Archived - Audit Working Papers (PIN) - Sept. 1, 1983
We will be updating our design to align with Canada.ca. The policies, directives, standards and guidelines will remain available during and after this update is complete.
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Subject: Audit Working Papers
Question concerning this notice should be directed to:
Policy and Special Projects,
Centre of Excellence for Internal Audit
Comptrollership Branch, TBS
Purpose and Scope
The purpose of this notice is to announce the issuance of a position paper (refer to attachment) by the Operations Division relating to the purposes, principles, content, structure, retention and disposal practices associated with good audit working papers.
The position paper has been prepared primarily to ensure that the traditional purposes of audit documentation are achieved in the federal government through a uniform and disciplined approach to audit working paper practices. A secondary reason for this guidance is to facilitate compliance with the requirements of the Access to Information Act and revised TBS Records Management Policy where these initiatives impact audit working papers.
In the conduct of performance assurance review and liaison activities, practices relating to the preparation of internal audit working papers were found to vary among internal audit groups. In certain instances, the traditional purposes associated with audit documentation were not fully served by the existing working papers.
The Standards for Internal Audit in the Government of Canada refers to the types of information an auditor would normally consider during the course of an assignment, but specific guidance relating to working paper preparation and retention was beyond the scope of that document. Consequently the attached position paper, "Audit Working Papers", provides supplementary guidance to enhance the overall quality of audit documentation.
For several years the internal audit community has recognized that the preparation of good audit working papers is an essential part of audit work. Though few auditors would disagree with the importance of audit documentation, practices governing the content, organization, use, retention and disposal of working papers in the federal government vary widely.
The publication, Standards for Internal Audit in the Government of Canada as promulgated by the OCG, refers to the types of information an auditor would normally consider during the conduct of an assignment, but it was not intended as guidance to ensure a consistent approach to audit working paper preparation. This paper bridges the gap between the Standards and the various practices relating to audit working papers that have been adopted within departments.
The primary reason for the provision of guidance in this paper is to help ensure that the traditional purposes of audit documentation are achieved through a uniform and disciplined approach to audit working paper content, structure and retention practices. A secondary reason for this guidance is to facilitate compliance with the requirements of the Access to Information Act and the TBS records management policy where it impacts on the audit working papers.
The introduction of the Access to Information Act and a revised records management policy heighten the need for auditors to exercise care in the preparation of working papers. With the right of public access to certain aspects of working papers formalized in law, auditors are required to ensure that audit documentation is organized in a manner which will allow disclosure to be handled economically, efficiently and effectively. In addition, the auditor must make certain that information retained in working papers is relevant, understandable, accurate and complete so that all reviewers are properly informed of matters pertaining to the audit.
Scope of the Position Paper
The following major topics will be dealt with in this position paper:
- the purposes of internal audit working papers;
- general principles relating to the preparation of audit working papers;
- appropriate audit working paper content;
- organization and structure of working papers; and
- working paper retention practices.
In this paper, the term working papers refers to the formal records of the plans the auditors made, the procedures they performed, the audit evidence they obtained and the conclusions they drew in arriving at their final report. There are normally two types of working paper file maintained for each audited entity - a permanent file used over many years and current working paper files prepared to support the auditor's most recent assessment of the audit entity under review. The chapters of this paper relating to purpose, principles and content are associated with all audit documentation accumulated during an assignment, and are not concerned as to whether the information is current or permanent in nature. The section on organization and structure of working papers provides a method whereby the necessary content of assignment documentation can be logically arranged between current and permanent files.
The guidance provided here is directed towards all audit documentation prepared within the internal community of the federal government, whether it be prepared by the internal audit group, or by agents hired through the contracting process.
The Purposes of Audit Working Papers
The purpose of working papers described below, will serve as a basis for the approach taken in subsequent sections of this paper relating to the content, organization and retention of working papers. All audit documentation should be accumulated or prepared with these purposes in mind, so as to give maximum benefit to the auditors and interested third parties.
The most important purposes of audit working papers are:
- to facilitate effective conduct and management of the audit assignment;
- to provide support for the auditor's report; and
- to provide background and control for follow-up actions taken to correct deficiencies.
Other derived purposes are:
- to facilitate third-party review;
- to aid professional development; and
- to provide a source of information for non-audit purposes.
Facilitating Effective Conduct and Management of the Audit Assignment
Good working papers can contribute to the effectiveness of various administrative tasks required for the proper management of an audit assignment.
This section will outline these administrative tasks and the related contribution working papers can make towards allowing the tasks to be discharged effectively.
a) Facilitating adequate planning (including the assignment of necessary resources)
Documentation within the working papers of the planning decisions relating to audits in process, helps to ensure that:
- planning is completed in an organized manner;
- planning decisions are followed during the conduct of the field work (or explanations provided where changes occur); and
- an appropriate reference point is available for review both during and upon completion of the audit.
Audit projects are often repeated, extended to cover additional areas or used as a basis for planning other assignments. Given the typical limitations on staff continuity, good working papers contribute to the quality of subsequent or complementary audits by providing a good starting point for succeeding auditors to:
- reduce time spent in understanding the nature of the auditee's operations;
- identify areas of audit risks;
- determine the scope of audit coverage; and
- determine, with a greater degree of accuracy, the time and staff required.
b) Facilitating an organized approach
A standardized structure for working papers helps to provide a useful framework for the organization of the audit work. Uniformity in structure enables several staff members or separate offices to work on different segments of a single assignment in a co-ordinated manner.
