Audit Documentation: Auditing Interpretations of Section 339
Question—Section 339, Audit Documentation, paragraph .11, states that “the auditor has an ethical, and in some situations a legal, obligation to maintain the confidentiality of client information...Because audit documentation often contains confidential client information, the auditor should adopt reasonable procedures to maintain the confidentiality of that information.” However, auditors are sometimes required by law, regulation or audit contract, fn 3 to provide a regulator, or a duly appointed representative, access to audit documentation. For example, a regulator may request access to the audit documentation to fulfill a quality review requirement or to assist in establishing the scope of a regulatory examination. Furthermore, as part of the regulator’s review of the audit documentation, the regulator may request copies of all or selected portions of the audit documentation during or after the review. The regulator may intend, or decide, to make copies (or information derived from the audit documentation) available to others, including other governmental agencies, for their particular purposes, with or without the knowledge of the auditor or the client. When a regulator requests the auditor to provide access to (and possibly copies of) audit documentation pursuant to law, regulation or audit contract, what steps should the auditor take?
Interpretation—When a regulator requests access to audit documentation pursuant to law, regulation or audit contract, the auditor should take the following steps:
- Consider advising the client that the regulator has requested access to (and possibly copies of) the audit documentation and that the auditor intends to comply with such request. fn 4
- Make appropriate arrangements with the regulator for the review.
- Maintain control over the audit documentation, and
- Consider submitting the letter described in paragraph .05 of this Interpretation to the regulator.
The auditor should make appropriate arrangements with the regulator. These arrangements ordinarily would include the specific details such as the date, time and location of the review. The audit documentation may be made available to a regulator at the offices of the client, the auditor, or a mutually agreed-upon location, so long as the auditor maintains control. Furthermore, the auditor should take appropriate steps to maintain control of the audit documentation. For example, the auditor (or his or her representative) should consider being present when the audit documentation is reviewed by the regulator. Maintaining control of audit documentation is necessary to ensure the continued integrity of the audit documentation and to ensure confidentiality of client information.
Ordinarily, the auditor should not agree to transfer ownership of the audit documentation to a regulator. Furthermore, the auditor should not agree, without client authorization, that the information contained therein about the client may be communicated to or made available to any other party. In this regard, the action of an auditor providing access to, or copies of, the audit documentation shall not constitute transfer of ownership or authorization to make them available to any other party.
An audit performed in accordance with generally accepted auditing standards is not intended to, and does not, satisfy a regulator’s oversight responsibilities. To avoid any misunderstanding, prior to allowing a regulator access to the audit documentation, the auditor should consider submitting a letter to the regulator that:
- Sets forth the auditor’s understanding of the purpose for which access is being requested
- Describes the audit process and the limitations inherent in a financial statement audit
- Explains the purpose for which the audit documentation was prepared, and that any individual conclusions must be read in the context of the auditor’s report on the financial statements
- States, except when not applicable, that the audit was not planned or conducted in contemplation of the purpose for which access is being granted or to assess the entity’s compliance with laws and regulations
- States that the audit and the audit documentation should not supplant other inquiries and procedures that should be undertaken by the regulator for its purposes
- Requests confidential treatment under the Freedom of Information Act or similar laws and regulations, fn 5 when a request for the audit documentation is made, and that written notice be given to the auditor before transmitting any information contained in the audit documentation to others, including other governmental agencies, except when such transfer is required by law or regulation, and
- States that if any copies are to be provided, they will be identified as “Confidential Treatment Requested by (name of auditor, address, telephone number).”
The auditor may wish to obtain a signed acknowledgment copy of the letter as evidence of the regulator’s receipt of the letter.
An example of a letter containing the elements described in paragraph .05 of this Interpretation is presented below:
Illustrative Letter to Regulator fn 6
(Name and Address of Regulatory Agency)
Your representatives have requested access to our audit documentation in connection with our audit of the December 31, 20XX financial statements of (name of client). It is our understanding that the purpose of your request is (state purpose: for example, “to facilitate your regulatory examination”). fn 7
Our audit of (name of client) December 31, 20XX financial statements was conducted in accordance with auditing standards generally accepted in the United States of America, fn 8 the objective fn 9 of which is to form an opinion as to whether the financial statements, which are the responsibility and representations of management, present fairly, in all material respects, the financial position, results of operations and cash flows in conformity with generally accepted accounting principles. fn 10 Under generally accepted auditing standards, we have the responsibility, within the inherent limitations of the auditing process, to design our audit to provide reasonable assurance that errors and fraud that have a material effect on the financial statements will be detected, and to exercise due care in the conduct of our audit. The concept of selective testing of the data being audited, which involves judgment both as to the number of transactions to be audited and as to the areas to be tested, has been generally accepted as a valid and sufficient basis for an auditor to express an opinion on financial statements. Thus, our audit, based on the concept of selective testing, is subject to the inherent risk that material errors or fraud, if they exist, would not be detected. In addition, an audit does not address the possibility that material errors or fraud may occur in the future. Also, our use of professional judgment and the assessment of materiality for the purpose of our audit means that matters may have existed that would have been assessed differently by you.
