General Considerations Applicable to all Requests for Access to Audit Working Papers
11
Certain matters need to be considered when an auditor receives a request for access to audit working papers. They include:
a. client confidentiality requirements concerning access to audit working papers;
b. risk of legal claims resulting from allowing access and appropriate legal protection to mitigate that risk, such as indemnities that may be required (depending on the circumstances governing the request including the form of the release, waiver or indemnity);
c. the appropriate sequence of indemnities between the auditor, auditor’s client and any other parties;
d. how and when the auditor grants access to their audit working papers, including having regard to whether the audit is complete;
e. whether the audit working papers contain documents or information that are subject to legal professional privilege, which may not form part of the audit working papers to be accessed by other parties; and
f. the auditor’s policies and procedures regarding requests for access to audit working papers.
12
The guidance provided in this GS is general in nature and needs to be adapted to the specific client or other circumstances faced by the auditor.
Client Confidentiality
13
Before the auditor grants a party access to audit working papers, the client’s consent is necessary to ensure the auditor complies with their common law duty of confidentiality to the client, as well as applicable professional ethical standards on confidentiality[3] and any contractual undertakings that the auditor may have given to the client. Unless consent is given, preferably in writing, the auditor cannot voluntarily grant access to another party unless required by law to do so.
14
When access to audit working papers is required by a regulator, the auditor (unless prohibited by the terms of the regulator) needs to consider informing their client that access is being sought and will be granted in accordance with legislative requirements.
15
The letter of consent required from the client needs to be signed by a person(s) appropriately authorised to legally bind the client. If the client wishes to give consent under a power of attorney, the auditor considers whether it is necessary to sight the power of attorney document.
Client Indemnity
External Auditor
16
Whenever the auditor’s client, or any third party, seeks access to audit working papers, the auditor may consider obtaining from the client and any third party (as the case may be) an indemnity against any liability which arises as a result of that access.
17
Regard should be given to any restrictions on obtaining an indemnity. For example, among other matters, a company cannot under the Act[4] indemnify its auditor from a liability to the company or a related body corporate incurred in the capacity of being the company’s auditor. Indemnities cannot cover certain pecuniary penalties or acts other than in good faith.
Internal Auditor
18
The internal audit function of an external auditor’s client may be undertaken by employees of the entity, or might be outsourced to an internal audit provider. Where the internal audit services are outsourced to an internal audit provider, the opportunity for the external auditor to access the internal audit working papers of the internal audit provider will depend on who “owns” such working papers. Normally, the letter of engagement between the client and the internal audit provider specifies who “owns” internal audit working papers.
19
When the internal audit working papers are “owned” by the client, a consent letter to access the internal audit working papers is not required. Nonetheless, prior to allowing access, the internal audit provider or the client may request the external auditor to acknowledge that their access is subject to their obligations to comply with the requirements of Australian Auditing Standard ASA 610 Using the Work of Internal Auditors (ASA 610) or Standard on Sustainability Assurance ASSA 5000 General Requirements for Sustainability Assurance Engagements (ASSA 5000).
When the internal auditor’s working papers are owned by the internal audit provider:
a. The internal audit provider would ordinarily first require consent from its client before granting access to its working papers to the external auditor. Refer to Example Letter C in Appendix 1 for an example client consent letter.
b. Once the internal audit provider has obtained the signed client consent letter, it would then request the external auditor to provide a signed request letter to access the internal audit work papers. Refer to Example Letter D in Appendix 1 for an example of this letter.
See paragraph 46 for additional considerations related to granting access to internal audit working papers.
Indemnities from Other Parties
20
The audit working papers which form part of an audit file are ordinarily prepared for the sole purpose of an internal or external audit or review. Their preparation for an external audit or review is for the sole purpose of documenting and supporting the auditor’s conclusions included in the auditor’s report. Consequently, the audit working papers may not be suitable for any intended use by another party, as the scope and nature of the other party’s needs were not known by the auditor, and thus, did not form part of the scope of the audit.
