Over the last thirty years, I have reviewed audit files for CPA firms and have commonly asked this question: Why is this work paper in the file?
Here are a few standard answers.
1. It was there last year.
But is it relevant this year? Resist the temptation just to copy or bring forward work papers from the prior year. Performing a proper audit entails risk assessment (e.g., walkthroughs, analytics), planning (i.e., creating an audit plan), and execution (i.e., carrying out the audit plan). Likewise, compilations and reviews should reflect current year planning and performance.
2. The client gave it to me.
For some reason, young auditors tend to put everything given to them in the file. I think they believe, “if the client gave it to me, it must be important.”
There is one reason to place documentation is the file: It provides audit evidence to support the opinion.
3. I may need it next year.
Then save it—somewhere other than the audit file—for next year. If the information does not provide current year engagement evidence, then it does not belong in the current year file.
Consider setting up a file for next year and placing next year’s information in that file. Or create a folder in the current year file titled: next year’s work papers; then move this section from the current year file as you wrap up the engagement.
4. I might need it this year.
Before going paperless (back in the days of moving work papers with a hand truck), I kept a manila folder titled: File 13. The physical folder was my hang-on-to-it-in-case-I-need-it repository.
Since my files are now paperless, I create an electronic folder titled “Recycle Bin” that sits at the bottom of my file. If I receive information that is not relevant to the current year work, I move it to the recycle bin, and while I am wrapping up the engagement, I dispose of the entire folder.
5. It’s an earlier version of an existing work paper.
Move earlier versions of work papers (e.g., initial financial statements) to your recycle bin.
6. I need it for my tax work.
Then it belongs in the tax file (unless it’s related to your attestation work – e.g., deferred taxes).
7. We missed a fraud ten years ago, so we always include these work papers.
Fraud procedures (and all procedures for that matter) should reflect the current year audit risk assessment and planning.
Closing Comments
The most important reason for minimizing work paper content is to reduce your legal exposure. Excess work papers may provide an attorney ammunition. “Mr. Hall, here’s a work paper from your own audit file that reveals fraud was occurring, and you didn’t see it?” (So don’t, for example, leave the full general ledger in your work papers.)
What are your thoughts about removing unnecessary audit work papers?
Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards requiresufficient audit documentation. And if it’s not documented, the peer reviewer can’t give credit for performance.
But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.
In the AICPA’s Enhanced Oversight program, one in four audits is nonconforming due to a lack of sufficient documentation. This has been and continues to be a hot-button peer review issue. And it’s not going away.
But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that is fuzzy. Too often audit files are poor-to-midland. Why?
First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.
Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (for more profit), it’s a lack of understanding.
Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Audit programs are poorly designed. Confirmations, walkthroughs, fraud inquiries are omitted. And yes, it’s easier–at least in the short run.
Even though these reasons may be true, we all know that qualityis the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on this website and everyone could see it, would you be proud? Or does it need improvement?
Insufficient Audit Documentation
So, what is insufficient audit documentation?
First, let’s look at examples of poor documentation:
Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
Placing a document in a file without explaining why (what is its purpose?)
Not signing off on audit steps
Failing to reference audit steps to supporting work papers
Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
Not signing off on work papers as a preparer
Not signing off on work papers as the reviewer
Failing to place excerpts of key documents in the file (e.g., debt agreement)
Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
Not documenting the selection of a sample (why and how)
Failing to explain the basis for low inherent risk assessments
A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
Not documenting COSO deficiencies (e.g., tone at the top, management’s risk assessment procedures)
A failure to document risk assessments
Low control risk assessments without a test of controls
A lack of linkage from the risk assessment to the audit plan
This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.
AICPA Findings
Additionally, the AICPA has identified the following deficiencies. Work papers lack:
Tests of controls over compliance in a single audit
Determinations of direct and material Single Audit compliance requirements
Eligibility testing in Employee Benefit Plan audits
Sufficient Audit Documentation According to AU-C 230
Now, let’s examine what constitutes sufficient documentation.
AU-C 230Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:
Nature, timing, and extent of procedures performed
Results and evidence obtained
Significant findings, issues, and professional judgments
While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like?
Experienced Auditor’s Understanding
Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?
Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).
A Fog in the Work Papers
So what creates fogginess in work papers? We forget we have an audience.Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will read our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.
Just because I know why I am doing something does not mean that someone else will.
Creating Clarity
This is why most work papers should include the following:
A purpose statement (what is the reason for the work paper?)
The source of the information (who provided it? where did they obtain it and how?)
An identification of who prepared and reviewed the work paper
The audit evidence (what was done)
A conclusion (does the audit evidence support the purpose of the work paper?)
When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often (speaking for myself) has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.
Remember, the work paper preparer is responsible for clear communication.
And here’s another thing to consider. You (the work paper preparer) might spend six hours on one document. So, you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand.
Help Your Reviewers
To help your less informed reviewers:
Tell them what you are doing (purpose statement)
Do it (document the test work)
Then, tell them how it went (the conclusion)
Too Much Audit Documentation
It’s funny, but many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”
Files received from clients that don’t support the audit opinion
Unnecessary work performed on these extraneous documents
For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.
If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we realize it has none. Which is nice–now, we can deep-six it.
One healthy exercise is topretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting.
