CHAPTER 10

Audit Documentation and Working Papers

The purpose of this chapter is to discuss the following issues:

• What should be the content of the working papers?
• What information should be kept in the permanent and current files?
• How long should documents be retained?
• How are International Standards on Auditing (ISA) different than Public Company Accounting Oversight Board (PCAOB) Auditing Standards (AS) and AU standard?

Introduction

The relevant ISA standard on documentation is ISA 230 entitled Audit Documentation. This provides the basic principles underlying documentation. The purpose of ISA 230 is to establish standards and provide guidance on documentation. ISA 230 advises that the auditor should document matters which are important in providing evidence to support the audit opinion. ISA 230 in particular (paragraph 2) notes that the auditor should prepare, on a timely basis, audit documentation that provides:

• a sufficient and appropriate record of the basis for the auditor’s report and
• evidence that the audit was performed in accordance with ISAs and applicable legal and regulatory requirements.

Audit documentation is also referred to as working papers. To aid the auditor in planning the audit, all necessary information should be available in the working papers. PCAOB’s AS 3 in paragraph 2 notes that working papers should be used as the:

• written record of the basis for the auditor’s conclusions and the support for the auditor’s representations, whether contained in the auditor’s report or otherwise;
• basis for facilitating the planning, performing, and supervision of the engagement;
• as the basis for the review of the quality of the work because it provides the reviewer with written documentation of the evidence supporting the auditor’s significant conclusions; and
• the records of the planning and performance of the work.

Once the audit opinion is provided in the published final report, the working papers are the physical proof that the audit was conducted adequately. Auditors work with original documents and accounting records that are required to be left behind on completion of the audit. The working papers act as an index to those documents. This is especially important if the auditor is called upon to prove that the audit was completed in accordance with ISAs should there be a lawsuit or regulatory inquiry.

Paragraph 9 of ISA 230 advises that the auditor should prepare the audit documentation in such a manner as to enable an experienced auditor, having no previous connection with the audit to understand:

• the nature, timing, and extent of the audit procedures performed to comply with the ISA and applicable legal and regulatory requirements;
• the results of the audit procedures and the audit evidence obtained; and
• significant matters arising during the audit and the conclusion reached thereon.

As paragraph 3 of ISA 230 notes, preparing sufficient and appropriate audit documentation on a timely basis helps to enhance the quality of the audit. It also facilitates the effective review and evaluation of the audit evidence obtained and conclusions reached before the auditor’s report is finalized.

Purpose of Audit Documentation

Audit documentation serves a number of purposes some of which have already been discussed in the prior section. However, some issues raised are important enough to bear repeating. Paragraph 5 of ISA 230 states that the purposes of documentation should include:

• assisting the audit team to plan and perform the audit;
• assisting members of the audit team responsible for supervision to direct and supervise the audit work and to discharge their review responsibilities in accordance with ISA 220 entitled Quality Control for Audits of Historical Financial Information;
• enabling the audit team to be accountable for its work;
• retaining a record of matters of continuing significance for future audits;
• enabling an experienced auditor to conduct quality control reviews and inspections in accordance with International Standards on Quality Control (ISQC) 1 entitled Quality control for firms that perform audits and review of historical financial information and other assurance and related services engagements; and
• enabling an experienced auditor to conduct external inspection in accordance with applicable legal, regulatory, or other requirements.

Nature of the Audit Documentation

Paragraph 7 of ISA 230 notes that audit documents may be recorded on paper or on electronic or other media. The components of the working papers should include audit programs, the auditor’s analysis, summaries of significant matters and copies of the entity’s records (e.g., significant documents including specific contracts and agreements). However, paragraph 7 cautions that audit documentation is not a substitute for the entity’s accounting records.

This means they cannot be equated with the entity’s accounting records. The latter are the primary documents in an audit.

