Assembly and Lockdown of the Audit File
Typically, the audit engagement reaches its climax upon signing the audit report and related documents, and delivery to the client. Habitually, and due to human nature, auditors tend to consider the job done and the procedures needed to be performed in compliance with audit standards, already completed.
There are three types of possible actions after the audit report date, namely
1. Audit Procedures
Before we look at the type of audit procedures that may be warranted after the audit report date, it should be emphasised that the audit report may only be signed once the auditor has, among others, satisfied themselves that:
- enough evidence has been obtained
- there is no material misstatement of the amounts and disclosures, due to fraud or error
- the financial statements are prepared in compliance with the accounting framework
- all the conclusions have been reached and are appropriate, in order to issue the appropriate opinion in the audit report.
In short, the audit procedures and evidence obtained should be COMPLETE (ISA 700 paras. 12‒15).
ISA 230 para. 13 states: “If, in exceptional circumstances, the auditor performs new or additional audit procedures or draws new conclusions after the date of the auditor’s report, the auditor shall document: (Ref: Para. A20)
- The circumstances encountered;
- The new or additional audit procedures performed, audit evidence obtained, and conclusions reached, and their effect on the auditor’s report; and
- When and by whom the resulting changes to audit documentation were made and reviewed.”
A20. “Examples of exceptional circumstances include facts which become known to the auditor after the date of the auditor’s report but which existed at that date and which, if known at that date, might have caused the financial statements to be amended or the auditor to modify the opinion in the auditor’s report. The resulting changes to the audit documentation are reviewed in accordance with the review responsibilities set out in ISA 220, with the engagement partner taking final responsibility for the changes.”
Therefore, when exceptional circumstances are encountered where facts become known which existed at the date of the audit report, the auditor HAS to demonstrate and document:
- when the facts became known to the auditor
- whether the facts existed at the date of the audit report
- what new / additional procedures were performed
- whether the facts require amendment of the financial statements
- whether the facts require amendment of the audit report
- whether other reporting requirements are affected, e.g. reportable irregularities.
2. File assembly procedures
File assembly procedures ONLY comprise administrative procedures to compile all the documented evidence together in a sensible order to enable an independent auditor to re-perform the audit and come to the same conclusions. The following procedures commonly confused with file assembly procedures are NOT part of the file assembly process:
- review of working papers
- filing of new evidence not corroborating with existing evidence already considered as adequate
- planning procedures to comply with standards
- completion procedures to comply with standards
- outstanding fieldwork.
Firm policies and procedures should specify the time period for file assembly, which should not be more than 60 days from the date of the audit report.
ISA 230 para. 14 states: “The auditor shall assemble the audit documentation in an audit file and complete the administrative process of assembling the final audit file on a timely basis after the date of the auditor’s report. (Ref: Para. A21–A22)”
A21. “ISQC 1 (or national requirements that are at least as demanding) requires firms to establish policies and procedures for the timely completion of the assembly of audit files. An appropriate time limit within which to complete the assembly of the final audit file is ordinarily not more than 60 days after the date of the auditor’s report.”
A22. “The completion of the assembly of the final audit file after the date of the auditor’s report is an administrative process that does not involve the performance of new audit procedures or the drawing of new conclusions. Changes may, however, be made to the audit documentation during the final assembly process if they are administrative in nature. Examples of such changes include:
- Deleting or discarding superseded documentation.
- Sorting, collating and cross-referencing working papers.
- Signing off on completion checklists relating to the file assembly process.
- Documenting audit evidence that the auditor has obtained, discussed and agreed with the relevant members of the engagement team before the date of the auditor’s report.”
3. File lockdown
After assembly, the audit file should be kept secure with prohibited access, whether electronic or manual, for the duration of the retention period as determined by the firm’s quality policies and procedures.
ISA 230 para. 15 states: “After the assembly of the final audit file has been completed, the auditor shall not delete or discard audit documentation of any nature before the end of its retention period. (Ref: Para. A23)”
ISA 230 para. 16 states: “In circumstances other than those envisaged in paragraph 13 where the auditor finds it necessary to modify existing audit documentation or add new audit documentation after the assembly of the final audit file has been completed, the auditor shall, regardless of the nature of the modifications or additions, document: (Ref: Para. A24)
- The specific reasons for making them; and
- When and by whom they were made and reviewed.”
In order to comply with the file lockdown requirements, the firm should have a record of access to files which sets out the required details of when a file was accessed. A common area where access is not documented is where files are used for monitoring reviews or planning the following year’s audit. Care should be taken that the necessary registers have been completed and that no amendments have been made. Substantial penalties and disciplinary measures have been imposed on audit firms which were not compliant with the requirements of ISA 230 in this regard.
Conclusion
LEAF is passionate about keeping your audit records compliant with standards and we are standing at the ready to assist with ensuring that your policies and procedures, and their implementation are compliant and efficient.
References
1. IAASB: ISA 700 (Revised), Forming an opinion and reporting on financial statements
2. IAASB: ISA 230, Audit documentation