May 18, 2016

The Secrets to Excellent Audit Documentation

The Secrets to Excellent Audit Documentation Risk Advisory Services

Most auditors have heard the saying “Work papers need to stand alone,” meaning that all information should be documented properly so a reviewer doesn’t need to ask additional questions to understand what was tested, and how the conclusion was reached. If one gets hit by a bus, or preferably, if they win the Mega Millions lottery, they will not be coming to work the next day. Someone needs to be able to easily pick up their work papers and continue where they left off. There should be no undocumented knowledge pertinent to understanding the work.

Reviewers don’t want to give the same comments over and over again. A staff should apply previous review comments to future work papers. If a reviewer has to tell staff to run spell-check, they shouldn’t have to be reminded again. A good practice is to make a checklist of those comments and quickly go through them before you turn in the next project for review. That shows the reviewer that you understand why you received that review comment in the first place, and that you plan to make it a common practice going forward.

I once had to write six pages of review comments for a staff member completing an audit of accounts payable.  She was overwhelmed, but we sat down together and went through each item. The next section she audited was much better because she tried hard not receive the same review comments.

Here is a list of the review comments I have encountered. This is by no means a complete list. Please add your own comments to it and share it with your staff when you become the reviewer.

These items are written on the sample documentation:

  1. Purpose – What is the document? Give the document a name and describe what it is used for. If it is something completely obvious, such as an invoice that says “Invoice” along the top, you can just underline the word “Invoice.” But if the purpose of the document is not obvious, write what the document is used for. For example, if it is a computer screen shot, an explanation (“This document is a screen shot showing the approver’s electronic signature for Mark Peterson’s travel expenses.”) may be necessary.
  1. Source – Note who provided this document to you (name and title).
  2. If there are any signatures of approval on a document, you should write the person’s name and title next to it.
  3. Tick and tie the documentation. For example, if you are documenting a three-way match, tie out the invoice number, purchase order number, number of units, unit cost, and total cost between the purchase order, invoice and bill of lading. 
  4. When you have many numbers to add up, you can put the same letter next to each number to be added and then write: ∑ A =

These items are written on a control matrix (See Appendix 2)

  1. Nature – What are the test steps that you are performing?
  2. Timing – What is the date range of your tests: January through December, or a different population?
  3. Extent – Document how many samples are you selecting and note the reasoning for selecting that size. Each audit firm or audit department should have a sample size guidance to follow (e.g., number of samples for annual, quarterly, monthly, weekly, daily, multiple times per day controls).
  4. Exceptions or deviations noted – If there is a justified reason why the control operated differently (e.g., the normal approver was on vacation, so a different person had approval authorization), then that needs to be explained. If the control did not operate as intended with an unjustified deviation from the control plan; that is an exception and needs to be explained.
  5. Review controls explanations – If the control involves a review of a process, meet with the reviewer and document their process for review.
  6. Conclusion – This is the overall determination of whether the control is operating effectively.
  7. Spell check your work.
  8. Perform a self-review – If you were the reviewer, what questions would you ask, or what additional information is needed to understand the documentation and results?

Marcum LLP is a full-service CPA and financial services firm with internal auditors that specialize in providing assistance to internal audit departments on an as-needed basis. You can use this article and examples as a starting point for your department’s standard practices. Marcum LLP is available to assist your department with documentation training, review and suggestions for improvement in existing documentation practices, or to perform testing as an extension of your department on an as-needed basis.

Please see the and internal audit page for further information, or contact your Marcum representative.

Related Service

Risk Advisory Services