Advice from a peer reviewer: Documentation missteps to avoid
AICPA logo
AICPA logo
  • Home
Businessman sitting with virtual checkmark in front of him

Advice from a peer reviewer: Documentation missteps to avoid

3 years ago · 3 min read

In my 25 years as a peer reviewer, I’ve reviewed thousands of audits from a variety of firms. You may be surprised by how often I see errors related to a fundamental audit step: documentation.

Audit documentation is important to get right because it provides evidence to support your audit opinion. It’s also crucial for auditors to document their work if they are going to comply with generally accepted auditing standards (GAAS).

I’ve found that several documentation missteps trip up auditors more than others. Keep reading to find out what these errors are and how to avoid them.

For help with all of these missteps, review the audit documentation standard. You may also find it helpful to download some of the free resources in this audit documentation toolkit.

  1. Documentation of threats to independence and mitigation
    In my peer reviews, firms have been doing a better job documenting independence and non-attest services performed for clients. However, I still see problems with auditors not specifically identifying threats to independence and whether those threats are significant threats.

    Many auditors stop documenting threats to independence after realizing they can proceed with performing the audit. However, under AU-C 220.13, you still need to consider whether specific threats are significant. These represent significant judgments under AU-C 230.08 and should be documented. You also need to include details about the safeguards that will prevent the threats from affecting both your independence in fact and appearance.

    To avoid this, make sure you don’t stop documenting threats right after determining your independence is not impaired. Be sure to carry it all the way through and think more specifically about what kinds of threats to independence exist and how you plan to mitigate them.

  2. Documentation of risk assessment
    Many firms I’ve reviewed say they’ve identified, assessed and responded to their clients’ risks of material misstatement, but they don’t document those steps or how their risk assessments carry into their audit approaches.

    Why is this happening? They may not understand what documentation is required by audit standards. Often, I see auditors using practice aids to guide them through their documentation process, but not delving into the detailed instructions to get an understanding of what specific documentation is required.

    While practice aids can be great guides for your audit, they’re only as good as your understanding of them. Be sure to review the more detailed instructions contained in your practice aids instead of going straight to the fillable fields and assuming you know what to look for.

  3. Documentation of internal control
    You should document your client’s controls to make sure they’ve been properly designed and implemented. Often auditors are documenting processes, but not controls within those processes.

    I see this happen when auditors go full steam ahead and do a substantive audit in which they test everything possible instead of focusing on a client’s risks. They may think controls don’t matter if they move straight to a substantive audit approach.

    However, not only does this approach not comply with the standards, it doesn’t help your audit, and it’s ultimately inefficient. It’s important that you understand your client’s internal controls over financial reporting to identify and assess risk. This will determine which procedures you perform. The standards require that your audit procedures be responsive to the risks you’ve identified, so you need to document your client’s controls to demonstrate this.

    To avoid this issue, start by documenting processes, then take a second pass and identify the controls in that process. The AICPA’s Internal Control Toolkit has a free process memo example that can help you do this. Make it a practice to do a walkthrough on every audit of major transaction classes to determine if controls have been implemented.

If your work isn’t documented, you’re not done.

Overall, the best advice I can give for avoiding these missteps is, “when in doubt, just write it down.”

Keep this in mind while auditing so that you’re always thinking about documenting. And remember that your documentation doesn’t always need to be complicated. You don’t need to use complex practice aids to document every time; you can also use memos to meet documentation requirements.

Finally, you can learn more about proper audit documentation and access free resources to help you comply with the standard by visiting the AICPA’s audit documentation toolkit. You may also be interested in the AICPA’s free resources to assist you with complying with the risk assessment and internal control standards.

Rick Reeder, CPA, CGMA

Rick Reeder is the owner of Reeder & Associates, PA a local CPA firm in Tampa, Florida. His diverse range of clients includes those in the areas of not-for-profit, employee benefit plans, construction and CIRAs. He has over 30 years of auditing experience including 10 years with International Accounting Firms.

Rick is an at-large member of the AICPA Council and serves on the AICPA Quality Control Standards Task Force. He is a past Chair of the AICPA Peer Review Board, and previously completed a 3-year term on the executive committee of the AICPA Government Audit Quality Center. In addition, he is a member of the AICPA Practice Monitoring of the Future Steering Committee and Architects Task Force, and the AICPA Practice Management Task Force for Government & Compliance Audits. Rick also serves on the FICPA Peer Review committee as a member of its executive committee. Rick is a member of the board of directors of the Grow Financial Federal Credit Union.

Rick received his Bachelor of Science degree in Accounting from Bowling Green State University in Bowling Green, Ohio. His interests included food, wine, travel and Rays baseball.

What did you think of this?

Every bit of feedback you provide will help us improve your experience

What did you think of this?

Every bit of feedback you provide will help us improve your experience

Mentioned in this article


Manage preferences

Related content