Peer reviewers are saying, “If it’s not documented, it’s not done.” Why? Because standards require sufficient audit documentation. And if it’s not documented, the peer reviewer can’t give credit for performance.
But what does sufficient documentation mean? What should be in our work papers? How much is necessary? This article answers these questions.
Made with Canva
In the AICPA’s Enhanced Oversight program, one in four audits is nonconforming due to a lack of sufficient documentation. This has been and continues to be a hot-button peer review issue. And it’s not going away.
But auditors ask, “What is sufficient documentation?” That’s the problem, isn’t it? The answer is not black and white. We know good documentation when we see it–and poor as well. It’s the middle that fuzzy. Too often audit files are poor-to-midland. Why?
First, many times it boils down to profit. Auditors can make more money by doing less work. So, let’s go ahead and state the obvious: Quality documentation takes more time and may lessen profit. But what’s the other choice? Poor work.
Second, the auditor may not understand what the audit requirements are. So, in this case, it’s not motive (more profit), it’s a lack of understanding.
Thirdly, another contributing factor is that firms often bid for work–and low price usually carries the day. Then, when it’s time to do the work, there’s not enough budget (time)–and quality suffers. Corners are cut. Planning is disregarded. Audit programs are poorly designed. Confirmations, walkthroughs, fraud inquiries are omitted. It’s easier, at least in the short run.
Even though these reasons may be true, we all know that quality is the foundation of every good CPA firm. And work papers tell the story–the real story–about a firm’s character. How would you rate your work paper quality? Is it excellent, average, poor? If you put your last audit file on this website and everyone could see it, would you be proud? Or does it need improvement?
Insufficient Audit Documentation
First, let’s look at examples of poor documentation:
- Signing off on audit steps with no supporting work papers (and no explanation on the audit program)
- Placing a document in a file without explaining why (what is its purpose?)
- Not signing off on audit steps
- Failing to reference audit steps to supporting work papers
- Listing a series of numbers on an Excel spreadsheet without explaining their source (where did they come from? who provided them?)
- Not signing off on work papers as a preparer
- Not signing off on work papers as the reviewer
- Failing to place excerpts of key documents in the file (e.g., debt agreement)
- Performing fraud inquiries but not documenting who was interviewed (their name) and when (the date)
- Not documenting the selection of a sample (why and how)
- Failing to explain the basis for low inherent risk assessments
- Key bank accounts and debt are not confirmed
- Not documenting the reason for not sending receivable confirmations
- A lack of retrospective reviews
- A failure to document the current year walkthroughs for significant transaction cycles (the file contains a generic description of controls with no evidence of a current year review)
- Not documenting COSO deficiencies (e.g., tone at the top, management’s risk assessment procedures)
- A failure to document risk assessments
- Low control risk assessments without a test of controls
- A lack of linkage from the risk assessment to the audit plan
- No independence documentation though nonattest services are provided
This list is not comprehensive, but it provides examples to consider. This list is based on my past experiences. Probably the worst offense (at least in my mind) is signing off on an audit program with no support.
Additionally, the AICPA has identified the following deficiencies. Work papers lack:
- Tests of controls over compliance in a single audit
- Determinations of direct and material Single Audit compliance requirements
- Eligibility testing in Employee Benefit Plan audits
Sufficient Audit Documentation According to AU-C 230
Now, let’s examine what constitutes sufficient documentation.
AU-C 230 Audit Documentation defines how auditors are to create audit evidence. It says that an experienced auditor with no connection to the audit should understand:
- Nature, timing, and extent of procedures performed
- Results and evidence obtained
- Significant findings, issues, and professional judgments
While most auditors are familiar with this requirement, the difficulty lies in how to accomplish this. What does it look like?
Experienced Auditor’s Understanding
Here’s the key: When an experienced auditor reviews the documentation, does she understand the work?
Any good communicator makes it her job to speak or write in an understandable way. The communicator assumes responsibility for clear messages. In creating work papers, we are the communicators. The responsibility for transmitting messages lies with us (the auditors creating work papers).
A Fog in the Work Papers
So what creates fogginess in work papers? We forget we have an audience. Others will review the audit documentation to understand what was done. As we prepare work papers, we need to think about those who will read our work. All too often, the person creating a work paper understands what he is doing, but the reviewer doesn’t. Why? The message is not clear.
Just because I know why I am doing something does not mean that someone else will.
This is why most work papers should include the following:
- A purpose statement (what is the reason for the work paper?)
- The source of the information (who provided it? where did they obtain it and how?)
- An identification of who prepared and reviewed the work paper
- The audit evidence (what was done)
- A conclusion (does the audit evidence support the purpose of the work paper?)
When I make these suggestions, some auditors push back saying, “We’ve already documented some of this information in the audit program.” That may be true, but I am telling you–after reviewing thousands of audit files–the message (what is being done and why) can get lost in the audit program. The reviewer often (speaking for myself) has a difficult time tieing the work back to the audit program and understanding its purpose and whether the documentation provides sufficient audit evidence.
Remember, the work paper preparer is responsible for clear communication.
And here’s another thing to consider. You (the work paper preparer) might spend six hours on one document. So, you are keenly aware of what you did. The reviewer, on the other hand, might spend five minutes–and she is trying (as quickly as she can) to understand.
Help Your Reviewers
To help your less informed reviewers:
- Tell them what you are doing (purpose statement)
- Do it (document the test work)
- Then, tell them how it went (the conclusion)
Sample Work Paper from AICPA
Here’s a sample work paper from the AICPA. What do I like about it?
It communicates (clearly):
- That it was not prepared by the client
- Who prepared it and who reviewed it
- The dates prepared and reviewed
- The objective (purpose)
- What the tickmarks mean
I also note there is no extraneous information, no clutter.
So far, we’ve discussed insufficient documentation. Let’s take a minute to review an opposite problem, having too much.
Too Much Audit Documentation
It’s funny, but many CPAs say to me, “I feel like I do too much,” meaning they believe they are auditing more than is necessary. To which I often respond, “I agree.”
In looking at audit files, I see:
- The clutter of unnecessary work papers
- Files received from clients that don’t support the audit opinion
- Unnecessary work performed on these extraneous documents
For whatever reason, clients usually provide more information than we request. And then–for some other reason–we retain those documents, even if not needed.
If auditors add purpose statements to each work paper, then they will discover that some work papers are unnecessary. In writing the purpose statement, we realize it has none. Which is nice–now, we can deep-six it.
One healthy exercise is to pretend we’ve never audited the company and that we have no prior year audit files. Then, with a blank page, we plan the audit. Once done, we compare the new plan to prior year files. If there’s any fat, start cutting.
The key to eliminating unnecessary work lies in performing the following steps (in the order presented):
- Perform risk assessment
- Plan your audit based on the identified risks
- Perform the audit procedures
Too often, we roll the prior year file forward and rock on. If the prior year file has extraneous audit procedures, then we repeat them. This creates waste.
In summary, audit documentation continues to be a significant peer review problem. We can enhance the quality of our work papers by remembering we are not just auditing. We are communicating. It is our responsibility to provide a clear message.
Below is a short video summarizing this article.