Your work papers are the internal set of documentation that houses all of the relevant information about the audit. It is the evidence and justification of your activities and conclusions. It should walk a reasonably competent IS auditor through your process in a sufficient amount of detail that would enable them to agree with your approach and directions and draw the same conclusions related to the findings and their relative materiality. If a legal case were ever to be brought against the auditee, you should be aware that the regulators can and have subpoenaed internal auditors' work papers into court. Work papers have the following basic sections:
Cover sheet with history and signoff
Key audit documents
Planning and risk assessment
Whether the work papers are hard copy or electronic, they will have this basic structure. With IS audits it is often more convenient or practical to gather evidence in a electronic fashion, but storing, retrieving, and proving the integrity of the gathered information needs to be considered when using electronic evidence. It is often difficult to produce a completely electronic set of work papers, but scanning and converting all of the paper-based documents is acceptable. Many regulators still find comfort is seeing information in writing in an ink-signed document when they are considering matters that are officially presented. It may take some time before this ...