The key to eliminating unnecessary work lies in performing the following steps (in the order presented):
Perform risk assessment
Plan your audit based on the identified risks
Perform the audit procedures
Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, then we repeat them. This creates waste.
Summary
In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message.
In this post, I provide ten steps to make work papers sparkle.
Have you ever been insulted by a work paper review note?
Your tickmarks look like something created by my child.
Rather than providing guidance,the comment feels like an assault.
Or maybe you are the reviewer–you stare at a work paper for several minutes–and you’re thinking, “what the heck is this?” Your stomach tightens and you say out loud, “I don’t have time for this.”
There are ways to create greater clarity in your work papers.
Make Work Papers Sparkle
Here are ten steps to make your work papers sparkle.
Timely review work papers. The longer the in-charge waits to review work papers, the harder it is for the staff person to remember what they did and, if needed, to make corrections. Also, consider that the staff person may be reassigned to another job. Therefore, he may not be available to clear the review notes.
Communicate the work paper’s purpose.
a. An unclear work paper is like a stone wall. It blocks communication.
b. State the purpose of the work paper; for example:
Purpose of Work Paper – To search for unrecorded liabilities as of December 31, 2018. Payments greater than $30,000 made from January 1, 2019, through March 5, 2019, were examined for potential inclusion in accounts payable.
Or:
Purpose of Work Paper – To provide a detail of accounts receivable that agrees with the trial balance; all amounts greater than $20,000 agreed to subsequent receipt.
If the person creating the work paper can’t state the purpose, then maybe there is none. It’spossible that the staff person is trying to copy a work paper from the prior year that (also) had no purpose.
c. All work papers should satisfy a part of the audit program (plan). No corresponding audit program step? Then the audit program should be updated to include the step—or maybe the work paper isn’t needed at all.
3. The preparer should sign off on each work paper(so it’s clear who created it).
4. Audit program steps should be signed off as the work is performed (not at the end of the audit–just before review). The audit program should drive the audit process—not the prior year work papers.
5. Define tickmarks.
6. Reference work papers. (If you are paperless, use electronic links.)
7. Communicate the reason for each journal entry.
The following explanation would not be appropriate:
To adjust to actual.
A better explanation:
To reverse client-prepared journal entry 63 that was made to accrue the September 10, 2018, Carter Hardware invoice for $10,233.
8. When in doubt, leave it out.
Far too many documents are placed in the audit file simply because the client provided them. Moreover, once the work paper makes its way into the file, auditors get “remove-a-phobia“–that dreaded sense that if the auditor removes the work paper, he may need it later.
If you place those unneeded documents in your audit file and do nothing with them, they may create potential legal issues. I can hear the attorney saying, “Mr. Hall, here is an invoice from your audit file that reflects fraud.”
Again, does the work paper have a purpose?
My suggestion for those in-limbo work papers: Place them in a“file 13” stack until you are completely done. Then–once done–destroy them. I place these work papers in a recycle bin at the bottom of my work paper tree.
9. Complete forms. Blanks should not appear in completed forms (use N/A where necessary).
10. Always be respectful in providing feedback to staff. It’s too easy to get frustrated and say or write things we shouldn’t. For instance, your audit team is more receptive to:
Consider providing additional detail for your tickmark: For instance–Agreed invoice to cleared check payee and dollar amount.
This goes over better than:
You failed to define your tickmark–again?
Last Remarks
What other ways do you make your work papers sparkle? Comment below.
Today, I offer you a list of forty audit and work paper mistakes.
The list is based on my observations from over over thirty years of audit reviews (and not on any type of formal study).
You will, however, shake your head in agreement as you read these. I know you’ve seen them as well. The list is not comprehensive. So, you can add others in the comments section of this post.
Here’s the list.
No preparer sign-off on a work paper
No evidence of work paper reviews
Placing documents in the file with no purpose (the work paper provides no evidential matter for the audit)
Signing off on unperformed audit program steps
No references to supporting documentation in the audit program
Using canned audit programs that aren’t based on risk assessments for the particular entity
Not documenting expectations for planning analytics
Inadequate explanations for variances in planning analytics (“revenue went up because sales increased”)
Planning analytics with obvious risk of material misstatement indicators, but no change in the audit plan to address the risk (sometimes referred to as linking)
Verbally communicating control deficiencies (those not significant deficiencies or material weaknesses) without documenting the conversation
Performing needed substantive tests with no related audit program steps (i.e., the audit program was not amended to include the necessary procedures)
Assessing control risk below high without testing controls
Assessing the risk of material misstatement at low without a basis (reason) for doing so
Documenting significant risks (e.g., allowance for uncollectible receivable estimates in healthcare entities) but no high inherent risks (when inherent risk are separately documented)
Not documenting the predecessor auditor communication in a first-year engagement
Not documenting the qualifications and objectivity of a specialist
Not performing risk assessment procedures for all significant transaction areas (e.g., risk assessment procedures performed for billing and collections but not for payroll which was significant)
Specific items tested are not identified (e.g., “tested 25 disbursements, comparing amounts in the check register to cleared checks” — we don’t know which particular payments were tested)
Making general statements that can’t be re-performed based on the information provided (e.g., “inquired of three employees about potential fraud” — we don’t know who was interviewed or what was asked or their responses)
