2030 Communication with the Audit Entity: Initial and Ongoing

Aug-2021

What the CSAE 3001 means for communication with the audited entity

The CSAE 3001 requires that

• the audit team confirms the terms of the engagement with the audited entity,
• the audit team seeks a written acknowledgement of responsibility from the audited entity for the subject under audit,
• the audit team seeks a written acknowledgement from the audited entity that the criteria are suitable for the audit, and
• the audited entity provides written confirmation that it has provided the audit team with all information that was requested during the course of the audit or that could significantly affect the findings or the conclusion of the audit.

In terms of OAG practices, this translates into the following official communications to be sent to the audited entity during the course of the audit:

• notification / engagement letter to be sent before the start of the audit,
• communication of the audit plan summary / special examination plan and accompanying letter to be sent at the end of planning phase, and
• the PX draft and accompanying letter to be sent during the reporting phase.

Importance of building a solid and professional working relationship

Good communication between the audit team and the audited entity is essential to an audit.

The audit team maintains ongoing and regular communication throughout the audit, starting with early notification of the audit and discussions with the entity on the audit process, management’s responsibility for the subject area, and the terms of audit, including the audit objective and audit criteria (OAG Audit 4090 Audit plan summary for performance audits; OAG Audit 4100 Special examination plan).

The audit team should provide entities with the document What to Expect—An Auditee’s Guide to the Performance Audit Process (for performance audits), What to Expect—An Auditee’s Guide to the Performance Audit Process in the Territories or What to expect—a Crown corporation’s guide to a Special Examination (for special examinations). These documents describe each aspect of the audit process. The documents also explain what the OAG expects from auditees as well as what auditees can expect during the audit. The Auditor General also meets periodically with senior entity officials to obtain their views on the OAG’s auditing and reporting practices.

The audit team informs the entity of any emerging findings as they arise to avoid any surprises later in the process, and responds to questions and concerns. The audit team also discusses the logistics of the reporting process, including the language requirements of the entity. Maintaining good relations includes listening carefully to entity comments and concerns, and discussing and promptly resolving any problems or difficulties as they occur during the course of the audit.

Ultimately, the audit team’s objective is to ensure that the audit report and recommendations are fair and objective and are seen to be fair and objective by those responsible for making the proposed changes.

Language requirements for the transmission of specific audit documents

Early in the audit, teams should discuss with the audited federal entity its language preference for the audit and obtain a written confirmation. The audit team needs to know the entity’s language preference early in the audit so timelines (T-minus dates and Key dates for Special Examination Reports) can be adjusted accordingly to allow the OAG’s Editorial Services and Translation team time to provide translation services. “Entity’s preference” means one OR both official languages as indicated by the entity. The entity may request to receive the Audit Plan Summary/Special Examination Plan, PX Draft and the Transmission Draft in only one official language or may request to receive the documents in both languages. If the entity requests the documents in both languages, they must be sent at the same time. If the Transmission draft is requested in one official language, the final version of the translated report is sent to the audited entities for their information, a week before tabling (for their preparation).

Initial communication with the audited entity

During the initial consultation phase, in cooperation with the audit team, the audited entity

• arranges timely meetings between the entity’s senior management and other staff and the OAG to discuss the audit subject matter;
• provides the audit team with the information needed to understand the areas subject to audit, as well as information on lines of responsibility, sources of criteria, risks, management concerns, and any related internal audits, evaluations, or studies that were published previously; and
• facilitates any field visits to the entity or project sites.

Process when encountering problems with access. To avoid problems concerning the Office’s right of access, we need to be clear in our communications with entity officials at the outset. Transparent audit plans with clear iteration points accompanied by ongoing discussion with the audit entity will facilitate compliance with our requirements. Disputes regarding access to cabinet confidences should be resolved in accordance with the 2010 Protocol Agreement on Access by the Office of the Auditor General to Cabinet Documents (issued by PCO in May 2010).

