How a Young Auditor Learned to Create High-Quality Workpapers

Meet Emily, a young auditor who had just landed her dream job at a top-tier audit firm.

Excited to start her career, Emily was eager to learn everything there was to know about the world of audits, risk management, and governance, and to make a positive impact on the clients she would be serving. As she began her journey, Emily quickly realized that one of the most critical aspects of her job was creating high-quality audit workpapers.

These documents were essential in maintaining a comprehensive audit trail, demonstrating compliance with regulations and standards, and validating the controls implemented by clients.

In this story, we follow Emily as she delves into the top 10 things that must be included in a high-quality audit workpaper, and learns some valuable lessons along the way.

Name of the Audit

The name of the audit is a pivotal element of the audit work paper, serving as a key identifier and facilitating the categorization of the audit documentation. It lays the groundwork for the entire audit engagement and offers essential context to those reviewing the work paper. In practical terms, if an auditor is conducting an audit on a specific application, it is crucial to include the name of that application at the top of the audit paper. Such a practice ensures that the audit work paper is correctly categorized and can be easily referenced by all relevant parties.

Emily was assigned to audit the payroll system of a new client. She remembered the newsletter's suggestion about naming the audit and including the name of the auditor. She promptly added the necessary information to the top of the workpaper.

Name of the Audit Test

The audit test is a fundamental component of the audit process, involving a series of rigorous procedures aimed at verifying evidence against specific criteria. In order to achieve this objective, auditors often use a systematic approach, which involves developing a set of audit test procedures tailored to the specific requirements of each engagement.

Emily's audit was focused on change management, the corresponding audit work paper test should be titled "Change Management for Payroll Application," thus enabling her to clearly and accurately document her findings.

Name of the auditor

The field of auditing places great emphasis on accountability, and one critical aspect of this is the identification of the auditor responsible for conducting the relevant tests. As part of their duties, auditors are entrusted with conducting specific tests, and the integrity of the results they produce ultimately lies with the auditor. The identification of the auditor by name is instrumental in facilitating effective review and feedback on their work. Furthermore, it promotes a sense of ownership and responsibility for the audits performed, while also providing a clear record of an auditor's professional accomplishments.

Effective Risk Statement

Writing an effective risk statement is a key quality of an auditor. Including the risk statement justifies the audit test performed. Ultimately, the reviewer, or a third party person who is going to have a look at the audit workpaper, is going to understand the justification for that audit test through a risk statement.

Emily ensured to include a proper risk statement for change management test that comprised of three major components. The first component talks about an event happening that can result into a negative impact on the organization. The second component is the cause for the event happening. And the last component is about the consequences of the event happening and how it will impact the organization.

Emily wrote - Application changes without proper approval getting promoted to production environment which might result in unauthorized changes in application's production environment leading to interruption of normal operations or financial losses.

Control Statement

In the audit process, a control statement serves as a remedy for identified risks and findings. As an auditor, it is crucial to provide recommendations only and not dictate implementation methods. Control statements do not address how controls are to be executed, but instead focus on what measures should be taken to mitigate risks. These statements must be tailored to the specific type of audit being conducted. For instance, if the risk statement concerns IAM group access controls in AWS, the control statement should offer solutions for granting appropriate access to AWS groups.

Audit Test Steps

The process of obtaining and validating evidence in an audit is crucial to forming accurate conclusions. Auditors follow a set of steps to gather evidence, validate it against predetermined requirements, and ultimately present their judgment on the audit test. The test steps taken form a bridge between the collection of evidence and the formation of conclusions. When a third-party reviewer reviews the audit work paper, they can understand the specific test steps taken to gather evidence and validate it.

Test Acceptance Criteria

The acceptance criteria is an essential component of the audit process that outlines the expected outcomes of the audit test. It serves as a guide for the auditor and answers the question of "what" is expected from the audit test. It is important to note that while the acceptance criteria provides an overview of the expectations, it does not address the "how" aspect of the audit test. This information is typically included in the test steps. The acceptance criteria enables the reader to review the specific criteria used to evaluate the results and draw conclusions.

Sample Selection

The selection of an appropriate population is a crucial step in conducting an audit test. A specific set of population must be identified in order to perform an effective audit test. For instance, when conducting a change management audit for a payroll application, it would be impractical for Emily to select all change management tickets from the application's inception. Instead, a certain time period such as three or six months was chosen as the test population for the audit. Clearly stating the test population in the audit workpaper is vital.

Presenting Evidence

In auditing, evidence plays a critical role in establishing the foundation for an audit report. The evidence provided by the client serves as the basis for the auditor's opinion, and its inclusion in the audit work paper is vital to ensure the quality and integrity of the audit. Failure to incorporate relevant evidence in the audit report can lead to inquiries and doubts on the auditor's professional judgment. Therefore, as an auditor, it is imperative to exercise due diligence and professional responsibility in documenting all pertinent evidence used in forming the audit conclusion.

Test Conclusion

The audit work paper's most critical section is the one that showcases the test procedures, evidence gathered, and potential findings identified during the audit test. A well-articulated and succinct conclusion is instrumental in making informed business decisions and implementing the necessary steps for the audit in question.

In conclusion, creating high-quality audit workpapers is a critical aspect of an auditor's job. As we have seen through Emily's story, there are ten essential elements to include in an audit work paper: the name of the audit, the name of the audit test, the name of the auditor, an effective risk statement, a control statement, audit test steps, test acceptance criteria, sample selection, presenting evidence, and forming conclusions. By incorporating these elements into your workpapers, you can ensure the quality and integrity of your audits, validate the controls implemented by clients, and make a positive impact on the clients you serve. So, let's start creating high-quality audit workpapers today!