Audit Documentation: It’s a Whole New World

By Howard B. Levy

“The skill of an accountant can always be ascertained by an inspection of his working papers.”
— Robert H. Montgomery, Montgomery’s Auditing, 1912

E-mail Story Print Story

Statement on Auditing Standards (SAS) 41, issued in 1982, changed very little from SAP 38. Like its predecessor, SAS 41 reestablished that auditors should have workpapers, the form and content of which should follow its broad guidelines and meet the circumstances of a particular engagement. The workpapers would constitute the principal record of the work done and conclusions reached, and provide the principal support for auditors’ reports. It provided primarily that the workpapers should document the following:

• The work has been adequately planned and supervised;
• Internal control has been appropriately studied and evaluated; and
• The evidence obtained and procedures performed afford a reasonable basis for an opinion.

At the time of SAS 41’s issuance, there were very few explicit requirements elsewhere in professional standards to document specific matters. These requirements consisted principally of an audit program, a legal letter, a client representation letter, and a notation that material internal control weaknesses were communicated orally if not reported in writing.

SAS 96 was a project-in-process in October 2001 when the Enron scandal broke. By then, a few other specific requirements had crept into various other standards, but SAS 96 was intended to be a fresh, comprehensive approach to the objectives and content of audit documentation at the standard level. In the decades leading up to SAS 96, intense competition for audit services inspired the profession, led by the largest firms, to seek more efficient ways to audit. Besides developing risk-based auditing, a tendency began to emerge to shortcut audit documentation to achieve efficiencies apparently still permissible under the authoritative literature. In addition, a growing trend of audit failures and related litigation in the pre-Enron years caused the largest firms to adopt a defense strategy (undoubtedly recommended by their lawyers) to further minimize audit documentation.

Although hailed by its preparers and promoters as responsive to Enron-related issues, the hastily released SAS 96 did little to add any substantive audit documentation requirements or to reduce the opportunity to apply judgment; it was not an effective improvement to the status quo.

The case against Andersen with regard to its audit of Enron focused largely on the destruction of documents. The resultant Sarbanes-Oxley Act of 2002 (SOA) created the Public Company Accounting Oversight Board (PCAOB), and required and empowered the PCAOB to establish regulatory documentation and records-retention standards. Critical of the perceived softness of SAS 96, the newly formed PCAOB quickly addressed audit documentation and records retention in developing its Auditing Standard 3, applicable to audits of SEC issuers. PCAOB Standard 3 creates high hurdles for auditors to clear in improving audit documentation in several substantive ways. In many respects, it appears to have been motivated largely to facilitate the work of the PCAOB inspectors, but it will likely also aid other adversaries, such as plaintiffs’ attorneys, making audit documentation a much more defensive process than ever before. Almost 100 years after Montgomery’s Auditing, it’s a whole new world.

The implications for audit documentation in the post-Enron world stretch beyond SEC registrants. Some state regulators (notably in New York and California) and federal government auditors began seeking more uniformity and accountability among auditors in the preparation and retention of audit documentation for non-SEC entities. Recognizing that the prior standard continued to allow for too much diversity in judgment to satisfy governmental oversight and enabled reduced documentation for the purposes of efficiency and litigation defense, and feeling pressure from the new standards-setting body, the AICPA’s Auditing Standards Board (ASB) appointed a task force to revisit SAS 96. It prepared, and issued for public exposure and comment in January 2005, a proposed new SAS that closely mirrors PCAOB Auditing Standard 3 in most, but not all, significant respects.

The Scope of the New Documentation Standards

Beginning with periods ending on or after November 15, 2004, the new PCAOB documentation standard applies to financial statement and SOA section 404 internal control audits for all SEC issuers, as well as reviews of their quarterly financial information filed in Form 10-Q or 10-QSB. The proposed SAS (to replace SAS 96) will not be finalized until later this year at the earliest and will likely be made effective beginning with 2006 audits (fiscal years ending on or after December 15, 2006). When finalized, the new standard will apply to all audits of financial statements of non-SEC audit clients.

Many CPAs with significant SEC audit practices will choose early adoption of the provisions of this proposed standard in order to minimize the need to temporarily differentiate the nature and quality of audit documentation between SEC and non-SEC audit engagements. It is costly and confusing to maintain two sets of standards and quality-control policies and procedures. In addition, in the event of an adversarial challenge, it could be difficult to defend the use of a lower standard when there is knowledge of, and evidence of proficiency in, a higher standard.

