explanations on their own do not represent sufficient support for the work the auditor performed or conclusions the auditor reached but may be used by the auditor to clarify or explain information contained in the audit documentation. (AU-C 230.A7)
NOTE: For example, if the auditing standards state that the auditor should obtain an understanding of the entity’s control environment, but there is no evidence that he or she obtained such an understanding, then the auditor cannot make a plausible claim that the understanding was obtained but just not documented.
Audit Documentation Deficiencies
Some of the more common audit documentation deficiencies are failure to:
Express a conclusion on the account being analyzed.
Explain exceptions noted.
Obtain sufficient information for note disclosure.
Reference information.
Update and revise permanent file.
Post adjusting and reclassification journal entries to appropriate audit documentation.
Indicate source of information.
Promptly review audit documentation prepared by assistants.
Sign or date audit documentation.
Foot client-prepared schedules.
Explain tick marks.
Documentation Requirements in Other Sections
Certain other sections require documentation of specific matters. These requirements are presented in Illustration 4 at the end of this chapter. In addition, other standards, such as government auditing standards, laws, or regulations, may also contain specific documentation requirements.
INTERPRETATIONS
Providing Access to or Copies of Audit Documentation to a Regulator
A regulator may request access to an auditor’s audit documentation to fulfill a quality review requirement or to assist in establishing the scope of a regulatory examination. In making the request, the regulator may ask to make photocopies and may also make such copies available to others. (AU-C 9230.01) When regulators make a request for access, the auditor should:
Consider advising the client about the request and indicating that he or she intends to comply. In some cases the auditor may wish or be required to confirm in writing the requirements to provide access (see Illustration 1).
Make arrangements with the regulator for the review.
Maintain control over the original audit documentation.
Consider submitting a letter to the regulator (see Illustration 2).
(AU-C 9230.02)
Obtain the client’s consent, preferably in writing, to provide access when not required to provide access (see Illustration 3).
NOTE: The guidance in this interpretation applies to requests from regulators, specifically federal, state, and local government officials with legal oversight authority over the entity. The guidance does not apply to requests from:
The IRS,
Practice monitoring programs,
Proceedings related to alleged ethics indicators, or
Subpoenas.
(AU-C 9230 footnotes 1 and 2)
AU-C 230 ILLUSTRATIONS
Illustrations 1, 2, and 3 are adapted from AICPA Interpretations of AU-230 (AU-C 9230).
An auditor’s written communication to client when wishing to or required to provide access
An auditor’s letter to a regulator
A written communication to the client when regulator may request access to audit documentation when not required by law or regulation
Illustration 4, which lists audit documentation requirements in other sections, is adapted from the application guidance in AU-C 230.
Illustration 1. Auditor’s Written Communication to Client When the Auditor May Wish and in Some Cases May be Required to Provide Access (Adapted from AU-C 9230.02 and Footnote 4)
The audit documentation for this engagement is the property of Guy & Co. and constitutes confidential information. However, we may be requested to make certain audit documentation available to [name of regulator] pursuant to authority given to it by law or regulation. If requested, access to such audit documentation will be provided under the supervision of [name of auditor]. Furthermore, upon request, we may provide copies of selected audit documentation to [name of regulator]. The [name of regulator] may intend or may decide to distribute the copies of information contained therein to others, including other government agencies.
You have authorized Guy & Co. to allow [name of regulator] access to the audit documentation in the manner discussed above. Please confirm your agreement to the above by signing below and returning it to [name of auditor, address].
Firm signature
Agreed and acknowledged:
[Name and title]
[Date]
Illustration 2. Auditor’s Letter to Regulator (from AU-C 9230.06)
[Date]
[Name and address of regulatory agency]
Your representatives have requested access to our audit documentation in connection with our audit of December 31, 20X1, financial statements of Widget Company. It is our understanding that the purpose of your request is [state purpose: for example, “to facilitate your regulatory examination”].
Our audit of Widget Company December 31, 20X1, financial statements was conducted in accordance with auditing standards generally accepted in the United States of America, the objective of which is to form an opinion as to whether the financial statements, which are the responsibility and representations of management, present fairly, in all material respects, the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles. Under generally accepted auditing standards, we have the responsibility, within the inherent limitations of the auditing process, to design our audit to provide reasonable assurance that errors and fraud that have a material effect on the financial statements will be detected, and to exercise due care in the conduct of our audit. The concept of selective testing of the data being audited, which involves judgment both as to the number of transactions to be audited and as to the areas to be tested, has been generally accepted as a valid and sufficient basis for any auditor to express an opinion on financial statements. Thus, our audit, based on the concept of selective testing, is subject to the inherent risk that material errors or fraud, if they exist, would not be detected. In addition, an audit does not address the possibility that material errors or fraud may occur in the future. Also, our use of professional judgment