Agreed to mm/dd/yy workpapers

Confirmed with maker of transactionno exceptions

Examined during audit procedures
Footed
Footed and cross-footed
Traced to ledger balance
Traced to cash receipts deposit slips
Verified computation

EXHIBIT 16.9 Workpaper Auditor Tick Marks Examples

used for each. Rather than asking the auditor to develop a legend, many internal audit
departments have a standard set of tick mark symbols for use in all workpapers. For example, a
check mark with a line through it means that the workpaper item was traced to a supporting
schedule and the numbers at each were correct. These standard tick marks should be used by all
members of the audit staff for all audits.
Standard tick marks improve communication, as audit management can easily review and
understand workpapers. Exhibit 16.9 illustrates a set of traditional tick marks developed in the
pencil-and-paper days. Although these same symbols may not be available through Microsoft
Word, similar special characters can be designated for the same purpose. Of course, auditors
might develop another mark to indicate some other type of cross-check performed in the course
of an individual audit, which then must be clearly explained.
(iii) REFERENCES TO EXTERNAL AUDIT SOURCES
Internal auditors often record information taken from outside sources. For example, an internal
auditor may gain an understanding of an operational area through an interview with
management. The auditor would record that interview through workpaper notes and rely on that
information as the basis of further audit tests or conclusions. It is always important to record the
source of such commentary directly in the workpapers. For example, a workpaper exhibit could
show how the auditor gained an understanding of a sample system, and the source that provided
that information should be documented.
Auditors may need to reference laws or regulations to support their audit work. Similarly,
they may perform a vendor-related review and access a Web search to verify vendor existence. It
is usually not necessary to include in the workpapers a copy of what may be a voluminous
regulation, or a copy of a page from the search. However, workpapers should clearly indicate the
title and source of all external references, including the Internet address if appropriate. Extract
page copies can be included to make a specific point when necessary, but a reference notation is
normally sufficient.
(iv) WORKPAPER ROUGH NOTES
When conducting interviews, internal auditors often make very rough notes, written in a personal
form of shorthand readable only by the author. Auditors should rewrite or reenter these rough
notes into workpaper commentary. Because there may be a reason to review them again, these
original note sheets should be included in the workpapers, placed in the back of the workpaper
manual binder or even in a separate file.
Historically, most workpapers were prepared in pencil. Schedules were recorded on
accounting spreadsheet forms, commentaries were written in longhand, and any exhibits were
attached. Most internal audit departments have now automated their workpapers through the use
of spreadsheet and word-processing software. This automation does not change the workpaper
standards, but it usually makes the workpapers easier to read and to access. The typical
workpaper today may use a mix of manual and automated schedules and audit commentaries.
However, todays workpaper is usually a computer systems folder with perhaps some references
to paper documents.
Technology is always changing, and we may be seeing different formats of audit
evidence supporting audit workpapers in future years. Digital image scanners are very common
today. They can be passed over a paper document, creating a digital image of that document for
later audit evidence retrieval. Similarly, some computers are now equipped with a pen stylus for
the user to write directly on the computer screen. The data are captured on computer files.
These and other evolving technologies offer opportunities for audit workpaper automation.
(e) Workpaper Review Processes
All workpapers should go through an independent internal audit review process to assure that
necessary work has been performed, that it is properly described, and that audit findings are
adequately supported. The chief audit executive (CAE), reporting to the audit committee, has the
overall responsibility for this review but usually delegates that work to supervisory members of
the internal audit department. Depending on the size of the audit staff and the relative importance
of a given audit, there may be multiple reviews of a set of workpapers, one by the in-charge
auditor and another by a more senior member of internal audit management.
 Evidence of this supervisory review should consist of the reviewers initials and dates on
each workpaper sheet reviewed. Some internal audit functions prepare a memorandum or
workpaper review checklist to document the nature and extent of their reviews. In any case, there
should be documented evidence that all workpapers have received a proper level of supervisory
review. In addition to initialing completed workpapers, the supervisory reviewer should prepare a
set of review notes with any questions raised during the review process to give to the responsible
auditor for resolution. Some of these review points or questions may simply highlight clerical
errors, such as missing cross-references. Others may be of a more significant nature and may
require the auditor to do some additional follow-up work. Review questions should be cleared
promptly, and the reviewer should take responsibility to ensure that any open questions are
resolved. This workpaper review process should always take place prior to the issuance of the
final audit report. This will ensure that all report findings have been properly supported by audit
evidence as documented in the workpapers.
16.4 Internal Audit Document Records Management
Efforts to document processes or to describe an internal audit processes through effective
workpapers are of little value unless an internal function has a strong document retention
function covering all of its work products, including auditor notes, copies of meeting minutes, IT
files, and many others. As we move to largely paperless business and internal audit
environments, this document retention need has become much more of a challenge than in the
old days of paper-and-pencil records. In those old days, documents were often retained in formal
filing cabinets. Access required getting a key from an office administrator, supervisor reviews
were evidenced by a familiar signed initial on the form, and attempts to make unauthorized
changes resulted in smudged erasures. The ease and flexibility of things today raises document
risks, such as the loss of audit workpapers due to a stolen laptop to process errors in a CAATT
developed by internal audit.
In the first section of this chapter, we discussed internal audit documentation
requirements and outlined the need to keep all relevant internal audit documentation for seven
years after the completion of an internal audit. This can sometimes cause a challenge in our
paperless auditing environment today. Operating systems or file formats may change, and we
may not be able to access or read a document. Documents can disappear due to someone
mistakenly hitting DELETE, or documents can disappear because of a failure to download an
auditors laptop system to a central server system. An internal audit function needs to implement
strong and consistent document management policies with assigned administrative
responsibilities for the tasks.
Chapter 18 discusses IT general controls and IT Infrastructure Library (ITIL) best
practices. Many of the latter ITIL best practices cover such areas as establishing con- figuration
management controls over IT resources and IT change manage processes. While ITIL focuses on
the IT infrastructure, many of best practice concepts apply to internal audit document
management. The next list discuss some important or even essential needed document
management practices for an internal audit function in todays environment of auditor laptops
and wireless networks:

Document standards and review processes.

Internal audit needs to establish standards for the software used, laptop computer
configurations, and general document and template standards. The goal should be that
every member of the internal audit team is using the same equipment andwith the
exception of some specialized IT toolseveryone is following the same formats and
standards. An objective of an internal audits documentation processes should be to
eliminate all separate paper documents. When an internal auditor needs to use paper
forms or other evidential materials, digital scanners should be employed to capture the
material.
Formal and secure processes should be set for each scheduled audit. An internal
auditor at a field location may be assigned a laptop with a preliminary audit program as
well as workpapers from a prior review all secured and loaded. The lead auditor may
encounter situations where an established audit program needs to be modified, but these
proposed changes can be passed through a secure virtual private network for review and
approval by audit management. That audit work, loaded on the lead auditors laptop and
shared with others on the audit team, should be the prime records repository for a given
internal audit. At the conclusion of the audit, the workpaper materialsincluding the
audit reportshould be downloaded to the audit departments central server system.
Backup, security, and continuity.
This is perhaps the most critical and highrisk area for laptop-based internal audit systems.
Many of the cybersecurity and privacy controls discussed in Chapter 20 are very
appropriate for automated internal audit work as well. A good starting idea here is to
configure and assign auditor laptop systems as internal audit tools only. There should be
no outside links to the Internet or permitted downloads to USB devices. For personal e-
mails back home and the like, an internal auditor can use one of the many small portable
devices available.
While we should not chain an audit laptop to the internal auditors body, strong
security measures should be applied to keep the system secure. Strong security and
password controls should be installed such that if a system is stolen, its contents cannot
be easily accessed. (We use the word easily because strong computer forensics experts
can access almost anything.) Procedures should also be established for internal audit files
to be backed up and downloaded to the internal audit server system on a regular basis.
Hardware and software resource management.
Once some internal audit functions used central IT records for their automated
workpapers. Today, with relatively efficient and lower-cost resources available, there is
really no strong reason why an internal audit function does not have a server system
dedicated to just internal audit purposes. A secure system should be installed as a
 repository for all internal audit activities. The systems key file folders should be folded
in with the IT functions continuity planning processes, as discussed in Chapter 22.
CAATT repository.
Chapter 21 discusses IT tools to improve access and improve audit efficiencies. All too
often, these tools and processes were viewed as part of the IT audit specialists domains
and kept separate from other internal audit documentation and materials. Every effort
should be made to group and organize all CAATT-related materials with other internal
audit workpaper records.
Audit reports, risk management, and internal audit administration.
Internal audit has a need to prepare and distribute a large body of materials, including
audit reports, risk management analyses, budgets, and communications with the audit
committee. The same seven-year document retention rule should apply to these internal
audit administrative records, and they should be placed in secure folders on the audit
department server system.
The seven-year retention rule can place demands on physical storage facilities. Many
enterprises have used secure storage facilities for off-site storage of their older paper documents
that have retention requirements. Vendors will pick up an enterprises critical documents, catalog
them by some broad retrieval categories, and then store the in secure, fire-protected facilities.
These storage vendors provide insurance-company protection of stored documents and will
deliver any document requested in a relatively short time frame. Although originally oriented to
paper documents, similar vendors provide retention facilities for electronic documents. Internal
audit should make arrangements for some type of secure off-site storage for key internal audit
digital and paper documents.

16.5 Importance of Internal Audit Documentation

Adequate documentation is required for virtually all internal audit processes. This chapter has
emphasized the importance of audit workpapers to document internal audit activities as well as
process modeling to describe enterprise activities. The ability to prepare descriptive and effective
workpapers is a key internal CBOK requirement. In addition, all internal auditors, from the CAE
to audit staff, should be comfortable and familiar with the many IT tools available to describe
and document internal audit processes.