The Engagement File Is the Audit: What Canada's New Firm-by-Firm Inspections Reveal

There is an old discipline in auditing: if it is not documented, it did not happen. An auditor can do brilliant, skeptical, thorough work, but if the engagement file does not show that work - the evidence gathered, the judgments made, the review performed - then to an inspector, a regulator, or a court years later, it effectively did not occur. The engagement file is not paperwork that follows the audit; in every way that counts, the file is the audit. And that has just become a great deal more public.

For most of its history, audit inspection in Canada happened largely behind closed doors. Firms learned their results; the public saw aggregates. That has changed. With regulators now naming names and publishing firm-by-firm results, the quality of a firm's engagement records is no longer an internal matter - it is a comparative, reputational one. A deficiency is, in the regulator's language, a failure to obtain sufficient appropriate evidence to support the opinion. Strip away the jargon and most deficiencies are a records problem: the work may have been done, but the file did not prove it, supervise it, or preserve the review.

Recent context

Canada crossed a transparency line this year. In March 2026 the audit watchdog CPAB published its first firm-specific inspection reports, and the spread was visible: across files inspected in the 2025 cycle, significant-finding rates ran from roughly 8% at Deloitte (1 of 13 files) to about 21% at KPMG (5 of 24), with PwC and EY in between. CPAB and CPA Canada have repeatedly flagged audit documentation, supervision and review as a persistent area for improvement - precisely the part of an audit that lives or dies on the file.

Why this is a records problem, not just a quality one

It is tempting to read inspection findings as a verdict on professional judgment. Usually they are something more fixable: a verdict on whether the firm could show its judgment. Documentation, supervision and review are the three pillars that recur in findings, and all three are functions of how the engagement record is built and kept. Was the evidence captured and linked to the conclusion? Did the reviewer's sign-off happen, and can you prove when? Is the final file locked and complete, or still scattered across drafts and inboxes? A firm with a disciplined, single engagement record answers those questions instantly. A firm without one is reconstructing its own audit under inspection - the worst possible time to discover a gap.

How XNM helps

XNM helps accounting and audit firms hold the engagement record in one auditable command centre - evidence, working papers, supervision notes, review sign-offs and the final, locked file, organized by engagement and access-controlled. Where it helps, the XNM-Vision platform makes documentation, supervision and review traceable by design, so a firm walks into an inspection - or a malpractice claim years later - with the file already assembled rather than reconstructed. It gives quality leaders a portfolio view across engagements, so a thin file is visible before an inspector finds it. And because it deploys in days rather than the months a records project usually takes, a firm can close the gap ahead of the next inspection cycle, not after it.

Practical takeaways

1. Document as if it is the audit - because it is. Work an inspector cannot see in the file is work that, for their purposes, did not happen.

2. Make supervision and review provable. A sign-off you cannot evidence with a date and a record is the deficiency most likely to recur.

3. Lock the final engagement file. An archived, complete, tamper-evident file is your best defence against both an inspection and a future claim.

4. Watch quality at the portfolio level. A thin file is far cheaper to fix when your own review finds it than when an inspector does.

5. Assume your results will be public. Firm-by-firm transparency makes records discipline a reputational asset, not just a compliance one.

FAQ

Our auditors do strong work. Why focus on the file rather than the audit itself?

Because to an inspector or a court, the file is the only evidence the work happened. Strong judgment that the record cannot demonstrate is indistinguishable, after the fact, from work that was never done. Protecting the file is how you protect the quality you already deliver.

We use audit software with working-paper templates. Isn't documentation already covered?

Templates help structure a file; they do not guarantee it is complete, supervised, reviewed and locked - the things inspections actually flag. The recurring gaps are in governance of the record: traceable review, preserved sign-offs, a final file that cannot be quietly edited. That is the layer most firms still need to tighten.

The bottom line

Now that audit results are published firm by firm, the quality of an engagement file is a public, comparative measure of a firm's standing. The deficiencies that keep recurring - documentation, supervision, review - are records problems wearing a quality label. The firms that come out ahead in this new transparency are the ones whose engagement records already prove the work, every time. In audit, the file is not evidence of the work. It is the work.