Most defence contractors approach PSPC audits the same way they approach tax audits: with a mixture of dread and denial, scrambling when they get the notice. The organizations that come out cleanly are the ones who understand that audits aren't random — they follow patterns, and those patterns are predictable.

After two decades working inside and alongside Canada's federal security compliance framework, I've seen the same triggers come up again and again. Here's what actually prompts PSPC's Industrial Security Sector to take a closer look at your organization — and what you can do about each one.

1. Contract Award or Renewal at an Elevated Security Level

This is the most common trigger, and it catches organizations off guard because the timing feels backwards. You've just been awarded a contract — that's good news. But if that contract requires a higher security level than your current Facility Security Clearance (FSC) or Designated Organization Screening (DOS), PSPC will scrutinize your security posture before fully activating the clearance.

The same applies at renewal time. A contract that's been running smoothly for five years is no guarantee that your next renewal goes through without a review. Personnel turnover, facility changes, or updated PSPC requirements can all create friction at renewal that didn't exist at the original award.

What to do: Don't wait for the contract to land. Start your internal readiness review at least 90 days before a significant contract award or renewal. Know your current clearance status and identify any gaps between what you hold and what the contract requires.

2. Changes to Ownership, Structure, or Key Personnel

PSPC takes changes to organizational control very seriously. If your company is acquired, merges, brings on new investors, or undergoes any change that affects beneficial ownership, you're required to notify PSPC — and that notification almost always initiates a review.

The same is true for key personnel changes. Replacing your Chief Security Officer, your CEO, or any other individual whose clearance is tied to the organization's screening status creates a mandatory notification obligation. Notifications that are late or incomplete are red flags that can prompt a broader audit.

What to do: Map out which personnel changes require PSPC notification and at what timeline. Build that into your onboarding and offboarding procedures now, not when the change is happening.

3. A Security Incident — Reported or Detected

If your organization experiences a security incident involving protected or classified government information — a document going missing, an unauthorized disclosure, a data breach — you are required to notify PSPC within 24 hours. That notification will very likely be followed by a compliance review.

What many organizations don't realize is that PSPC can also learn about incidents from other sources: their own monitoring activities, tips from government departments you work with, or reports from RCMP or CSIS. An incident that you didn't report — or reported late — is far more damaging than one you handled proactively and transparently.

What to do: Have a documented incident response procedure that your entire team understands. The 24-hour rule is non-negotiable. Quick, transparent reporting demonstrates compliance culture — and is always better than being caught not reporting.

4. Complaints or Concerns From Contracting Authorities

If a government department you're working with raises a concern about your organization's security practices, PSPC will follow up. This might come from a routine contract monitoring visit, a department security officer flagging something they observed, or informal feedback through procurement channels.

This trigger is harder to anticipate, which is why the best defence is maintaining visible security practices — regular briefings, documented procedures, and a security culture that government personnel can observe when they're on-site.

5. Routine Compliance Cycle

Not every audit is triggered by something specific. PSPC conducts periodic compliance reviews of registered organizations as a matter of course, particularly those holding higher clearance levels (Secret and above). The frequency varies, but organizations that have gone several years without a review should factor one into their planning horizon.

What to do: Treat your CSP compliance program as a living document, not a one-time registration exercise. An annual internal review — checking clearance expiry dates, reviewing your Security Plan, confirming your OLISS records are current — takes a few hours and eliminates the scramble when an audit notice arrives.

The One Thing That Determines Audit Outcomes

In my experience, what separates organizations that pass cleanly from those that don't isn't the existence of gaps — virtually every organization has something to improve. It's documentation. PSPC auditors need to see evidence that your security program is real, practised, and maintained. Verbal assurances don't count. Policies that exist on paper but can't be demonstrated in practice don't count either.

The organizations I've worked with that achieve zero major findings are the ones that maintain current, accessible documentation across all their security obligations — clearance registers, briefing records, security plans, incident logs — and review them regularly enough that nothing comes as a surprise.

If you're not sure where your organization stands, a readiness assessment before an audit notice is the most efficient investment you can make.

Ron Miller, CD is the principal advisor at Miller Contract Security Advisory, a boutique Ottawa-based practice specializing in Canada's Contract Security Program and Controlled Goods Program compliance. Ron brings over 20 years of federal security experience, including a career in the Canadian Forces Logistics Branch and civilian roles supporting DND and CISD. He can be reached at rmiller@millersecurityconsulting.ca or (613) 731-5178.