An organized file influences the manner by which complex systems are reviewed, helping to ensure that major areas are not overlooked and that adequate depth of coverage is provided.
c) Facilitating adequate control of field work
A uniform file structure and method of preparing working papers provide guidance to audit staff on the job, reduce the chance of omission or of incorrect application of procedures and so contribute to the control of field work.
During an audit, considerable information is obtained, discussed or examined. It is vital that formal records be maintained rather than committing information to memory, where undoubtably some of it would be lost. In addition, audit records serve as an important basis for the auditor's understanding of the auditee's programs, objectives and activities, and as such can be used as support for orderly discussion with operating personnel.
Finally, working papers provide coherence to the numerous individual procedures comprising any given audit.
d) Facilitating review and reporting to superiors
Uniform working paper formats provide an efficient means for the audit team to communicated the results of their work to reviewers. Well-organized papers facilitate review by helping the reviewer spot omissions, deviations from normal procedures and unusual problems which were encountered. Good working papers provide for meaningful communication of key results and conclusions through the summarization of individual details.
Provide support for the auditor's report
In addition to contributing to the effective management of assignments, good working papers provide a vital link between the audit examination procedures and the auditor's report. Working papers represent evidence of the work done and should provide the proof that the examination as summarized in the auditor's report did encompass the areas identified.
Working papers should provide a record of the audit procedures performed in respect of items in the report and the conclusions reached with respect to those items.
Well-structured working papers provide for effective debriefing sessions with auditees, allowing for ready access to pertinent facts and proof supporting audit report commentary.
Finally, good working papers lend themselves to reduced report-writing effort; the continuous process of summarizing and refining individual audit results keeps the assignment focused and easy to translate to report format.
Provide background and control for follow-up actions
Audit projects are typically followed up to ensure that corrective action was taken for reported deficiencies. Professional working papers provide background information for this task and reduce the likelihood of duplication of effort.
Follow-up can take place any time from a matter of weeks after the audit, or not until the next scheduled assignment. The follow-up action can be controlled, however, through audit working paper documentation and a B/F system.
Facilitating third-party review
Internal audit working papers can be used by external auditors or other interested third parties as a means of evaluating the work of internal audit and in the external reviewer's assessment of the department's system of control.
The Auditor General and Central agency evaluation groups have been the primary users of audit information in the past. With the introduction of the Access of Information Act, however, there may be increased use of working papers by the public should they exercise their rights provided by legislation.
In the eyes of third parties, working papers reflect the quality of the audit work done. Third parties should be able to satisfy themselves from the working papers that a proper audit was carried out. Working papers must be prepared with this in mind.
It is important, therefore, that the working papers provide a complete record of the examination and can be readily understood by the third parties. Adequate documentation of planning, background data of the audited entity, control systems, test procedures, results of test work, important discussions with auditees, decisions and conclusions reached, will enable reviewers of working papers to establish the adequacy and appropriateness of the audit procedures performed.
Aiding professional development
The discipline required to create good working papers provides an opportunity for new staff to learn procedures and exercise judgment in arriving at audit conclusions.
Review of the staff's efforts can assist the staff appraisal process, help determine training requirements, and identify situations where staff are ready to take on additional responsibility.
Provide a source of information for non-audit purpose
Working papers can serve as a repository of information that may assist in non-audit tasks. Audit working papers often provide convenient summarizations of auditee data and may be useful in ways unrelated to the original audit assignment. For example, models of the management control framework may be helpful to auditees as planning input for system design changes or as a training device for their staff. Also, the work done by auditors may be useful as input to other studies such as those performed by program evaluators.
General Principles Relation to Working Papers
The most important principles relating to audit working papers are:
Working papers should be prepared with economy in mind: economical to prepare and review, to store and retrieve.
Working papers should be a usable record of work done, spare but complete and not a repository for every scrap of information available to the auditor. The professional auditor includes only what is essential and makes each worksheet serve a purpose that fits into the audit objectives. Poor judgment in the extent of information retained will make paper preparation, review, storage and retrieval uneconomical.
Working papers should be readily understandable and require no supplementary information. Reviewers of the papers should be able to determine what the auditors set out to do, what they found, what was concluded and what was not done.
Working papers should relate to matters which are pertinent and material. They should be directly related to the audit objectives. The likelihood of important information being overlooked or obscured is minimized when care is taken to include only that information relevant and sufficient to satisfy audit objectives.
Indiscriminate filing of information is not only inefficient, but may lead to problems in responding to requests under the Access to Information Act. With the inclusion of irrelevant data, uninitiated reviewers may misinterpret or confuse the meaning of the content within the working papers.
Working papers should be prepared accurately, ensuring that observations and comments are specific, valid and objective. The working papers should provide reviewers with proper perspective of the processes being examined.
Oral comments obtained during the course of the audit should be paraphrased by auditors and a summary interpretation of the meaning of the comments should be included within the working papers. To ensure that there is no misunderstanding and that audit documentation is accurate, the auditee should be asked to confirm the auditor's interpretations.
Working papers should record (a) for information obtained, all relevant and material facts and their source, (b) for audit procedures, their nature timing, extent, results and the name of the auditor who performed them and (c) for audit conclusions, the conclusions and the basis for arriving at those conclusions.
An inquiry should not be dropped without explanation.
Working papers should be comprehensible to the uninitiated reviewer. Jargon should be avoided or properly defined where necessary.
Working papers should reflect all findings including positive results as well as any deficiencies on which action should be taken.
Balanced working papers reduce the likelihood of a distorted impression being left with reviewers as to the adequacy of the management control framework under review. In addition, balanced working papers provide the proper basis for an effective audit report.
