Workpaper Reviews: What You Can Do

How auditors can satisfy bank regulators and keep their clients happy.

WHILE AUDITORS MAY HAVE CONCERNS about turning over workpapers to regulators, in most cases there is little choice but to cooperate.

FEDERAL REGULATORS INSIST they have no interest in auditing auditors but merely want to do their jobs more efficiently. The primary purpose of a workpaper review is examination scoping, in which a review of the work of external auditors can help regulators to better focus their own resources.

WHAT EXAMINERS LOOK FOR in a workpaper review will vary. Fraud remains a concern; regulators want to know what the auditors are doing to detect it and the extent to which they have reviewed an institution’s internal controls. This concern won’t change anytime soon.

REGULATORS FROM ALL THE FEDERAL AGENCIES that oversee the nation’s financial institutions reserve the right to report any serious audit deficiencies to the institutions they examine. If deficiencies are severe enough, regulators can suggest a change in auditors.

CPAs ASKED TO TURN OVER THEIR AUDIT WORKPAPERS to federal banking regulators aren’t simply worried regulators might use those papers to examine them; they also worry about the confidentiality of client data and of their own policies and procedures.

RANDY MYERS is a financial writer who lives in Dover, Pennsylvania. His e-mail address is .

f you’re a CPA who audits financial institutions and this hasn’t happened yet to you, it almost certainly will: Federal bank regulators examining the institution you’re auditing ask to see a copy of your workpapers. While this may raise a host of concerns—after all, workpapers contain enormous amounts of confidential information—you probably know that you have little choice but to cooperate. CPAs who frequently perform bank audits say they can help examiners accomplish more, with fewer headaches for themselves, if they work with the examiners to make workpaper reviews efficient.

Confidence in Banking Building

The proportion of people who have a great deal of confidence in the safety and security of the U.S. banking and financial system has been rising—from a low of 15% in 1991 to 40% in 2000.

Source: American Banker/Gallup 2000
Consumer Survey, .

All banks, regardless of their size, are subject to some form of regulatory review. Regulators expect banks to retain knowledgeable and well-trained auditors. Conversely, CPAs who perform bank audits must be familiar with banking regulations and must also be aware that regulators have the right to review their workpapers. Depending upon which federal agency is making the request and how big the institution that’s under inspection is, the agency may have specific regulatory authority to demand the workpapers. For example, under the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), auditors are required to make workpapers available, upon request, to regulators for client banks with assets in excess of $500 million. If the agency doesn’t have authority, it always can subpoena the documents. In addition, many financial institutions, at regulators’ urging, have recently reworded their audit engagement letters to require that the workpapers be made available.


AU section no. 9339, “Working Papers: Auditing Interpretations of Section 339” ( Professional Standards, AICPA) sets forth guidelines for providing regulators with access to auditors’ workpapers. “When regulators ask for workpapers, our answer is routinely ‘yes,’” says Craig Dabroski, CPA, national technical director for banking at Andersen LLP. “I can’t remember if we have ever said ‘no.’ The only time a typical CPA firm would be reluctant to do so would be when there was a threat of litigation involved, at which point it would start funneling requests through its lawyers. But that is by far the exception.”

Still, it’s worth knowing that meeting a request for workpapers does not necessarily mean dumping reams of paper or stacks of computer disks into the laps of bank examiners. “We try to stress to our personnel that when examiners ask to look at copies of workpapers, they should talk to them first, find out what they’re trying to do and what they’re looking for,” Dabroski explains. “In our minds, that is number one: Have a discussion with them, and see if we can satisfy their needs just by talking, which may save us both a lot of time. If not, we try to direct them to the workpapers that we think make the most sense for what they’re looking for.”

That approach sits well with regulators, too. Doris L. Marsh, CPA, CFA, an examination specialist with the Federal Deposit Insurance Corporation’s (FDIC) division of supervision, agrees that workpapers can be voluminous and regulators don’t want to spend their time looking through irrelevant material. “I think if examiners are looking at a bank, and have questions in certain areas, they can talk to the auditors and perhaps the auditors can satisfy them without looking at the workpapers. And certainly asking the regulators if they found anything, or have anything they want to report, is valid,” says Marsh.

“We’re attempting to encourage our examiners to open up those communication lines early in the examination and review process,” says Bill Morris, a senior policy analyst and national bank examiner in the Office of the Comptroller of the Currency, (OCC) which oversees national banks. “If the auditor and examiner are discussing what the auditor has done for the bank and what the examiner might be looking for, the answers may come through those discussions. In that case, the examiner may not even need to look at the workpapers.”