The audit documentation was prepared for the purpose of providing the principal support for our report on (name of client) December 31, 20XX financial statements and to aid in the conduct and supervision of our audit. The audit documentation is the principal record of auditing procedures performed, evidence obtained and conclusions reached in the engagement. The auditing procedures that we performed were limited to those we considered necessary under generally accepted auditing standards fn 11 to enable us to formulate and express an opinion on the financial statements fn 12 taken as a whole. Accordingly, we make no representation as to the sufficiency or appropriateness, for your purposes, of either the information contained in our audit documentation or our auditing procedures. In addition, any notations, comments, and individual conclusions appearing on any of the audit documents do not stand alone, and should not be read as an opinion on any individual amounts, accounts, balances or transactions.
Our audit of (name of client) December 31, 20XX financial statements was performed for the purpose stated above and has not been planned or conducted in contemplation of your (state purpose: for example, “regulatory examination”) or for the purpose of assessing (name of client) compliance with laws and regulations. fn 13 Therefore, items of possible interest to you may not have been specifically addressed. Accordingly, our audit and the audit documentation prepared in connection therewith, should not supplant other inquiries and procedures that should be undertaken by the (name of regulatory agency) for the purpose of monitoring and regulating the financial affairs of the (name of client). In addition, we have not audited any financial statements of (name of client) since (date of audited balance sheet referred to in the first paragraph above) nor have we performed any auditing procedures since (date), the date of our auditor’s report, and significant events or circumstances may have occurred since that date.
The audit documentation constitutes and reflects work performed or evidence obtained by (name of auditor) in its capacity as independent auditor for (name of client). The documents contain trade secrets and confidential commercial and financial information of our firm and (name of client) that is privileged and confidential, and we expressly reserve all rights with respect to disclosures to third parties. Accordingly, we request confidential treatment under the Freedom of Information Act or similar laws and regulations fn 14 when requests are made for the audit documentation or information contained therein or any documents created by the (name of regulatory agency) containing information derived therefrom. We further request that written notice be given to our firm before distribution of the information in the audit documentation (or copies thereof) to others, including other governmental agencies, except when such distribution is required by law or regulation.
[If it is expected that copies will be requested, add:
Any copies of our audit documentation we agree to provide you will be identified as “Confidential Treatment Requested by (name of auditor, address, telephone number).”]
Question—A regulator may request access to the audit documentation before the audit has been completed and the report released. May the auditor allow access in such circumstances?
Interpretation—When the audit has not been completed, the audit documentation is necessarily incomplete because (a) additional information may be added as a result of further tests and review by supervisory personnel and (b) any audit results and conclusions reflected in the incomplete audit documentation may change. Accordingly, it is preferable that access be delayed until all auditing procedures have been completed and all internal reviews have been performed. If access is provided prior to completion of the audit, the auditor should consider issuing the letter referred to in paragraph .05 of this Interpretation, appropriately modified, and including additional language along the following lines:
“We have been engaged to audit in accordance with auditing standards generally accepted in the United States of America the December 31, 20XX, financial statements of XYZ Company, but have not as yet completed our audit. Accordingly, at this time we do not express any opinion on the Company’s financial statements. Furthermore, the contents of the audit documentation may change as a result of additional auditing procedures and review of the audit documentation by supervisory personnel of our firm. Accordingly, our audit documentation is incomplete.”
Because the audit documentation may change prior to completion of the audit, the auditor ordinarily should not provide copies of the audit documentation until the audit has been completed.
Question—Some regulators may engage an independent party, such as another independent public accountant, to perform the audit documentation review on behalf of the regulatory agency. Are there any special precautions the auditor should observe in these circumstances?
Interpretation—The auditor should be satisfied that the party engaged by the regulator is subject to the same confidentiality restrictions as the regulatory agency itself. This can be accomplished by obtaining acknowledgment, preferably in writing, from the regulator stating that the third party is acting on behalf of the regulator and agreement from the third party that he or she is subject to the same restrictions on disclosure and use of audit documentation and the information contained therein as the regulator.
Question—When a regulator requests the auditor to provide access to (and possibly copies of) audit documentation and the auditor is not otherwise required by law, regulation or audit contract to provide such access, what steps should the auditor take?
Interpretation—The auditor should obtain an understanding of the reasons for the regulator’s request for access to the audit documentation and may wish to consider consulting with legal counsel regarding the request. If the auditor decides to provide such access, the auditor should obtain the client’s consent, preferably in writing, to provide the regulator access to the audit documentation.
