Writing internal audit working papers and reports with Obsidian

Look at that computer

I came from a time when internal auditors still worked with their hands … writing cursive internal audit working papers, on paper, binding them all together with binding clips and being subject to a thorough or sometimes not so thorough manager working paper review.

It was on one of these internal audit assignments I saw the first laptop. The senior auditor on the job carried it. It was white and it had Excel, and Word, and as an email client Lotus Notes. It was awesome.

It was also probably the most ineffective way to write good working papers.

As time progressed, we started using more and more computers to document internal audit work. But, what became pretty obvious to me pretty fast was that computers were not necessarily better at helping us write internal audit working papers or internal audit reports for that matter.

Peer review

I’ve done my share of peer reviews and one of the things I find is that the quality of computer documented audits are not necessarily better and usually worse than paper working papers. Because paper forced you to be concise. Computer documentation does not require that at all.

And quite a few audit working papers are still printed out and put in binders, just to be on the safe side. To ensure nothing gets lost. To ensure all the key findings are properly reflected in the report.

So most of the automation has actually led us to document more irrelevant findings and be less concise. That means that the audit costs more and has less added value. And that is a problem.

Which is the main reason my students have always heard me say to start documenting on paper and go electronic only if they are very sure their system is as solid and focused as a paper system would be.

Software evolution

I know that software has evolved a lot. But when packages being sold on the market at very high prices start trying to do everything in one package, including risk based internal audit planning, I start to worry. I’m not that wild about packages that do everything. They tend to be mediocre in each aspect they cover, only selling because they are the only choice on the market.

What should internal audit working paper systems do well?

So let’s perhaps take a look at what internal audit working paper systems need to do well. Let’s perhaps start by defining an internal audit working paper.

An internal audit working paper is a means to demonstrate the internal audit work required was executed in a manner conforming to the standards. They provide both transparancy and accountability.

As an internal auditor, you materialize your work, executed based on the working program, in your working papers.

However, and that is interesting, there are no real internal audit working paper standards that apply. There isn’t a standard that explicitly details what you need to find in internal audit working papers. Documentation is required and how such documentation should be handled is made quite clear, but the auditing standards pretty much tell you to “use your professional judgment” and leave it at that.

So, let’s have a go at what internal audit working papers should do or should provide:

  1. They should show the professional way in which the internal auditor handled the audit;
  2. They should provide adequate documentation of the work from the preparatory phases up to and including the final report;
  3. They need to demonstrate the standards were complied with;
  4. And, last but not least, tney need to support all the findings as put forward in the final audit report.

Now, most of the software packages offered on the market today allow that, but they impose a very strict way of working and they actually force you as an internal auditor in a corset of compliance. And I’m sure that is exactly what you want if you are the CAE of a very large internal audit team of a multinational, but most internal audit teams are not that large. And they do not have the means or the willingness to dedicated 50% of their annual budget to a software.


I was not convinced there would ever be a tool on the market to respond to most of my requirements, and you know what, there still isn’t. But what I found is a tool that is really, really good at one specific thing and supported by a myriad of plug-ins that can create a really good internal audit documentation tool for almost no budget. Let me show you Obsidian.

What is Obsidian

On its website, Obsidian promotes itself as a “powerful knowledge based that works on top of a local folder of plain text Markdown files”. It allows you to “make and follow connections in a frictionless manner.”

It is one of a new breed of note-taking apps which allow for very easy note-taking and connecting of notes.

What is great about Obsidian for internal audit working paper writing?

Obsidian is very easy to get into. Once you understand how to write in Markdown, a html markup language developed by John Gruber, which is very, very easy to master, you can use it to write internal audit working papers. Future posts will show how that is done, I may even attempt a vlog.

Obsidian allows for collaboration. By sharing a folder in which the working papers sit, an audit team can work together on the audit and each document their part.

The working papers are yours and yours alone and will remain accessible. Markdown files are just simple text files. As long as there are computers, your working papers will remain accessible and readable. You are not locked into working with one vendor.

The plugins allow you to import, work with and review external files and directly export your review notes in the working papers.

The wiki-like links allow you to connect each individual working paper to summary papers to the audit report. You can even copy specific paragraphs from a working paper, for example your conclusion, in the summary pages and then link that to the internal audit report itself.

The development team focused on providing a secure syncing solution. A feature not found with two other similar tools, Obsidian’s sync solution, which is optional, allows for secure syncing with your own password. This is essential for confidential audit working papers … and are there any other?

The price is pretty much unbeatable. For 50 USD per user per year for a commercial license you have a price that is hard to beat.

What is missing to make Obsidian the perfect tool for internal audit documentation?

While collaboration is possible if you share a repository, there is a risk of duplication when two people are working on the same working paper. Now, of course, in a well structured audit team that would not happen, but when two people work on the same paper, there is a risk of duplication. Working papers will not get lost, but you may find a working paper and its cousin, only slightly different, with a 1 at the end of the file name.

There is yet a developer to write a plugin to allow for easy linking with and export of comments from Excel. However, this is the case for most software packages and is mostly linked to the proprietary format of Excel. Still, the day someone develops this, I’ll be the first to try it because I still do a lot of work in Excel.

My conclusion

I am not sponsored by Obsidian. For all I know, they don’t even know I use and write about their product. But I believe that without intending to, the developers of Obsidian have developed what could be one of the best tools for internal audit working paper documentation in the market today. With the backlinking features, the easy syncing, the fact it is in essence a tool that is build on markdown files which will remain readable forever and the amazing vibrant community of creative plugin developpers, this is a tool that you should at least explore.

I know it would have found a central place my internal audit workflow had I still been active in the day-to-day profession. I use Obsidian to make my own personal knowledge base … and am very, very pleased with that too.

So go ahead, if you are looking for a good tool, this may just be it.