The audit working paper file: what your auditor is actually building behind the scenes

Most audits feel, from the management side, like a few weeks of email exchanges, a stack of schedules sent, a closing meeting, and a signed report. What you do not see is the file the audit team is building in parallel. That file — the working paper file — is the audit. The opinion on the cover is the conclusion. The working paper file is the evidence.

When NFRA opens a quality review, when a court asks for an audit's basis, when the next auditor at handover asks for last year's work, the working paper file is what gets produced. Founders should understand what is in it because the quality of that file determines whether the opinion on your statements is defensible. And because under SA 230, an audit that is not documented did not happen.

What SA 230 actually requires

SA 230 — Audit Documentation — is the standard that governs the working paper file. The principle is direct: the auditor must prepare documentation sufficient to enable an experienced auditor, with no previous connection to the audit, to understand the nature, timing, and extent of audit procedures performed, the results, and the conclusions reached.

The phrase 'experienced auditor with no previous connection' is the test. If a peer reviewer or an NFRA inspector reading the file cannot reconstruct what was done and why, the documentation has failed. Not the audit — the documentation. The audit may have been performed perfectly. Without documentation, none of it counts.

This is why insufficient documentation is the number one finding in NFRA inspection reports and the most common ground for ICAI peer-review qualifications. The audit work was done. The file just does not prove it.

The structure of a working paper file

A standard Indian audit working paper file for a listed company or large unlisted company has roughly this hierarchy.

Engagement acceptance and planning section. Engagement letter signed by management. Independence confirmations from the partner and team. Acceptance memo confirming firm-level conflict checks. Audit-team composition with hours allocated.

Planning memo. Business understanding — the company, the sector, the regulatory environment. Risk-assessment memo identifying significant risks, fraud risks, and significant accounts. Materiality calculation with the benchmark, percentage, performance materiality, and trivial threshold. Audit strategy and audit plan documents.

Risk-assessment workpapers. Walkthroughs of major business processes — revenue, procurement, payroll, treasury, financial reporting. Identification of key controls at each step. Initial assessment of control reliance versus substantive testing.

Audit programme. The detailed list of procedures by financial-statement line item. For each procedure: objective, source of evidence, sample size, basis of sample selection, and reference to the workpaper where it was performed.

Testing workpapers. This is the bulk of the file. For each significant account — revenue, trade receivables, inventory, fixed assets, payables, borrowings, equity, expenses — the testing performed, samples examined, evidence obtained, exceptions identified, and conclusions.

Standalone schedules. Materiality calculation, journal-entry testing, related-party transaction testing, subsequent-events review, going-concern memo, IFC testing under Section 143(3)(i), CARO 2020 clause-by-clause analysis.

Exception register. Every misstatement identified during the audit, classified into corrected and uncorrected. The schedule of uncorrected misstatements at year-end aggregated against materiality.

Conclusion and reporting. Opinion-formation memo. Audit committee communication memo (SA 260). Management representation letter. Engagement quality reviewer's notes for listed and high-risk engagements. Partner sign-off on the file.

What gets requested in litigation

When a company gets into litigation or regulatory action, and the audit is questioned, the audit firm is typically asked to produce the working paper file in full. Not selected sections. The full file. The audit team has roughly 60 days from the date of opinion sign-off to complete the file under SA 230 paragraph A21 — the 'assembly period.' After that, the file is locked. Any changes have to be documented as additions, not edits.

Litigation parties read the file looking for specific things. Whether the risk-assessment identified the issue that later became a problem. Whether the audit procedures responded to the identified risk with sufficient depth. Whether the sample sizes were reasonable given the population. Whether the conclusions in the file actually support the opinion issued. Whether the journal-entry testing covered the period in question.

Where files fall apart is rarely on substance. It is on the gap between what the procedures memo said would be done and what the testing workpapers show was done. The plan says 'select 25 high-value receivables and confirm with customers.' The file shows 12 confirmations. The other 13 are unexplained. In a peer review, that is a finding. In litigation, that is a hole.

NFRA's enforcement posture

NFRA has been issuing enforcement orders against audit firms since 2019. The pattern in those orders is consistent. Almost every order cites multiple SA 230 violations — missing workpapers, undocumented conclusions, sample sizes inconsistent with the audit plan, late additions to the file without proper documentation.

In the IL&FS-related orders against Big Four firms, the dominant finding was that the working paper files did not support the unqualified opinions issued. The audit may have caught the issues — or it may not have — but the file did not document either way. Without documentation, the firm cannot defend the opinion.

For founders this matters indirectly. If your auditor's file is weak, your company's audit is weak. The opinion on your statements is only as strong as the file behind it. In a high-stakes transaction — IPO, M&A, regulatory inquiry — the diligence team will sometimes ask the auditor to produce the working paper file. If the file is thin, the diligence team flags it. The transaction slows.

What management can do

You cannot directly improve the auditor's file. You can make the conditions under which the file gets built better.

Provide schedules on time. The audit team's documentation is cleanest when they receive complete schedules at the start of fieldwork rather than in fragments through the engagement. A controller who reconciles the trial balance to the audit lead schedules before sending them removes a category of file weakness.

Respond to queries in writing. Email or audit-portal responses become part of the working paper file. Verbal responses get summarized into a memo by the audit team and may or may not reflect what you said. Written answers protect both sides.

Sign management representations carefully. The management representation letter is a key workpaper. Read it. If a representation is broader than what you can actually represent, narrow it. A management rep that turns out to be false is a document the auditor can produce in their defence when something goes wrong.

Ask for the engagement quality review process. For listed companies and large engagements, ICAI's SQC 1 and SA 220 require an engagement quality reviewer. That reviewer reads the file before sign-off. A file that has been EQR-reviewed is materially stronger than one that has not. Confirm with your auditor that EQR happened.

What the file looks like for a clean audit

A clean audit working paper file for a ₹500 crore revenue Series B company runs to roughly 800-1,500 pages, plus the underlying data files. The audit team allocates 600-1,000 hours across partner, manager, and staff to build it. If your audit fee is ₹15-25 lakh for that size of company, the file should be in that range. If your audit fee is ₹6 lakh and the company is that size, the file is unlikely to be at that depth — which is its own warning.

You will never see the file. You should know it exists, what it contains, and why it matters. When the question of audit defensibility comes up — and at some point in the life of any growing company it does — that file is the answer.