Audit Working Paper Contents
Working papers should document the entire audit process, commencing with the planning stage and following through the stages of review, evaluation, verification and reporting.
Each of these stages of the audit process has been described in Chapter 7 of the Standards for Internal Audit and in The Guide to the Development and Conduct of Audit Assignments. Some restatement of information from these documents has been made in this paper to clarify the nature of the various working papers generated in each stage of the audit. A study of working papers cannot be separated from the audit activities they are meant to facilitate and record.
This chapter describes the necessary documentation that should result from each stage of the audit process and indicates the primary purposes served by various working paper documents. The next chapter will provide guidance as to how the necessary working paper content should be organized into permanent or current working paper files. The reader should also recognize that the principles outlined in the previous chapter should be carefully applied to each document prepared for inclusion in the working papers.
In addition to the following narrative comments relating to audit documentation, Table 1 summarizes the various purpose of each working paper document.
Assignment Planning Phase
The principal documents arising from this phase are:
- background information relating to the nature, characteristics and boundaries of the audit entity; and
- the assignment planning memorandum.
|Audit working Paper Purposes \ Audit Working Paper Contents||ECM||SAR||BF||3PR||PD||NAP||CF||PF|
|Assignment Planning Phase|
|Detailed Documentation of Existing Control Framework||P||S||S||X||X(A)|
|Predetermined Control Model||P||S||S||S||X||X(A)|
|Register of Essential Controls||S||P||S||X|
|Register of Compensating Controls||S||P||S||X|
|Summary of control Weaknesses||S||P||P||S||X|
|Documentation as to the adequacy of Controls||S||P||S||X|
|Verification Plan Procedures and Results||S||P||S||X|
|Cause and Effect Analysis||S||P||S||X|
|Summaries of Audit Observations, Conclusions, Recommendations||S||P||S||S||X|
|Supervisory Review Checklists and Notes||P||S||S||X|
|Draft Audit Report||P||P||S||X|
|Final Audit Report||P||P||S||X||X(A)|
|Management Responses and Action Plans||P||P||S||X||X(A)|
- ECM = Effective Conduct and Management of Assignment
- SAR = Support for Auditor's Report
- BF = Background for Follow-up
- 3PR = Third Party Review
- PD = Aid for Professional Development
- NAP = Non-Audit Purposes
- CF = Retention: Current File
- PF = Retention: Permanent File
- P = primary purpose served by the working paper
- S = secondary purpose served by the working paper
- (A) = information is relevant to supporting the assessments of the specific assignment, but is also of continuing interest; information may be retained in both files or carried forward from current file to permanent file.
a) Background information
In formulating the scope parameters of the assignment the team leader must develop a good working knowledge and understanding of the audit entity.
All background information which provides the auditor and subsequent reviewers with a summary of relevant current facts, policies, systems and organizational structures pertaining to the audit entity should be retained in the working papers. The period of retention will be discussed in subsequent sections of this paper but the criteria generally applicable is that the background information retained is current and of continuing relevance.
A description of typical background information gathered by the auditor is outlined in Appendix A of this report.
b) Assignment planning memorandum
The assignment planning memorandum is the principal document of the planning phase of the audit. It should provide a documented summary of planning information, audit considerations, assumptions and decisions taken.
In that the memorandum establishes the overall plan for the audit, it is vital for facilitating the effective management of the assignment, serving as a basis for planning and conducting all subsequent phases of the audit.
The memorandum also serves as a useful reference point for discussions held with auditees and for subsequent reviewers of the assignment.
The principal components of the assignment planning memorandum are outlined in Appendix A.
The principal documents arising from this phase are:
- detailed descriptions of programs, objectives and activities under review;
- predetermined control models;
- control questionnaires, decisions tables or other techniques used to identify the existence of controls relative to the predetermined control model;
- criteria relating to the evaluations of the adequacy of controls; and
- working papers which summarize:
- essential controls
- compensating controls
- control weaknesses.
a) Detailed descriptions
In the review phase, the gathering of detailed descriptions relating to the management control framework can be viewed as an extension of the background information gathering activities of the assignment planning phase. This documentation serves as the basis for the auditor's understanding of the auditee's programs, objectives and activities and as such, can be used as support for discussion with operating personnel. In addition, the discipline required in preparing these working papers serves as a necessary audit control technique, helping auditors to clarify to themselves and reviewers their understanding of the entity under review.
Modelling techniques are often used in displaying the review phase documentation in the working papers. Models are presented typically as either narrative systems descriptions, organization and responsibility diagrams or outline and procedural flowcharts. The systems and processes of the audit entity most often addressed include program structure and logic, the management control framework and the organizational structure and accountability relationships.
As a necessary control, working papers should include documentation of the validation procedures employed to verify the relevance, completeness and accuracy of the data collected.
b) Predetermined control model
The documented predetermined control model provides the basis or framework for evaluating the effectiveness of the audit entity's processes under review. This documentation is a critical dimension of the evaluative process, setting out the auditor's expectations relating to the control objectives that should be achieved within the entity under review.
Related to the predetermined control model, the working papers should set out the techniques that will be used to elicit information relating to whether controls actually exist for the various control objectives set out in the model. Frequently used techniques include control questionnaires or checklists.
Criteria that will be used during the evaluation phase of the audit should be refined and documented in the working papers during the review phase. These evaluation criteria relate to the means by which an auditor will assess whether the results of existing controls are achieving the desired control objectives.
