10 Steps to Better Audit Workpapers

By Charles Hall | Accounting and Auditing , Preparation, Compilation & Review

In this post, I provide ten steps to better audit workpapers. 

Have you ever been insulted by a work paper review note?

Your tickmarks look like something my six-year old created. 

Rather than providing guidance, the comment feels like an assault.

Or maybe as a reviewer you stare at a workpaper and you’re thinking, “what the heck is this?” Your stomach tightens and you say out loud, “I can’t understand this.”

There are ways to create greater audit workpaper clarity.

10 Steps to Better Audit Workpapers

Here are ten steps to make your workpapers sparkle.

1. Timely review. The longer the in-charge waits to review work papers, the harder it is for the staff person to remember what they did and, if needed, to make corrections. Also, consider that the staff person may be reassigned to another job. Therefore, he may not be available to clear the review notes.
2. Communicate the purpose.

a.  An unclear work paper is like a stone wall. It blocks communication.

b.  State the purpose; for example:

Purpose of Work Paper – To search for unrecorded liabilities as of December 31, 2018. Payments greater than $30,000 made from January 1, 2019, through March 5, 2019, were examined for potential inclusion in accounts payable.

Or:

Purpose of Work Paper – To provide a detail of accounts receivable that agrees with the trial balance; all amounts greater than $20,000 agreed to subsequent receipt.

If the person creating the work paper can’t state the purpose, then maybe there is none. It’s possible that the staff person is trying to copy prior year work that (also) had no purpose.

c.  All work papers should satisfy a part of the audit program (plan). No corresponding audit program step? Then the audit program should be updated to include the step—or maybe the work paper isn’t needed at all.

3.  The preparer should sign off on each workpaper  (so it’s clear who created it).

4. Audit program steps should be signed off as the work is performed (not at the end of the audit–just before review). The audit program should drive the audit process—not the prior year workpapers.

5.  Define tickmarks.

6.  Reference work papers. (If you are paperless, use electronic links.)

7.  Communicate the reason for each journal entry.

The following explanation would not be appropriate:

To adjust to actual.

A better explanation:

To reverse client-prepared journal entry 63 that was made to accrue the September 10, 2018, Carter Hardware invoice for $10,233.

8.   When in doubt, leave it out.

Far too many documents are placed in the audit file simply because the client provided them. Moreover, once the work paper makes its way into the file, auditors get “remove-a-phobia“–that dreaded sense that if the auditor removes the work paper, he may need it later.

If you place those unneeded documents in your audit file and do nothing with them, they may create potential legal issues. I can hear the attorney saying, “Mr. Hall, here is an invoice from your audit file that reflects fraud.”

Again, does the work paper have a purpose?

My suggestion for those in limbo: Place them in a “file 13” stack until you are completely done. Then–once done–destroy them. I place these documents in a recycle bin at the bottom of my file.

9.  Complete forms. Blanks should not appear in completed forms (use N/A where necessary).

10. Always be respectful in providing feedback to staff. It’s too easy to get frustrated and say or write things we shouldn’t. For instance, your audit team is more receptive to:

Consider providing additional detail for your tickmark: For instance–Agreed invoice to cleared check payee and dollar amount.

This goes over better than:

You failed to define your tickmark–again?

Last Remarks

What other ways do you make your audit workpapers sparkle? Comment below.

The AICPA provides a sample workpaper template that you may find helpful. 

You may also be interested in a related post: How to Review Financial Statements.

Also, see Audit Documentation: Peer Review Finding. 

Work Paper Mistakes: A List of 40 Common Errors

By Charles Hall | Auditing

Today, I offer you a list of forty work paper mistakes. If you’re an auditor or you perform review engagements or compilations, you’ve seen these–or if you’re like me, you’ve make some of these errors. 

The list is based on work paper reviews I’ve done over the last thirty-seven years (and not on any type of formal study).

You will, I think, shake your head in agreement as you read them. Why? Because you’ve seen these too. 

