GS 011

This Guidance Statement (GS) has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to auditors regarding requests for access to audit working papers relating to the following assurance engagements (herein referred to as an audit or review in this GS):

a. an audit or review of a financial report in accordance with the Corporations Act 2001 (the Act);

b. an audit or review of a financial report, or complete set of financial statements, for any other purpose;

c. an audit or review of other historical financial information;

d. an audit or review of information in a sustainability report in accordance with the Act, or for any other purpose; and

e. other audit or assurance engagements.

This GS also applies, as appropriate, to requests regarding access to an auditor’s internal audit working papers under an entity’s internal audit outsourcing arrangement. The AUASB is considering the approach to sharing documents where there are separate auditors (i.e. audit firms, authorised audit companies or individual auditors) for the financial report and sustainability report, and the value chain for sustainability purposes.

This GS is issued in February 2026 by the AUASB and replaces GS 011 Third Party Access to Audit Working Papers issued in April 2009.

This GS provides guidance to auditors when establishing and agreeing the conditions under which an auditor voluntarily grants third parties and group auditors access to their audit working papers. Audit working papers are prepared to meet the documentation requirements of applicable Australian Auditing Standards, Standards on Assurance Engagements, Standards on Sustainability Assurance and Standards on Review Engagements. The protocols outlined in this GS follow consultation with practitioners, and are on the basis of a willingness by practitioners to co-operate in providing access to their audit working papers to another party in certain circumstances.

The protocols in this GS endeavour to promote cooperation when access to an auditor’s audit working papers is requested. Audit working papers are the auditor’s property, and they may, at their discretion, grant, decline or restrict access (subject to regulatory, legislative or other legal requirements). Each request to access audit working papers is decided on its merits. An auditor might, for example, exercise their discretion to restrict or decline access to their audit working papers when their audit fees are outstanding, or if litigation has commenced or is threatened (unless the auditor becomes compelled to produce audit working papers in connection with that litigation).

Regulators may also, pursuant to legislative requirements, request access to audit working papers. When access to audit working papers is required by a regulator, the auditor provides access in accordance with the requirements of the relevant legislation.

For the purposes of this GS the following items have the meanings attributed below:

Audit – means an assurance engagement and may include:

i. an audit or review of a financial report in accordance with the Act;

ii. an audit or review of a financial report, or complete set of financial statements, for any other purpose;

iii. an audit or review of other historical financial information;

iv. an audit or review of information in a sustainability report in accordance with the Act, or for any other purpose; and

v. other audit or assurance engagements.

Auditor – means an individual auditor, audit firm or audit company.^[1] Unless specified, auditor refers to an external auditor conducting an assurance engagement as described in subparagraphs 1(a) to 1(e).

Audit file – is a file that contains one or more folders or other storage media, in physical or electronic form, containing the records that comprise the documentation (audit working papers) for a specific assurance engagement as defined in 7(d) below, and those other documents that are excluded for the purposes of allowing access, see paragraph 8.

Audit working papers – (herein referred to as audit working papers in this GS) contained within an audit file may include:

i. documents or any other records of information, produced or acquired by an auditor (whether from the client or third parties) during an engagement that are used, or developed, to undertake the engagement and fulfil the auditor's responsibilities under that engagement.

ii. copies of documents, records or schedules produced by the client and utilised by the auditor to undertake an engagement;

iii. internal documents and records created or developed by the auditor to perform or support any audit or audit-based procedures undertaken or conclusion derived from these documents, such as memorandums, external correspondence with the client or third parties, and final reports;

iv. audit work programs (other than those considered proprietary by the audit firm);

v. review or other assurance working papers; and

vi. for an internal audit engagement – the internal audit working papers.

Component auditor – includes an auditor who performs audit work related to a component for purposes of the group audit or an auditor who performs audit work related to a component for purposes of the group sustainability engagement. A component auditor is part of the engagement team for a group audit or a group sustainability engagement.

