Audit Documentation: It’s a Whole New World

By Howard B. Levy

“The skill of an accountant can always be ascertained by an inspection
of his working papers.”
— Robert H. Montgomery, Montgomery’s Auditing, 1912

JUNE 2005

Montgomery’s Auditing was the primary source for auditors
about the purpose and content of audit workpapers until Statement
on Auditing Procedure (SAP) 38 was issued in 1967, 55 years
later. But from 1967 until now, authoritative auditing standards
have provided guidance primarily for the ownership and custody
of auditors’ workpapers, with only very broad guidelines
as to the content and objectives of the workpapers.

Statement on Auditing Standards (SAS) 41, issued in 1982, changed
very little from SAP 38. Like its predecessor, SAS 41 reestablished
that auditors should have workpapers, the form and content
of which should follow its broad guidelines and meet the
circumstances of a particular engagement. The workpapers
would constitute the principal record of the work done and
conclusions reached, and provide the principal support for
auditors’ reports. It provided primarily that the
workpapers should document the following:
- The work has been adequately planned and supervised;
- Internal control has been appropriately studied and evaluated; and
- The evidence obtained and procedures performed afford
  a reasonable basis for an opinion.

At the time of SAS 41’s issuance, there were very few
explicit requirements elsewhere in professional standards
to document specific matters. These requirements consisted
principally of an audit program, a legal letter, a client
representation letter, and a notation that material internal
control weaknesses were communicated orally if not reported
in writing.

SAS 96 was a project-in-process in October 2001 when the Enron
scandal broke. By then, a few other specific requirements
had crept into various other standards, but SAS 96 was intended
to be a fresh, comprehensive approach to the objectives
and content of audit documentation at the standard level.
In the decades leading up to SAS 96, intense competition
for audit services inspired the profession, led by the largest
firms, to seek more efficient ways to audit. Besides the development
of risk-based auditing, a tendency began to emerge to shortcut
audit documentation to achieve efficiencies apparently still
permissible under the authoritative literature. In addition,
a growing trend of audit failures and related litigation
in the pre-Enron years caused the largest firms to adopt
a defense strategy (undoubtedly recommended by their lawyers)
to further minimize audit documentation.

Although hailed by its preparers and promoters as responsive to Enron-related
issues, the hastily released SAS 96 did little to add any
substantive audit documentation requirements or to reduce
the opportunity to apply judgment; it was not an effective
improvement to the status quo.

The case against Andersen with regard to its audit of Enron
focused largely on the destruction of documents. The resultant
Sarbanes-Oxley Act of 2002 (SOA) created the Public Company
Accounting Oversight Board (PCAOB), and required and empowered
the PCAOB to establish regulatory documentation and records-retention
standards. Critical of the perceived softness of SAS 96,
the newly formed PCAOB quickly addressed audit documentation
and records retention in developing its Auditing Standard
3, applicable to audits of SEC issuers. PCAOB Standard 3
creates high hurdles for auditors to clear in improving
audit documentation in several substantive ways. In many
respects, it appears to have been motivated largely to facilitate
the work of the PCAOB inspectors, but it will likely also
aid other adversaries, such as plaintiffs’ attorneys,
making audit documentation a much more defensive process
than ever before. Almost 100 years after Montgomery’s
Auditing, it’s a whole new world.

The implications for audit documentation in the post-Enron world
stretch beyond SEC registrants. Some state regulators (notably
in New York and California) and federal government auditors
began seeking more uniformity and accountability among auditors
in the preparation and retention of audit documentation
for non-SEC entities. Recognizing that the prior standard
continued to allow for too much diversity in judgment to
satisfy governmental oversight and enabled reduced documentation
for the purposes of efficiency and litigation defense, and
feeling pressure from the new standards-setting body, the
AICPA’s Auditing Standards Board (ASB) appointed a
task force to revisit SAS 96. It prepared, and issued for
public exposure and comment in January 2005, a proposed
new SAS that closely mirrors PCAOB Auditing Standard 3 in
most, but not all, significant respects.

