
GS 011

Third Party Access to Audit Working Papers

Approval Date: 7 April 2009

Operative Date: This Guidance Statement is operative for financial reporting periods beginning on or after 1 April 2009

This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to auditors regarding third party requests for access to audit or review working papers relating to audits or reviews of a financial report in accordance with the Corporations Act 2001 (“the Act”), audits or reviews of a financial report for any other purpose and audits or reviews of other financial information.

Preamble

Authority Statement

The Auditing and Assurance Standards Board (AUASB) formulates Guidance Statement GS 011 Third Party Access to Audit Working Papers pursuant to section 227B of the Australian Securities and Investments Commission Act 2001, for the purposes of providing guidance on auditing and assurance matters.

This Guidance Statement provides guidance to assist the auditor to fulfil the objectives of the audit or assurance engagement. It includes explanatory details and suggested procedures on specific matters for the purposes of understanding and complying with AUASB Auditing Standards. The auditor exercises professional judgement when using this Guidance Statement.

The Guidance Statement does not prescribe or create new mandatory Requirements.

Application

1

This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to auditors regarding third party requests for access to audit or review working papers relating to:

  1. audits or reviews of a financial report in accordance with the Corporations Act 2001 (“the Act”);
  2. audits or reviews of a financial report for any other purpose; and
  3. audits or reviews of other financial information.

2

This Guidance Statement also applies, as appropriate, to external auditor’s requests for access to internal auditor’s audit working papers.

Issuance Date

3

This Guidance Statement is issued in April 2009 by the AUASB and replaces AGS 1038 Access to Audit Working Papers issued in February 2006.

Introduction

4

This Guidance Statement provides guidance to auditors when establishing and agreeing the conditions under which third parties are voluntarily granted access to their audit working papers and related documentation. Such documentation is required to be prepared in accordance with applicable Auditing Standards.[1] The protocols outlined in this Guidance Statement have resulted from consultation with practitioners, on the basis of a willingness by practitioners to co-operate in providing access to their audit working papers to third parties in certain circumstances.

5

The protocols in this Guidance Statement endeavour to promote cooperation when access to an auditor’s audit working papers is requested. Audit working papers are the auditor’s property, and they may, at their discretion, grant, decline or restrict access (subject to regulatory, legislative or other legal requirements). Each request to access audit working papers is decided on its merits. An auditor might, for example, exercise their discretion to restrict or decline access to their audit working papers when their audit fees are outstanding, or if litigation has commenced or is threatened (unless the auditor becomes compelled to produce audit working papers in connection with that litigation).

6

Regulators may also, pursuant to legislative requirements, request access to audit working papers. When access to audit working papers is required by a regulator, the auditor provides access in accordance with the requirements of the relevant legislation.

[1] Auditing Standard ASA 230 Audit Documentation (paragraph 11) requires an auditor to prepare audit documentation that will enable an experienced auditor, having no previous connection with the audit, to understand: (a) the nature, timing and extent of the audit procedures performed, (b) results of the audit and evidence obtained and (c) significant matters arising during the audit and the conclusions reached thereon.

Definitions

7

For the purposes of this Guidance Statement, the following terms have the meanings attributed below:

7a

“Auditor” means an individual auditor, audit firm or audit company.[2] Unless specified, auditor refers to an external auditor conducting an audit or review of an entity’s financial report or other financial information.

7b

“Audit (or review) working papers” (herein referred to as audit working papers in this Guidance Statement) contained within an audit file may include:

  1. documents or any other records of information, produced or acquired by an auditor (whether from the client or third parties) during an engagement that are used, or developed, to undertake the engagement and fulfil the auditor's responsibilities under that engagement;
  2. copies of documents, records or schedules produced by the client and utilised by the auditor to undertake an engagement;
  3. internal documents and records created or developed by the auditor to perform or support any audit or audit-based procedures undertaken or conclusion derived from these documents, such as memorandums, external correspondence with the client or third parties, and final reports;
  4. audit work programs (other than those considered proprietary by the audit firm); and
  5. for an internal audit engagement—the internal audit working papers.

7c

An “audit file” is a file that contains the audit working papers as defined in (b) above, and those other documents that are excluded for the purposes of allowing third party access, as enumerated in paragraph 8 below.

