Certain matters need to be considered when an auditor receives a request for access to audit working papers. They include:

1. client confidentiality requirements concerning access to audit working papers;
2. risk of legal claims resulting from allowing access and appropriate legal protection to mitigate that risk, such as indemnities that may be required (depending on the circumstances governing the request including the form of the release, waiver or indemnity);
3. the appropriate sequence of indemnities between the auditor, auditor’s client and any third parties;
4. how and when the auditor grants access to their audit working papers, including having regard to whether the audit is complete; and
5. whether the audit working papers contain documents or information that are subject to legal professional privilege, which should not form part of the audit working papers to be accessed by third parties.

The guidance provided in this Guidance Statement needs to be adapted to the specific client or other circumstances faced by the auditor. For example, when an auditor is responding to a request to access their audit working papers by a regulator, some of the above considerations may not be applicable, as access is granted in accordance with the requirements of the relevant legislation.

Client Confidentiality

Before the auditor grants third party access to audit working papers, the client’s consent is necessary to ensure the auditor complies with their common law duty of confidentiality to the client, as well as applicable professional ethical standards on confidentiality^[4] and any contractual undertakings that the auditor may have given to the client. Unless consent is given, preferably in writing, the auditor cannot voluntarily grant access to third parties unless required by law to do so.

When access to audit working papers is required by a regulator, the auditor (unless prohibited by the terms of the regulator) needs to consider informing their client that access is being sought and will be granted in accordance with legislative requirements.

The letter of consent required from the client needs to be signed by a person(s) appropriately authorised to legally bind the client. If the client wishes to give consent under a power of attorney, the auditor considers whether it is necessary to sight the power of attorney document.

Client Indemnity

External Auditor

Whenever the auditor’s client, or any third party, seeks access to audit working papers, the auditor ought to obtain from the client and any third party (as the case may be) an indemnity against any liability which arises as a result of that access.

A company cannot under the Act^[5] indemnify its auditor from a liability to the company or a related body corporate incurred in the capacity of being the company’s auditor. However, the company can indemnify its auditor against liabilities to third parties (i.e. parties other than the company and its related bodies corporate), and third parties themselves can indemnify the auditor against liability to those or other parties. Moreover, the company can indemnify its auditor from a liability to the company or a related body corporate incurred in a capacity other than as auditor.

Internal Auditor

The internal audit function of an external auditor’s client may be undertaken by employees of the entity, or, might be outsourced to an internal audit provider. Where the internal audit services are outsourced to an internal audit provider, the opportunity for the external auditor to access the internal audit working papers of the internal audit provider will depend on who “owns” such working papers. Normally, the letter of engagement between the client and the internal audit provider specifies who “owns” internal audit working papers.

When the internal audit working papers are “owned” by the client, a consent letter to access the internal audit working papers is not required. Nonetheless, prior to allowing access, the internal audit provider or the client may request the external auditor to acknowledge that their access is subject to their obligations to comply with the requirements of Auditing Standard ASA 610 Considering the Work of Internal Audit. When the internal audit working papers are “owned” by the internal audit provider:

1. The internal audit provider would ordinarily first require consent from its client before granting access to its working papers to the external auditor. Refer Example Letter C in Appendix 1 for an example client consent letter.
2. Once the internal audit provider has obtained the signed client consent letter, it would then request the external auditor to provide a signed request letter to access the internal audit working papers. Refer Example Letter D in Appendix 1 for an example of this letter.

See paragraph 43 for additional considerations related to granting access to internal audit working papers.

Indemnities from Third Parties

The audit working papers which form part of an audit file are ordinarily prepared for the sole purpose of an internal or external audit or review. Their preparation for an external financial report audit or review is for the sole purpose of documenting and supporting the auditor’s conclusions included in the auditor’s report on the financial report. Consequently, audit working papers may not be suitable for any intended use by a third party, as the scope and nature of the third party’s needs are not known by the auditor, and thus, did not form part of the scope of the audit.