The Scope of the New Documentation Standards

Beginning with periods ending on or after November 15, 2004, the new
PCAOB documentation standard applies to financial statement
and SOA section 404 internal control audits for all SEC
issuers, as well as reviews of their quarterly financial
information filed in Form 10-Q or 10-QSB. The proposed SAS
(to replace SAS 96) will not be finalized until later this
year at the earliest and will likely be made effective beginning
with 2006 audits (fiscal years ending on or after December
15, 2006). When finalized, the new standard will apply to
all audits of financial statements of non-SEC audit clients.

Many CPAs with significant SEC audit practices will choose early
adoption of the provisions of this proposed standard in
order to minimize the need to temporarily differentiate
the nature and quality of audit documentation between SEC
and non-SEC audit engagements. It is costly and confusing
to maintain two sets of standards and quality-control policies
and procedures. In addition, in the event of an adversarial
challenge, it could be difficult to defend the use of a
lower standard when there is knowledge of, and evidence
of proficiency in, a higher standard.

Although far more specific than earlier standards, both new standards
continue to provide only broad, general requirements, and
there are many more specific documentation requirements
that will continue to be in effect. A comprehensive list
of such requirements appears in Appendix A to the proposed
SAS.

The Objectives of Audit Documentation

Although standards setters (particularly the ASB) recognize that
audit documentation is “an essential element”
of audit quality, they caution that it alone does not assure
a quality audit. Audit documentation provides the principal
written record to support the following:
- The auditors’ report assertion that the audit was
  performed in accordance with applicable standards, and
- The auditors’ conclusions about each significant financial
  statement assertion, and their opinion on the financial
  statements taken as a whole.

Audit documentation must clearly demonstrate that the work was
in fact performed in compliance with applicable standards,
must provide a clear link to significant matters (findings
or issues), and must contain sufficient information, in
sufficient detail, for a clear understanding by an “experienced
auditor” of the following:
- The nature, timing, and extent of the auditing procedures
  planned;
- The work performed;
- The purpose of the work;
- The source of the information analyzed and supporting
  evidential matter obtained, examined, and evaluated; and
- The conclusions reached.

An “experienced auditor” is someone who has no
previous experience with the engagement and has a reasonable
understanding of accounting and auditing in general, and
in particular with regard to issues relevant to the audit
client’s industry. The experienced-auditor principle
requires that the written audit documentation (i.e., workpapers)
stand on its own without oral supplementation except by
way of clarification for written documentation that is,
in fact, already present.

The PCAOB acknowledged that the experienced-auditor principle
for evaluating audit documentation was derived from section
4.22 of the Government Accountability Office’s “Yellow
Book.” The experienced-auditor principle in the Yellow
Book, however, makes no specific reference to industry expertise,
because it was meant primarily to be applied to government
reviewers trained and experienced in government accounting
and auditing.

The following are the more specific purposes of audit documentation:
- Assisting auditors to plan and perform the audit;
- Assisting those responsible to direct, supervise, and
  review the work performed;
- Providing and demonstrating the accountability of those
  performing the work (i.e., compliance with applicable
  standards);
- Assisting quality-control reviewers to understand and
  assess how the engagement team reached and supported significant
  conclusions;
- Enabling internal and external inspection teams and peer
  reviewers to assess compliance with professional, legal,
  and regulatory standards and requirements; and
- Assisting successor auditors.

The last three items focus on assisting reviewers in meeting
their responsibilities with minimal reliance on oral explanations.
PCAOB Standard 3 suggests that inadequate documentation
makes it difficult or impossible to determine if the work
was actually done, and states that, if it is not clearly
evident from the audit documentation, an auditor must demonstrate,
with persuasive other evidence, “that sufficient procedures
were performed, sufficient evidence was obtained, and appropriate
conclusions were reached.” Although it may be used
to clarify written evidence, oral explanation alone will
not constitute persuasive other evidence.