Although far more specific than earlier standards, both new standards continue to provide only broad, general requirements, and there are many more specific documentation requirements that will continue to be in effect. A comprehensive list of such requirements appears in Appendix A to the proposed SAS.

The Objectives of Audit Documentation

Although standards setters (particularly the ASB) recognize that audit documentation is “an essential element” of audit quality, they caution that it alone does not assure a quality audit. Audit documentation provides the principal written record to support the following:

• The auditors’ report assertion that the audit was performed in accordance with applicable standards, and
• The auditors’ conclusions about each significant financial statement assertion, and their opinion on the financial statements taken as a whole.

Audit documentation must clearly demonstrate that the work was in fact performed in compliance with applicable standards, must provide a clear link to significant matters (findings or issues), and must contain sufficient information, in sufficient detail, for a clear understanding by an “experienced auditor” of the following:

• The nature, timing, and extent of the auditing procedures planned;
• The work performed;
• The purpose of the work;
• The source of the information analyzed and supporting evidential matter obtained, examined, and evaluated; and
• The conclusions reached.

An “experienced auditor” is someone who has no previous experience with the engagement and has a reasonable understanding of accounting and auditing in general, and in particular with regard to issues relevant to the audit client’s industry. The experienced-auditor principle requires that the written audit documentation (i.e., workpapers) stand on its own without oral supplementation except by way of clarification for written documentation that is, in fact, already present.

The PCAOB acknowledged that the experienced-auditor principle for evaluating audit documentation was derived from section 4.22 of the Government Accountability Office’s “Yellow Book.” The experienced-auditor principle in the Yellow Book, however, makes no specific reference to industry expertise, because it was meant primarily to be applied to government reviewers trained and experienced in government accounting and auditing.

The following are the more specific purposes of audit documentation:

• Assisting auditors to plan and perform the audit;
• Assisting those responsible to direct, supervise, and review the work performed;
• Providing and demonstrating the accountability of those performing the work (i.e., compliance with applicable standards);
• Assisting quality-control reviewers to understand and assess how the engagement team reached and supported significant conclusions;
• Enabling internal and external inspection teams and peer reviewers to assess compliance with professional, legal, and regulatory standards and requirements; and
• Assisting successor auditors.

The last three items focus on assisting reviewers in meeting their responsibilities with minimal reliance on oral explanations. PCAOB Standard 3 suggests that inadequate documentation makes it difficult or impossible to determine if the work was actually done, and states that, if it is not clearly evident from the audit documentation, an auditor must demonstrate, with persuasive other evidence, “that sufficient procedures were performed, sufficient evidence was obtained, and appropriate conclusions were reached.” Although it may be used to clarify written evidence, oral explanation alone will not constitute persuasive other evidence.

The Nature, Form, Content, and Extent of the Audit Documentation

The proposed SAS contains an affirmative statement to the effect that it is “neither necessary nor practical to document every matter the auditor considers during the course of the audit.” PCAOB Standard 3 does not contain a similar statement, although it implies as much by suggesting judgmental factors in determining the extent of documentation required.

Audit documentation and workpapers can be stored in any medium, and include a variety of documents, including the following:

• Audit programs and other planning documents;
• Analyses;
• Memoranda;
• Confirmations;
• Representation letters;
• Checklists;
• Extracts of important documents;
• Significant correspondence; and
• Details of tests performed and documents examined.

There is nothing new about this list, but as became evident in the Andersen case, auditors must become more disciplined about incorporating significant e-mails into their workpapers, retaining them, and timely deleting those that are not necessary.

The quality, type, and specific content of audit workpapers are matters of professional judgment. Expanded criteria included in new and proposed standards can assist auditors in determining the nature and assessing the adequacy of audit documentation, including the following factors:

• The nature of an auditing procedure;
• The risk of material misstatement;
• The extent of judgment required in performing the procedure and evaluating the results;
• The significance and quality of evidence obtained;
• The nature and extent of exceptions found; and
• The extent to which the conclusion, or basis therefor, is or is not readily apparent.

Specific items tested. The new standards include very detailed requirements as to the specific content of the workpapers. It is unnecessary to retain copies of client source documents inspected or lists of entire populations from which balances or transactions were selected for detailed tests of controls or substantive tests (unless needed to enable an experienced auditor to understand the work performed and conclusions reached).