The predetermined control model and the evaluation criteria should be discussed with the auditee during the review phase or earlier, if the opportunity exists. In addition to keeping the auditee fully informed, this discussion will seek to elicit any concerns or disagreements the auditee may have with the proposed framework of the evaluative process. Where these concerns are significant, it may be necessary to re-evaluate or modify the audit approach to incorporate management's suggestions or concerns. The working papers should provide a complete record of this discussion so that subsequent reviewers can determine whether adequate steps were taken by the auditor in seeking agreement as to the premises underlying the evaluative aspects of the assignment. Such evidence will lend greater credibility to the standards used by the auditor in the evaluation of the adequacy of controls and performance of the entity under audit.
c) Application of the control model
At this stage in the assignment, the auditor will normally apply the control questionnaire (or related technique) to determine whether there is an actual control in place for each of the essential control objectives. Control questions may be answered from existing systems documentation or through further limited discussion with the auditee.
Where controls related to control objectives are identified they should be specifically documented in the working papers. A convenient means of recording controls which the auditor considers necessary to effective operations is through the use of the Register of Essential Controls, a type of worksheet illustrated in Appendix B.
This working paper serves as a useful summary to auditors and reviewers, and provides:
- a means of documenting in an organized manner the controls in existence;
- a means of identifying those controls considered essential;
- a record from which procedures and tests can be developed to substantiate the effectiveness of controls;
- a record of the results of substantive testing; and
- a record of weaknesses identified in the operation of essential controls.
When a control is not identified for a control objective the auditor should establish if part of the control framework has been missed in the original documentation of the system, or if compensating controls exist. The documentation of compensating controls can be documented on a worksheet such as the Register of Compensating Controls, illustrated in Appendix B. Essentially this worksheet serves purposes similar to the Register of Essential Controls, however it highlights that control objectives are not directly served by certain controls but are met through the secondary effects of compensating controls.
Where no adequate compensating controls are found during the limited review, the auditor must assume that a deficiency or weakness exists. These weaknesses may be documented on a worksheet such as the Summary of Weaknesses, also illustrated in Appendix B.
The principal purpose of these worksheets is to ensure that control strengths and weaknesses identified are recognized in developing evaluation and verification procedures and/or formulating audit findings.
The principal documents arising from this phase are:
- control questionnaires or related techniques designed to determine whether identified controls are operating effectively;
- supporting documentation relating to the application of the above questionnaire;
- a verification plan, procedures and results;
- cause and effect analysis for identified control weaknesses; and
- audit observation, conclusion and recommendation worksheets.
a) Documentation of the effectiveness of controls
In evaluating the adequacy of identified controls, the auditor will assess whether these controls are achieving desired results. To do this, the auditor uses the management control objectives and the evaluation criteria established in the review phase as a basis upon which to answer the questions:
- is the control being used as intended?
- is data supplied by the control system accurate, representative and timely?
- is the existing control framework appropriate to the entity?
To elicit answers to these questions, the auditor will normally prepare a control questionnaire which focuses on specific results of controls in place. At this point in the audit, these questionnaires are applied to the information gathered during the review phase.
The results from the application of the control questionnaire and limited tests should be documented as the basis for audit findings as to the effectiveness of existing controls.
Based on the findings derived to this point in the audit, the auditor may be in a position to conclude that certain controls exist and are operating effectively. If so, this conclusion should be documented and the auditor need not consider further documentation relating to this control until the reporting phase. Conversely, the auditor may find that controls do not exist or are operating ineffectively. In such cases the auditor will document these findings and will proceed with cause and effect analysis as described below.
In many cases however, the auditor may be faced with two problems:
- the information on hand does not sufficiently corroborate the tentative conclusions or findings reached to this point; and
- some questions relating to the effectiveness of controls are impossible to answer without additional information.
In such cases the auditor must determine detailed verification tests necessary to arrive at a position where definite findings or conclusions can be made, at which time the examination can then proceed to cause and effect analysis or the reporting phase. The decision as to whether or not the auditor has sufficient evidence to provide a satisfactory conclusion relating to the effectiveness of controls is a difficult one that requires professional judgment on the part of the auditor. This subject matter goes beyond the intended scope of this paper, but will be separately addressed in a subsequent paper on audit evidence. The audit working papers, however, should clearly document the auditor's decision-making process, the findings and conclusions relating to the study of the effectiveness of controls.
b) Cause and effect analysis
On completion of the necessary procedures to substantiate existing controls and significant deficiencies, inefficiencies and weaknesses, the auditor will be in a possession of a body of audit findings recorded on worksheets such as the Register of Essential Controls, the Register of Compensating Controls and the Summary of Weaknesses. To develop audit findings, conclusions and recommendations for reporting purposes, the causes and effects of control deficiencies must be analyzed. The focus of this analysis is to substantiate hypotheses on the reasons for, and significance of, failure to match the specified audit criteria.
Audit working papers should document:
- a clear statement of the problem revealed by an audit finding or group of findings. This statement should be supported through reference to control weaknesses noted in the course of the review and evaluation phases and substantiated in the verification phase; and
- a clear statement of cause and effect substantiated through further analysis and limited testing as necessary. Effects will usually be derived through reference to the control objectives outlined in the predetermined control model.
- Summarization of audit findings, conclusions and recommendations
c) Summarization of audit findings, conclusions and recommendations
For each area/activity subject to audit, the auditor should now have accumulated a list of findings, substantiated by verification procedures and analyzed for cause and effect where controls were found deficient. Summarization of these findings is a useful control for auditors, substantiating to reviewers that the scope of the audit has been satisfactorily covered and concluded upon. Summaries are beneficial in tying together groups of working papers relating to a particular issue. Relating summary findings to the original planning memorandum ensures that all significant areas have been covered.