Group financial report – a financial report that includes the financial information of more than one entity or business unit through a consolidation process. For purpose of this GS, a consolidation process includes:

i. Consolidation, proportionate consolidation, or an equity method of accounting;

ii. The presentation in a combined financial report of the financial information of entities or business units that have no parent but are under common control or common management; or

iii. The aggregation of the financial information of entities or business units such as branches or divisions.^[2]

Group audit – includes an engagement for the audit or review of a group financial report and engagement for assurance on group sustainability information.

Group auditor – the group auditor of the group financial report or the group sustainability information.

Group sustainability report – a sustainability report that includes the sustainability information of more than one entity or business unit.

Internal audit function – a function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management and internal control processes.

Internal auditors – those individuals who perform the activities of the internal audit function. Internal auditors may belong to an internal audit department or equivalent function, outsourcing entity or co-sourced from both internal and out-sourced resources.

Internal audit provider – a third party auditor contracted to provide internal audit services to an entity.

Regulators – may include the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA) or the Australian Taxation Office (ATO).

For the purposes of this GS, the following documents and information which are ordinarily contained in an audit file, may not form part of the auditor’s audit working papers defined in paragraph 7(d) that are normally provided to another party when access is requested:

a. The auditor’s internal budgeting documents concerning costing or billing records for the audit client;

b. Internal staffing-related documents for the engagement and any incidental personnel records or information about the engagement team;

c. Documents or information that are subject to legal professional privilege;

d. Information subject to other legislative requirements, for example, those governing privacy; and

e. Proprietary work programs (e.g. client acceptance checklists and internal firm independence review checklists).

The information contained in audit working papers can be in any form, including handwritten data, text, image or audio, and may be stored electronically or in hard copy.

For the purposes of this GS, documents or information included in the audit file may be subject to “legal professional privilege” because an audit client, or relevant laws or regulations, at the time it was originally provided, required that such information or audit working paper be legally privileged. An example is legal advice regarding litigation against the audit client, as provided by its legal counsel. Paragraphs 27-30 of this GS contain further discussion related to legal professional privilege.

The table below outlines:

a. common circumstances when requests for access to an external auditor’s audit working papers may arise and when requests for access to an internal audit provider’s working papers may arise;

b. specific paragraphs in this GS that could be considered in deciding whether access may be granted; and 

c. the example letter(s) auditors may use for each specific circumstance listed.

Certain matters need to be considered when an auditor receives a request for access to audit working papers. They include:

a. client confidentiality requirements concerning access to audit working papers;

b. risk of legal claims resulting from allowing access and appropriate legal protection to mitigate that risk, such as indemnities that may be required (depending on the circumstances governing the request including the form of the release, waiver or indemnity);

c. the appropriate sequence of indemnities between the auditor, auditor’s client and any other parties;

d. how and when the auditor grants access to their audit working papers, including having regard to whether the audit is complete;

e. whether the audit working papers contain documents or information that are subject to legal professional privilege, which may not form part of the audit working papers to be accessed by other parties; and

f. the auditor’s policies and procedures regarding requests for access to audit working papers.

The guidance provided in this GS is general in nature and needs to be adapted to the specific client or other circumstances faced by the auditor.

Client Confidentiality 

Before the auditor grants a party access to audit working papers, the client’s consent is necessary to ensure the auditor complies with their common law duty of confidentiality to the client, as well as applicable professional ethical standards on confidentiality^[3] and any contractual undertakings that the auditor may have given to the client. Unless consent is given, preferably in writing, the auditor cannot voluntarily grant access to another party unless required by law to do so.

When access to audit working papers is required by a regulator, the auditor (unless prohibited by the terms of the regulator) needs to consider informing their client that access is being sought and will be granted in accordance with legislative requirements.

The letter of consent required from the client needs to be signed by a person(s) appropriately authorised to legally bind the client. If the client wishes to give consent under a power of attorney, the auditor considers whether it is necessary to sight the power of attorney document.

Client Indemnity

External Auditor

Whenever the auditor’s client, or any third party, seeks access to audit working papers, the auditor may consider obtaining from the client and any third party (as the case may be) an indemnity against any liability which arises as a result of that access.