Audit documentation should instead describe identifying characteristics of the specific items tested (sufficient to enable reperformance of the test for the same items), such as the source or population and the selection criteria; for example:

• For an audit sample selected from a population of checks, the specific check numbers of the items included in both the population and the sample; or
• For a test of all items over a specific amount from a given population, the scope and the population, such as “all journal entries over $25,000 in the general journal for the year”; or
• For procedures that involve inquiries, the name and job description of persons interviewed, the date and content of the inquiries, and the responses received.

With regard to contracts and other significant documents, the standards require the retention of either contracts, corporate minutes, or other documents significant to financial statement assertions, or abstracts thereof.

Conclusions. The standards require documentation of conclusions for all “relevant” or significant financial statement assertions, except when the conclusion is readily apparent or obvious from the documentation of the work performed. Relevant assertions are those that have a meaningful bearing on whether the account is fairly stated. Although the standards do directly address context, it is generally inappropriate to state in a conclusion merely that an account balance is or appears reasonable without a frame of reference as to what “reasonable” means in terms of risk and materiality (i.e., the likelihood of an undiscovered material misstatement).

When several procedures (primary and corroborative) relate to the same assertion for the same population, only one conclusion should be documented, and it should be based on the results of all relevant tests considered together. The standards also prohibit apparently unsupported conclusions, but require that documentation be adequate to enable an experienced auditor (as previously defined) to assess the evidential support for all conclusions.

Significant matters. Both standards contain similar requirements for documenting significant matters, including the timely documentation of all significant discussions with management or with those charged with corporate governance, and the records of discussions with stockholders, other investors, analysts, or other interested parties, for SEC registrants.

Individual significant issues or findings—defined as substantive matters important to the procedures performed, evidence obtained, or conclusions reached—must be documented. This would include the following:

• Matters involving the selection, application, and consistency of accounting principles and related disclosures, especially those regarding complex transactions, estimates, and related assumptions and uncertainties;
• Disagreements among professional staff or consultants;
• Significant difficulties in applying audit procedures; or
• Audit findings or results indicating—
  • a need for revised risk assessments and modification of scope;
  • possibly material misstatements;
  • audit adjustments (defined by both standards);
  • possible management fraud or illegal acts;
  • significant internal control deficiencies; or
  • possible modification of an audit report or auditor withdrawal.

Any possible impairment of independence should also be documented. Discussions of any technical research or audit evidence that is inconsistent with or contradicts a final conclusion should be disclosed, along with how it was addressed in reaching the conclusion.

Other significant matters include intentional departures from any applicable SAS judged necessary to more effectively achieve an audit objective, along with the justification thereof. This expands older GAAS requirements that were limited to justifying not confirming receivables or not observing physical inventories. There is no similar requirement in PCAOB Standard 3, but it could be viewed as covered by the “significant issue” documentation requirement.

An “engagement completion summary” is required for SEC issuers. It may include either all information necessary to understand the significant findings and issues, or, as appropriate, cross-references to other available supporting audit documentation. The summary, together with all cross-referenced supporting documentation, should collectively be “as specific as necessary in the circumstances for a reviewer [presumably, an experienced auditor] to gain a thorough understanding of all the significant findings or issues.”

Identification of preparers, reviewers, and dates. Many firms have long had quality-control policies requiring the signing and dating of workpapers, but this is the first time it has been a requirement in professional standards. All workpapers, individually or in clearly identified groups, must now be signed and dated by the principal preparer and reviewer for the audit to be in accordance with applicable auditing standards (GAAS or PCAOB).

Revisions to Audit Documentation

PCAOB Standard 3 places no restrictions on revisions to the workpapers during the audit, as long as all minimum documentation requirements are met. After the report is released, there begins a 45-day file assembly (housekeeping) period that permits the tidying up of unclear or incomplete documentation and the removal of redundant or unnecessary documentation. After this period, only additions may be made, with documentation of the name of the person making the addition, the date it was made, the reason for the addition, the effect on audit conclusions, and any additional actions required.

The proposed SAS is the same as PCAOB Standard 3 in this regard except that it would allow a file assembly period of up to 60 days after release. A proposed international audit standard would start its 60-day file assembly period from the report date.

Security. Both standards require that audit firms maintain appropriate controls over audit documentation that would:

• Ensure that the workpapers clearly disclose to subsequent reviewers when and by whom anything was created, changed, or reviewed;
• Protect the integrity of the documented information, especially during the audit, when it is shared within the audit team or transmitted to others electronically;
• Prevent unauthorized changes; and
• Allow access by authorized parties as necessary to properly discharge their responsibilities.