Access to the audit working papers by third parties, without receipt of appropriate releases, indemnities and waivers of reliance, could place the auditor at risk of a legal claim by the third party based on the results of their access to the audit working papers. Accordingly, it would not be prudent for the auditor to grant such access to their audit working papers, unless the auditor has:

1. obtained the client’s consent letter; and
2. agreed terms of access with the third party in writing, including appropriate releases and/or indemnities.

If access is provided to audit working papers, in most cases the letter of consent includes an express disclaimer of reliance and exclusion of liability.

The Example Letters in Appendix 1 incorporate a suggested form of release, indemnity and waiver of reliance that an auditor ordinarily seeks when responding to a request to access their audit working papers.

The Example Letters in Appendix 1 are designed to facilitate access to the auditor’s audit working papers when access is sought by a third party. The Example Letters record the agreed basis on which an auditor may be prepared to provide access to their audit working papers to a third party agent. Access may be denied to the third party agent if a letter is not executed and obtained from the third party and the agent.

Auditor’s Control Over Access to Audit Working Papers

An auditor may decide to allow limited access to some of their audit working papers and inform the third party that certain audit working papers have been omitted.

When access to audit working papers is granted, the auditor controls how access is to be administered. Ordinarily, the auditor will:

1. agree on the format (electronic or hard copy) with the third party in which access to the audit working papers will be provided. The auditor is entitled to determine the format so as not to place at risk the confidentiality of any of their proprietary audit software and methodologies, as well as other clients’ confidential information.
2. agree on and control the extent of access to original audit working papers granted to a third party.
3. oversee the physical inspection of audit working papers;
4. request that any questions arising from the examination of the audit working papers be put in writing. The auditor’s response will be restricted to matters in the audit working papers, rather than for example, answering questions of a general nature or matters concerning events subsequent to the reporting period covered by the audit engagement; and
5. not permit making copies of audit working papers without specific consent. When permission to make copies of audit working papers is granted, the auditor ordinarily
   1. maintains control over which audit working papers can be copied;
   2. reviews all audit working papers that are to be copied, prior to making them available to the third party;
   3. retains a record of which audit working papers have been copied; and
   4. considers what (if any) charge is to be made for the cost of making copies of the requested audit working papers.

Legal Professional Privilege

In undertaking an engagement, the auditor might access or incorporate within their audit file confidential communications made between, or confidential documents prepared by, the audit client and their legal counsel(s). When the dominant purpose of these communications is for the client’s legal counsel to provide legal advice to the or where the documents have been created in contemplation of existing or anticipated legal proceedings, the communications may be subject to legal professional privilege.

Documents or information included in the audit file that are subject to legal professional privilege are owned by the client and not the auditor. When granting access to audit working papers is being contemplated, the auditor needs to consider obtaining legal advice from its own legal counsel as to how to deal with documents or information that may be subject to legal professional privilege. A client also ought to have an opportunity to review all documents and information that are to be produced so that the client can assess whether a claim for legal professional privilege will be made in relation to specified documents.

The following are example communications, documents and information that may attract legal professional privilege:

1. Correspondence between the client and their legal advisers for the dominant purpose of giving or receiving legal advice, or for use in existing or anticipated litigation, that has been provided to the auditor for the engagement;
2. Opinions from the legal counsel, and associated billing costs (including details of legal costs), where such information would disclose the nature of the advice sought or given;
3. Correspondence between the auditor and the client’s legal counsel; or
4. Documents that incorporate the types of documents listed (a) to (c) above.

If any of the documents or information listed in paragraph 30 above are contained in the audit working papers, or if the auditor is in any doubt about whether any client communications, documents or information are subject to legal professional privilege, the auditor notifies their client in accordance with paragraph 29 above. In these circumstances, the auditor might also need to consult with their own legal counsel in order to correctly identify the status of communications and documents that could potentially be the subject of legal professional privilege.