7d

“Internal audit function” means an appraisal activity, established within, or provided as a service to the entity. Its functions include, amongst other things, examining, evaluating and monitoring the adequacy and effectiveness of internal control.

7e

“Internal auditors” means those individuals who perform the activities of the internal audit function. Internal auditors may belong to an internal audit department of an entity or equivalent function or an internal audit provider.

7f

“Internal audit provider” means a third party contracted to provide internal audit services to an entity.

7g

“Third parties”, in addition to internal audit providers defined in (f) above, may also include regulators, auditors of controlling entities or joint ventures, advisers to prospective purchasers, investors or lenders, and successor auditors.

7h

“Regulators” may include the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA) or the Australian Taxation Office (ATO).

8

For the purposes of this Guidance Statement, the following documents and information which are ordinarily contained in an audit file, do not form part of the auditor’s audit working papers defined in paragraph 7 (b) that are normally provided to third parties when access is requested:

  1. the auditor’s internal budgeting documents concerning costing or billing records for the audit client;
  2. internal staffing-related documents for the engagement and any incidental personnel records or information about the engagement team;
  3. documents or information that are subject to legal professional privilege; and
  4. proprietary work programs (e.g. client acceptance checklists and internal firm independence review checklists).

9

When a regulator seeks access to audit working papers, the relevant legislative provisions may permit the regulator to access documents or information that do not form part of the auditor’s audit working papers as outlined in paragraph 8 above.

10

For the purposes of this Guidance Statement, documents or information included in the audit file may be subject to “legal professional privilege” because an audit client, or relevant laws or regulations, at the time it was originally provided, required that such information or audit working paper be legally privileged. An example is legal advice regarding litigation against the audit client, as provided by its legal counsel. Paragraphs 28–31 of this Guidance Statement contain further discussion related to legal professional privilege.

[2] This is consistent with Section 324AA of the Corporations Act 2001.

Circumstances When Requests for Access Are Made

11

The table below outlines:

  1. common circumstances when requests for access to an external auditor’s audit working papers may arise;
  2. specific paragraphs in this Guidance Statement that could be considered in deciding whether access will be granted; and
  3. the example letter(s) auditors may use for each specific circumstance listed.

 

| Circumstances | Relevant Guidance Statement Paragraph | Example Letters in Appendix 1 |
| --- | --- | --- |
| 1. Audit of a Group Financial Report: When a controlling entity’s auditor wishes to review the audit working papers of the auditor of a controlled entity, in connection with the audit or review of the consolidated financial reports (including consolidated financial statements) of the controlling entity.[3] | 32-40 | Letter A, Letter C |
| 2. Prospective Purchaser, Investor or Lender: When a third party adviser to a prospective purchaser, investor or lender of the auditor’s client wishes to review the audit working papers to obtain information to assist them advise their client about a transaction. | 42 | Letter B1, Letter B2, Letter C |
| 3. Predecessor/Successor Auditor: When an entity’s newly appointed auditor (successor auditor) wants to consider the predecessor auditor’s audit working papers in connection with the next audit or review of the entity. | 49-50 | Letter E, Letter C |
| 4. Internal Audit: Where the internal audit function is outsourced to an internal audit provider and the entity’s external auditor wants to review the entity’s internal audit working papers belonging to the internal audit provider to gain an understanding of the entity’s internal auditing activities relevant to the audit of the financial report. | 43 | Letter C, Letter D |
| 5. Joint Venture: When an auditor of a joint venture participant may want to review the audit working papers of the auditor of the joint venture audit. | 41 | Letter A, Letter C |

[3] In these circumstances, Section 323B of the Corporations Act 2001 requires the controlled entity’s auditor to give the controlling entity’s auditor any information, explanation or assistance required under Section 323A of the Act.

General Considerations Applicable to all Requests for Access to Audit Working Papers

12

Certain matters need to be considered when an auditor receives a request for access to audit working papers. They include:

  1. client confidentiality requirements concerning access to audit working papers;
  2. risk of legal claims resulting from allowing access and appropriate legal protection to mitigate that risk, such as indemnities that may be required (depending on the circumstances governing the request including the form of the release, waiver or indemnity);
  3. the appropriate sequence of indemnities between the auditor, auditor’s client and any third parties;
  4. how and when the auditor grants access to their audit working papers, including having regard to whether the audit is complete; and
  5. whether the audit working papers contain documents or information that are subject to legal professional privilege, which should not form part of the audit working papers to be accessed by third parties.

