Straight-forward requirements
Firms should be very familiar with the need to complete the administrative assembly of the final audit file on a timely basis after the date of the audit report. In the UK this must be no later than 60 days from the date of that report.
After assembly, there must be an appropriate method to safeguard the completed audit file, with nothing deleted or discarded before the end of the retention period. Should any changes or amendments be necessary, the reasons for, timing and those who made the changes must be carefully documented.
The consequences of getting file assembly wrong could be serious (and expensive). Audit Regulators will naturally have reason for concern about integrity of the firm and/or individuals if there are any grounds to suspect that there have been changes to an audit file, and the firm’s ability to successfully defend a complaint or claim about audit work could be significantly weakened for the same reason.
Periodically ICAEW’s Quality Assurance Department identifies cases where there is an apparent loss of audit files at a firm. Since the coronavirus pandemic there have been a few cases where it was acknowledged that no audit file had been properly assembled at all. More commonly there are aspects of the procedures around audit file assembly that should be strengthened in order to avoid the risk of serious problems in the future.
Safeguarding and controls over changes to documentation
All firms should have a written policy for audit file assembly within 60 days. For the smallest firms this may be sufficient, but once there are several audit teams and sizeable audit portfolio, it is advisable to add some monitoring procedures to ensure compliance.
Many larger firms have now concluded that an allowance of 60 days is too long. If RIs and teams have not been able to update audit documentation to reflect the final position on significant aspects of the audit within 5-7 days of signing, there is a good chance that documentation either will not be updated at all or that it will be insufficiently detailed thanks to the passage of time and distractions from other client engagements. Consider whether your firm should adopt a tighter deadline to safeguard the quality of your audit files.
Safeguarding and controls over changes to documentation
Appropriate procedures will depend on the format of the files themselves. Physical controls over paper files will look very different to those over electronic files. Controls over electronic files will also vary depending on the platform used, or if there is no platform and workpapers are held in soft copy on a standard file storage application. Remember that procedures need to be effective over a long period of time with audit files kept for at least six years or longer.
Paper files are not uncommon at – mainly smaller – audit firms. There should be a physical record of when that file is complete and should not then be altered. A simple form recording the date of final assembly added to the front of the file may suffice, and this could be used to record any subsequent changes when these are necessary. The files should be stored somewhere safe, preferably locked away. If files are temporarily moved or borrowed (for example when embarking on the next audit) this should be recorded.
Ideally electronic files are embedded in a software platform, can be ‘locked’ such that no changes can be made without administrator or similar access controls, and any changes are logged with date and time stamps. Many platforms will also enable the firm to have central oversight of the audit file assembly and completion process for monitoring purposes and may also contribute to the firm’s wider quality management system.
Soft copy working papers held on a standard file storage application present potentially greater risks than even relatively insecure paper files. Unless the folder of working papers assembled for a particular audit engagement can be designated ‘read only’, anyone who looks at the completed file may inadvertently delete or change documents and electronic time stamps even if there was no intention to make changes at all.
Wider Quality Management benefits
Compliance with these ISA requirements with effective file assembly and safeguarding policies will certainly assist if files are selected for audit monitoring purposes or in the event of a complaint. However, strong procedures and regular monitoring also have wider benefits.
Discipline over assembly of audit file documentation contributes to a culture of audit quality, with everyone clear about the importance that the firm attaches to audit documentation. One common root cause of audit quality weaknesses identified by firms is resourcing and the available capacity to complete audit work. Central monitoring of completion activities such as audit file assembly can give an early warning of RIs, managers or whole teams that are under pressure and need support, long before this becomes evident from cold reviews of their work.