Workpaper Retention Presents Internal Audit With Its Own Compliance Risks

I am often surprised by the engagement my social media posts generate by internal auditors around the world. Ours is a profession where benchmarking and networking are an important path to enhancement of our internal audit functions. So, when a colleague asked me to post a LinkedIn poll to gauge internal audit workpaper retention practices, I naturally agreed. I anticipated it would generate some interest and comments, but I was not expecting the response I received. The poll was viewed more than 25,000 times, and generated more than 2,200 votes. In addition, it generated more than 85 thoughtful comments and responses from practitioners around the world.

Before delving into the topic of workpaper retention, it’s important to explore what is meant by internal audit workpapers. The IIA provides guidance for its members on documenting evidence in its “Implementation Guide 2330.” Specifically, The IIA notes that:

“Engagement workpapers are used to document the information generated throughout the engagement process, including planning; testing, analyzing, and evaluating data; and formulating engagement results and conclusions. Workpapers may be maintained on paper, electronically, or both. Use of internal audit software may enhance consistency and efficiency.”

In polling practitioners on workpaper retention, I asked a very simple question: “How long should internal audit workpapers be retained after the conclusion of the audit?” Here were the responses:

• 1-3 YEARS                            14%
• 3-5 YEARS                            46%
• MORE THAN 5 YEARS       39%
• NOT AT ALL                         2%

The responses and comments to the poll were interesting on the surface, but a closer analysis reveals just how little consensus there is on this topic. More than 850 respondents said retain them for more than five years while over 40 respondents said “don’t keep them at all.” Everyone else landed in between. More importantly, the comments from more than 80 respondents clearly indicate that workpaper retention presents a compliance risk for internal auditors that is more commonly encountered in the areas we audit than in our own operations.

Many of those who commented correctly noted that workpaper retention policies should be guided by three requirements:

• Corporate (enterprise) record retention policies. Naturally, internal audit does not operate as a stand-alone entity. It is part of a larger enterprise that typically imposes its own document retention policies. These policies will likely have been developed or approved by the enterprise legal department. These policies will almost always prescribe a minimum retention period, and will frequently include a maximum retention period as well. 

• Statutes or regulations in the jurisdiction where the enterprise operates. While internal audit should strive to conform to enterprise policies when retaining workpapers, it must also ensure records are retained in accordance with laws and regulations in the jurisdiction within which it operates. Internal audit should swiftly surface any discrepancies between enterprise retention policies and those requirements mandated by laws and regulations, for such discrepancies could expose the enterprise to potential legal and regulatory infractions beyond internal audit.

• Timing of internal audit’s “external quality assessment” requirements. Finally, internal audit must also be mindful of its own obligation to comply with Internal Audit Standards contained in The IIA’s International Professional Practices Framework (IPPF). Specifically, “Standard 1312 – External Assessments” states: “External assessments (EQA) must be conducted at least once every five years by a qualified independent assessor or assessment team from outside the organization.” If an internal audit’s last EQA was conducted in 2019, then the next one would be required not later than 2024. So, workpapers from an audit conducted in 2020 would need to be available for review at least four years after the completion of the audit. If workpapers are not available for review by the external quality assessor, it is unlikely that the assessor would be able to judge whether the audit was undertaken in accordance with The Standards.

In addition to the foregoing, the comments to the LinkedIn poll raised a number of other noteworthy points:

• Internal audits that disclosed frauds, or were used in investigations or prosecutions of frauds may need to be retained longer depending on the specific circumstances of the case.
• Workpapers may need to be retained until a follow-up audit has been conducted, or documentation has been received that corrective actions have been implemented by management relating to findings or issues noted in the audit.
• Some elements of the workpapers may need to be retained until the next audit of the function, program or activity is undertaken. Such documentation will assist in the subsequent audit planning process.

The question was also raised regarding how long review notes should be retained for a set of engagement workpapers. There was no consensus on this, but it is my opinion that evidence of supervisory or other workpaper reviews become an integral part of the workpapers. I believe evidence of workpaper reviews should be retained as long as the workpapers are retained.

In the final analysis, I was quickly reminded of the complexities of the topic of workpaper retention that I had long forgotten. As a CAE earlier in my career, I had to consider all of the foregoing issues and more when designing and implementing workpaper retention policies for my audit teams.

Finally, it’s important to remember that record retention is a complex regulatory and legal issue. I am not an attorney, and the information contained in this blog is provided for informational purposes only. Nothing in the blog should be construed as legal advice on document retention by internal auditors. Readers should not act or refrain from acting on the basis of any content included in this blog without seeking legal or other professional advice.

Maybe next time, I will post a poll on a less contentious topic.