13

The guidance provided in this Guidance Statement needs to be adapted to the specific client or other circumstances faced by the auditor. For example, when an auditor is responding to a request to access their audit working papers by a regulator, some of the above considerations may not be applicable, as access is granted in accordance with the requirements of the relevant legislation.

Client Confidentiality

14

Before the auditor grants third party access to audit working papers, the client’s consent is necessary to ensure the auditor complies with their common law duty of confidentiality to the client, as well as applicable professional ethical standards on confidentiality[4] and any contractual undertakings that the auditor may have given to the client. Unless consent is given, preferably in writing, the auditor cannot voluntarily grant access to third parties unless required by law to do so.

15

When access to audit working papers is required by a regulator, the auditor (unless prohibited by the terms of the regulator) needs to consider informing their client that access is being sought and will be granted in accordance with legislative requirements.

16

The letter of consent required from the client needs to be signed by a person(s) appropriately authorised to legally bind the client. If the client wishes to give consent under a power of attorney, the auditor considers whether it is necessary to sight the power of attorney document.

Client Indemnity

External Auditor

17

Whenever the auditor’s client, or any third party, seeks access to audit working papers, the auditor ought to obtain from the client and any third party (as the case may be) an indemnity against any liability which arises as a result of that access.

18

A company cannot under the Act[5] indemnify its auditor from a liability to the company or a related body corporate incurred in the capacity of being the company’s auditor. However, the company can indemnify its auditor against liabilities to third parties (i.e. parties other than the company and its related bodies corporate), and third parties themselves can indemnify the auditor against liability to those or other parties. Moreover, the company can indemnify its auditor from a liability to the company or a related body corporate incurred in a capacity other than as auditor.

Internal Auditor

19

The internal audit function of an external auditor’s client may be undertaken by employees of the entity, or, might be outsourced to an internal audit provider. Where the internal audit services are outsourced to an internal audit provider, the opportunity for the external auditor to access the internal audit working papers of the internal audit provider will depend on who “owns” such working papers. Normally, the letter of engagement between the client and the internal audit provider specifies who “owns” internal audit working papers.

20

When the internal audit working papers are “owned” by the client, a consent letter to access the internal audit working papers is not required. Nonetheless, prior to allowing access, the internal audit provider or the client may request the external auditor to acknowledge that their access is subject to their obligations to comply with the requirements of Auditing Standard ASA 610 Considering the Work of Internal Audit. When the internal audit working papers are “owned” by the internal audit provider:

  1. The internal audit provider would ordinarily first require consent from its client before granting access to its working papers to the external auditor. Refer Example Letter C in Appendix 1 for an example client consent letter.
  2. Once the internal audit provider has obtained the signed client consent letter, it would then request the external auditor to provide a signed request letter to access the internal audit working papers. Refer Example Letter D in Appendix 1 for an example of this letter.

 

See paragraph 43 for additional considerations related to granting access to internal audit working papers.

Indemnities from Third Parties

21

The audit working papers which form part of an audit file are ordinarily prepared for the sole purpose of an internal or external audit or review. Their preparation for an external financial report audit or review is for the sole purpose of documenting and supporting the auditor’s conclusions included in the auditor’s report on the financial report. Consequently, audit working papers may not be suitable for any intended use by a third party, as the scope and nature of the third party’s needs are not known by the auditor, and thus, did not form part of the scope of the audit.

22

Access to the audit working papers by third parties, without receipt of appropriate releases, indemnities and waivers of reliance, could place the auditor at risk of a legal claim by the third party based on the results of their access to the audit working papers. Accordingly, it would not be prudent for the auditor to grant such access to their audit working papers, unless the auditor has:

  1. obtained the client’s consent letter; and
  2. agreed terms of access with the third party in writing, including appropriate releases and/or indemnities.

23

If access is provided to audit working papers, in most cases the letter of consent includes an express disclaimer of reliance and exclusion of liability.

