Securities audit: A legal guide for Canadian market players

Know what a securities audit is and get some practical steps to prepare when one happens in your organization
Securities audit: A legal guide for Canadian market players

While Canadian securities market players work hard to stay in the right league, a securities audit will check whether the playbook in the back office matches the moves on the trading field.

To help issuers, firms, registrants, and all other players, this guide will discuss these securities audits, what regulators look for, and how calm preparation with a securities lawyer wins more than last‑minute sprints.

What is a securities audit in Canada?

There are two levels of securities audits that a reporting issuer in Canada may be subjected to:

Recent Articles

OCC calls for clear criteria in Defence, Security and Resilience Bank headquarters location choice
Legal operations’ evolving role the central theme of 2026 CLOC Global Institute
Why Janice Jong chose an in-house role after a decade away from legal practice
  • first are the audits or reviews that may be conducted by a provincial or territorial securities regulator; and
  • second are the audits that are done by the issuer’s auditor or audit committee, as required by the provincial or territorial securities law

These audits are different from the other audits that may be referred to by the other National Instruments (NI) by the Canadian Securities Administrators (CSA). For instance, NI 51-102 on Continuous Disclosure Obligations requires that the annual financial statements filed by a reporting issuer must be accompanied by an auditor’s report.

Learn more about how securities audits are conducted, including some tips during the auditing season, with this video:

Be prepared during audit season by consulting with the best corporate finance lawyers in Canada as ranked by Lexpert.

Securities audit by securities regulators

More like a review, Canada’s securities regulators are empowered by the law to conduct securities audits whenever possible.

Similar with the other provincial and territorial securities regulators, the Ontario Securities Commission (OSC) reviews advisers and dealers (called market participants) through:

  • on-site or field compliance review: where the OSC examines the books, records, and documents of market participants, to check whether Ontario’s securities law is being complied with
  • compliance desk review or sweep: the OSC focuses on a specific issue or issues of concern using the information provided by a group of selected market participants

Recent amendments to the British Columbia Securities Act granted the British Columbia Securities Commission (BCSC) additional powers, including the authority to regulate auditors of its registrants. Now, the BCSC can:

  • create rules to regulate auditors of registrants
  • set standards for audits of registrants

All of these show the scope of the Canadian securities regulators’ power when it comes to conducting securities audit and review. As such, market participants and registrants must be diligent in complying with the law all the time, and not just when these audits are about to happen.

Investment markets will always be reviewed and regulated, not just by the securities regulators, but even the tax authorities such as the Canada Revenue Agency (CRA):

Looking for lawyers to help you during a securities audit? You can also check out our Special Edition on Finance Law, which features a directory of the leading lawyers in finance law.

Audit committee requirement for issuers

All reporting issuers are required to have an audit committee, as mandated by the provincial securities laws. The details of this audit committee are laid out in the NI 52-110 on Audit Committees by the CSA. This NI applies to all CSA members.

The audit committee must be composed of three members, who must be directors of the reporting issuer. Additionally, each audit committee member must be independent and financially literate if it intends to list on the TSX or Cboe Canada.

Among the responsibilities of a reporting issuer’s audit committee are the following:

  • recommend an external auditor to the board of directors, and oversee the work of the external auditor; the external auditor reports directly to the audit committee
  • review the financial statements, management’s discussion & analysis (MD&A), and press releases for annual and interim profit or loss, before publicly disclosing them
  • ensure that adequate procedures are in place when reviewing the reporting issuer’s public disclosure of financial information from its financial statements

Auditing standards to be followed

In addition to the requirement of having an audit committee, Canadian securities laws also require that reporting issuers follow certain auditing standards. NI 52-107 on Acceptable Accounting Principles and Auditing Standards requires that financial statements must:

  • be audited in accordance with Canadian Generally Accepted Auditing Standards (GAAS)
  • be accompanied by an auditor’s report that contains unmodified opinion and all financial periods presented, among others
  • include a comparative information for the immediately preceding financial year, which must also be covered by the auditor’s report

NI 52-107 also provides for the instances that reporting issuers can use auditing standards other than the Canadian GAAS in preparing financial statements.