The Nature, Form, Content, and Extent of the Audit Documentation

The proposed SAS contains an affirmative statement to the effect
that it is “neither necessary nor practical to document
every matter the auditor considers during the course of
the audit.” PCAOB Standard 3 does not contain a similar
statement, although it implies as much by suggesting judgmental
factors in determining the extent of documentation required.

Audit documentation and workpapers can be stored in any medium,
and include a variety of documents, including the following:
- Audit programs and other planning documents;
- Analyses;
- Memoranda;
- Confirmations;
- Representation letters;
- Checklists;
- Extracts of important documents;
- Significant correspondence; and
- Details of tests performed and documents examined.

There is nothing new about this list, but as became evident in
the Andersen case, auditors must become more disciplined
about incorporating significant e-mails into their workpapers,
retaining them, and timely deleting those that are not necessary.

The quality, type, and specific content of audit workpapers
are matters of professional judgment. Expanded criteria
included in new and proposed standards can assist auditors
in determining the nature and assessing the adequacy of
audit documentation, including the following factors:
- The nature of an auditing procedure;
- The risk of material misstatement;
- The extent of judgment required in performing the procedure
  and evaluating the results;
- The significance and quality of evidence obtained;
- The nature and extent of exceptions found; and
- The extent to which the conclusion, or basis therefor,
  is or is not readily apparent.

Specific items tested. The new standards include very
detailed requirements as to the specific content of the
workpapers. It is unnecessary to retain copies of client
source documents inspected or lists of entire populations
from which balances or transactions were selected for detailed
tests of controls or substantive tests (unless needed to
enable an experienced auditor to understand the work performed
and conclusions reached).

Audit documentation should instead describe identifying characteristics
of the specific items tested (sufficient to enable reperformance
of the test for the same items), such as the source or population
and the selection criteria; for example:
- For an audit sample selected from a population of checks,
  the specific check numbers of the items included in both
  the population and the sample; or
- For a test of all items over a specific amount from a
  given population, the scope and the population, such as
  “all journal entries over $25,000 in the general
  journal for the year”; or
- For procedures that involve inquiries, the name and job
  description of persons interviewed, the date and content
  of the inquiries, and the responses received.

With regard to contracts and other significant documents, the
standards require the retention of either contracts, corporate
minutes, or other documents significant to financial statement
assertions, or abstracts thereof.

Conclusions. The standards require documentation of conclusions
for all “relevant” or significant financial
statement assertions, except when the conclusion is readily
apparent or obvious from the documentation of the work performed.
Relevant assertions are those that have a meaningful bearing
on whether the account is fairly stated. Although the standards
do directly address context, it is generally inappropriate
to state in a conclusion merely that an account balance
is or appears reasonable without a frame of reference as
to what “reasonable” means in terms of risk
and materiality (i.e., the likelihood of an undiscovered
material misstatement).

When several procedures (primary and corroborative) relate to
the same assertion for the same population, only one conclusion
should be documented, and it should be based on the results
of all relevant tests considered together. The standards
also prohibit apparently unsupported conclusions, but require
that documentation be adequate to enable an experienced
auditor (as previously defined) to assess the evidential
support for all conclusions.

Significant matters. Both standards contain similar requirements
for documenting significant matters, including the timely
documentation of all significant discussions with management
or with those charged with corporate governance, and the
records of discussions with stockholders, other investors,
analysts, or other interested parties, for SEC registrants.