Content of Working Papers

When discussing what the content of working papers should be, it has to be noted that there are differences between ISA 230 and PCAOB (this issue is covered in AS 3, entitled Audit Documentation) with respect to the form and content of working papers, which is noted in a report published by the Maastricht Accounting, Auditing and Information Management Research Center (available at http://ec.europa.eu/internal_market/auditing/docs/ias/evalstudy2009/appendix_en.pdf). (We had mentioned this center in Chapter 1). To recapitulate, ISA 230 notes that the content of the working papers should be sufficiently complete and detailed to provide an overall understanding of the audit. As mentioned, the working papers are required to contain information on planning the audit work; the nature, timing, and extent of the audit procedures performed; the results of the audit procedures; and the conclusions drawn that led to the audit opinion. Paragraph 23 of ISA 230 notes that in documenting the nature, timing, and extent of audit procedures performed, the auditor should record (a) who performed the audit work and the date such work was completed and (b) who reviewed the audit work and the date and extent of such review.

In summary, ISA 230 notes that the extent of audit documentation depends on factors such as (refer paragraph 230.A2):

• the nature of the audit procedures to be performed;
• the identified risks of material misstatements;
• the extent of judgment required in performing the work and evaluating the results;
• the significance of the audit evidence obtained;
• the nature and extent of exceptions identified; and
• the audit methodology and tools used.

Types of Audit Documentation

In practice, auditors provide two types of documentation. They are:

• permanent and
• temporary files

However, in the standards ISA 230 and PCAOB’s AU 339A entitled Working Papers, there is no recommendation that auditors should categorize and retain documents based on whether the information in the working papers can be categorized as permanent or temporary. Our statement is based on our audit work experience and information in auditing text books (Hayes et al. 2005 as an example).

The permanent file is expected to include audit working papers containing all the data that are of continuing interest from year to year (Hayes et al. 2005). An example of a permanent file used in practice is shown in Table 10.1.

Table 10.1 Sample work papers: permanent file contents

Index	Page numbers (not shown)	Client description
I		General client and engagement information Engagement letter Client information form
II		Statutory and legal information Articles of association or incorporation Special legal, statutory, or contractual definitions Minutes of continuing relevance from management Insurance summary Borrowing, lease agreements Title deeds Details of any other important agreements
III		Accounting system and internal control Documentation of accounting system and internal control Chart of accounts Authorization limits, initials and signature list Accounting procedures
IV		Audit Correspondence of continuing relevance Documentation: Computer programs
V		Financial statement information Financial statement analysis/previous year’s summary Details: Property, plant, and equipment Details: Other tangible fixed assets
VI		Personnel, employment conditions Overview of personnel Standard employment contracts, salary scales Pension/early retirement rules and regulations Sick pay rules and regulations Expense allowance rules and regulations Other employment conditions
VII		Taxation

Source: Adapted from Hayes et al. 2005, 479

An example of a current file is shown in Table 10.2.

Table 10.2 Sample work papers: current file contents

Index	Page numbers (not shown)	Contents
I		Reports Financial statements Auditor’s report
II		Consolidated financial statements Trial balance Consolidated financial statements
III		Consolidation schedules Interoffice memoranda and reports from other offices
IV		Engagement planning Strategy document Planning memorandum and audit plan Memos of instruction from other offices Audit program Audit progress reports Budget Detailed audit planning and work allocation
V		Engagement completion Completion memorandum Accounting disclosure checklist Subsequent events review Notes for partner/manager
VI		Engagement administration Time sheets Hours and fee analysis
VII		Control overview document
VIII		Representations Letter of representation Major points discussed with management Client lawyer’s letter
IX		Planning analysis Budget Interim financial statements
X		Correspondence in respect of current year’s audit
XI		Prior work papers from permanent file

Source: Adapted from Hayes et al. 2005, 481

The tables are not meant to be all inclusive. The next important issue relates to the time period for preparation of the documentation and the duration for which the working papers should be retained? These issues will be discussed next.