24

The Example Letters in Appendix 1 incorporate a suggested form of release, indemnity and waiver of reliance that an auditor ordinarily seeks when responding to a request to access their audit working papers.

25

The Example Letters in Appendix 1 are designed to facilitate access to the auditor’s audit working papers when access is sought by a third party. The Example Letters record the agreed basis on which an auditor may be prepared to provide access to their audit working papers to a third party agent. Access may be denied to the third party agent if a letter is not executed and obtained from the third party and the agent.

Auditor’s Control Over Access to Audit Working Papers

26

An auditor may decide to allow limited access to some of their audit working papers and inform the third party that certain audit working papers have been omitted.

27

When access to audit working papers is granted, the auditor controls how access is to be administered. Ordinarily, the auditor will:

  1. agree on the format (electronic or hard copy) with the third party in which access to the audit working papers will be provided. The auditor is entitled to determine the format so as not to place at risk the confidentiality of any of their proprietary audit software and methodologies, as well as other clients’ confidential information;
  2. agree on and control the extent of access to original audit working papers granted to a third party;
  3. oversee the physical inspection of audit working papers;
  4. request that any questions arising from the examination of the audit working papers be put in writing. The auditor’s response will be restricted to matters in the audit working papers, rather than for example, answering questions of a general nature or matters concerning events subsequent to the reporting period covered by the audit engagement; and
  5. not permit making copies of audit working papers without specific consent. When permission to make copies of audit working papers is granted, the auditor ordinarily:
    1. maintains control over which audit working papers can be copied;
    2. reviews all audit working papers that are to be copied, prior to making them available to the third party;
    3. retains a record of which audit working papers have been copied; and
    4. considers what (if any) charge is to be made for the cost of making copies of the requested audit working papers.

Legal Professional Privilege

28

In undertaking an engagement, the auditor might access or incorporate within their audit file confidential communications made between, or confidential documents prepared by, the audit client and their legal counsel(s). When the dominant purpose of these communications is for the client’s legal counsel to provide legal advice to the client, or where the documents have been created in contemplation of existing or anticipated legal proceedings, the communications may be subject to legal professional privilege.

29

Documents or information included in the audit file that are subject to legal professional privilege are owned by the client and not the auditor. When granting access to audit working papers is being contemplated, the auditor needs to consider obtaining legal advice from its own legal counsel as to how to deal with documents or information that may be subject to legal professional privilege. A client also ought to have an opportunity to review all documents and information that are to be produced so that the client can assess whether a claim for legal professional privilege will be made in relation to specified documents.

30

The following are example communications, documents and information that may attract legal professional privilege:

  1. Correspondence between the client and their legal advisers for the dominant purpose of giving or receiving legal advice, or for use in existing or anticipated litigation, that has been provided to the auditor for the engagement;
  2. Opinions from the legal counsel, and associated billing costs (including details of legal costs), where such information would disclose the nature of the advice sought or given;
  3. Correspondence between the auditor and the client’s legal counsel; or
  4. Documents that incorporate the types of documents listed (a) to (c) above.

31

If any of the documents or information listed in paragraph 30 above are contained in the audit working papers, or if the auditor is in any doubt about whether any client communications, documents or information are subject to legal professional privilege, the auditor notifies their client in accordance with paragraph 29 above. In these circumstances, the auditor might also need to consult with their own legal counsel in order to correctly identify the status of communications and documents that could potentially be the subject of legal professional privilege.

[4] See Compiled APES 110 Code of Ethics for Professional Accountants, issued by the Accounting Professional and Ethical Standards Board.

[5] See Section 199A, Corporations Act 2001.

Granting Access to the Auditor of a Controlling Entity

Basis for Granting Access

32

The auditor of a controlling entity has a duty to form an opinion on various matters as may be required by laws or regulations, such as the Corporations Act 2001 (or other relevant statutory requirements) regarding the consolidated financial report of the entity. There may also be circumstances when the auditor of a controlling entity may be engaged to perform a non-statutory audit of the consolidated financial report of the entity. The auditor of the controlling entity may wish to access the audit working papers of the auditor of a controlled entity in order to assist them in the audit of the controlling entity. Under Auditing Standard ASA 600 Using the Work of Another Auditor, the auditor of the controlling entity is required to perform procedures to obtain sufficient appropriate audit evidence, that the work of the auditor of the controlled entity is adequate for the purposes of the auditor of the controlling entity, in the context of the specific engagement.[6]

