the official trying to access the document with an iPad? If that is the case, see FAQ 15 on how to access a protected document in CODI with an iPad.

Sometimes the entity’s OAG liaison might contact the audit team about an issue but the audit team is unsure how to respond. In that case, the team should first consult the Help tab in CODI; this provides links to all CODI guidance, including a set of Frequently Asked Questions (Appendix E of this document). If a solution is not found in the FAQs, the audit team should contact the OAG HelpDesk.

9. Why did I receive this message: “Access to this document is restricted”?

This message likely means that the official has not been added to the policy; that is, the person has not been given access to the document. In this case, do the following:

Step 1. Confirm that the official was included on the Entity Officials List provided by the entity’s OAG liaison. (This list should have been saved in the audit file.)

Step 2. If the official was on the list, confirm that the email address is correct. If not, see FAQ 6, How do I correct a recipient’s email address?

Step 3. If the official was not on the list, tell the individual to contact the entity’s OAG liaison and ask to be added to the list. The liaison should send the OAG audit team an updated list, if appropriate.

Step 4. Once the updated list is received and it is confirmed that the official should receive the document, open CODI and go to Manage Documents. Enter the product code in the Search field (right side of the page).

Step 5. Click the document to which you want the official to have access. This will take you to a screen where you can edit the policy associated with the document.

Step 6. Click the Add Recipient box at the bottom of the screen and enter the recipient’s email address.

Step 7. Click the blue Save button in the bottom left corner of the screen. An email will automatically be sent, inviting the recipient to register.

10. Why did I receive this message: “Account information not valid”?

This message means that the recipient entered an invalid username and/or password to access the document. If an official contacts the OAG audit team with this problem, one possible cause is that the official forgot the username or password. In this case, the audit team should follow the steps described in FAQ 1, What is my username? and FAQ 4, How do I reset a recipient’s password, or my own?

Another possible cause is that the official has not been added to the policy; that is, the individual has not been given access to the document. In this case, the audit team should follow the steps described in FAQ 9, Why did I receive this message: “Access to this document is restricted”?

11. Why did I receive this message: “Can’t open this file” / “problem previewing this document” / “failed to load”?

One of these messages appears when a recipient attempts to open a protected document with a program other than Adobe Reader. This will most likely happen if the recipient is opening the document on a device having a default PDF reader other than Adobe Reader. Examples include iPads or devices using Windows 8 as their operating system. In this case, the recipient must save the document to the device’s desktop, right-click it, select Open with, and choose Adobe Reader. If Adobe Reader is not listed, the recipient will need to install it on the device before the document can be opened.

If the official is using an iPad, see FAQ 15, How can an official open a protected document in CODI with an iPad?

12. How do I revoke access to a document or change the date of revocation for a document?

Step 1. In CODI, go to Manage Documents.

Step 2. To find the title of the document, scroll down the list or else enter the product code or document name in the Search field (right side of the page).

Step 3. Click the name of the document. This will take you to the Edit page.

Step 4.

  • To change the date of revocation, under Access Expiration Date, select the new date and then be sure to click the blue Save button in the bottom left corner of the screen. Access will be revoked at midnight on the new date. OR

  • To immediately revoke access, click the red Delete policy box. A message will appear that asks whether you are sure you want to delete this policy. Confirm that you have selected the correct document. Then click the Delete box. Note that this action will delete the policy but it will not remove the recipients from the Manage Recipients list. To delete a recipient who is not listed as Enduring and is not associated with any other documents, go to the Manage Recipients tab. Find the recipient, click the drop-down arrow in the Actions column, and choose Delete.

This removes access for a recipient to a particular document. Recipients can be deleted from the CODI system only through the Close File page. The file is closed at the end of the audit.

Step 5. A message highlighted in green will appear that states the following: “Success The policy has been deleted.”

Step 6. Inform the entity’s OAG liaison that access to the document has been revoked, and recommend that the liaison inform the relevant officials. The audit team’s management may wish to look after this task.

13. How does offline review provide access to work?

Offline access enables entity officials to review a protected document on weekends and while travelling, when they might not be connected to the Internet.

To be able to access the document offline, here is what the official must do:

Step 1. Connect to the Internet on the device that will be used to view the document offline.

Step 2. While still connected to the Internet, open the document. This allows CODI to verify the recipient’s username and password.

As soon as the recipient opens the document, the offline review period begins. The default period is three days. This means that, if the document is opened at the office at noon on Tuesday, it will be available for offline viewing until noon on Friday.

However, the three‑day review period restarts every time the document is opened from a device connected to the Internet. This means that a recipient can open the document at the office at noon on Tuesday, review it offline during a flight on Wednesday, return to the office and review the document online on Friday, and then have another three days to review the document offline over the weekend.

14. What if the organization’s firewall does not accept the protected document, with the result that the document cannot be sent to the entity officials by email?

The Entrust program can be used to send the protected document to the entity’s OAG liaison, who can then forward the document to the relevant entity officials. These officials must be registered in CODI to be able to view the document.

Step 1. Follow all the steps in CODI to protect the controlled document.

Step 2. Send a test Entrust encrypted email to the entity’s OAG liaison to find out whether an exchange of Entrust certificates is required. If it is required, follow the instructions for Importing/Exporting Entrust Certificates to find out how to do the certificate exchange.

Step 3. Once you have confirmed that you can successfully send Entrust emails to the entity’s OAG liaison, attach the CODI protected PDF to a new email. Be sure to follow all the steps to create the email, using the controlled document email transmission template, including attaching any transmittal letters. However, in the To: section of the email, enter only the address of the entity’s OAG liaison. In turn, the liaison will forward the document to the relevant entity officials. To assist the liaison, you can attach a copy of the entity’s CODI Email Validation Form. This will ensure that both you and the entity’s OAG liaison are working with the same list of recipients.

Step 4. Click the Encrypt and Sign buttons in the Security tab in Outlook before sending the email.

Step 5. Contact the entity’s OAG liaison to confirm that the liaison received the email, and was able to download and open the protected document.

15. How can an official open a protected document in CODI with an iPad?

If an official has difficulties opening a protected document from CODI with an iPad, help the official take these steps:

Step 1. Tell the official to download Adobe Acrobat Reader from the App Store and install the application on the iPad.

Step 2. Once the email with the protected document is received, tell the official to keep a finger on the attachment until some options appear. One of these is “Copy to Acrobat Reader.” Selecting this option will bring up the Acrobat Reader application, with a window asking for the official’s username and password for CODI.

Step 3. Tell the official to enter the username and password for CODI, as established at the time of registration. (Again, the username is the official’s email address.) After entering the username and password, the official should have access to the document.