ISA 230 Audit Documentation: What Auditors Must Record

Audit documentation is the evidence that an audit was done properly. Without adequate documentation, an audit firm cannot defend its work to a regulator, a court, or a quality reviewer — regardless of how good the underlying audit actually was. ISA 230 sets the standard for what needs to be documented and when.

The Experienced Auditor Standard

The core test under ISA 230 is whether the audit file would enable an experienced auditor with no prior connection to the engagement to understand: the nature, timing and extent of procedures performed; the results and evidence obtained; and the significant matters arising and conclusions reached. "Experienced auditor" means a senior practitioner with reasonable knowledge of audit and financial reporting — not a specialist in the specific industry. This is a demanding standard that requires substantive documentation, not mere cross-references to blank workpapers.

What Must Be Documented

The file must contain: the overall audit strategy and the detailed audit plan; documentation of risk assessment procedures and results; responses to assessed risks; all significant matters and the reasoning behind significant judgements; evidence reviewed and conclusions reached; and communications with management and those charged with governance. The documentation standard for significant matters — areas requiring significant judgement, departures from ISAs, difficulties encountered — is particularly high.

Timing

Documentation should be prepared on a timely basis — ideally contemporaneously as work is performed. Preparing documentation long after the event from memory is poor practice and potentially misleading. The final audit file must be assembled and completed within 60 days of the audit report date (the "file completion date").

The Assembly Period and Subsequent Changes

During the assembly period (up to 60 days post report), the file can be organised and indexed but substantive changes to conclusions are not permitted. After file completion, no documentation may be deleted — only additions are permitted, and any addition must be documented with the reason and the date. This prevents retrospective amendment of audit files.

Retention

Audit files must be retained for at least five years from the audit report date, or longer if required by law or regulation. In practice, most firms retain for seven years. Files must be protected from unauthorised access and inadvertent damage.

Further Reading

• ISA 300 Planning an Audit
• Audit Evidence: Types and Sources
• Audit CPD

Study with Learnsignal: Audit CPD for qualified accountants. Browse CPD.