Relevant Factors to Consider

33

For an audit or review conducted under the Corporations Act 2001 of a financial report that includes consolidated financial statements, the auditor of a controlled entity must allow the auditor of the controlling entity access to the controlled entity’s books and must give the auditor of the controlling entity any information, explanation or assistance required, for the purposes of the audit or review.[7] The meaning attaching to these statutory requirements is not precise, as there is no judicial or statutory authority about what is meant by the words “information, explanation or assistance”. The Act does not specify that the external auditor of the controlling entity has a statutory right to inspect the audit working papers of the external auditor of the controlled entity. Nonetheless, the auditor of a controlled entity ordinarily endeavours to be open and frank with the auditor of the controlling entity and seeks to ensure compliance with any reasonable request by the auditor of the controlling entity to discharge their responsibilities under the Corporations Act 2001. In determining the extent of obligations when the auditor of the controlled entity gives the controlling entity’s auditor access to their audit working papers, the requirements of Auditing Standard ASA 600 are to be complied with.

34

The auditor of a controlled entity may grant the auditor of the controlling entity access to its audit working papers. For example, access is normally given for audit or review engagements (under the Act or otherwise), but only if:

  1. the controlled entity agrees to the terms of access as set out in Example Letter C in Appendix 1, including a release and indemnity in favour of the auditor of the controlled entity from liability which might arise through access being given to the auditor of the controlling entity; and
  2. the auditor of the controlling entity agrees to the terms of access as set out in Example Letter A in Appendix 1.

35

When access to audit working papers is granted, for audit or review engagements under the Act, the controlling entity cannot release or indemnify the auditor of the controlled entity under the Act’s relevant provisions.[8] The auditor of the controlling entity will also often not agree to release or indemnify the auditor of the controlled entity by virtue of reliance by the controlling entity’s auditor on the auditor of the controlled entity’s performance of its obligations required by the Act.[9] Where the auditor of the controlled entity gives assistance or information to the auditor of the controlling entity more than is required by the Act[8], the auditor of the controlled entity could seek a release and an indemnity from the auditor of the controlling entity (and arguably from the controlling entity itself). Any release or indemnity referred to in this paragraph must extend to liability that arises through access to audit working papers, other files maintained by the auditor and their audit staff.

36

Notwithstanding some uncertainty about the working paper access obligations of an auditor of a controlled entity under the Act[10], Example Letter A in Appendix 1 identifies the basis upon which the auditor of a controlled entity may make audit working papers available to the auditor of the controlling entity. Example Letter A is completed and exchanged between both auditors, before access is granted by the auditor of a controlled entity to their audit working papers.

Circumstances in Which an Auditor of a Controlled Entity can Provide Access to their Audit Working Papers

37

Ordinarily, the auditor of the controlled entity will not allow the auditor of the controlling entity access to its audit working papers until the auditor of the controlled entity has completed its audit or review.

38

For the purposes of this Guidance Statement, the audit of a controlled entity is complete when:

  1. the directors’ declaration about the financial statements[11] or similar representation by the entity’s governing body, attached to the financial report, is signed; and
  2. the auditor’s report on the financial report is signed and dated.

39

Some practical issues that may be encountered by an auditor of a controlled entity regarding access to their audit working papers by the auditor of the controlling entity include:

  1. Where the controlled entity is a subsidiary of an overseas controlling entity and the management of the controlling entity has forwarded a group consolidation package, access may not be granted to the controlling entity’s auditor until the controlled entity’s audit has been completed in accordance with paragraph 38 (a) and (b) above. Prior to this, the controlled entity’s auditor may consider if it is prepared to provide a written response on the stage of completion of the audit, the basis of the review of the consolidation package and the opinion on the appropriateness of the package for group consolidation purposes.
  2. If the controlled entity’s financial report has been finalised, and submitted for group consolidation purposes, but the requirements in paragraph 38 (a) and (b) above are not yet complete, then access to the auditor’s audit working papers is inappropriate, and is unlikely to be granted. Until the directors have provided the auditor the signed directors’ declaration, the auditor of the controlled entity will not be able to confirm that the directors have agreed with, and adopted the representations of management. Once this occurs, the auditor of the controlled entity may be requested to advise the auditor of the controlling entity, in writing, of any differences between the previously reported upon group consolidation package and the statutory financial report.