Summaries also act as a mechanical control over the underlying working papers. They provide the important link between the audit report and detailed supporting working papers.
The principal documentation of this phase includes:
- supervisory review checklists and notes;
- working papers relating to the presentation of audit findings to the auditee;
- draft audit report;
- final audit report; and
- management responses to audit findings, action plans and audit report follow-up notes.
a) Supervisory review
Audit working papers should be reviewed on a regular on-going basis by the team leader as the audit progresses. As a minimum, the audit manager should review working papers at the completion of the assignment planning phase and again, at the completion of the audit team's development of findings, conclusions and recommendations.
In the working papers, it is informative to retain evidence of the supervisory review. Inclusion of supervisory review checklists, duly signed off, will provide a record of the basis by which review took place. Review checklists should indicate at minimum that the reviewer is satisfied that:
- the scope of coverage has been adequate;
- the working papers documentation is complete; and
- appropriate evidence has been obtained and documented to support audit findings and conclusions.
Additional areas encompassed by the review may include:
- that only material relevant to audit objectives has been retained in the working papers; and
- working paper information is properly organized and will facilitate third-party review should the need arise.
Proper review of the working paper is a necessary quality control measure, helping to ensure that established standards of audit conduct are maintained and that budgets and deadlines are met. Review may also provide secondary benefits by ensuring that concise, relevant, accurate and complete information is available and easily retrievable in the working papers for external reviewers such as the Auditor General, Central agency evaluation groups, program evaluation staff, or the general public who exercise their rights under the Access to Information Act.
Detailed review notes are sometimes retained in the working papers along with the review checklists and reviewer conclusions. Presuming that reviewers ensure that working papers are completed to the point where all review notes have been adequately cleared, retention of the review notes is typically unnecessary.
b) Presentation of audit findings to the auditee
There should be a continuous dialogue between auditors and auditee management throughout the course of the audit assignment. There are, however, certain formal communication requirements, one of which is the requirement for the team leader to provide auditee management with a summary of audit findings and recommendations prior to drafting the final report.
Once the team leader is satisfied that all working papers have been completed and reviewed and a summary of audit findings, conclusions and recommendations prepared, a meeting with the appropriate auditee should be arranged.
Working papers should provide evidence that the auditor provided auditee management with an opportunity to review the results of the audit prior to the time that the auditors left the audit site.
The working papers should illustrate the audit findings discussed and the auditee's reactions. This will serve to:
- lend greater credibility to the audit findings that will be included in the final report. After the exit review there may be disagreement on conclusions and recommendations included in the draft audit report but there should seldom be disagreement or subsequent surprises on factual matters;
- provide assurance to reviewers that the auditor has taken steps to ensure that all relevant facts related to the audit findings were considered in reaching conclusions; and
- provide evidence that auditees were informed on a timely basis of findings, thereby allowing them the earliest opportunity to initiate corrective action.
c) Preparation of the draft and final audit reports
There is no standard or universal model for the audit report. However, all reports should incorporate the following elements:
- an outline of the audit objectives and scope including any limitations to scope;
- a brief description of the audit approach followed;
- an overview of the audit entity in sufficient detail to convey that the auditor has gained a good general perception of the nature of the entity, and the environment in which it operates; and,
- a summary of the major findings, conclusions and recommendations which states clearly the nature of the problem, the causes, the implications and the actions to be taken by each level of management, as necessary.
In preparing the report the team leader must ensure that the audit findings are adequately supported by evidence contained in the working papers. A working copy of the draft report should be cross-referenced to the supporting working papers to facilitate reference to the evidence that is backing the findings and conclusions.
The audit report should include only relevant and significant information expressed logically and concisely, and addressed clearly to those who have the responsibility for initiating corrective action.
Draft reports represent part of the decision-making process which culminates in the final audit report. In a sense, the draft report is a more formal presentation of audit findings to the auditee and essentially serves the same purposes as the exit debriefing, but in a more formal manner.
The receipt of formal responses from auditees to the draft material presented by the auditor may be considered to serve a purpose similar to the external auditor's use of the "letter of representation". The confirmation by the auditee of the validity and appropriateness of the auditor's findings and conclusions serves as an additional and necessary form of substantiation in ensuring that the final audit report is presented as objectively as possible and includes all relevant facts. This process also serves to ensure that changes within the audited entity from the time of the auditor's debriefing may be communicated to the auditors for their consideration before preparing the final audit report. The use of an actual letter of representation adapted for internal audit purposes is being studied by the OCG. If necessary, further comment on this subject will be provided through a future Policy Interpretation Notice.
The final report represents the ultimate product of the audit process and should be retained in the working papers. Once the final audit report has been issued, the senior executive responsible for the entity audited should require the preparation of appropriate action plans. A copy of these plans should be forwarded to the internal audit group for review and comment. This plan should contain implementation dates and be retained in the working papers.
During the course of the implementation of the action plan the auditor should monitor progress reports and retain them on file for the sake of completeness. The working papers should reflect evidence that the usual role adopted by the auditors in follow-up was properly discharged. In this regard, the auditor normally advises senior management as to the acceptability of corrective action taken by line management in response to audit findings and recommendations. Working papers should indicate the auditor's conclusions as to whether implementation of the action plans has been satisfactory and where necessary, document inadequate action. The steps taken by the auditor in ensuring that senior management remained informed until adequate action was taken should be provided in the working papers.
