Audit file assembly is an area that may offer opportunities for audit firms to improve the quality of their procedures. This is an area where weaknesses have been identified during assurance monitoring visits by ICAEW’s Quality Assurance Department (QAD). All firms may benefit from reviewing their related procedures to ensure that these remain fit for purpose and compliant with all of the necessary auditing standards, from the new quality management standards (ISQMs) to the audit documentation standard ISA 230.

Strong procedures, effective controls and regular monitoring around file assembly and the safeguarding of completed audit files can offer many benefits. 

The following insights and reminders can assist firms, but auditors would do well to also read a more detailed article from QAD on the importance of audit file assembly.

• Administrative assembly of the final audit file should be completed on a timely basis after the date of the audit report.
• For statutory UK audits, the final audit file must be completed no later than 60 days from the audit report date.
• All firms need a written policy for this.
• Some firms have found that adopting a shorter timescale for completion can help to safeguard the quality of the final audit file. 
• After assembly, an appropriate method is needed to safeguard the completed file, with nothing deleted or discarded before the end of the retention period. If amendments are necessary, who made the changes, reasons why, and when, must be carefully documented.
• Procedures and controls on storage of final audit files need to ensure their integrity, safety, and security over long periods of time, with audit files kept for at least six years, or longer.
• Procedures and controls over safeguarding and changes to documentation need to reflect the mediums being used. Physical controls for paper files are different to controls for digital files, which need to reflect the software application(s) and/or platform(s) in use. 
• Physical and digital access controls for a completed audit file should prevent unauthorised changes, record/log the details (such as who, when, and why) for authorised changes, and other important information, such as the audit file completion date.
• Electronic files are not inherently more secure than paper. Not all applications/platforms allow files to be locked and/or enable access controls. Basic file storage may benefit from password protection and ‘read only’ settings for completed audit files/folders. 
• Monitoring of procedures can help to enhance compliance with the firm’s policy on final audit file assembly and safeguarding and controls following file completion.
• Regular monitoring of file assembly (and other completion activities) can indicate if audit teams, managers or responsible individuals need more support, long before cold file reviews. 
• Discipline over assembly of audit file documentation can help to convey the importance a firm attaches to this and contribute to a culture of audit quality. 

There are many benefits associated with strong procedures, effective controls and regular monitoring around audit file assembly and the safeguarding of completed audit files. As well as supporting ISA compliance, they can assist if engagement files are selected for audit monitoring purposes or if there is a complaint. They can also enhance quality management within firms and on audits, supporting firms as they use their systems of quality management and root cause analysis to drive continuous improvement.