40

The following guidance is also relevant with regard to access to audit working papers by the auditor of the controlling entity:

  1. At the completion of the audit of a controlled entity, the auditor of the controlled entity may grant the auditor of the controlling entity access to their audit working papers, when the auditor of the controlling entity has provided to the auditor of the controlled entity a letter of understanding in the form of Example Letter A in Appendix 1.
  2. Access to the controlled entity’s auditor’s audit working papers and audit staff is likely to be denied to all parties and, similarly, access ought not be requested until the completion of the audit of the controlled entity or until adoption of the controlled entity’s financial report. Nonetheless, the respective auditors may negotiate access to audit working papers at an earlier time. When access to incomplete audit working papers is permitted, it is prudent to acknowledge that the audit work or accompanying audit working papers may not reflect significant events or matters which are material to the audit or review at the date when access is agreed. The acknowledgement ought to also contain the extent to which the controlled entity’s auditor has any obligation or responsibility to update the audit working papers or inform the reviewing auditor of information obtained subsequent to the date access is provided to the incomplete audit working papers.
  3. Until completion of the audit of the controlled entity, or until completion of a group’s consolidation reporting package, requests by the auditor of the controlling entity to the auditor of the controlled entity for progress reports, advice on or information on the audit of the controlled entity are best made in writing, detailing specific matters on which a response is sought, and allowing the auditor of the controlled entity to respond in writing.

Access to Audit Working Papers of the Joint Venture Auditor

41

When an audit client is one of the parties in a joint venture, the audit client’s auditor may seek access to the audit working papers belonging to the auditor of the joint venture. In this context, issues similar to those related to access to audit working papers of the auditor of a controlled entity by the controlling entity’s auditor (discussed above) will need to be considered. Normally, audit arrangements are outlined in the joint venture agreement, wherein one auditor is appointed to audit the joint venture. However, as the investment in the joint venture may be material to one or more of the joint venturers (whose financial report may be audited by another auditor), it may be necessary for that auditor to gain access to the audit working papers of the joint venture’s auditor. Unless specifically provided for in the auditor’s contract of appointment with the joint venture, the auditors of the joint venture parties may not be legally entitled to such access. However, to assist the auditor of a joint venture party, access may be granted at the discretion of all the relevant parties to the joint venture and the joint venture’s auditor by completing and exchanging Example Letter A in Appendix 1.

6

See Auditing Standard ASA 600 Using the Work of Another Auditor.

7

See Sections 323A and 323B of the Corporations Act 2001.

8

Under the relevant provisions of Section 199A, Corporations Act 2001.

9

Refers to legal obligations of the auditor of the controlled entity required by Section 323B, Corporations Act 2001.

10

See Section 323B, Corporations Act 2001.

11

As required by Section 295, Corporations Act 2001.

Granting Access to Prospective Purchasers, Investors or Lenders

Basis for Granting Access

42

Owners of an entity seeking to sell their investment, or entities seeking further equity or loan funding from third parties, often believe their objectives might be facilitated by requesting the entity’s auditor to make available their audit working papers to third parties. As such a request potentially exposes an auditor to significant legal risk, access to audit working papers for this purpose necessitates the following matters be considered by the auditor before access is given:

  1. whether to obtain legal advice; and
  2. ensure the auditor’s client and third parties, to whom access is to be given, confirm and acknowledge, in favour of the auditor:
    1. that no representation is made about the accuracy or completeness of the audit working papers or any additional information provided in connection with that access, or of any individual amounts, accounts, balances, transactions or disclosures, or the accuracy or completeness of other information included in the audit working papers or any additional information;
    2. that the auditor is not responsible to the audit client and/or other third parties for any loss suffered in connection with access to, or use of, the audit working papers; and
    3. that the auditor will receive an indemnity against any loss, action, liability, claim, suit, demand, claim for costs or expenses or any other proceeding that the auditor may suffer arising out of, or in connection with, granting access to the audit working papers and the additional information given in connection with that access.