Forty Work Paper Mistakes

Here’s the list of forty work paper mistakes:

1. No preparer sign-off on a work paper
2. No evidence of work paper reviews
3. Placing unnecessary documents in the file (the work paper provides no evidential matter for the audit)
4. Signing off on unperformed audit program steps
5. No references to supporting documentation in the audit program
6. Using canned audit programs that aren’t based on risk assessments for the particular entity
7. Not documenting expectations for planning analytics
8. Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
9. Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linkage)
10. Not documenting who inquiries were made of
11. Not documenting when inquiries were made
12. Significant deficiencies or material weaknesses that are not communicated in written form
13. Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
14. Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
15. Assessing control risk below high without testing controls
16. Assessing the risk of material misstatement at low without a basis (reason) for doing so
17. Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
18. Not documenting the predecessor auditor communication in a first-year engagement
19. Not documenting the qualifications and objectivity of a specialist
20. Not documenting all nonattest services provided
21. Not documenting independence
22. Not documenting the continuance decision before an audit is started
23. Performing walkthroughs at the end of an engagement rather than the beginning
24. Not performing walkthroughs or any other risk assessment procedures
25. Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
26. Not retaining the support for opinion wording in the file (especially for modifications)
27. Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
28. Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
29. Retrospective reviews of estimates are not performed (as a risk assessment procedure)
30. Going concern indicators are present but no documentation regarding substantial doubt
31. IT controls are not documented
32. The representation letter is dated prior to final file reviews by the engagement partner or a quality control partner
33. Consultations with external or internal experts are not documented
34. No purpose or conclusion statement on key work papers

35. Tickmarks are not defined (at all)

36. Inadequately defining tickmarks (e.g., ## Tested) — we don’t know what was done

37. No group audit documentation though a subsidiary is included in the consolidated financial statements

38. No elements of unpredictability were performed

39. Not inquiring of those charged with governance about fraud

40. Not locking the file down within 60 days 

That’s my list of workpaper mistakes. What would you add?

Even if you do all of these, have you documented them properly? See my article If It’s Not Documented, It’s Not Done.

Audit Documentation: Peer Review Finding

By Charles Hall | Auditing

Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards require sufficient audit documentation in AU-C 230. And if it’s not documented, the peer reviewer can’t give credit. Work papers are your vehicle of communication. 

But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.

Insufficient Audit Documentation

Insufficient audit documentation has been and continues to be a hot-button peer review issue. And it’s not going away. 

But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that is fuzzy. Too often audit files are poor-to-midland. But why? 

First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.

Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (make more money), it’s a lack of understanding.

Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Confirmations, walkthroughs, fraud inquiries are omitted. And yes, it’s easier–at least in the short run.

But we all know that quality is the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on a website and everyone could see it, would you be proud? Or does it need improvement?

Sufficient Audit Documentation According to AU-C 230

Let’s see what constitutes sufficient documentation.

AU-C 230 Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:

• Nature, timing, and extent of procedures performed
• Results and evidence obtained
• Significant findings, issues, and professional judgments

While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like? Here are some pointers for complying with AU-C 230. 

Experienced Auditor’s Understanding

Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?

Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).  

A Fog in the Work Papers

So what creates fogginess in work papers? We forget we have an audience. Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will see our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.

Just because I know why I am doing something does not mean that someone else will. So how can we create clarity?

Creating Clarity

Work papers should include the following:

• A purpose statement (what is the reason for the work paper?)
• The source of the information (who provided it? where did they obtain it and how?)
• An identification of who prepared and reviewed the work paper
• The audit evidence (what was done)
• A conclusion (does the audit evidence support the purpose of the work paper?)

When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.

Remember, the work paper preparer is responsible for clear communication. 

And here’s another thing to consider: You (the work paper preparer) might spend six hours on one document, so you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand your work.

Help Your Reviewers

To help your reviewers:

1. Tell them what you are doing (purpose statement)
2. Do it (document the test work)
3. Then, tell them how it went (the conclusion)

Now let’s move from proper to improper documentation.

Examples of Poor Work Paper Documentation

So, what does insufficient audit documentation look like? In other words, what are some of the signs that we are not complying with AU-C 230?

Here are examples of poor audit work paper documentation:

• Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
• Placing a document in a file without explaining why (what is its purpose?)
• Not signing off on audit steps
• Failing to reference audit steps to supporting work papers
• Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
• Not signing off on work papers as a preparer
• Not signing off on work papers as the reviewer
• Failing to place excerpts of key documents in the file (e.g., debt agreement)
• Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
• Not documenting the selection of a sample (why and how and the sample size)
• Failing to explain the basis for low inherent risk assessments
• Key bank accounts and debt are not confirmed
• Not documenting the reason for not sending receivable confirmations
• A lack of retrospective reviews
• A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
• Not documenting entity-level controls (e.g., tone at the top, management’s risk assessment procedures)
• A failure to document risk assessments
• Low control risk assessments without a test of controls
• A lack of linkage from the risk assessment to the audit plan
• No independence documentation though nonattest services are provided

This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.