Occasionally, a separate follow-up audit may be warranted. In this situation a detailed memo outlining the circumstances should be prepared so that additional work may be included in the long-term plan and annual schedules. The working papers should include points for follow-up as reference to any future audits to be performed in the area.
A detailed treatment of follow-up procedures is beyond the scope of this paper but will be the subject of a future paper.
Structure and Organization of Working Papers
As noted in the section relating to the purpose of working papers a number of useful effects can be achieved through maintenance of well-structured files.
Proper organization of working papers can lead to benefits such as:
- allowing several individuals or separate offices to work on different segments of an assignment in a co-ordinated manner;
- bringing discipline to the audit approach, reducing the chance of omissions in the review of complex systems;
- serving as a tool for instruction to audit staff;
- facilitating efficient communication of results; and
- facilitating review by helping to isolate deviation from normal procedures.
This section does not propose detailed guidance relating to the structure of working papers but will identify procedures in common usage that serve to meet the purposes noted above.
General Organizational Principles
A uniform policy for the organization of working papers should be established within the audit group. Uniformity in the type of files maintained, stationary used, indexing and general layout of working papers allows for proper co-ordination between auditors and for efficient reference and review.
Working papers are usually divided into two types of files: permanent and current. The organization of files into these types segregates background information of continuing interest that relates to the audit entity from that information which supports the auditor's current assessment of the adequacy of the management control framework under review.
The allocation of the various working papers accumulated or prepared during the audit between these two groups of files varies in practice. Generally, certain types of information are associated with either permanent or current working papers and this breakdown is identified in Table 1.
In practice, some variation in the content of permanent versus current working papers can occur. Differences in treatment generally relate to the extent of information of continuing interest that is maintained in the permanent file or included on schedules in the current working papers. Certain schedules retained in the current file that relate to the current assessment of the audited entity may be of use in the planning of a subsequent assignment. As a standard procedure, the audit group may designate that all such schedules in the current file need not be retained in the permanent file but simply carried forward at the time of the subsequent assignment.
Proper organization of working papers could accept either treatment. Consistency, however, in the manner by which working papers are divided by the audit group is extremely important. Reviewers of current working papers must have assurance that there has been no misfiling of evidence in support of individual assignment reports, Conversely, where certain information of continuing interest is filed in current working papers, the audit group must establish a procedure that ensures the information will be carried forward to subsequent assignments. Proper carry-forward procedures are particularly important if different retention practices are established for current and permanent paper contents.
Auditors usually maintain other files, such as correspondence files. For the purpose of this paper, these files are not considered to be audit working papers since they do not normally contain papers of continuing interest or information directly supporting the auditor's report. When they do contain such papers, copies of or references to them should be included in the working papers because audit working paper files should be complete in themselves.
Indexing and Cross-Referencing
Finding information in the working paper files is best facilitated by an index system and liberal use of cross-referencing.
The system of indexing should be simple and flexible. One such system is to use a capital letter to designate broad segments of the audit and numerals for the worksheets within the segments. Appendix C illustrates an indexing system and reflects how it can be readily expanded to accommodated a large body of working papers.
The indexing system should be known at the beginning of an assignment to avoid the situation where an auditor is faced with a mass of unreferenced papers. To keep working papers referenced on an ongoing basis the audit team leader should assign index references at the same time that tasks are assigned.
Cross-referencing related data within the working papers greatly facilitates review and provides ready access to supporting information during debriefing sessions. Cross-referencing audit plans to procedures applied, audit programs to the results of tests and the audit report to supporting evidence are examples of typical areas where this technique is most useful to prime users and reviewers of audit files.
The cross-referencing system uses the indexing references assigned to working papers. One method of cross-referencing commonly employed places significance on the location of the reference. References appearing to the left of the correlated data indicates the working paper from which the information was derived. References to the right of correlated data indicates the working paper to which the information is being carried forward.
Example A figure, 1234.56, is referenced from working paper K2 to draft report page A4.
- on K2 the reference would be: 1234.56 A4
- on A4 the reference would be: K2 1234.56
Cross-references, of course , are not restricted to tying figures together but are applied liberally to all related information contained in separate working papers. Appendix C illustrates how various segments of the working papers can be correlated.
The headings on individual working papers should facilitate the proper filing of the papers and the locating of specific information, and should enable the reviewer of the papers to determine who prepared them. Each paper should therefore include:
- period of examination
- title, subject or description of working pater
- date of preparation
- initials of the preparer
- initials of the reviewer
- indexing and cross-referencing codes.
Segregation of sensitive information
With the introduction of the Access of Information Act, internal auditors should pay particular attention to information accumulated within the working papers that should not be disclosed should there be a request under the Act (reference should be made to the Policy Interpretation Notice issued by the OCG entitled Treatment of Access to Information Requests for Audit Information).
To allow for efficient processing of access to information requests, the internal audit group should initially review the nature of the subject matter of the assignment and determine the extent of exempt or excluded information that will likely be accumulated in the working papers. Where little of such information is associated with an assignment, the internal audit group need not be concerned with segregation of sensitive material until a specific request is received. Alternatively, where it is expected that considerable exempt or excluded data will be accumulated during the assignment, the internal audit group may wish to segregate sensitive information from the working papers as they are prepared or accumulated. Where, in the auditor's judgment, a request for information is likely to be received and there is considerable exempt or excluded information associated with an assignment, greater efficiency in processing the request will be achieved by segregating sensitive information as the working papers are prepared. If a request is then received, only the segregated material needs to be reviewed in determining the extent of information that can be disclosed.
