Audit Documentation

In the first of a series of articles, Steve Collings takes a look at the revised and/or redrafted auditing standards issued by the IAASB during the clarity project. The IAASB clarity project is aimed at removing ambiguity within the auditing standards and clarifying certain terms within the standards themselves. The first ISA in the series looks at ISA 230 (revised) Audit Documentation.

Audit work, whether it be discussion, observance, reperformance etc. must be documented within the audit file. Whilst this may seem obvious to any auditor, it is surprising just how much audit work is undertaken by audit firms that is not, in fact, documented. Simply ticking a box or writing completed on an audit programme does not constitute sufficient and appropriate audit evidence.

ISA 230 (revised) states that the auditor should prepare, on a timely basis, audit documentation that provides:

- A sufficient and appropriate record of the basis for the auditors report; and - Evidence that the audit was performed in accordance with ISAs and applicable legal and regulatory requirements.

For the purposes of ISA 230 Audit Documentation means the record of audit procedures performed (including audit planning), relevant audit evidence obtained and conclusions which the auditor has reached. For example, a typical working paper could contain:

Objective set out the overall objective of the audit procedure(s) to be performed.

Work performed document the work that was actually undertaken.

Results and evaluation document the results of the work performed above.

Conclusion whether the objective at the start of the procedure was met.

A common reason for audit files failing regulator inspections is because the auditor/audit firm does not sufficiently document procedures which have been carried out during the course of an audit. Consider the following example:

You are auditing Alicia Enterprises Inc. Alicia Enterprises Inc deal with highly corrosive and flammable liquids. You have met with the Managing Director, Lucas Stevens, of the company to discuss whether there have been any issues relating to Health and Safety compliance. After the discussion you annotate the audit programme to say that you have discussed the issues with Lucas Stevens.

What does this tell someone who is reviewing the file? All this tells the person reviewing the file is that you have had a discussion with the MD. It does not explain WHY you had the discussion or WHAT the objective of the discussion was and the DETAILS of that discussion or the OUTCOME of the discussion on which conclusions have been made.

Discussion (referred to as inquiry in ISA 500) is an audit procedure under ISA 500 Audit Evidence. Inquiry is an audit procedure that is used extensively throughout the audit, though it is often complementary to performing other procedures.

In terms of our discussion with Lucas Stevens, I would expect an audit working paper relating to the discussion to look as follows:

Client Alicia Enterprises Inc Prepared by SC Date July 2009 File Ref 2.8 Year End 31 March 2009 Reviewed by Date

Objective The objective of this meeting is to confirm whether or not the company has complied with its obligations under Health and Safety legislation. Health and Safety legislation is a central law to Alicia Enterprises Inc and any breach of such may have a detrimental impact on the company.

Work Performed I held a meeting with Lucas Stevens, Managing Director, on 1 July 2009 to discuss the companys compliance with Health and Sa fety Legislation. Lucas Stevens provided me with a copy of the latest Health and Safety inspection which was undertaken on 1 February 2009 (refer to schedule 1.2) This report confirms that the companys Health and Safety procedures are sufficient and that they have complied with all aspe cts of Health and Safety Legislation. Lucas Stevens confirmed that they have 3 internal Health and Safety inspectorates as well as an external Health and Safety specialist who monitor, on a regular basis, the companys compliance with Health and Sa fety issues.

Lucas Stevens confirmed that the company takes Hea lth and Safety extremely seriously and any employees who breach Health and Safety are taken through the companys Disciplinar y Procedures.

Results and Evaluation

See schedule 1.2 for the results of the Health and Safety Inspection undertaken by the Health and Safety Directorate. I have also obtained copies of the internal Health and Safety Review which was undertaken on 21 March 2009 (refer to schedule 1.3). There was no indication of any breaches of Health and Safety

Conclusion

Based on the evidence obtained, I am satisfied that no breaches of Health and Safety have occurred during the year.

By documenting the discussion as above, it is clear to any other experienced auditor reviewing the audit working papers (a) what the objective of the above discussion was (b) what was discussed (c) what evidence was obtained during the course of that discussion (d) the results of that discussion and (e) the conclusions drawn.

Engagement Documentation

The audit firm must establish policies and procedures for the team to assemble an audit file in a timely manner. Ordinarily the time limit for assembling an audit file should not be anymore than 60 days after the date the auditors report is signed (see ISQC 1). Where two or more different reports are issued in respect of the same subject (for example where the auditor is issuing a report on a comp onents financial information for group consolidation purposes and, at a subsequent date, an auditors report on the same financial information for statutory purposes) then the firms policies and procedures relating to time limits for final assembly of the file should add ress the time limit as if it were for a separate engagement.

In addition, the audit firm must establish policies and procedures which are designed to maintain the confidentiality, safe custody, integrity, accessibility and retrievability of engagement documentation. Remember, the audit engagement team must observe, at all times, the confidentiality of the information contained in audit engagement documentation and must not disclose to any third party, unless the client has instructed to do so, any information contained within the engagement documentation.

There could, however, be times when there is a legal or professional duty to disclose information to third parties (for example where a criminal act has been committed).

Amendments to Audit Documentation after the Auditors Report has been Signed

Where the auditor deems it necessary to amend or add new audit documentation after the assembly of the final file, then the auditor should, regardless of the nature of the amendments to the audit documentation document:

- When and by whom the amendments/additions were made and (where applicable) reviewed; - The specific reason for making the amendment/addition; and - Their effect, if any, on the auditors conclusions. In exceptional circumstances where the auditors report has already been signed and new information arises which requires the auditor to perform new or additional audit procedures, or the new information leads the auditor to reach new conclusions, the auditor should document:

- The circumstances encountered; - The new or additional audit procedures performed, audit evidence obtained, and conclusions reached; and - When and by whom the resulting changes to audit documentation were made, and (where applicable) reviewed.

Conclusion

Audit documentation is crucial. An audit file needs to stand on its own and tell a story behind how the financial statements have been verified and how the figures and disclosures within the statements derived. Audit working papers need to follow a methodical approach and document the objective, the work performed, the results of the work performed and the conclusions drawn.

In real life, firms are often criticized for failing to sufficiently document audit evidence. Remember, simply saying a procedure has been undertaken is not audit evidence the evidence needs to be clearly documented so that another experienced auditor reviewing the audit file can see exactly what has been done. The audit evidence on file must also support the opinion contained within the auditors report.