Time Periods for Preparation of Documentation

ISA 230 in paragraph 7 states that the auditor shall prepare audit documentation on a timely basis. Paragraph 14 builds on this. The paragraph notes that the auditor should assemble the audit documentation in an audit file and complete the administrative process of assembling the final audit file on a timely basis after the date of the auditor’s report. Paragraph 21 states that an appropriate time limit should ordinarily be not more than 60 days after the report release date.

PCAOB’s AS 3 (paragraph 5) discusses the same topic. It notes that prior to the report release date, the auditor must complete all necessary auditing procedures and obtain sufficient evidence to support the representations in the auditor’s report. (This is discussed in detail in the Maastricht Accounting, Auditing and Information Management Research Center report mentioned previously in this chapter.) The PCAOB standard notes that a complete and final set of audit documents should be assembled for retention as of a date not more than 45 days after the report release date. If a report is not issued in connection with an engagement, then the documentation completion date should not be more than 45 days from the date that the fieldwork was substantially completed. If the auditor was unable to complete the engagement, then the documentation completion date should not be more than 45 days from the date the engagement ceased.

Hence, there is a difference. The PCAOB’s AS 3 (in paragraph 15) puts more pressure on the auditor in that AS 3 requires the auditor to assemble a complete and final set of audit documentation not more than 45 days after the report release date, whereas under ISA 230, it is 60 days. Another difference is that AS 3 entitled Audit Documentation (paragraph 15) contains specific requirements on documentation completion dates in case a report is not issued in connection with an engagement or if the auditor was unable to complete the engagement. This issue is not mentioned in ISA. Rather, it would appear that this is left to the judgment of the auditor.

Document Retention

ISA 230 states that the auditor should adopt appropriate procedures for maintaining the confidentiality and the safe custody of the working papers and for retaining them for a period sufficient to meet the needs of the practice and in accordance with legal and professional requirements of record retention. The standard provides no further guidance on documentation retention.

In the United States, the Securities and Exchange Commission (SEC) introduced detailed regulations (rule 210-06) regarding document retention as mandated by the Sarbanes Oxley Act (SOX). The regulation sets forth detailed requirements regarding the types of document (e.g., working papers, memos and the like that contain conclusions, opinions, analyses, etc) that should be retained and the specific period of time they should be retained. This is regardless of whether such documents support, or are inconsistent with, the final audit conclusions.

Hayes et al. (2005) noted that under SOX section 103, each registered public accounting firm is required to prepare and maintain audit working papers and other information related to any audit report for a period of not less than seven years. This same issue is covered in PCAOB’s AS 3. It states audit documentation must be retained for seven years from the date of completion of the engagement as indicated by the date of the auditor’s report unless a longer period of time is required by law (refer paragraph 15).

Under SOX section 105, the PCAOB may also require:

• the testimony of the firm or any person associated with a registered public accounting firm and
• the production of audit work papers and any other document or information in the possession of a registered public accounting firm or any associated person and may inspect the books and records of such a firm or associated person to verify the accuracy of any documents or information supplied.

The above discussion in SOX provides guidance to the PCAOB. The PCAOB in AS 3 does not cover this as it is already covered in SOX, section 105. ISA 230 does not have an equivalent discussion similar to that required in SOX section 105, and hence, there is a difference. ISA 230 states that the auditor “should adopt appropriate procedures for maintaining the confidentiality and safe custody of the working papers and for retaining them for a period sufficient to meet the needs of the practice and in accordance with legal and professional requirements of record retention”. We reviewed ISA 230 carefully and found no other guidance on document retention.

There is a significant difference between ISA 230 and PCAOB AS 3 with respect to document retention, where, for AS 3, there is a specified clear guidance of seven years. However, the time period issue is addressed in ISQC. It requires firms to establish policies and procedures for the retention of engagement documentation. The retention period for audit engagement documentation is ordinarily required under ISQC 1 to be no shorter than five years from the date of the auditor’s report or, if later, the date of the group auditors report. Hence, by default, auditors in the international arena would follow this guideline. ISQC 1 and ISA 230 also do not address the possibility of retention periods in case the auditor, for whatever reason, does not complete an audit.