Regard should be given to any restrictions on obtaining an indemnity. For example, among other matters, a company cannot under the Act^[4] indemnify its auditor from a liability to the company or a related body corporate incurred in the capacity of being the company’s auditor. Indemnities cannot cover certain pecuniary penalties or acts other than in good faith.

Internal Auditor

The internal audit function of an external auditor’s client may be undertaken by employees of the entity, or, might be outsourced to an internal audit provider. Where the internal audit services are outsourced to an internal audit provider, the opportunity for the external auditor to access the internal audit working papers of the internal audit provider will depend on who “owns” such working papers. Normally, the letter of engagement between the client and the internal audit provider specifies who “owns” internal audit working papers.

When the internal audit working papers are “owned” by the client, a consent letter to access the internal audit working papers is not required. Nonetheless, prior to allowing access, the internal audit provider or the client may request the external auditor to acknowledge that their access is subject to their obligations to comply with the requirements of Australian Auditing Standard ASA 610 Using the Work of Internal Auditors (ASA 610) or Standard on Sustainability Assurance ASSA 5000 General Requirements for Sustainability Assurance Engagements (ASSA 5000). When the internal auditor’s working papers are owned by the internal audit provider:

a. The internal audit provider would ordinarily first require consent from its client before granting access to its working papers to the external auditor. Refer to Example Letter C in Appendix 1 for an example client consent letter.

b. Once the internal audit provider has obtained the signed client consent letter, it would then request the external auditor to provide a signed request letter to access the internal audit work papers. Refer to Example Letter D in Appendix 1 for an example of this letter.

See paragraph 46 for additional considerations related to granting access to internal audit working papers.

Indemnities from Other Parties

The audit working papers which form part of an audit file are ordinarily prepared for the sole purpose of an internal or external audit or review. Their preparation for an external audit or review is for the sole purpose of documenting and supporting the auditor’s conclusions included in the auditor’s report. Consequently, the audit working papers may not be suitable for any intended use by another party, as the scope and nature of the other party’s needs were not known by the auditor, and thus, did not form part of the scope of the audit.

Access to the audit working papers by third parties or group auditors, without receipt of appropriate releases, indemnities and/or waivers of reliance, could place the auditor at risk of a legal claim by the third party or group auditor based on the results of their access to the audit working papers. Accordingly, it would not be prudent for the auditor to grant such access to their audit working papers, unless the auditor has:

a. obtained the client’s consent letter; and

b. agreed terms of access with the third party or group auditor in writing, including appropriate releases and/or indemnities.

If access is provided to audit working papers, in most cases the letter of consent includes an express disclaimer of reliance and exclusion of liability.

The Example Letters in Appendix 1 incorporate a form of release, indemnity and waiver of reliance that an auditor may seek when responding to a request to access their audit working papers.

The Example Letters in Appendix 1 are designed to facilitate access to the auditor’s audit working papers when access is sought by another party. The Example Letters record the agreed basis on which an auditor may be prepared to provide access to their audit working papers to another party’s agent. The auditor might consider whether to deny access to the other party’s agent if a letter is not executed and obtained from the other party and their agent.

Auditor’s Control Over Access to Audit Working Papers

An auditor may decide to allow limited access to some of their audit working papers and inform the third party or group auditor that certain audit working papers have been omitted.

When access to audit working papers is granted, the auditor controls how access is to be administered. Ordinarily, the auditor may:

a. agree on the format (electronic or hard copy) with the other party in which access to the audit working papers will be provided. The auditor is entitled to determine the format, location and type of access including, for example, monitored remote virtual access, so as not to place at risk the confidentiality of any of their proprietary audit software and methodologies, as well as other clients’ confidential information;

b. agree on and control the extent of access to original audit working papers granted to the other party;

c. oversee the physical inspection of audit working papers;

d. request that any questions arising from the examination of the audit working papers be put in writing. The auditor’s response may be restricted to matters in the audit working papers, rather than for example, answering questions of a general nature or matters concerning events subsequent to the reporting period covered by the audit engagement; and

e. not permit making copies of audit working papers without specific consent. When permission to make copies of audit working papers is granted, the auditor ordinarily:

i. maintains control over which audit working papers can be copied;

ii. reviews all audit working papers that are to be copied, prior to making them available to the third party;

iii. retains a record of which audit working papers have been copied; and

iv. considers what (if any) charge is to be made for the cost of making copies of the requested audit working papers.