Letter of notification / Engagement letter and solicitor–client privilege

The letter of notification and solicitor–client privilege (for performance audits) and the engagement and solicitor–client privilege letter (for special examinations) informs the deputy head or the head of the Crown corporation of the start of the audit and outlines the entity’s responsibility to provide access to information required to conduct the audit (OAG Audit 2060 Accessing/requesting audit documentation). In a special examination, the engagement and solicitor–client privilege letter also serves to obtain acknowledgement from entity management of its responsibility for the subject matter of the audit, and agreement on the terms of the engagement. Seeking such acknowledgment may help to avoid misunderstandings. In a performance audit, these confirmations are done later in the planning process as part of communicating the audit plan after the specific subject and scope of the audit are known (OAG Audit 4090 Audit plan summary for performance audits).

The letter of notification and solicitor–client privilege (for performance audits) and the letter of engagement and solicitor–client privilege (for special examinations) request access to, among other things, documents that may be subject to solicitor–client and other privileges. Solicitor–client privilege is the right to refuse to disclose, and to prevent others from disclosing, confidential communications made with a lawyer for the purpose of furnishing or obtaining professional legal advice or assistance. The Auditor General is entitled to such documents under the Auditor General Act. The letter explains to entities being audited that disclosure of such documents to the OAG is not a waiver of any privilege attached to the documents. The OAG treats the information in strict confidence. The letter also serves to inform the audited entity early in the audit process that a written confirmation related to the completeness of the information provided to the Office will be required at the end of the audit (see OAG Audit 8019 Submitting the principal (PX) draft and transmission draft).

The letter also states that entities are responsible for creating and following appropriate procedures to ensure the confidentiality of controlled OAG documents sent to the entity for review. Entities are responsible for returning all non-electronic controlled documents to the OAG within one week after tabling (OAG Audit 1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation).

After receiving the letter of notification and solicitor–client privilege (for performance audits) or the letter of engagement and solicitor–client privilege (for special examinations), the deputy head of the entity or the head of the Crown corporation is expected to acknowledge in writing that the entity will respect the confidentiality of the OAG-controlled documents to be provided during the course of the audit. This acknowledgement also confirms that the entity will comply with any requests that the OAG makes for access to relevant documents under the control of the entity, including those documents to which solicitor–client privileges are attached.

The engagement team must not commence the planning phase until the letter of notification and solicitor–client privilege (for performance audits) or the letter of engagement and solicitor–client privilege (for special examinations) has been signed by the entity. In the event that the audited entity refuses to sign the letter and provide acknowledgement of responsibility from management (for special examinations), the audit team should contact Legal Services.

Ongoing communication during the audit

The audit team holds an opening meeting with entity officials to discuss the areas to be audited and entity protocols. The entity is expected to respond to any request for information from the audit team, normally within five working days or within a mutually agreed time frame for documents that are not readily accessible. Audit team members who encounter a significant delay in obtaining information or who have been advised that they will not receive the required information during an audit, should seek advice from the director responsible for the audit and, if necessary, the engagement leader (OAG Audit 2060 Accessing-requesting audit documentation).

Other than Cabinet documents, which are tracked separately, audit teams keep a record of documents requested and received throughout all phases of the audit. This also avoids duplicate requests. The OAG has a different process for requesting Cabinet documents and Treasury Board submissions, which is described in OAG Audit 2060 Accessing-requesting audit documentation.

During the course of the audit, the audit team seeks input from entity management on the content of

• the audit plan summary or the special examination plan, which states the area to be audited for which entity management has responsibility and sets out the criteria for the audit (OAG Audit 4090 Audit plan summary for performance audits; OAG Audit 4100 Special examination plan);
• the principal’s (PX) draft, which includes contextual information, findings, conclusions, and recommendations. The audit team also requests entity management responses to the recommendations (OAG Audit 8020 Recommendations and entity responses); and
• the transmission draft, which is the near-final draft before the audit report is published or transmitted to the Board (OAG Audit 8019 Submitting the principal’s (PX) draft and transmission draft).

Entity management is expected to provide timely, consolidated, and coordinated comments and feedback.