In the case of PCAOB, AS 3 is very clear. There is no default here. AS 3 states that the auditor must retain documentation for seven years from the “date the auditor grants permission to use the auditor’s report in connection with the issuance of the company’s financial statements” (by this is meant the report release date). The main difference is that, unlike ISA 230, AS 3 paragraph 14 explicitly requires that the documentation be retained for seven years from the date the auditor grants permission to use the auditor’s report unless a longer period is required by law. Further, unlike ISA 230, AS 3 contains specific requirements about retention in case no report is issued in connection with an engagement or if the auditor is unable to complete the assignment.

Another related important issue relates to the necessity to make alterations to the working papers.

Alterations of Working Papers after Completion of the Audit

The PCAOB’s AS 3 paragraph 16 notes that circumstances may require subsequent additions to audit documentation. An example would be when evidence is obtained after completion of the audit or if work performed before engagement was finished and was documented only after completion. The PCAOB notes that the documentation added must indicate the date the information was added, by whom it was added and the reason for adding it (paragraph 16).

SOX specifically notes that audit documentation must not be deleted or discarded. Further, SOX provides criminal penalties for altering documents. The requirements of SOX are echoed by the PCAOB. Thus, there is a difference with ISA 230 since the latter does not discuss the issue of deleted or discarded or altered documents or legal penalties for doing so. This may be attributed to the fact that the PCAOB was instituted in the wake of Arthur Andersen’s destruction of documents in the wake of the problems with the Enron entity and its audits coming to light. Accordingly, preventing another wholesale destruction of audit documents by the auditor became a U.S. and, therefore, PCAOB priority. It is not similarly a priority for the International Auditing Assurance Standards Board (IAASB) in its writing of the ISA. Next, we discuss additional important issues relating to audit documentation.

Custodial Issues Related to Audit Documentation

The PCAOB’s AS 3 notes that matters specific to a particular engagement should be included in the audit documentation of the pertinent engagement (more elaborate discussion is provided in paragraphs 4 to 10). In particular issues such as level of auditor independence with respect to conducting the engagement, extent of staff training and proficiency of client (or lack thereof), and issues relating to client acceptance and retention may be documented in a central repository of the public accounting firm or in the particular office participating in the engagement (paragraph 11). If such matters are documented in a central repository, the audit documentation of the engagement should include a reference to the central repository. There is no mention of this in ISA 230. This is a significant difference between ISA 230 and AS 3 of PCAOB. Unlike AS 3, ISA does not mention that some items can be documented in a central repository, whereas others should be included in the documentation of the pertinent engagement.

Significant Matters and Issues Relating Thereto

Now, we discuss the issue of significant matters. ISA 230 does not define significant matters. It notes that judging the significance of a matter requires an objective analysis of the facts and circumstances. Examples of significant matters are provided. ISA 230 states that the auditor may consider it helpful to prepare and retain, as part of the audit documentation, a summary that describes the significant matters identified during the audit and how they were addressed. ISA 230 notes that judging the significance of a matter requires an objective analysis of the facts and circumstances. Paragraph 14 states that significant items could include:

• matters that give rise to significant risks as defined in ISA 315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement;
• results of audit procedures indicating (a) that the financial information could be materially misstated or (b) a need to revise the auditor’s previous assessment of the risks of material misstatement and the auditor’s responses to those risks;
• circumstances that cause the auditor significant difficulty in applying necessary audit procedures; and
• findings that could result in a modification of the auditor’s report.

