Reviewing a File

October 2023

For Crowe Global member firm internal use only.


Reviewing a File
A completed engagement file review (i.e., a post issuance review or cold review) is an evaluation of
compliance with ISAs and relevant aspects of the IESBA code.
The objective of a file review is to be able to conclude on the following:
• The firm has conducted the engagement in accordance with relevant professional standards
and legal and regulatory requirements; and
• The opinion provided appears to be supported by the evidence on the file.

A completed engagement file review is not the same as a partner (or manager) review. The file
reviewer has no contact with the client or any original documents etc. – the file reviewer is considering
what is on the file.
There are three main types of monitoring file review:
• Cover to cover - The reviewer goes through the entire file (from cover to cover).
• Risk based – A review where the reviewer evaluates the planning and risk assessment areas
of the engagement file and then decides, on a risk basis, where to focus their efforts on risk
response and further audit procedures (i.e., which other file sections to review).
• Targeted - A review with a narrow focus targeted on one or two areas. This is typically
performed as a response to completed reviews which have identified areas where further
evidence is needed, either from additional engagements involving the same engagement
partner/manager/team (to test a theory that a problem lies with an individual) or different
people (to test a theory that a problem is widespread).

Targeted reviews are not generally considered to fulfil the requirement for completed engagement
monitoring activity, since they are performed as responses to already identified causes for concern.
Cover-to-cover and risk-based reviews are generally considered to fulfil the requirement for
completed engagement monitoring activity. Some regulators prefer one or the other type of review.
Firms in jurisdictions where this is the case must comply with local requirements.
The choice of the type of review (between cover-to-cover and risk-based) is the responsibility of either
the person with ultimate responsibility for Quality Management (PWUR) or the person with operational
responsibility for the SOQM (PWOR) and should be consistently applied. The choice to perform a
targeted review as a response to review findings will lie with either the reviewer or the person with
operational responsibility for monitoring, depending on the firm’s policy.
Typically, all file reviews will be performed and documented using a review checklist. There are
various styles of checklist, which range from high level to detailed. Digital checklists can change their
nature (from high level to detailed) depending on tailoring actions.
An effective checklist that will appropriately support and document the work done in the course of a
review will cover (to a greater or lesser degree depending on the firm’s policy):
• Pre planning;
• Planning and risk assessment;
• Risk response and further audit procedures;
• Control and review;
• Completion and reporting;
• Standback;
• The details of the engagement (name, year end, reason for selection) should be clearly
recorded in the checklist; and
• The names of the engagement partner (and manager) and the reviewer should be clearly
recorded in the checklist.

In addition:

© 2023 Crowe Global www.crowe.org


• The style of the checklist should be uniform and ideally comprised of positive statements
addressing the ISA (or other) requirements (e.g., this happened, this is appropriately
documented, this was done…). A ‘No’ answer should always be the ‘bad’ answer.
• All ‘No’ answers should require additional explanatory text.
• ‘Yes’ answers should be able to be supported by additional text if absolutely necessary.
However, reviewers should not abuse this facility and use it to essentially change what should
have been a ‘No’ answer to a ‘Yes’ answer with caveats. If a reviewer cannot give a whole-
hearted unambiguous ‘Yes,’ then they should give a ‘No’ (with mitigations/special pleading if
desired).
• N/A options should only be provided for situations where a requirement might genuinely not
be applicable. (For example, in situations where there is no internal audit function in the client,
questions relating to use of internal audit will not be applicable. Similarly, in situations where
control effectiveness testing is neither required nor performed, questions relating to that are
not applicable.)
• If scoring is used, the checklist should force scoring on each section of the file, and also at the
overall engagement level.
• Where there are additional jurisdiction-specific requirements, these should be incorporated
into the checklist.
• The year ends to which the checklist applies should be clearly stated.
• Ideally, the checklist would have a schedule appended in which all ‘No’ answers could be
presented together to facilitate the identification of deficiencies, but ultimately so long as
these are documented somewhere intuitive, it’s the firm’s choice.

As with the wider SOQM review, the words used to support ‘No’ answers are as important as the
selection of ‘No’ in the relevant check box. Firms use checklists to impose consistency and to make
the documentation of what they have done as painless as possible, but the words they use are vital. A
‘No’ answer can be given to a question because the required information was nowhere to be seen on
the file, or because it was there but wrong in some way. The difference between the two types of
reason for the ‘No’ answer could lead to entirely different root causes and could have far reaching
implications. Therefore – the words really matter.
Once the file review checklist has been completed to the best of the reviewer’s ability, the reviewer
must interface with the engagement partner to clarify anything that needs clarifying, and to give the
partner the ‘right of reply.’ In some circumstances, the partner may be able to explain something the
reviewer may not have fully appreciated, or even provide additional documentation that should have
been with the file but wasn’t. Sometimes, the partner’s information and explanations may resolve
issues, sometimes they may open up new areas for exploration. Sometimes the communication
between the two can be quite involved. As long as it is positive and constructive, this is not
necessarily a bad thing since it is in everyone’s interest to ensure that there is full understanding of
how the engagement was performed. The aim of this ping pong process is to arrive at a situation
where all parties understand and accept why the review conclusions are as they are.


Contact Information
David Chitty
International Accounting
& Audit Director
david.chitty@crowe.org

Crowe Global is a leading international network of separate and independent accounting and consulting firms that are licensed to use “Crowe” in connection with the provision
of professional services to their clients. Crowe Global itself is a non-practicing entity and does not provide professional services to clients. Services are provided by the
member firms. Crowe Global and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions.
© 2023 Crowe Global