Strangely, however, poor work papers are not the result of insufficient documentation, but too much documentation. 

Too Much Audit Documentation

Many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”

In looking at audit files, I see:

• The clutter of unnecessary work papers
• Files received from clients that don’t support the audit opinion
• Unnecessary work performed on extraneous documents

For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.

If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we might realize it has none. Which is nice–now, we can eliminate it.

One healthy exercise is to pretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting. 

The key to eliminating unnecessary work lies in performing the following steps (in the order presented):

1. Perform risk assessment
2. Plan your audit based on the identified risks
3. Perform the audit procedures

Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, we repeat them. This creates waste year after year after year.

Before I close this article, here is one good work paper suggestion from my friend Jim Bennett of Bennett & Associates: transaction area maps. 

Transaction Area Maps

Include transaction area maps in your file. A summary creates organization and makes it easier to find your work papers. It also provides a birds-eye view of what you have done. Here’s an example:

ACCOUNTS RECEIVABLE WORKPAPER MAP

4-02 Audit Program

4-10 Risk Assessment Analyticals

ACCOUNTS RECEIVABLE AGING

4-20 Customer aging report

4-21 AR break-out of intercompany balances

4-23 AR aging tie in to TB

4-24 Review of AR aging

ACCOUNTS RECEIVABLE CONFIRMATIONS

4-50 Planning worksheet – substantive procedures

4-51 AR confirmation reconciliation

4-52 AR confirmation replies

4-60 Allowance for doubtful accounts

4-70 Intercompany balances and sales to significant customers

4-80 Sales analytics

4-90 Sales cut-off testing

4-95 Revenue recognition 606 support and disclosures

Summary

In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message. We need to do so to comply with AU-C 230, Audit Documentation. 

Additional Guidance

The AICPA also provides some excellent guidance regarding work paper documentation. Download their work paper template; it’s very helpful. 

Also, see my article titled 10 Steps to Better Audit Workpapers.

Seven Excuses for Unnecessary Audit Work Papers

By Charles Hall | Auditing

Unnecessary audit work papers create clutter and potential legal problems.

I see two problems in most work paper files:

(1) Too much documentation, and
(2) Too little documentation

I have written an article titled: Audit Documentation: If It’s Not Documented, It’s Not Done. Since I’ve already addressed the too little documentation issue, I’ll now speak to the other problem: too much documentation.

Unnecessary Audit Work Papers

Over the last thirty-five years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?

Here are a seven answers I’ve received.

1. It was there last year.

But is it relevant this year? Resist the temptation to mindlessly bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.

2. The client gave it to me.

Inexperienced auditors tend to put everything given to them in the file. Some auditors believe “if the client gave it to me, it must be important.” But this is not necessarily true. Every work paper needs a purpose.

3. I may need it next year.

Then save it for next year—somewhere other than in the current file. If the information does not provide current year engagement evidence, then it does not belong in the file.

Consider creating a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: Next year’s work papers. Then move this section to next year’s file as you close the engagement.

4. I might need it this year.

Before going paperless (back in the prehistoric days when we moved work papers with hand trucks [icon name=”smile-o” class=”” unprefixed_class=””]), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.

Since my files are now paperless, I create an electronic folder titled Recycle Bin that sits at the bottom of my file. If I receive information that is not relevant to the current year (but there is a chance I will need it), I move it to the recycle bin, and when I am wrapping up the engagement, I dispose of the folder.

5. It’s an earlier version of a work paper.

Move earlier versions of work papers to your recycle bin—or delete them.

6. I need it for my tax work.

Then it belongs in the tax file (unless it’s related to your attest work – e.g., deferred taxes).

7. We always do this.

But why is it being done this year? Maybe a fraud was missed ten years ago and the partner said, from now on we will…

Are these procedures still relevant?

The test of details, substantive analytics, and test of controls should be in response to the current year audit risk assessment and planning.

Reducing Legal Exposure

The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide ammunition to an opposing attorney: “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)

What are your thoughts about removing unnecessary audit work papers?