Granting Access to Internal Audit Working Papers in an Outsourced Internal Audit Arrangement

43

When the internal audit function of an entity is outsourced to an internal audit provider, or where personnel from the internal audit provider are seconded to an internal audit client, and the audit working papers belong to the internal audit provider, the external auditor may seek access to the entity’s internal audit working papers to gain an understanding of internal auditing activities that are relevant to the audit or review of the financial report. In such circumstances, the following matters may be considered:

  1. the external auditor seeking access to the internal auditor’s audit working papers needs to comply with the requirements and guidance in Auditing Standard ASA 610 Considering the Work of Internal Audit. This includes acknowledging that an understanding of the audit client’s internal control structure and subsequent assessment of audit risk, gained from the review of the internal auditor’s audit working papers, are based solely on the external auditor’s professional judgement; and
  2. generally, internal audit working papers prepared by an internal audit provider will not be released for review by the external auditor until after the related internal audit report is finalised and/or has been tabled with the Audit Committee (or equivalent governing body), subject to the terms of the outsourcing arrangement.

Granting Access to Audit Working Papers by Regulators

44

An auditor is required to produce, or give access to, their audit working papers when:

  1. legally requested to do so pursuant to the issue of a subpoena, search warrant or court order or pursuant to discovery obligations during court proceedings; or
  2. required by a regulator such as ASIC, APRA and the ATO, under relevant legislative provisions.

45

Regulators may seek to access an auditor’s audit working papers when, for example, they are undertaking:

  1. an investigation of an alleged or suspected contravention of the relevant legislation by the auditor’s client; or
  2. compliance-related surveillance activities concerning legislative obligations or monitoring of industry-wide issues that affect the auditor’s client.

46

If under the relevant legislation regulatory authorities seek access to audit working papers, the auditor’s statutory obligations under normal circumstances will override common law or professional responsibilities to respect the confidentiality of the client. The level of access granted by the external auditor will need to be in accordance with the requirements of the relevant legislation.

47

When a regulator requests an auditor to provide access to their audit working papers, the request is normally made on a formal basis, by issuing a written notice under the legislation. The notice typically sets out, for example, the nature of the matter to be investigated, to whom and when audit working papers are required to be made available and a description of the specific audit working papers to be provided.

48

The base level financial requirements (refer paragraph 18) and other financial requirement conditions, as set out in ASIC Pro Forma 209 (PF 209), do not apply, but FS70 and FS71 are still required to be lodged with ASIC, if the Licensee is either:

  1. inform the client, or former client that a request for audit working papers concerning the audit client’s engagement has been made and the purpose for which access is required, except where such disclosure is prohibited by law;
  2. consult their legal counsel;
  3. where appropriate, and in consultation with the client, inform the regulator seeking access to their audit working papers that certain audit working papers may not be accessed, because they are the subject of client legal professional privilege (see paragraph 28);
  4. maintain a written record of action taken to comply with the regulator’s request, as well as a list of the audit working papers provided pursuant to such request; and
  5. ensure the regulator provides a written receipt for all audit working papers accessed.

Reviewing the Audit Working Papers of a Predecessor Auditor

49

A recently appointed auditor (successor auditor) of an entity which requires an audit in accordance with the Act has a statutory responsibility to report on the financial report of the entity in the year of appointment pursuant to the provisions of the Act (or other relevant legislation). The financial report on which the successor auditor reports is affected by the account balances carried forward from the previous reporting period on which the predecessor auditor issued an audit report. Consequently, the successor auditor will need to form a view about whether the opening balances for the year are fairly stated in accordance with Auditing Standard ASA 510 Initial Engagements–Opening Balances. It is for this purpose that access to the predecessor auditor’s audit working papers may be obtained. The consent of the auditor’s client prior to granting access is considered essential in these circumstances and Example Letter C in Appendix 1 sets out the matters that are ordinarily addressed.

Appropriate Procedures

50

Where the predecessor auditor agrees to provide the successor auditor access to the auditor’s audit working papers, such access ordinarily involves an exchange of letters between the two auditors. Example Letter E in Appendix 1 sets out the matters ordinarily addressed, though amendments may be required to reflect circumstances specific to the engagement.

Conformity with International Pronouncements

51

There is no equivalent International Auditing Practice Statement (IAPS) to this Guidance Statement.