When segregation of sensitive information is performed as the working papers are being prepared, the main body of working papers could include a number of "dummy worksheets" which indicate the nature of sensitive information that is being held separately. Where such information is related to data included in the main body of working papers, the dummy worksheets could contain cross-references to that data to ease review and retrieval. In that the head of a government institution is not required to indicate the existence of a record which is not disclosed, the dummy worksheets themselves may also be withheld from disclosure when they relate to excluded or exempt information.
Retention and Disposal
Authority for Disposal
The revised TBS records management policy (refer to TBS circular no.: 1983- 09) provides a broad definition of public records so that most types of audit working paper documentation would be considered to be included within its scope. When this policy is read in conjunction with the Public Records Order (P.C. 1966-1749) virtually all documented audit information, regardless of physical form, make or received in pursuance of federal law or in connection with the transaction of public business, falls within the scope of the policy's provisions.
With the inclusion of audit working papers within the scope of the TBS records management policy, audit groups must not destroy records or permit their removal from the control of the Government of Canada except in accordance with the schedules approved by the Dominion Archivist.
Although audit groups do not have authority to dispose of working papers outside of the provisions of the records management policy, they still retain special knowledge about the retention value of audit working papers. As such, audit groups working through their departmental records management system have a responsibility to advise on necessary retention cycles to ensure that storage of working papers is done economically and efficiently.
The following section provides guidance as to the method by which auditors can review the retention value of working papers for the purpose of advising departmental records management personnel. At present, Schedule 2 of the General Records Disposal Schedules, approved by the Dominion Archivist, establishes a six-year retention cycle (two years current; four years dormant) for audit working papers. This standard and the existing retention practices adopted within the internal audit community are being studied by the OCG for adequacy. At the conclusion of this study, more definitive guidance will be provided regarding proper retention cycles. Until such time, the six-year retention standard should be applied to all audit working papers content, adjusted for longer cycles where there exists additional value as described in the following section.
Evaluating Working Papers for Retention Value
Because the storage of working papers can require a great deal of costly space, the determination of the proper retention period constitutes a practical problem for audit groups. Retention should be guided by a review of the continuing value associated with working papers.
In evaluating working papers, four primary types of value should be considered. These are:
- administrative value
- legal value
- fiscal value
- informational data value.
The administrative value in records may be defined as those records required to carry out the current activities of the audit group.
All working papers contribute to the proper administration and conduct of an audit. As has been illustrated throughout this paper, the orderly accumulation of audit information serves a number of purposes relating to the effective completion of an audit assignment. Once an audit is complete however, determination of continuing administrative value of working papers represents a difficult problem for auditors.
In assessing working paper records for any remaining administrative value, the auditor should consider the following questions for each record and, when the answers are "YES", then the records will be considered to have no more administrative value:
- Has the record ceased to contribute to the administrative performance of the function which it supported?
- Has the original purpose of the record been fulfilled?
- Is the record being retained as a convenience or because it has been the practice to keep it?
- Has the transaction within each individual record been completed?
- Has the record been kept merely to guard against administrative blame?
- Is the record available elsewhere, i.e., is it duplicated?
The legal value in records may be defined as those records which involve long or short term rights of the government or of the private citizen and which are enforceable by the courts.
The retention of internal audit working papers in the public sector because of their legal value is less predominant than in the private sector where an action for tort or breach of contract is an important consideration for external auditors.
Nevertheless, specific legal requirements should be determined by the author to ensure that retention practices protect the legal rights of the department and individuals.
The fiscal value in records may be defined as those records which departments require to show how moneys were obtained, allotted, controlled and expended.
Audit working paper retention has been traditionally associated with their fiscal value. In the General Records Disposal Schedules (approved by the Dominion Archivist and issued under the authority of the Public Records Order P.C. 1966-1749) audit working papers were given a six-year retention cycle in order to protect audit practice and may be of questionable relevance in the federal government environment.
Informational Data Value
This multi-purpose value may be defined as the ability of a record to aid in the reconstruction of the past activities of a department, to provide information for current and future planning, and to furnish data upon which new activities may be based.
Much of the information retained in working papers has some informational data value. For the internal audit group, certain aspects of working papers, typically included in the permanent working paper files, are of continuing use in the planning and conduct of future assignments. All audit information pertaining to the last assignment at a specific audited entity has value to external reviewers, particularly the Auditor General, for establishing a basis upon which the activities of the internal audit group can be evaluated. With the increasing emphasis placed by the Auditor General upon relying on the results of internal audit work, recognition of the continuing informational data value of working papers is significant when establishing proper retention cycles.
- Anderson, Rodney, J. "The External Audit 1, Concepts and Techniques", Pitman Publishing 1977.
- The Canadian Institute of Chartered Accountants "Good Working Papers", 1980.
- Sawyer, Lawrence, B. "The Practice of Modern Internal Auditing", The Institute of Internal Auditors, Inc., Altamonte Springs, Florida, USA 1981 Expanded Edition.
Federal Government Reference Documents (formal)
- Circular No.: 1983-09, Records Management Policy, Treasury Board Secretariat; March 22,1983.
- General Records Disposal Schedules of the Government of Canada, Public Archives of Canada, 1978 Third Edition.
- Records Scheduling and Disposal, Public Archives of Canada, 1972.
