« Tax tops the list of best jobs. But wait — there’s more | Main | How a kid’s allowance can teach money management skills »

Advice from a peer reviewer: Documentation missteps to avoid

GettyImages-157399946In my 25 years as a peer reviewer, I’ve reviewed thousands of audits from a variety of firms. You may be surprised by how often I see errors related to a fundamental audit step: documentation.

Audit documentation is important to get right because it provides evidence to support your audit opinion. It’s also crucial for auditors to document their work if they are going to comply with generally accepted auditing standards (GAAS).

I’ve found that several documentation missteps trip up auditors more than others. Keep reading to find out what these errors are and how to avoid them.

For help with all of these missteps, review the audit documentation standard. You may also find it helpful to download some of the free resources in this audit documentation toolkit.


1. Documentation of threats to independence and mitigation

In my peer reviews, firms have been doing a better job documenting independence and non-attest services performed for clients. However, I still see problems with auditors not specifically identifying threats to independence and whether those threats are significant threats.

Many auditors stop documenting threats to independence after realizing they can proceed with performing the audit. However, under AU-C 220.13, you still need to consider whether specific threats are significant. These represent significant judgments under AU-C 230.08 and should be documented. You also need to include details about the safeguards that will prevent the threats from affecting both your independence in fact and appearance.

To avoid this, make sure you don’t stop documenting threats right after determining your independence is not impaired. Be sure to carry it all the way through and think more specifically about what kinds of threats to independence exist and how you plan to mitigate them.


2. Documentation of risk assessment

Many firms I’ve reviewed say they’ve identified, assessed and responded to their clients’ risks of material misstatement, but they don’t document those steps or how their risk assessments carry into their audit approaches.

Why is this happening? They may not understand what documentation is required by audit standards. Often, I see auditors using practice aids to guide them through their documentation process, but not delving into the detailed instructions to get an understanding of what specific documentation is required.

While practice aids can be great guides for your audit, they’re only as good as your understanding of them. Be sure to review the more detailed instructions contained in your practice aids instead of going straight to the fillable fields and assuming you know what to look for.


3.Documentation of internal control

You should document your client’s controls to make sure they’ve been properly designed and implemented. Often auditors are documenting processes, but not controls within those processes.

I see this happen when auditors go full steam ahead and do a substantive audit in which they test everything possible instead of focusing on a client’s risks. They may think controls don’t matter if they move straight to a substantive audit approach.

However, not only does this approach not comply with the standards, it doesn’t help your audit, and it’s ultimately inefficient. It’s important that you understand your client’s internal controls over financial reporting to identify and assess risk. This will determine which procedures you perform. The standards require that your audit procedures be responsive to the risks you’ve identified, so you need to document your client’s controls to demonstrate this.

To avoid this issue, start by documenting processes, then take a second pass and identify the controls in that process. The AICPA’s Internal Control Toolkit has a free process memo example that can help you do this. Make it a practice to do a walkthrough on every audit of major transaction classes to determine if controls have been implemented.

If your work isn’t documented, you’re not done.

Overall, the best advice I can give for avoiding these missteps is, “when in doubt, just write it down.”

Keep this in mind while auditing so that you’re always thinking about documenting. And remember that your documentation doesn’t always need to be complicated. You don’t need to use complex practice aids to document every time; you can also use memos to meet documentation requirements.

Finally, you can learn more about proper audit documentation and access free resources to help you comply with the standard by visiting the AICPA’s audit documentation toolkit. You may also be interested in the AICPA’s free resources to assist you with complying with the risk assessment and internal control standards.

Rick Reeder, CPA, CGMA, Owner, Reeder & Associates, PA. His diverse range of clients includes those in not-for-profit, employee benefit plans, construction and CIRAs. Rick is an at-large member of the AICPA Council and serves on the AICPA Quality Control Standards Task Force. He is a past chair of the AICPA Peer Review Board and previously completed a three-year term on the executive committee of the AICPA Governmental Audit Quality Center. Rick was also a member of the AICPA Practice Monitoring of the Future Steering Committee and Architects Task Force and is a member of the AICPA Practice Management Task Force for Government and Compliance Audits.


Comments are moderated. Please review our Comment Policy before posting.


Subscribe in a reader

Enter your Email:

CPA Letter Daily