Superseded, redundant, and other unnecessary material. Robert Montgomery also wrote in 1912 in Montgomery’s Auditing:

“[The] … practitioner who aspires to a high place in his profession will avoid all unnecessary compilations and comments … and he will ruthlessly destroy his papers as soon as their value is questionable.”

Timely removal of superseded, redundant, and other necessary material from paper or electronic “workpapers” is not only permitted but encouraged during the audit and during the “file assembly” period, but not after a subpoena (or notice of regulatory investigation) arrives.

Materials that are unnecessary for (and may impair) the achievement of the objectives of workpapers should be removed and discarded before the workpapers are ready for final review or storage, as well as during (but never after) the post-release file assembly period. This includes early drafts of management letters and financial statements and other superseded materials, open-items lists, follow-up notes, and review comments. Private desk files and information stored by professional and administrative staff members on a network, personal computers, PDAs, or external disks, including e-mailboxes, also should not contain items that are superseded, in draft form, inconsistent with the final workpapers, or unnecessarily duplicative. Client correspondence that is not related to the audit may be retained in separate correspondence or desk files, but not in audit workpapers.

Records Retention

Among most clear and direct consequences of the Enron and Andersen scandals are the requirements now applicable to retention of audit documentation. As mandated by SOA, PCAOB Standard 3 requires the retention of all audit documentation (subject to the housekeeping permitted during the 45-day file assembly period) for completed engagements for a minimum of seven years after report release. The proposed SAS would require only five years. Both, however, are subject to state and local statutory and regulatory minimums, if longer.

A unique feature of the PCAOB standard is a requirement to retain documentation for incomplete engagements (for which no report was issued) for seven years after the cessation of audit work due to an auditor withdrawal or termination.

For multi-office or multi-firm engagements, PCAOB Standard 3 obligates the office of the firm issuing the report to retain (or have access to) for the minimum retention period (seven years) all audit documentation obtained or prepared by participating auditors associated with other offices of the firm or other firms, whether affiliated or nonaffiliated. The office must also obtain and review certain specified summary documentation prior to release of the audit report. The standard also holds the issuing office responsible for ensuring compliance with its documentation requirements by such other participating auditors.

A warning for auditors of SEC issuers, however: Rule 2-06 of Regulation S-X requires retention of documentation beyond the requirements of PCAOB Standard 3, including all correspondence and memoranda in paper or electronic media; e-mails created, sent, or received in connection with an audit or related professional practice engagement; and engagement-related conclusions, opinions, analyses, and data, subject to exceptions for redundant, superseded, and other material, as specified in SEC Release 33-8180, “Retention of Records Relevant to Audits and Reviews.”

A question might arise as to how the file-retention provisions of PCAOB Standard 3 (or the proposed SAS) would apply in the event the engagement partner leaves the audit firm (or even changes offices within the firm) and the client moves with her. This question is not addressed directly in either standard, so what follows is the author’s analysis and opinion.

It is clear that the file-retention requirements of the new and proposed standards apply to the issuing firm (and in the case of the PCAOB standard, the issuing office of a multi-office firm). Therefore, the audit documentation files may not be surrendered to a departing partner before the minimum retention period has expired. Under these circumstances, the departing partner’s professional relationship with her former firm becomes no different from any other successor-predecessor auditor relationship, which is governed presently by SAS 84. Nothing in SAS 84, or in either documentation standard, requires a predecessor to share audit documentation with a successor, nor is there anything that prevents or limits such sharing as a matter of professional courtesy. Therefore, in an amicable separation, the issuing firm is free to give copies of its audit files, in whole or in part, to the successor, if it chooses to do so, but it must continue to comply with the file-retention requirements.

Summary of the Major Changes

If the new SAS is adopted substantially as proposed—and there is no reason to believe it won’t be—auditors will be faced with a whole new world of audit documentation, even if they have little or no SEC audit work. A summary of the principal features of both new standards that change the status quo is shown in the Exhibit. Each standard—

• is based on an “experienced-auditor” principle;
• provides expanded criteria for determining the nature and extent of necessary audit documentation;
• specifies a minimum file-retention period;
• requires documentation of auditors’ competency and independence (which may be contained in central administrative records and, presumably, retained for the minimum file-retention period);
• requires effective signing and dating of all workpapers (or groups of related workpapers);
• specifies a file assembly period after which nothing may be deleted and subsequent additions and changes must be documented;
• provides guidance on what documentation need, or need not, be retained; and
• requires documentation of whenever evidence or technical research material is identified that is contradictory or inconsistent with a final conclusion, and of how it was addressed.