Engagement Documentation
Engagement documentation—commonly referred to as workpapers—is the written record of the audit procedures performed, the evidence obtained, and the conclusions reached during an engagement. Proper documentation is not just a best practice; it is a professional requirement that serves as the principal support for the auditor's report and provides evidence that the audit was planned and performed in accordance with professional standards.
This section covers the purpose and elements of sufficient appropriate documentation, assembly and retention requirements, the documentation completion date, changes after the completion date, and key differences between PCAOB and AICPA requirements.
Engagement documentation requirements are established by AU-C 230 (AICPA) for nonissuers and AS 1215 (PCAOB) for issuers. While both frameworks share core principles, there are important differences in completion deadlines, retention periods, and specific requirements that are frequently tested on the CPA exam.
Purpose of Engagement Documentation
The overarching purpose of documentation is to provide a record sufficient to enable an experienced auditor, having no previous connection with the engagement, to understand:
- The nature, timing, and extent of the audit procedures performed
- The results of those procedures and the audit evidence obtained
- Significant findings or issues identified during the audit and the actions taken to address them
- Significant professional judgments made in reaching conclusions
- The basis for the auditor's report
This "experienced auditor" standard is critical. Documentation must be clear and complete enough that a qualified professional who was not involved in the engagement could review the workpapers and understand exactly what was done, why it was done, and what conclusions were reached. Vague or incomplete documentation is a common deficiency identified in peer reviews and PCAOB inspections.
Additional Purposes
Beyond supporting the audit opinion, documentation serves several other important purposes:
| Purpose | Description |
|---|---|
| Quality control | Enables engagement quality reviews, supervisory reviews, and internal inspections |
| Legal protection | Provides evidence that the auditor exercised due professional care if the work is later questioned |
| Continuity | Assists successor auditors or team members who may need to understand prior-year work |
| Regulatory compliance | Fulfills PCAOB, SEC, and state board requirements for record retention |
| Training | Serves as a reference for developing audit staff and standardizing firm approaches |
Elements of Sufficient Appropriate Documentation
Audit documentation can take many forms—physical (paper) or electronic (digital workpapers). Regardless of form, the documentation must be sufficient and appropriate to meet the "experienced auditor" standard described above.
Common Forms of Documentation
| Form | Examples |
|---|---|
| Written narratives and memoranda | Planning memoranda, risk assessment summaries, conclusion memos |
| Audit programs | Lists of planned procedures, marked to show completion and cross-referenced to supporting workpapers |
| Schedules and analyses | Lead schedules, account reconciliations, roll-forward schedules |
| Correspondence | Letters, emails, and other communications with the client, specialists, or third parties |
| Confirmations | Bank confirmations, accounts receivable confirmations, legal letters |
| Abstracts or copies of documents | Copies of significant contracts, board minutes, or loan agreements |
| Checklists | Disclosure checklists, financial statement presentation checklists |
| Electronic workpapers | Computer-generated analyses, data analytics outputs, screenshots of system testing |
Required Elements
At a minimum, audit documentation should include:
- Identification of the items tested — What specifically was selected for testing (e.g., invoice numbers, customer names, transaction dates)
- Who performed the work and when — The preparer's initials or identifier and the date of completion
- Who reviewed the work and when — The reviewer's initials or identifier and the date of review
- The auditor's conclusions — A clear statement of the conclusion reached for each area of the audit
Example: While auditing Gies Co.'s accounts receivable, the engagement team selects a sample of 40 customer balances for confirmation testing. The documentation includes the sampling methodology, the list of selected customers with balances, copies of confirmations sent and received, follow-up procedures for non-responses, and a conclusion that the accounts receivable balance is not materially misstated. The workpaper is initialed by the staff member who performed the testing and the senior who reviewed the work.
The CPA exam frequently tests the concept of who, what, when, and why in documentation. A well-documented workpaper answers: Who performed and reviewed the work? What was tested? When was it done? Why was the conclusion reached?
Assembly and Retention of Documentation
The Documentation Completion Date
After the auditor's report is released, there is a defined window during which the engagement team must assemble the final audit file. This is the documentation completion date.
| Standard | Documentation Completion Date |
|---|---|
| AICPA (AU-C 230) — Nonissuers | 60 days after the report release date |
| PCAOB (AS 1215) — Issuers | 45 days after the report release date |
The documentation completion date is a hard deadline. After this date, the engagement file is considered final, and no documents may be deleted or discarded. The shorter PCAOB deadline (45 days vs. 60 days) is a commonly tested distinction on the CPA exam.
What Happens During the Assembly Period
During the documentation completion date window, the engagement team should:
- Assemble all workpapers into the final engagement file
- Complete administrative tasks such as signing off on checklists, organizing file sections, and ensuring cross-references are accurate
- Resolve any open items or review notes
- Delete or discard any superseded drafts or redundant documentation
Example: Kingfisher Industries' audit report is released on March 15. Under AICPA standards, the engagement team has until May 14 (60 days) to finalize and lock down the audit file. During this period, the team organizes the electronic workpaper file, resolves outstanding review notes, and archives final versions of all documentation.
Retention Periods
After the documentation completion date, the audit file must be retained for a minimum period:
| Standard | Minimum Retention Period |
|---|---|
| AICPA (AU-C 230) — Nonissuers | 5 years from the report release date |
| PCAOB (AS 1215) — Issuers | 7 years from the report release date |
Firms may establish longer retention periods based on legal, regulatory, or internal policy requirements. State boards and other regulators may also impose additional retention requirements. The standard establishes the minimum — not the maximum.
