Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards require sufficient audit documentation in AU-C 230. And if it’s not documented, the peer reviewer can’t give credit. Work papers are your vehicle of communication.
But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.
Insufficient Audit Documentation
Insufficient audit documentation has been and continues to be a hot-button peer review issue. And it’s not going away.
But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that is fuzzy. Too often audit files are poor-to-midland. But why?
First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.
Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (make more money), it’s a lack of understanding.
Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Confirmations, walkthroughs, fraud inquiries are omitted. And yes, it’s easier–at least in the short run.
But we all know that quality is the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on a website and everyone could see it, would you be proud? Or does it need improvement?
Sufficient Audit Documentation According to AU-C 230
Let’s see what constitutes sufficient documentation.
AU-C 230 Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:
- Nature, timing, and extent of procedures performed
- Results and evidence obtained
- Significant findings, issues, and professional judgments
While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like? Here are some pointers for complying with AU-C 230.
Experienced Auditor’s Understanding
Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?
Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).
A Fog in the Work Papers
So what creates fogginess in work papers? We forget we have an audience. Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will see our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.
Just because I know why I am doing something does not mean that someone else will. So how can we create clarity?
Work papers should include the following:
- A purpose statement (what is the reason for the work paper?)
- The source of the information (who provided it? where did they obtain it and how?)
- An identification of who prepared and reviewed the work paper
- The audit evidence (what was done)
- A conclusion (does the audit evidence support the purpose of the work paper?)
When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.
Remember, the work paper preparer is responsible for clear communication.
And here’s another thing to consider: You (the work paper preparer) might spend six hours on one document, so you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand your work.
Help Your Reviewers
To help your reviewers:
- Tell them what you are doing (purpose statement)
- Do it (document the test work)
- Then, tell them how it went (the conclusion)
Now let’s move from proper to improper documentation.
Examples of Poor Work Paper Documentation
So, what does insufficient audit documentation look like? In other words, what are some of the signs that we are not complying with AU-C 230?
Here are examples of poor audit work paper documentation:
- Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
- Placing a document in a file without explaining why (what is its purpose?)
- Not signing off on audit steps
- Failing to reference audit steps to supporting work papers
- Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
- Not signing off on work papers as a preparer
- Not signing off on work papers as the reviewer
- Failing to place excerpts of key documents in the file (e.g., debt agreement)
- Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
- Not documenting the selection of a sample (why and how and the sample size)
- Failing to explain the basis for low inherent risk assessments
- Key bank accounts and debt are not confirmed
- Not documenting the reason for not sending receivable confirmations
- A lack of retrospective reviews
- A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
- Not documenting entity-level controls (e.g., tone at the top, management’s risk assessment procedures)
- A failure to document risk assessments
- Low control risk assessments without a test of controls
- A lack of linkage from the risk assessment to the audit plan
- No independence documentation though nonattest services are provided
This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.
Strangely, however, poor work papers are not the result of insufficient documentation, but too much documentation.
Too Much Audit Documentation
Many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”
In looking at audit files, I see:
- The clutter of unnecessary work papers
- Files received from clients that don’t support the audit opinion
- Unnecessary work performed on extraneous documents
For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.
If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we might realize it has none. Which is nice–now, we can eliminate it.
One healthy exercise is to pretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting.
The key to eliminating unnecessary work lies in performing the following steps (in the order presented):
- Perform risk assessment
- Plan your audit based on the identified risks
- Perform the audit procedures
Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, we repeat them. This creates waste year after year after year.
Before I close this article, here is one good work paper suggestion from my friend Jim Bennett of Bennett & Associates: transaction area maps.
Transaction Area Maps
Include transaction area maps in your file. A summary creates organization and makes it easier to find your work papers. It also provides a birds-eye view of what you have done. Here’s an example:
ACCOUNTS RECEIVABLE WORKPAPER MAP
4-02 Audit Program
4-10 Risk Assessment Analyticals
ACCOUNTS RECEIVABLE AGING
4-20 Customer aging report
4-21 AR break-out of intercompany balances
4-23 AR aging tie in to TB
4-24 Review of AR aging
ACCOUNTS RECEIVABLE CONFIRMATIONS
4-50 Planning worksheet – substantive procedures
4-51 AR confirmation reconciliation
4-52 AR confirmation replies
4-60 Allowance for doubtful accounts
4-70 Intercompany balances and sales to significant customers
4-80 Sales analytics
4-90 Sales cut-off testing
4-95 Revenue recognition 606 support and disclosures
In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message. We need to do so to comply with AU-C 230, Audit Documentation.
The AICPA also provides some excellent guidance regarding work paper documentation. Download their work paper template; it’s very helpful.
Also, see my article titled 10 Steps to Better Audit Workpapers.