Table of Contents

• How to Get Workpapers Right

• The Best Audit Workpapers “Stand Alone,” But Only …

• Bottom-Line

• Workpaper Template

How to Get Workpapers Right

It doesn’t help much to be compliant if you’re not provably compliant. So GRC Analysts with portfolios of controls to assess spend a lot of time creating detailed records of their work performed, called “workpapers.”

It’s important to get workpapers right since they’re reviewed by your manager, Quality Assurance teams and potentially other groups looking to meet deadlines and have a solid basis for compliance attestations. They want you to include clear evidence of three things:

1. What you did

2. What you found

3. What you concluded

Since you’re writing for others here, it's important to be neat and consistent in how you present things. Templates help and are are common, and I’ve included an example below.

The Best Audit Workpapers “Stand Alone,” But Only Include What’s Necessary

In practice I’ve seen this much more in accounting than cybersecurity, but ideally every workpaper should stand alone. That means comprehensive and self-sufficient, containing all the necessary information and evidence to support its conclusions without requiring additional context or you to be in the room explaining things to the reviewer.

But the most important thing is to include only what's necessary. Tell the reader what you did, what you found, and what you concluded. Resist the temptation to include other stuff that happens to be interesting or that caught your attention. Unnecessary workpaper content wastes your time and the reader's. Worse still, they may open up lines of inquiry that are irrelevant to the audit at hand.

Bottom-Line

If you make your workpapers complete, clear and include only what matters, you make it easy for others to understand the work you've done, which leads to great GRC outcomes. Get after it with the template below and let me know what you think!

Workpaper Template