To be fair, the accounting profession’s approach to complying with workpaper requests hasn’t always been this congenial. Until recently, it was not unheard of for some CPA firms to ask regulators to sign a seven- or eight-page letter agreeing to drop those firms from any legal issues that might arise from the workpaper review, according to Wynne E. Baker, CPA, of Kraft, Bros, Eastman, Patton & Harrell, PLLC, Nashville, and chairman of the AICPA’s regulatory task force that works with the Federal Financial Examination Council. But regulators would not agree to sign such waivers. Efforts are underway to create uniform procedures to address auditors’ and regulators’ concerns (see “The Confidentiality Issue,” below), but until a consensus is in place, auditors must rely on their judgment and available guidance.

The Confidentiality Issue

C PAs asked to turn over their audit workpapers to federal banking regulators aren’t simply worried regulators might use those papers to examine them. They also worry about the confidentiality of client data and of their own policies and procedures. Although regulators have access to all bank records, if clients aren’t comfortable any data shared with their external auditors will remain confidential, they might be less forthcoming and so compromise their auditors’ ability to do their job, warns Carol H. Larson, CPA, national audit partner for banking at Deloitte & Touche LLP. Auditors also worry about opening up to the public record those aspects of their workpapers that describe their particular approach to auditing and their risk assessment procedures, all of which they consider to be proprietary information.

Regulators understand the privacy concerns voiced by CPAs and their clients. Zane D. Blackburn, the chief accountant at the Office of the Comptroller of the Currency (OCC) says, “Anything gained during the examination process is subject to our own confidentiality requirements, and it is very, very difficult for anyone to obtain information that we’ve received during the course of a bank examination. Workpapers would be part of that.” Blackburn knows that without confidentiality, bankers would not be as open and cooperative with regulators.

Partly in a bid to address these issues, regulators from all five federal agencies that oversee the nation’s financial institutions—the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of Thrift Supervision, the OCC and the National Credit Union Association—met with representatives of the AICPA in September 2000.

The participants in that meeting—Wynne E. Baker, CPA, of Kraft, Bros, Eastman, Patton & Harrell, PLLC, Nashville, and chairman of the AICPA’s regulatory task force that works with the Federal Financial Examination Council, and other members of that group represented the institute—agreed to develop a short letter auditors could present to regulators for their signature when turning over workpapers. The letter, it was hoped, would not only itemize what was being provided but also address some of the accounting profession’s concerns about confidentiality.

After two tries, the regulators and AICPA representatives drafted a letter that specified any workpapers received by regulators would be given to them as part of their regulatory activities. This, in turn, would give those documents confidential status in the event they were solicited by a third party under a Freedom of Information Act request. While that wouldn’t necessarily preclude their release, it would make it harder for that information to be given to outside parties.

By late July, says Baker, he had received no comments from the regulatory agencies on the second draft of the letter, and he was preparing to send it to the AICPA Auditing Standards Board for its consideration. But as of September, only the FDIC had signed off on it.

“One of the problems [in reaching an agreement] is the OTS has rules that differ from the other three banking agencies,” says Doris L. Marsh, CPA, CFA, an examination specialist with the FDIC’s Division of Supervision. “Their rules require workpapers be made available to them for all of their banks, whereas we don’t have that as a rule or statute, except in cases where the institution has assets in excess of $500 million.”


Ever since regulators began filing lawsuits against accounting firms in the aftermath of the savings and loan crisis of the 1980s—four prominent cases produced out-of-court settlements totaling more than $1 billion—CPAs have worried about just whom federal regulators are regulating when they look at workpapers: Is it the banks or their accounting firms? The profession’s anxieties heightened when the 1999 failure of West Virginia’s First National Bank of Keystone prompted federal regulators to step up the frequency with which they asked to see workpapers. The OCC triggered the loudest alarm bells when its chief accountant, Zane D. Blackburn, sent a letter to Baker in the summer of 2000 explaining that the FDIC’s examination staff would begin evaluating “the quality and effectiveness of work performed by external auditors for national banks.” While the OCC ultimately backpedaled on that notice, telling its examiners their reviews were not intended to be audits of auditors, the incident left many CPAs wary.

“The audit profession has a significant role in the capital markets of this country, and we don’t take that responsibility lightly,” says Carol H. Larson, CPA, national audit partner for banking at Deloitte & Touche LLP. “So we subject ourselves to peer reviews in which people with the proper experience and training look at our work. It’s not that we are above having people look at our work, but we have a concern when individuals without an accounting background are making judgments on complex accounting issues.”

Yet Larson, like other audit professionals who are familiar with the issue, concedes workpaper reviews can play an appropriate role in bank supervision today. “Regulators have the same pressures as everyone else,” Larson says. “Budgets and staffing levels are being cut, and they are being asked to be more effective with fewer human and other resources. So just as internal and external auditors, regulators are looking for ways to be more efficient.” For example, in that do-more-with-less environment, she says, having regulators duplicate work already done by either internal or external auditors for a financial institution may not represent the most effective use of the agency’s resources.

“We recently had a case where the FDIC was going to examine a bank as the primary federal regulator for the first time,” observes Dabroski. “It just wanted to get a better understanding of the bank, and wanted to review the workpapers to do that. It made sense.”

