The staff involved in this engagement need access to some or all of the types of personal information, noted below, to obtain evidence to support the firm's opinion on the company's financial statements. Such personal information will be a significant component of various transactions and events affecting the financial statements that will be subjected to confirmation, testing, analyses and such other procedures as the firm considers necessary to perform an audit in accordance with generally accepted auditing standards.
Such personal information could include:
+ Home addresses
+ Home telephone numbers
+ Personal identification numbers (e.g., social insurance numbers, credit card numbers)
+ Financial information (credit ratings, payroll information, personal indebtedness)
+ Personnel information (e.g., employment history, references to criminal records)
+ Information linked to the type of client, for example:
+ Information in medical records (with respect to organizations such as hospitals or medical practices)
+ Information related to race, religion, sexual preference, receipt of welfare or subsidized housing (with respect to various types of not-for-profit and government entities)
+ Source data in claims and in-force databases (with respect to insurance companies)
+ Tenant information (with respect to residential leasing companies).
As required by professional standards, rules of professional conduct and regulation, the firm documents the work it performs in records, commonly called working paper files. Such files may include personal information obtained from a client.
Working paper files and other files containing, for example copies of personal tax returns are retained for the time period required by law and regulation [or for a specified time period].
The personal information collected from a client during the course of a professional service engagement may be:
Shared with the firm's personnel participating in such engagement:
Disclosed to partners and employees within the firm to the extent required to assess compliance with applicable professional standards and rules of professional conduct, and the firm's policies, including providing quality control reviews of work performed;
Provided to members of the organization's audit committee and board of directors, and others in the company that might not otherwise have access to the information, in the course of communicating aspect of the results of our audit; and
Provided to external professional practice inspectors (e.g., representatives of the Canadian public accountability board, or a provincial institute of chartered accountants), who by law, professional regulation, or contract have the right to access to the firm's files for inspection purposes.
The firm regularly and systematically destroys, erases, or makes anonymous personal information no longer required to fulfill the identified collection purposes, and no longer required by laws and regulations.
Individual clients are encouraged to contact the firm to update their personal information.
Physical security (e.g, restricted access, locked rooms and filing cabinets) is maintained over personal information stored in hard copy form. All firm staff are authorized to access personal information based on client assignment and quality control responsibilities.
Authentication is used to prevent unauthorized access to personal information stored electronically. Encryption is used to prevent unauthorized access to personal information received or sent over the Internet.
For files and other materials containing personal information entrusted to a third party service provider (e.g., a provider of paper based or electronic file storage), the firm obtains appropriate assurance to affirm that the level of protection of personal information by the third party is equivalent to that of the firm.
Individual clients of the firm have the right to contact the engagement partner in charge of providing service to them and obtain access to their personal information. Similarly, authorized officers or employees of organizations that are clients of the firm have the right to contact the engagement partner in charge of providing service to them and obtain access to personal information provided by that client. In certain situations, however, the firm may not be able to give clients access to all their personal information. The firm will explain the reasons why access must be denied and any recourse the client may have, except where prohibited by law.
The firm has policies and procedures to receive, investigate and respond to client's complaints and questions relating to privacy.