Legal Professional Privilege

In undertaking an engagement, the auditor might access or incorporate within their audit file confidential communications made between, or confidential documents prepared by, the audit client and their legal counsel(s). When the dominant purpose of these communications is for the client’s legal counsel to provide legal advice to the client or where the documents have been created in contemplation of existing or anticipated legal proceedings, the communications may be subject to legal professional privilege.

Documents or information included in the audit file that are subject to legal professional privilege are owned by the client and not the auditor. When granting access to audit working papers is being contemplated, the auditor needs to consider obtaining legal advice from its own legal counsel as to how to deal with documents or information that may be subject to legal professional privilege. A client also ought to have an opportunity to review all documents and information that are to be produced so that the client can assess whether a claim for legal professional privilege will be made in relation to specified documents.

The following are example communications, documents and information that may attract legal professional privilege:

a. correspondence between the client and their legal advisers for the dominant purpose of giving or receiving legal advice, or for use in existing or anticipated litigation, that has been provided to the auditor for the engagement;

b. opinions from the legal counsel, and associated billing costs (including details of legal costs), where such information would disclose the nature of the advice sought or given;

c. correspondence between the auditor and the client’s legal counsel; or

d. documents that incorporate the types of documents listed (a) to (c) above.

If any of the documents or information listed in paragraph 29 above are contained in the audit working papers, or if the auditor is in any doubt about whether any client communications, documents or information are subject to legal professional privilege, the auditor notifies their client in accordance with paragraph 28 above. In these circumstances, the auditor might also need to consult with their own legal counsel in order to correctly identify the status of communications and documents that could potentially be the subject of legal professional privilege.

Basis for Granting Access – Group Audit

Under ASA 600 Special Considerations—Audits of a Group Financial Report (Including the Work of Component Auditors) (ASA 600) a group engagement partner is required to take overall responsibility for managing and achieving quality on the group audit.^[5] An auditor who performs audit work related to a component for the purposes of a group audit under ASA 600 is a component auditor and is part of the engagement team. The group engagement partner is required to have sufficient and appropriate involvement in the work of component auditors and takes responsibility for the nature, timing and extent of direction and supervision of component auditors and the review of their work. The group engagement partner of a controlling entity has a duty to form an opinion on various matters as may be required by laws or regulations, such as the Act (or other relevant statutory requirements) regarding the audit of a group financial report. There may also be circumstances when the auditor may be engaged to perform a non-statutory audit of a group financial report.

Under ASSA 5000 the engagement leader is required to take overall responsibility for managing and achieving quality on the audit of a group sustainability report. An auditor who performs audit work related to a component for the purposes of a group audit under ASSA 5000 is a component practitioner (herein, referred to as a component auditor) and is part of the engagement team. The engagement leader is required to have sufficient and appropriate involvement in the work of component auditors and takes responsibility for the nature, timing and extent of direction and supervision of component auditors and the review of their work. The engagement leader of a controlling entity has a duty to form an opinion on various matters as may be required by laws or regulations, such as the Act (or other relevant statutory requirements) regarding the audit of a group sustainability report.

If the group auditor requests access to the component auditor’s working papers, the component auditor considers whether it is necessary to establish and agree the conditions under which a group auditor is granted access to their working papers.

Relevant Factors to Consider – Corporations Act Engagement – Controlled Entities

For an audit or review of consolidated financial statements or all or part of a group sustainability report conducted under the Act, the auditor of a controlled entity must allow the group auditor of the controlling entity access to the controlled entity’s books and must give the auditor of the controlling entity any information, explanation or assistance required, for the purposes of the audit or review.^[6] The meaning attaching to these statutory requirements may not be precise, as there is no judicial or statutory authority about what is meant by the words “information, explanation or assistance”. The Act does not specify that the external auditor of the controlling entity has a statutory right to inspect the working papers of the auditor of the controlled entity. Nonetheless, the auditor of a controlled entity ordinarily endeavours to be open and frank with the auditor of the controlling entity and seeks to ensure compliance with any reasonable request by the auditor of the controlling entity to discharge their responsibilities under the Act.