Following is an example of language that may be used in the written communication to the client:
“The audit documentation for this engagement is the property of (name of auditor) and constitutes confidential information. However, we have been requested to make certain audit documentation available to (name of regulator) for (describe the regulator’s basis for its request). Access to such audit documentation will be provided under the supervision of (name of auditor) personnel. Furthermore, upon request, we may provide copies of selected audit documentation to (name of regulator).
“You have authorized (name of auditor) to allow (name of regulator) access to the audit documentation in the manner discussed above. Please confirm your agreement to the above by signing below and returning to (name of auditor, address).”
Agreed and acknowledged:
(Name and title)
If the client requests to review the audit documentation before allowing the regulator access, the auditor may provide the client with the opportunity to obtain an understanding of the nature of the information about its financial statements contained in the audit documentation that is being made available to the regulator. When a client reviews the audit documentation, the auditor should maintain control of the audit documentation as discussed in paragraph .03 of this Interpretation.
The auditor should also refer to the guidance in paragraphs .03–.10 of this Interpretation which provide guidance on making arrangements with the regulator for access to the audit documentation, maintaining control over the audit documentation and submitting a letter describing various matters to the regulator.
[Issue Date: July, 1994; Revised: June, 1996;
Revised: October, 2000; Revised: January, 2002.]
Footnotes (AU Section 9339 — Audit Documentation: Auditing Interpretations of Section 339):
fn 1 The term "regulator(s)" includes federal, state and local government officials with legal oversight authority over the entity. Examples of regulators who may request access to audit documentation include, but are not limited to, state insurance and utility regulators, various health care authorities, and federal agencies such as the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the Department of Housing and Urban Development, the Department of Labor, and the Rural Electrification Administration.
fn 2 The guidance in this Interpretation does not apply to requests from the Internal Revenue Service, firm practice-monitoring programs to comply with AICPA or state professional requirements such as peer or quality reviews, proceedings relating to alleged ethics violations, or subpoenas.
fn 3 For situations in which the auditor is not required by law, regulation or audit contract to provide a regulator access to the audit documentation, reference should be made to the guidance in paragraphs .11–.15 of this Interpretation.
fn 4 The auditor may wish (and in some cases may be required by law, regulation, or audit contract) to confirm in writing with the client that the auditor may be required to provide a regulator access to the audit documentation. Sample language that may be used follows:
"The audit documentation for this engagement is the property of (name of auditor) and constitutes confidential information. However, we may be requested to make certain audit documentation available to (name of regulator) pursuant to authority given to it by law or regulation. If requested, access to such audit documentation will be provided under the supervision of (name of auditor) personnel. Furthermore, upon request, we may provide copies of selected audit documentation to (name of regulator). The (name of regulator) may intend, or decide, to distribute the copies or information contained therein to others, including other governmental agencies."
fn 5 The auditor may need to consult the regulations of individual agencies and, if necessary, consult with legal counsel regarding the specific procedures and requirements necessary to gain confidential treatment.
fn 6 The auditor should appropriately modify this letter when the audit has been performed in accordance with generally accepted auditing standards and also in accordance with additional auditing requirements specified by a regulatory agency (for example, the requirements specified in Government Auditing Standards issued by the Comptroller General of the United States).
fn 7 If the auditor is not required by law, regulation, or audit contract to provide a regulator access to the audit documentation but otherwise intends to provide such access (see paragraphs .11–.15 of this Interpretation), the letter should include a statement that: "Management of (name of client) has authorized us to provide you access to our audit documentation for (state purpose)."
fn 8 Refer to footnote 6.
fn 9 In an audit performed in accordance with the Single Audit Act of 1984, and certain other federal audit requirements, an additional objective of the audit is to assess compliance with laws and regulations applicable to federal financial assistance. Accordingly, in these situations, the above letter should be modified to include the additional objective.
fn 10 If the financial statements have been prepared in conformity with regulatory accounting practices, the phrase "financial position, results of operations and cash flows in conformity with generally accepted accounting principles" should be replaced with appropriate wording such as, in the case of an insurance company, the "admitted assets, liabilities... of the XYZ Insurance Company in conformity with accounting practices prescribed or permitted by the state of... insurance department."
fn 11 Refer to footnote 6.
fn 12 Refer to footnote 9.
fn 13 Refer to footnote 9.
fn 14 This illustrative paragraph may not in and of itself be sufficient to gain confidential treatment under the rules and regulations of certain regulatory agencies. The auditor should consider tailoring this paragraph to the circumstances after consulting the regulations of each applicable regulatory agency and, if necessary, consult with legal counsel regarding the specific procedures and requirements to gain confidential treatment.