Individual significant issues or findings—defined as substantive
matters important to the procedures performed, evidence
obtained, or conclusions reached—must be documented.
This would include the following:
- Matters involving the selection, application, and consistency
  of accounting principles and related disclosures, especially
  those regarding complex transactions, estimates, and related
  assumptions and uncertainties;
- Disagreements among professional staff or consultants;
- Significant difficulties in applying audit procedures; or
- Audit findings or results indicating—
  - a need for revised risk assessments and modification
    of scope;
  - possibly material misstatements;
  - audit adjustments (defined by both standards);
  - possible management fraud or illegal acts;
  - significant internal control deficiencies; or
  - possible modification of an audit report or auditor withdrawal.

Any possible impairment of independence should also be documented.
Discussions of any technical research or audit evidence
that is inconsistent with or contradicts a final conclusion
should be disclosed, along with how it was addressed in
reaching the conclusion.

Other significant matters include intentional departures from
any applicable SAS judged necessary to more effectively
achieve an audit objective, along with the justification
thereof. This expands older GAAS requirements that were
limited to justifying not confirming receivables or not
observing physical inventories. There is no similar requirement
in PCAOB Standard 3, but it could be viewed as covered by
the “significant issue” documentation requirement.

An “engagement completion summary” is required
for SEC issuers. It may include either all information necessary
to understand the significant findings and issues, or, as
appropriate, cross-references to other available supporting
audit documentation. The summary, together with all cross-referenced
supporting documentation, should collectively be “as
specific as necessary in the circumstances for a reviewer
[presumably, an experienced auditor] to gain a thorough
understanding of all the significant findings or issues.”

Identification of preparers, reviewers, and dates. Many firms
have long had quality-control policies requiring the signing
and dating of workpapers, but this is the first time it
has been a requirement in professional standards. All workpapers,
individually or in clearly identified groups, must now be
signed and dated by the principal preparer and reviewer
for the audit to be in accordance with applicable auditing
standards (GAAS or PCAOB).

Revisions to Audit Documentation

PCAOB Standard 3 places no restrictions on revisions to the workpapers
during the audit, as long as all minimum documentation requirements
are met. After the report is released, there begins a 45-day
file assembly (housekeeping) period that permits the tidying
up of unclear or incomplete documentation and the removal
of redundant or unnecessary documentation. After this period,
only additions may be made, with documentation of the name
of the person making the addition, the date it was made,
the reason for the addition, the effect on audit conclusions,
and any additional actions required.

The proposed SAS is the same as PCAOB Standard 3 in this regard
except that it would allow a file assembly period of up
to 60 days after release. A proposed international audit
standard would start its 60-day file assembly period from
the report date.

Security. Both standards require that audit firms maintain appropriate
controls over audit documentation that would:
- Ensure that the workpapers clearly disclose to subsequent
  reviewers when and by whom anything was created, changed,
  or reviewed;
- Protect the integrity of the documented information, especially
  during the audit, when it is shared within the audit team
  or transmitted to others electronically;
- Prevent unauthorized changes; and
- Allow access by authorized parties as necessary to properly
  discharge their responsibilities.

Superseded, redundant, and other unnecessary material. Robert
Montgomery also wrote in 1912 in Montgomery’s Auditing:

“[The] … practitioner who aspires to a high place in his
profession will avoid all unnecessary compilations and
comments … and he will ruthlessly destroy his papers
as soon as their value is questionable.”

Timely removal of superseded, redundant, and other unnecessary material
from paper or electronic “workpapers” is not
only permitted but encouraged during the audit and during
the “file assembly” period, but not
after a subpoena (or notice of regulatory investigation)
arrives.

Materials that are unnecessary for (and may impair) the achievement
of the objectives of workpapers should be removed and discarded
before the workpapers are ready for final review or storage,
as well as during (but never after) the post-release file
assembly period. This includes early drafts of management
letters and financial statements and other superseded materials,
open-items lists, follow-up notes, and review comments.
Private desk files and information stored by professional
and administrative staff members on a network, personal
computers, PDAs, or external disks, including e-mailboxes,
also should not contain items that are superseded, in draft
form, inconsistent with the final workpapers, or unnecessarily
duplicative. Client correspondence that is not related to
the audit may be retained in separate correspondence or
desk files, but not in audit workpapers.