When access to working papers is granted, for assurance engagements under ASA 600 or ASSA 5000; and the Act, the controlling entity cannot release or indemnify the auditor of the controlled entity under the Act’s relevant provisions.^[7] Where the auditor of the controlled entity gives assistance or information to the auditor of the controlling entity more than is required by the Act, the auditor of the controlled entity could seek a release and an indemnity from the auditor of the controlling entity (and arguably from the controlling entity itself). Any release or indemnity referred to in this paragraph may extend to liability that arises through access to audit working papers, other files maintained by the auditor and their audit staff.

Relevant Factors to Consider – Component Auditor

ASA 600 requires the group auditor to confirm with the component auditor that they will co-operate with the group auditor. Such agreement of co-operation may facilitate any reasonable request by the group auditor for access to component working papers.

For non-Corporations Act engagements, the auditor of a controlled entity is ordinarily expected to co-operate with reasonable requests from the group auditor for access to its working papers. Auditors should apply ASA 600 or ASSA 5000, as applicable, and may consider whether appropriate terms of access, including appropriate releases and/or indemnities are necessary.

Providing the Group Auditor Access to Audit Working Papers

The terms of engagement may include a release of client confidentiality in order for the component auditor to provide working papers to the group auditor. In the absence of a release of client confidentiality in the terms of engagement, the component auditor obtains a release of client confidentiality and may issue Example Letter C to the component auditor’s client.

Ordinarily, the group auditor will issue instructions to the component auditor. The instructions issued by the group auditor may set out the nature, timing and extent of audit working papers requested from the auditor of the controlled entity or component auditor. It is expected that communications between the group auditor and component auditor take place at appropriate times throughout the group audit.^[8]

The following guidance is also relevant regarding access to audit working papers by the group auditor:

a. When access to working papers is permitted during the assurance engagement, it may be prudent to inform the group auditor that the assurance work or accompanying working papers may not reflect significant events or matters which are material to the assurance engagement at the date when access is agreed. This communication ought to also contain the extent to which the component entity’s auditor has any obligation or responsibility to update the working papers or inform the reviewing auditor of information obtained subsequent to the date access is provided.

b. Requests by the group auditor for progress reports, advice on or information on the audit of the component entity are best made in writing, detailing specific matters on which a response is sought, and requesting the component auditor to respond in writing.

Notwithstanding some uncertainty about the audit working papers access obligations of an auditor of a controlled entity under the Act^[9], the auditor may determine whether it is necessary to establish and agree conditions under which the auditor of the controlling entity is granted access to their working papers. When the auditor of a controlled entity decides to establish and agree on conditions for providing access to audit working papers, Example Letter A in Appendix 1 may help identify an appropriate basis for making audit working papers available to the group auditor. If the auditor of a controlled entity determines it is necessary to obtain client consent before providing access to their audit working papers, Example Letter C may assist in obtaining client consent. Client consent may be obtained through other means, such as the terms of the audit engagement.

Access to Audit Working Papers of the Associate or Joint Venture Auditor (not under ASA 600)

When an audit client has an investment in an associate or is one of the parties in a joint venture, the audit client’s auditor may seek access to the audit working papers belonging to the auditor of the associate or joint venture. In this context, issues similar to those related to access to audit working papers of the auditor of a controlled entity or component by the group auditor (discussed above) will need to be considered. Normally, audit arrangements are outlined in the joint venture agreement, wherein one auditor is appointed to audit the joint venture. Audit arrangements for an associate may be outlined in a contract and/or agreement. However, as the investment in the associate or joint venture may be material to one or more of the investors or joint venturers (whose financial report may be audited by another auditor), it may be necessary for that auditor to gain access to the audit working papers of the associate’s or joint venture’s auditor. Unless specifically provided for in the auditor’s contract of appointment with the associate or joint venture, the auditors of the associate or joint venture parties may not be legally entitled to such access. However, to assist the auditor of an investor or joint venturer, access may be granted at the discretion of all the relevant parties to the associate or joint venture and the associate’s or joint venture’s auditor. When the auditor of the associate or joint venture determines it is necessary to establish and agree conditions for providing access to audit working papers, Example Letter A in Appendix 1 may help identify an appropriate basis for making audit working papers available to the investor’s auditor. When the auditor of the associate or joint venture determines it is necessary to obtain client consent before providing access to their audit working papers, Example Letter C may assist in obtaining client consent. Client consent may be obtained through other means, such as the terms of the engagement.