For their part, federal regulators insist they have no interest in auditing auditors, but merely want to do their jobs more efficiently. “The primary purpose [of a workpaper review] is examination scoping,” says Timothy Stier, chief accountant for the Office of Thrift Supervision (OTS), which regulates about 1,000 savings and loans. “That means by reviewing what a firm’s external auditors have already done, regulators believe they can better decide where they need to focus their own resources.” FDIC’s Marsh agrees with Stier. “From our standpoint, these [workpaper reviews] have always been an informational tool.”


Exactly what examiners look for in a workpaper review will vary from case to case (see “Tips for CPAs When Regulators ‘Audit the Auditors,’” at the end of this article). Fraud, certainly, remains a concern; regulators want to know what the auditors are doing to detect it and the extent of their review of an institution’s internal controls. That won’t change anytime soon, especially now that there’s been another high-profile bank failure. On July 27, the OTS closed Superior Bank FSB in Hinsdale, Illinois, claiming the bank had become dangerously undercapitalized. The failure is projected to cost taxpayers hundreds of millions of dollars.

“One of our concerns is that some institutions, as part of other cost-cutting activities, have been reducing some of their internal controls and perhaps even some of the review of those controls,” says the OCC’s Blackburn. The agency concluded that workpaper reviews should assess whether the financial institution in question was meeting statutory and regulatory requirements for external audit and audit committee activities, and whether its board had implemented, and was effectively overseeing, an appropriate external audit program.

“Clearly,” says Blackburn, “we are not trying, nor do we believe we have the necessary knowledge, to evaluate external auditors from the viewpoint of whether or not they are following their professional standards.”

“We have the option of referring CPAs for consideration by their state boards of accountancy for some type of review,” says Gerald Edwards, CPA, associate director and chief accountant for the Federal Reserve Board. “But again, our objective in performing a workpaper review is that our examiners can use it, hopefully, as a source of information in designing and conducting their examination of a banking organization. It is not done for the purpose of second-guessing the auditor.”

But bank examiners do not turn a blind eye to auditing work they conclude is dangerously sub-par. “If we run across a situation where there are things we can bring to the attention of the senior audit personnel—GAAS deficiencies—we’ll often set up an informal meeting with the engagement partner upon conclusion of the review and say, ‘Here are some things you yourself might recognize as something that could be improved upon,’ says Stier.“If, on the other hand, we identify deficiencies in the auditor’s methods and procedures that are so serious we don’t think the auditor has any business doing an audit of an insured institution, we would take a much harsher stance and suggest a change in auditors.”

Regulators from the federal agencies that oversee the nation’s financial institutions—the FDIC, the OTS, the OCC, the Federal Reserve and the National Credit Union Association—also reserve the right to report any serious audit deficiencies to the institutions they examine. FDICIA gives federal regulators the authority to remove or suspend a CPA if they believe it is warranted.

If the GAAS deficiencies are severe enough, Stier adds, the OTS might notify the auditing firm of a possible enforcement action against it. At that point, he says, any further review of workpapers would be done only after the OTS had obtained a subpoena to see them. However, reviews for examination-scoping purposes rarely turn into reviews for enforcement purposes. “I would be surprised if this has happened more than one or two times in the 13 years that I’ve been here,” Stier adds. “It’s just exceptionally unusual.”

Regardless of the outcome of a workpaper review, Dabroski says it can be useful for accountants to meet with federal regulators after one has been conducted. Andersen encourages its auditors to arrange these exit interviews so they can clear up any misunderstanding on either side and ensure the examiners’ objectives were met. Once again, cooperation, rather than confrontation, can make the process simpler and less time-consuming for both parties. That’s an objective auditors and regulators alike can agree upon.

Tips for CPAs When Bank Regulators “Audit The Auditors”
W hen CPAs are asked to turn over their workpapers to federal banking regulators they know they must cooperate. To make the exchange of information as efficient as possible, here are some points to bear in mind:

Banking regulators have authority to demand review of auditor workpapers and can subpoena them if necessary.

Open dialogue between auditors and regulators can be helpful in making the review process more efficient and non-confrontational for both parties.

The primary purpose of a workpaper review is examination scoping, in which regulators can better focus their own resources by reviewing what the auditors have already done to avoid duplication. Examinations are not done to second-guess the auditors.

Regulators want assurance that financial institutions have met statutory and regulatory requirements for external audit and audit committee activities.

If regulators find serious audit deficiencies, they can remove or suspend the CPA, recommend a change in auditor to the client institution, refer the matter to a state review board, or institute an enforcement proceeding.

Where to find July’s flipbook issue

The Journal of Accountancy is now completely digital. 





Better decision-making with data analytics

Data analytics has become a hot topic, but many organizations have not yet managed to understand its potential, let alone put it to work. This report will take a deep-dive on how to best introduce or enhance the use of data in decision-making.