What are the ways to prepare for a securities audit?

Here are some proactive measures that can be done to prepare for a securities audit in Canada:

  1. Have a clear, current compliance program
  2. Be prepared with the necessary books and documents
  3. Keep up with obligations imposed by regulators
  4. Conduct regular risk assessments
  5. Doing documented remediation

We’ll discuss these points below.

1. Have a clear, current compliance program

A firm that deals in securities needs a written compliance program that matches its actual business, and this is one thing that your securities lawyer can do to help your firm. The compliance program should:

  • track both your registration and ongoing obligations
  • specify the officers who are responsible for these obligations
  • define the roles of each officer or group (e.g., senior management, the board)

This is important so that when a securities audit happens, your clear set of policies will show due diligence on your party if regulators question your firm’s practices or disclosures.

2. Be prepared with the necessary books and documents

Whatever the purpose of a securities audit is, it’s important to always be prepared with the necessary (and usually the statutory required) books and documents. Not only will this make the audit more seamless, but it will also prevent any penalties from happening.

One example is when you or your firm, if you’re a securities market participant, was chosen by the OSC for a compliance review. Generally, the OSC says that it will:

  • examine your books, records, and financial transactions, aside from conducting interviews and other assessments
  • request books and records during the review, depending on the firm’s category or categories of registration

Here are some good practices on handling your own or your firm’s documents:

  • keep both hard and soft copies of all important records and documents
  • records should be complete, easy to find, and tied to clear retention periods
  • use mapped data flows, showing its source until when used in regulatory reports

These tips will help you during a securities audit, such as answering questions that may be thrown at you in relation to these records or documents.

3. Keep up with obligations imposed by regulators

Through the help of your securities lawyer, you need to be updated with the obligations that your regulators are imposing (or will be imposing) on you and/or firm. An example is the Canadian Investment Regulatory Organization (CIRO), where part of its compliance monitoring and audits look at a member firm’s compliance with:

  • Know-Your-Client (KYC) and Know-Your-Product (KYP) principles
  • Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)

This is aside from the possible CIRO reviews on the member firm’s financial stability and policies for complaints handling, which are standards that all firms must follow. As reference to these registrant obligations, you can also refer to NI 31‑103 on Registration Requirements, Exemptions and Ongoing Registrant Obligations.

Another regulator that must be considered is the Office of the Superintendent of Financial Institutions (OSFI), especially for financial institutions. At most, these federally regulated institutions must submit regulatory financial and corporate returns to OSFI, among other obligations.

4. Conduct regular risk assessments

Doing a risk assessment does not need to be triggered just because there’s an impending securities audit, but it must be a regular thing whatever your firm or organization is. These assessments are highly relevant to firms that fall under Canadian securities regulation, since they must match their controls to actual risks.

For registrants, a risk assessment should cover:

  • complaints handling
  • conflicts of interest
  • disclosure controls
  • suitability reviews
  • trading supervision

Again, anything required by NI 31‑103 must be included in a risk assessment to get a clearer picture on where you’re at when it comes to complying with your ongoing registrant obligations. Other relevant instruments include NI 51-102, and NI 41-101 on General Prospectus Requirements.

In addition to the laws that are administered by securities regulators, particular attention must be paid to the rules of CIRO and OSFI. These will make the risk assessment holistic and encompassing, rather than having a series of separate assessments.

To learn what laws or regulations that you and your firm must specifically consider, it’s important to get the help of a securities lawyer.

5. Doing documented remediation

Documented remediations and follow-throughs are not things that you must do before or during a securities audit, and not just after it or when a regulatory report is already issued. These remediations can show regulators that the firm has an active compliance culture that tracks issues, assigns key personnel, sets timelines, and documents the completed fixes.

Securities audit: Keeping the playbook ready for review

A securities audit should not feel like sudden death overtime for Canadian securities market players. Firms that keep policies, records, and data in order can treat it as a season review, and not a one-off shock. In any case, the help of a securities lawyer will ensure that everyone is compliant, preventing them from being knocked out by the law.

Subscribe to the free Lexpert newsletter to be updated on Canadian laws, including articles to help your company with securities audit.