Basis for Granting Access

Owners of an entity seeking to sell their investment, or entities seeking further equity or loan funding from third parties, often believe their objectives might be facilitated by requesting the entity’s auditor to make available their audit working papers to third parties. The auditor may consider the following matters before deciding whether to grant access to working papers for this purpose:

a. whether to obtain legal advice; and

b. ensuring the auditor’s client and third parties, to whom access is to be given, confirm and acknowledge, in favour of the auditor:

i. that no representation is made about the accuracy or completeness of the audit working papers or any additional information provided in connection with that access, or of any individual amounts, accounts, balances, transactions or disclosures, or the accuracy or completeness of other information included in the audit working papers or any additional information;

ii. that the auditor is not responsible to the audit client and/or other third parties for any loss suffered in connection with access, to or use of, the audit working papers; and

iii. that the auditor will receive an indemnity against any loss, action, liability, claim, suit, demand, claim for costs or expenses or any other proceeding that the auditor may suffer arising out of, or in connection with, granting access to the audit working papers and the additional information given in connection with that access.

Circumstances in Which a Practitioner can Provide Access to their Audit Working Papers to Prospective Purchasers, Investors or Lenders

Ordinarily, the statutory auditor will not allow prospective purchasers, investors or lenders access to its working papers until the assurance engagement is completed.

When considering whether the assurance engagement is complete, the auditor may consider matters such as:

a. whether the auditor’s report on the financial report or sustainability report or information has been signed; and

b. whether the assembly of the final audit file been completed.

When the internal audit function of an entity is outsourced to an internal audit provider, or where personnel from the internal audit provider are seconded to an internal audit client, and the audit working papers belong to the internal audit provider, the external auditor may seek access to the entity’s internal audit working papers to gain an understanding of relevant internal auditing activities that are relevant to the audit or review. In such circumstances, the following matters may be considered:

a. the external auditor seeking access to the internal auditor’s audit working papers needs to comply with the requirements and guidance in ASA 610 or ASSA 5000. This includes acknowledging that an understanding of the audit client’s internal control structure and subsequent assessment of audit risk, gained from the review of the internal auditor’s audit working papers, are based solely on the external auditor’s professional judgement; and

b. generally, internal audit working papers prepared by an internal audit provider will not be released for review by the external auditor until after the related internal audit report is finalised and/or has been tabled with the Audit Committee (or equivalent governing body), subject to the terms of the outsourcing arrangement.

When an auditor is newly appointed to perform an audit or review under the Act (or other applicable legislation), they have a statutory responsibility to report on the financial report or sustainability report of the entity for the year of appointment. The financial report may be affected by account balances carried forward from the prior period, and the sustainability report may include comparative information previously reported on by the predecessor auditor. Accordingly, the successor auditor will need to form a view about whether the opening balances are fairly stated in accordance with ASA 510 Initial Audit Engagements – Opening Balances, or whether comparative sustainability information is required and appropriately presented in accordance with ASSA 5000. To support these determinations, the successor auditor may seek access to the predecessor auditor’s working papers. The auditor’s client consent prior to granting access may be considered necessary in these circumstances and the Example Letter C in Appendix 1 sets out the matters that are ordinarily addressed.

Appropriate Procedures

Where the predecessor auditor agrees to provide the successor auditor access to the auditor’s audit working papers, such access ordinarily involves an exchange of letters between the two auditors. Example Letter E in Appendix 1 sets out the matters ordinarily addressed, though amendments may be required to reflect circumstances specific to the engagement.

There is no equivalent International Auditing Practice Statement (IAPS) to this GS.