- Standards for Internal Audit in the Government of Canada, Office of the Comptroller General, Policy Development Branch, Treasury Board, 1982
Departmental Internal Audit Reference Documents (informal)
- Interdepartmental Advisory Committee on Internal Audit (IACIA), Internal Audit Handbook, Volume II, Book 1, Chapter 1, Exposure draft: "Guide to the Development and Conduct of Audit Assignments".
- Office of the Comptroller General, Policy Development Branch, Position paper: "Treatment of Access to Information Requests for Audit Information".
Appendix A: Background Information Gathered during the Assignment Planning Phase
To obtain an overall appreciation of the audited entity, the auditor will normally obtain and include within the working paper documentation:
- significant legal, financial and regulatory constraints that impact upon the audited entity including as sources such documents as the Main Estimates, legislation, regulations and Central agency policy;
- environmental information including the objectives and activities of all organizations affecting the operations under review;
- previous studies and audit reports that have either directly or indirectly has an effect on the operations of the auditee;
- internal information for both the audited entity and the
department, such as:
- organization charts and position descriptions;
- delegation of authorities documents;
- significant financial and other operating data including long-term and annual plans, budgets and variance reports, management reports, person-year allocations and performance measurement reports.
Assignment Planning Memorandum
An assignment planning memorandum should include as a minimum:
- a summary of the scope and objectives of the assignment and any limitations placed thereon;
- an overview description of the audit entity encompassing:
- legislative authorities and mandate;
- key objectives and goals;
- resources employed (human, financial and physical);
- key organizational/operational issues and constraints;
- principal information and control systems;
- principal management control mechanisms;
- significant changes in operations/system/influences over the past two years or since the last audit; and,
- known/expected future influences on the audit entity.
- principal issues and anticipated lines of audit enquiry;
- audit strategy discisions including the audit approach and general notes on audit techniques decisions;
- basic audit objectives and associated criteria developed;
- outline of audt report format(s) taking into account levels of reporting required;
- resource requirements including identification of specialist skills;
- time budget and critical milestone dates;
- assignment of staff responsibilities;
- any other significant considerations or outstanding issues; and,
- confirmation of approval to proceed.
Appendix B: Illustration of Summary Working Papers
Register of Essential Controls
|Working Paper Reference||Nature of Essential Control||Nature of Verification Test||Results of Verification Audit Procedures||Weakness Deficiencies Referred to Summary of Weakness|
|Basis\Sample Size||Reference to Verification Audit Procedures|
Summary of Weakness
|Working Paper Reference||Nature of Weakness||Is Weakness Significant?||Compensating Controls?||Additional Verification?||How Reported||Management Action Taken|
Register of Compensating Controls
|Working Paper Reference||Compensating Controls|
|Description||Flow Chart\Systems Document Reference||Verification Procedure Reference|
Appendix C: Illustration of Indexing/Cross-Referencing System for Working Papers
Current Working Paper Files
General\Administration (File 1)
|Subject||Index (1)||References to||References from (2)|
|Final report; Final management letter||A||C, D, G|
|Management comments and action plans||B||A||source (3), C|
|Draft report; Draft management letter||D||A||E, G|
|Verbal debriefing - notes||E||D||source|
|Supervisory review checklists and notes||F||(4)||(4)|
|Summary of audit observations, conclusions and recommendations (including cause\effect analysis)||G||A, D||J, K, L|
|Assignment Planning Memorandum||H||(5)||(5)|
Supporting Working Papers (File 2)
|Subject||Index (5)||References to||References from (1)|
|Register of Essential Controls||J||G||N, Q|
|Register of Compensating Controls||K||G||N, Q|
|Summary of Weakness||L||G||N, Q|
|Documentation in response to control questionnaires||N||P||if conclusive - J, K, L
if conclusive - Q
|Predetermined control model||O||M||source|
|Documentation of existing control framework||P||N||source|
|Verification plan, procedures, results||Q||J, K, L||N, source|
(1) Expansion of index
Each page of the section can be referenced simply as A1, A2, A3 etc., if a worksheet is to be added between A2 and A3, the A2 becomes A2.1 and the added sheet can be indexed A2.2.
(2) References to
Information contained in this section supports or provides background for the content of the section to which the review is being referred;
(2) References from
Information contained in this section is supported by the content of the section from which the reviewer is being referred.
For ease of review, working papers should be cross-referenced in a manner reflecting the relationships between sections as noted above. Working papers should build upwards from source data to the final audit report.
Indicates that information is derived directly from the audited entity through discussion, observation or application of audit procedures.
(4) Supervisory review checklists
Normally checklist is signed off indicating that a satisfactory standard of quality has been achieved in the audit and adequately reflected in the working papers.
(5) Assignment planning memorandum
Various aspects of the memo may be referenced to supporting working papers indicating to the reviewer that planning decisions and scope were taken into consideration during the conduct of the assignment.
Permanent Working Paper Files
General Information (Index AA)
- significant legal, financial and regulatory restraints that impact the audited entity;
- environmental information on organizations that effect the operations of the audited entity.
Operational Base for the Audited Entity (Index BB)
- objectives of the auditee
- departmental and internal plans
- relevant policies and procedures
- reporting requirements
- services provided
- organization chart, position descriptions
- capital and operating budgets
- performance standards.
Operational Documentation for Audited Entity (Index CC)
- systems documentation (program logic, management control framework, accountability relationships).
Previous Studies and Reports (Index DD)
- copies of previous audit reports, follow-up notes, management action plans, planning memorandum;
- copies of all recent AG reports, departmental responses
- other internal departmental or Central Agency evaluation group studies or reports.
The above list is meant to be illustrative and not restrictive in any way. Additional significant information should be included as necessary.