Audit team members follow the OAG’s protocol for meetings and interviews with entities:

• The assistant auditor general should be informed of all planned interviews with senior government officials (deputy ministers, associate deputy ministers, assistant deputy ministers, heads of agencies, and chief executive officers).
• The engagement leader should attend meetings with a deputy minister (or equivalent) or an assistant deputy minister. The assistant auditor general may attend the meeting or stand in if the engagement leader cannot attend.
• Through regular consultation with the entity’s OAG liaison office (and the appropriate OAG team, if the entity is being audited as part of a multi-entity audit), audit teams should ensure they follow entities’ established protocols for senior-level meetings.

Audit Plan Summary / Special Examination Plan

At the end of the planning phase, the audit team sends the audit plan to the audited entity in order to seek to obtain an acknowledgement that the criteria are suitable for the audit. For a performance audit, the acknowledgement of management’s responsibility for the subject of the audit and the acknowledgement of the specific terms of the engagement are also sought and obtained at this stage, whereas this is obtained earlier, through the engagement letter, in the planning for special examinations (OAG Audit 4090 Audit plan summary for performance audits and OAG Audit 4100 Special examination plan).

The audit team should not agree to a change in the terms of the engagement if there is no reasonable justification for doing so.

PX draft and written confirmation that all information requested has been provided

Towards the end of the reporting phase, the audit team sends one PX draft to the audited entity to obtain comments on the draft. In addition to the request for entity responses to recommendations, the transmission letter also requests that the audited entity provides written confirmation that it has provided all information it is aware of that has been requested or that could significantly affect the findings or conclusion of the report (OAG Audit 8019 Submitting the principal’s (PX) draft and transmission draft).

Delegation of authority

The Office’s expectation is that the deputy head (or equivalent) shall sign off on the notification and solicitor–client privilege letter, the audit plan summary, and the factual accuracy of the transmission draft and the entity’s responses to our recommendations. The party responsible for the program or activity subject to the audit, usually an assistant deputy minister (ADM), deputy head or equivalent, shall provide the written confirmation that all the information that has been requested or that could significantly affect the findings or the conclusion of the audit report has been provided. In the event that these documents are signed by anyone other than the parties indicated above, the audit team should ask to obtain documentary evidence of delegation of signing authority from the entity.

Other communication with the entity for performance audits: departmental audit committees

As part of the OAG’s ongoing communication with an entity, the engagement leader and the assistant auditor general (if necessary) will offer to meet annually with entity senior management to understand current key issues and discuss the OAG’s short- and long-term audit plans and the general working relationship between the OAG and the entity.

Another opportunity for the OAG to interact with the entity is through the departmental audit committee. The Treasury Board Policy on Internal Audit calls for the deputy head of each department or agency, other than small entities, to establish a departmental audit committee. All audit committees have a majority of external members who have been recruited from outside of the federal public administration. Members from the federal public administration are limited to deputy heads and associate deputy ministers usually from within the department. The role of audit committees is to support the deputy head or equivalent in fulfilling his or her oversight responsibilities as the departmental accounting officer by providing advice on the adequacy of the entity’s control and accountability processes.

Senior audit team members are often invited to departmental audit committees as observers. The OAG sees this as an opportunity to inform departmental audit committees about its audit plans and to explain audit findings that have been cleared with departmental management. The OAG welcomes committee input in reviewing and assessing the adequacy of departmental responses and action plans, and in monitoring the implementation of audit recommendations.

The deputy head decides whether to share OAG documents with members of the departmental audit committee. The deputy head is accountable for ensuring that this is done in a manner that protects the confidentiality of audit information. In the case of controlled documents (OAG Audit 9020 Management of controlled documents), the deputy head is responsible for ensuring that sharing information is done in a manner that complies with the requirements set out in the letter of notification / solicitor–client privilege.

Although the OAG welcomes the committee’s views on the content of OAG documents, this is not part of the fact validation process for an audit. Documents are finalized through the normal OAG process with appropriate departmental officials. Any departmental audit committee work concerning OAG audit documents should respect OAG timelines for finalizing audit reports, where applicable.