Records Retention

Among the most clear and direct consequences of the Enron and Andersen
scandals are the requirements now applicable to retention
of audit documentation. As mandated by SOA, PCAOB Standard
3 requires the retention of all audit documentation (subject
to the housekeeping permitted during the 45-day file assembly
period) for completed engagements for a minimum of seven
years after report release. The proposed SAS would require
only five years. Both, however, are subject to state and
local statutory and regulatory minimums, if longer.

A unique feature of the PCAOB standard is a requirement to retain
documentation for incomplete engagements (for which no report
was issued) for seven years after the cessation of audit
work due to an auditor withdrawal or termination.

For multi-office or multi-firm engagements, PCAOB Standard 3
obligates the office of the firm issuing the report to retain
(or have access to) for the minimum retention period (seven
years) all audit documentation obtained or prepared by participating
auditors associated with other offices of the firm or other
firms, whether affiliated or nonaffiliated. The office must
also obtain and review certain specified summary documentation
prior to release of the audit report. The standard also
holds the issuing office responsible for ensuring compliance
with its documentation requirements by such other participating
auditors.

A warning for auditors of SEC issuers, however: Rule 2-06 of Regulation
S-X requires retention of documentation beyond the requirements
of PCAOB Standard 3, including all correspondence and memoranda
in paper or electronic media; e-mails created, sent, or
received in connection with an audit or related professional
practice engagement; and engagement-related conclusions,
opinions, analyses, and data, subject to exceptions for
redundant, superseded, and other material, as specified
in SEC Release 33-8180, “Retention of Records Relevant
to Audits and Reviews.”

A question might arise as to how the file-retention provisions of PCAOB
Standard 3 (or the proposed SAS) would apply in the event
the engagement partner leaves the audit firm (or even changes
offices within the firm) and the client moves with her.
This question is not addressed directly in either standard,
so what follows is the author’s analysis and opinion.

It is clear that the file-retention requirements of the new
and proposed standards apply to the issuing firm (and in
the case of the PCAOB standard, the issuing office of a
multi-office firm). Therefore, the audit documentation files
may not be surrendered to a departing partner before the
minimum retention period has expired. Under these circumstances,
the departing partner’s professional relationship
with her former firm becomes no different from any other
successor-predecessor auditor relationship, which is governed
presently by SAS 84. Nothing in SAS 84, or in either documentation
standard, requires a predecessor to share audit documentation
with a successor, nor is there anything that prevents or
limits such sharing as a matter of professional courtesy.
Therefore, in an amicable separation, the issuing firm is
free to give copies of its audit files, in whole or in part,
to the successor, if it chooses to do so, but it must continue
to comply with the file-retention requirements.

Summary of the Major Changes

If the new SAS is adopted substantially as proposed—and
there is no reason to believe it won’t be—auditors
will be faced with a whole new world of audit documentation,
even if they have little or no SEC audit work. A summary
of the principal features of both new standards that change
the status quo is shown in the Exhibit.
Each standard—
- is based on an “experienced-auditor” principle;
- provides expanded criteria for determining the nature
  and extent of necessary audit documentation;
- specifies a minimum file-retention period;
- requires documentation of auditors’ competency and
  independence (which may be contained in central administrative
  records and, presumably, retained for the minimum file-retention
  period);
- requires effective signing and dating of all workpapers
  (or groups of related workpapers);
- specifies a file assembly period after which nothing may
  be deleted and subsequent additions and changes must be
  documented;
- provides guidance on what documentation need, or need
  not, be retained; and
- requires documentation whenever evidence or technical
  research material is identified that is contradictory
  or inconsistent with a final conclusion, and of how it
  was addressed.

Howard B. Levy is a senior principal and director, technical
services, with Piercy Bowler Taylor and Kern, Las Vegas, Nev.