COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
1112 Entity documentation and electronic (including email) audit evidence
Apr-2015
Overview
This section explains
- guidance on retention of entity documents and files;
- the importance of deleting email and other electronic documents from personal mailboxes and temporary locations once the audit file documentation is completed; and
- the policy and guidance on documentation of electronic audit evidence (email, word processing, spreadsheet, presentation, or similar documents).
OAG Policy
Auditors shall retain in the audit file substantive email communications sent to or received from an entity official or an outside party that are relevant to the audit and are related to the report. [Nov-2011]
Email communications among audit team members shall be retained in the audit file if they relate to a significant matter and contain information or data that is not preliminary. [Nov-2011]
Auditors shall transfer all relevant emails from their personal email boxes to the audit file before the file is finalized and delete any copies of the emails from their mailboxes when the file documentation is completed. [Nov-2011]
Auditors shall transfer audit documentation temporarily stored on USB keys or other storage media to the audit file before the file is finalized and delete the documents from the temporary location when the file documentation is completed. [Nov-2011]
All material, regardless of format or location, that does not form part of the audit record and is no longer required shall be disposed of prior to the completion of the assembly of the final audit file. [Nov-2011]
OAG Guidance
Capturing entity documentation as audit evidence
When there is a known issue or an area that involves a difficult question of judgment or principle, or audit testing produces an exception, it may be necessary to retain relevant audit evidence such as copies of entity documents in the audit file to facilitate the efficient review and clearance of the matter and to provide support that may be necessary in the future.
Only copies (or electronic versions or scanned images) of entity documents are included in an audit file, not original entity documents. (OAG Audit 1191 Retention policies and procedures). When team members obtain original versions of entity documents (for example, a contract, invoice or subject file), they will return them to the entity when they no longer require the documents; they will not discard them under any circumstances.
If entity original documents cannot be returned, team members consult Legal Services.
Following are factors to consider when determining whether to include copies (or electronic versions or scanned images) of entity information in the audit file:
- The risk that the entity records may be modified or not retained when auditors need copies of them later to demonstrate that there was sufficient appropriate evidence to support the report. The risk might be unintentional (i.e., poor record retention practices during the audit) or intentional (i.e., management's efforts at concealing the risk of fraud in the area might involve destruction of documents).
- The risk that a document or record (in electronic form or hard copy) may be subsequently amended.
- The risk that a document or record may be unavailable due to adverse entity circumstances (e.g., fraud, bankruptcy, a troubled relationship between the entity and the Office).
- The computerized system does not retain the details of transactions the Office examined or on which the Office performed comparisons. If the entity's system does not retain the details of the transactions examined (e.g., every receipt and issue of inventory), then the Office may need to retain in its audit file, preferably in electronic form, copies of the documents examined.
Email audit evidence
The requirement to retain email communication from the entity is dependent on the significance of the correspondence and whether that correspondence provides evidence, observations, or other findings.
The overall objective is for the audit file to be the sole repository for all documents required to be retained in connection with the audit (OAG Audit 1111 Nature, purpose, and extent of audit documentation).
Email messages need to retain their structure, content, and their business context. Structure refers to the layout of the message and the attachments and related messages. Context refers to the information documenting the source and destination of the message, the subject matter, dates, and other related information.
In order to maintain their value as evidence, email messages must be maintained in a manner that prevents them from being altered or manipulated. The originator of email messages and attachments should retain them in hard copy or in an accessible electronic format. OAG Audit 1192 Confidentiality, safe custody, integrity, accessibility, and retrievability of engagement documentation provides guidance concerning removing the password or encryption before saving in PROxI or in the audit working paper software.
Word processing, spreadsheet, presentation, or similar documents
Word processing, spreadsheet, presentation, or similar documents also form part of audit documentation and are sometimes stored temporarily on USB keys, local hard drives, central servers or other storage media. Team members need to transfer any of these documents temporarily stored outside the audit file to the audit file before its finalization. Note that such documents may already have been saved as attachments to emails or as other working papers. In this case, additional copies of the same document do not need to be kept. Once they transfer them, team members delete these documents from the original location. Any other data that is not transferred is considered similar to a desk file and is deleted.