Hayes et al. 2005 provides further examples of significant matters. Hayes et al.’s list (page 74) includes, but is not limited to, the following:

• The selection, application, and consistency of accounting principles including related disclosures (examples of significant matters in this category include accounting for complex or unusual transactions, accounting estimates, and uncertainties as well as related management assumptions)
• Results of auditing procedures that indicate a need for significant modification of planned auditing procedures
• The existence of material misstatements
• Omissions in the financial statements
• The existence of significant deficiencies in internal control over reporting
• Audit adjustments and the ultimate resolution of these items (ISA 230 describes an audit adjustment as a proposed correction of a misstatement of the financial statements that could, in the auditor’s judgment, either individually or in the aggregate have a material effect on the company’s financial reporting process.)
• Disagreements among members of the engagement team or with others consulted on the engagement about conclusions reached on significant accounting or auditing estimates
• Circumstances that cause significant difficulty in applying audit procedures
• Significant changes in the assessed level of audit risk for particular audit areas.

Significant Differences between the Auditor and the Client

AS 3, on the other hand, provides a definition of significant matters (paragraph 12 of AS 3). AS 3 states that the auditor must identify all significant findings, findings that may or may not create differences or issues with the client, depending on whether the client is amenable to the auditor’s proposed resolution or not, and document these significant matters in a document referred to as an Engagement Completion Memorandum. The concept of the Engagement Completion Memorandum is unique to AS 3. The Engagement Completion Memorandum is required to include all information necessary to understand the significant findings of the audit. These significant findings are required to be cross referenced to other available supporting audit documentation. It is required that (paragraph 11) the document along, with any documents cross referenced, should collectively be as specific as necessary in the circumstances for a reviewer to gain a thorough understanding of the significant findings or issues.

There are differences between ISA 230 and PCAOB’s AS 3. Unlike ISA 230, PCAOB’s AS 3 (paragraph 13) requires that an engagement completion memorandum be prepared and maintained in the audit documentation. AS 3 requires that the office of the firm issuing the auditor’s report be responsible for ensuring that all audit documentation (specified in paragraphs 4 to 13 of AS 3) be prepared and retained. The PCAOB’s AS 3 also notes that relevant audit documentation supporting the auditor’s work performed by other auditors—including auditors associated with other offices of the firm, affiliated firms, or nonaffiliated firms— must be retained by or be accessible to the office issuing the auditor’s report. In addition, the office issuing the auditor’s report must obtain, review, and retain, prior to the report release date, documentation related to the work performed by other auditors including auditors associated with other offices of the firm, affiliated firms or nonaffiliated firms.

Here, there are significant differences between PCAOB standards and ISA. Unlike ISA 230, PCAOB’s AS 3 in paragraph 18 states very clearly that the office of the firm issuing the auditor’s report is responsible for ensuring that audit documentation is retained. Also documentation supporting the work of other auditors must be retained or accessible to the office issuing the auditor’s report. Moreover, PCAOB’s AS 3 paragraph 19 requires the office that issues the report to obtain, review, and retain specific documentation related to the work performed by other auditors, unless the auditor decides to make reference in the report to the audit performed by the other auditor. After careful review, we note that these issues are not addressed in ISA 230.

In summary, in ISA 230, there appears to be a presumption that the auditor would know what a significant matter is. However, PCAOB is different in that a definition of significant matters is provided. It notes that significant matters relate to significant findings or issues and is all embracing in that it should include actions taken to address them (including additional evidence obtained and the basis for the conclusions reached).

Conclusions

Earlier chapters described the audit process, a process that results in collecting a great deal of information about the client’s financial statements and internal controls systems through the application of auditing standards. The information obtained in the audit, as well as the particular audit procedures employed, is required to be documented. This chapter describes the information that needs to be retained in order to comply with ISA and PCAOB standards. The importance of this chapter to the readers is that it provides a description of the information to be retained and presents the differences between the ISA and PCAOB audits. However diligently an auditor works, the failure to appropriately document that work may cause the auditor severe problems should the auditor be challenged in a legal forum later, whether that legal forum is in the United States or abroad. Maintaining documentation helps the auditor document that the appropriate evidence was gathered in sufficient quantity.

Plus, maintaining records on how the audit was conducted provides valuable information to the auditors in the following year as to what problems and strengths characterized the client earlier. While the auditor must always update that information to fully account for circumstances that confront the auditor during the new audit, having access to appropriate information from prior years remains valuable.