21
Access to the audit working papers by third parties or group auditors, without receipt of appropriate releases, indemnities and/or waivers of reliance, could place the auditor at risk of a legal claim by the third party or group auditor based on the results of their access to the audit working papers. Accordingly, it would not be prudent for the auditor to grant such access to their audit working papers, unless the auditor has:
a. obtained the client’s consent letter; and
b. agreed terms of access with the third party or group auditor in writing, including appropriate releases and/or indemnities.
22
If access is provided to audit working papers, in most cases the letter of consent includes an express disclaimer of reliance and exclusion of liability.
23
The Example Letters in Appendix 1 incorporate a form of release, indemnity and waiver of reliance that an auditor may seek when responding to a request to access their audit working papers.
24
The Example Letters in Appendix 1 are designed to facilitate access to the auditor’s audit working papers when access is sought by another party. The Example Letters record the agreed basis on which an auditor may be prepared to provide access to their audit working papers to another party’s agent. The auditor might consider whether to deny access to the other party’s agent if a letter is not executed and obtained from the other party and their agent.
Auditor’s Control Over Access to Audit Working Papers
25
An auditor may decide to allow limited access to some of their audit working papers and inform the third party or group auditor that certain audit working papers have been omitted.
26
When access to audit working papers is granted, the auditor controls how access is to be administered. Ordinarily, the auditor may:
a. agree on the format (electronic or hard copy) with the other party in which access to the audit working papers will be provided. The auditor is entitled to determine the format, location and type of access including, for example, monitored remote virtual access, so as not to place at risk the confidentiality of any of their proprietary audit software and methodologies, as well as other clients’ confidential information;
b. agree on and control the extent of access to original audit working papers granted to the other party;
c. oversee the physical inspection of audit working papers;
d. request that any questions arising from the examination of the audit working papers be put in writing. The auditor’s response may be restricted to matters in the audit working papers, rather than, for example, answering questions of a general nature or matters concerning events subsequent to the reporting period covered by the audit engagement; and
e. not permit making copies of audit working papers without specific consent. When permission to make copies of audit working papers is granted, the auditor ordinarily:
i. maintains control over which audit working papers can be copied;
ii. reviews all audit working papers that are to be copied, prior to making them available to the third party;
iii. retains a record of which audit working papers have been copied; and
iv. considers what (if any) charge is to be made for the cost of making copies of the requested audit working papers.
Legal Professional Privilege
27
In undertaking an engagement, the auditor might access or incorporate within their audit file confidential communications made between, or confidential documents prepared by, the audit client and their legal counsel(s). When the dominant purpose of these communications is for the client’s legal counsel to provide legal advice to the client or where the documents have been created in contemplation of existing or anticipated legal proceedings, the communications may be subject to legal professional privilege.
28
Documents or information included in the audit file that are subject to legal professional privilege are owned by the client and not the auditor. When granting access to audit working papers is being contemplated, the auditor needs to consider obtaining legal advice from its own legal counsel as to how to deal with documents or information that may be subject to legal professional privilege. A client also ought to have an opportunity to review all documents and information that are to be produced so that the client can assess whether a claim for legal professional privilege will be made in relation to specified documents.
29
The following are example communications, documents and information that may attract legal professional privilege:
a. correspondence between the client and their legal advisers for the dominant purpose of giving or receiving legal advice, or for use in existing or anticipated litigation, that has been provided to the auditor for the engagement;
b. opinions from the legal counsel, and associated billing costs (including details of legal costs), where such information would disclose the nature of the advice sought or given;
c. correspondence between the auditor and the client’s legal counsel; or
d. documents that incorporate the types of documents listed in (a) to (c) above.
30
If any of the documents or information listed in paragraph 29 above are contained in the audit working papers, or if the auditor is in any doubt about whether any client communications, documents or information are subject to legal professional privilege, the auditor notifies their client in accordance with paragraph 28 above. In these circumstances, the auditor might also need to consult with their own legal counsel in order to correctly identify the status of communications and documents that could potentially be the subject of legal professional privilege.
[3] See Compiled APES 110 Code of Ethics for Professional Accountants (including Independence Standards), issued by the Accounting Professional & Ethical Standards Board Limited.
[4] See Section 199A, Corporations Act 2001.