Changes After the Documentation Completion Date
Once the documentation completion date has passed and the engagement file is final, strict rules govern any modifications.
General Rule
After the documentation completion date:
- No documents may be deleted or discarded from the engagement file
- Any additions to the file must clearly indicate the date of the addition, the name of the person making the addition, and the reason for the addition
When Changes Are Permitted
Changes after the completion date are rare and must be carefully controlled. Examples of situations that might require post-completion changes:
| Situation | Action Required |
|---|---|
| Subsequent discovery of a fact that existed at the report date | The auditor adds documentation describing the newly discovered fact, the procedures performed in response, and any conclusions reached |
| Peer review or inspection findings | The auditor may add documentation explaining how findings were addressed, but the original workpapers must not be altered |
| Legal or regulatory inquiry | Additional documentation may be added to explain the work performed, but original documentation is preserved |
Example: Six months after the documentation completion date for Illini Security's audit, the firm discovers that a significant customer confirmed a receivable balance that was, in fact, fictitious. The auditor adds a memorandum to the file explaining the discovery, the additional procedures performed, the conclusions reached, and any revisions to the audit report. The original confirmation workpaper is not deleted — it remains in the file with the supplemental documentation.
Under the Sarbanes-Oxley Act, knowingly destroying or altering audit documentation with the intent to impede a federal investigation is a criminal offense. This applies to both issuer and nonissuer engagements. The penalties can include fines and imprisonment.
PCAOB vs. AICPA Documentation Requirements
While both frameworks share core principles, there are notable differences between PCAOB and AICPA documentation standards.
| Requirement | AICPA (AU-C 230) | PCAOB (AS 1215) |
|---|---|---|
| Documentation completion date | 60 days after report release | 45 days after report release |
| Retention period | 5 years minimum | 7 years minimum |
| Scope | Nonissuers (private companies, not-for-profits, governmental entities) | Issuers (public companies registered with the SEC) |
| Specificity of identification | Must identify items tested and their characteristics | Must identify items tested; explicitly requires identifying characteristics that distinguish specific items (e.g., document numbers, dates) |
| Departures from firm methodology | Should be documented | Must be documented, and the reasons for departure must be explained |
| Engagement quality review | Documentation of the EQR process is required when an EQR is performed | Documentation of the EQR is required for all issuer audits |
PCAOB-Specific Requirements
The PCAOB places additional emphasis on:
- Specificity: Workpapers must clearly identify the specific items tested (e.g., by document number or other identifying characteristics), not just describe them in general terms
- Departures from firm methodology: Any departure from the firm's standard audit methodology must be documented with an explanation of why the departure was appropriate
- Retention of all documents: The PCAOB takes a strict view on document retention — all documents that form part of the audit file at the documentation completion date must be retained for the full 7-year period
Example: BIF Partners audits MAS Inc., a publicly traded company. When documenting the test of journal entries for potential fraud, the engagement team must list each specific journal entry tested (by entry number, date, and amount), the source of the entry, the testing performed, and the conclusion. A general statement such as "tested a sample of journal entries and found no exceptions" would not meet PCAOB documentation standards.
When the CPA exam asks about documentation completion dates or retention periods, pay close attention to whether the question specifies an issuer or nonissuer engagement. The PCAOB rules (45 days / 7 years) apply to issuers; the AICPA rules (60 days / 5 years) apply to nonissuers.
Documentation of Significant Matters
Both AICPA and PCAOB standards require that certain significant matters be documented with particular care:
Significant Findings or Issues
The auditor must document:
- Significant matters discussed with management, those charged with governance, and other relevant parties, including the nature of the discussions
- Identified risks of material misstatement at the financial statement level and assertion level
- Results of procedures that indicate a need for significant revision to the auditor's risk assessment or planned audit approach
- Circumstances that caused significant difficulty in applying audit procedures
- Findings that could result in modification of the auditor's report
Significant Professional Judgments
The auditor must document the professional judgments made in reaching conclusions about significant matters, including:
- The basis for the conclusions reached
- The alternatives considered and why the chosen approach was most appropriate
- Consultations with other professionals on difficult or contentious matters
Example: While auditing Illini Entertainment's goodwill impairment assessment, the engagement team determines that management's cash flow projections used a growth rate significantly above industry benchmarks. The workpapers document the team's professional judgment in evaluating the reasonableness of the growth rate, the alternative scenarios considered, the discussion with the engagement partner, and the conclusion that an additional $2.3 million impairment charge was necessary.
Summary
| Topic | Key Takeaway |
|---|---|
| Purpose of documentation | Enable an experienced auditor with no prior connection to understand the nature, timing, extent, and results of procedures, significant findings, and significant professional judgments |
| Forms of documentation | Physical or electronic — narratives, programs, schedules, confirmations, correspondence, checklists, and electronic workpapers |
| Required elements | Identification of items tested, who performed and reviewed the work, when it was done, and conclusions reached |
| Documentation completion date | 60 days (AICPA / nonissuers) or 45 days (PCAOB / issuers) after report release |
| Retention period | 5 years (AICPA / nonissuers) or 7 years (PCAOB / issuers) minimum |
| Changes after completion | No deletions allowed; additions must note the date, person, and reason for the change |
| PCAOB specifics | More stringent identification requirements, mandatory documentation of methodology departures, 7-year retention |
| Significant matters | Significant findings, risks, difficulties, and professional judgments must be documented with particular care |