Audit Data Room: How to Share PBC Files with External Auditors

An audit data room is a secure workspace where a finance team shares PBC documents with external auditors during year-end audits. PBC stands for "prepared by client," the list of supporting documents the audit firm requests from the company being audited. Bank statements, reconciliations, lease agreements, payroll registers, stock ledgers, board minutes, signed contracts, tax filings, and journal entry support all fit under the PBC umbrella.

The term "data room" originally comes from M&A. A physical or virtual room held confidential documents for potential buyers to review. Audit engagements borrowed the concept because the problem is similar: one party needs controlled access to a large volume of sensitive files for a bounded period, and the owner needs to know exactly who looked at what.

An audit data room differs from an M&A data room in a few practical ways. The audience is a known, named audit team instead of a rotating set of prospective bidders. The documents are operational rather than strategic. The timeline recurs every year instead of running once. And the request list grows and changes throughout the engagement as auditors dig into specific accounts.

Plenty of companies still run audits on email and a general-purpose shared drive. It works until it doesn't. The failure modes show up in predictable places.

Version confusion is the first one. A controller emails the auditor a draft reconciliation on Tuesday. The auditor asks a question Wednesday. The controller fixes the file and re-attaches it Thursday. Now there are two versions floating in two inboxes, and nobody is sure which one matches the working paper.

Access control is the second. A shared Google Drive folder is easy to spin up but hard to lock down. Once an auditor leaves the firm or rotates off the engagement, removing their access depends on someone remembering to do it. Many companies discover during the next audit that last year's staff still had read permissions on the working files.

Audit trails are the third. Regulators and internal compliance teams increasingly ask who accessed which file and when. Email threads and Drive activity logs give you a partial answer at best, and they are painful to export.

The fourth is request list drift. Auditors track PBC items in a spreadsheet on their side. The client tracks uploads on their side. The two lists stop matching within a week, and the weekly status call devolves into reconciling them instead of discussing findings.

Run your next audit in a workspace built for external collaborators

Share PBC files with auditors using granular permissions, branded links, and a full audit trail. Start free with 50 GB storage and no credit card.

Sign Up Free

Use this as a starting checklist. The exact contents depend on the audit scope, the industry, and the auditor's methodology, but the categories below cover most year-end financial statement audits.

• Trial balance and general ledger: the current year TB, prior year comparative, and the full GL export in a format the auditor can re-sort and re-total
• Bank and cash: month-end statements, bank reconciliations, and confirmations
• Accounts receivable: aged AR report, customer subledger, allowance for doubtful accounts analysis, and sample invoices with proof of shipment or delivery
• Inventory: stock count sheets, cost roll-ups, lower-of-cost-or-NRV analysis, and cutoff testing support
• Fixed assets: fixed asset register, additions with vendor invoices, disposals, and depreciation schedules
• Accounts payable and accrued liabilities: AP aging, unrecorded liabilities search, vendor statements, and cutoff testing
• Debt: loan agreements, amortization schedules, covenant calculations, and lender confirmations
• Equity: stock ledger, cap table, option grants, and board minutes approving issuances
• Revenue: signed customer contracts, rev rec memos, deferred revenue rollforwards, and samples supporting ASC 606 allocations
• Payroll and HR: payroll registers, 941s, W-2 reconciliation, and benefits accruals
• Leases: lease agreements, ASC 842 schedules, and IBR documentation
• Tax: federal and state returns, tax provision workpapers, and deferred tax support
• Governance: signed board and audit committee minutes, signed management representation letter draft, and conflict-of-interest certifications
• Management analyses: flux analyses, impairment memos, going concern support, and any significant judgments

Big Four audits routinely request 300 to 500 PBC items across these categories, and the request list tends to grow during fieldwork as the audit team follows specific balances into detail. Plan for that growth. A data room sized for the original list will feel cramped by week three.

Mirror the audit workpaper structure, not your internal accounting close structure. Auditors think in leadsheets and testing areas. Mirroring their mental model saves everyone time when an auditor asks "where is the AR confirmation support?" at 4pm on a Friday.

A folder layout that works for most engagements:

/2026-Audit
  /01-General
    Engagement letter
    Prior year financials
    Trial balance and GL
  /02-Cash
  /03-AR
  /04-Inventory
  /05-Fixed-Assets
  /06-Other-Assets
  /07-AP-Accrued
  /08-Debt
  /09-Leases
  /10-Equity
  /11-Revenue
  /12-Payroll
  /13-Tax
  /14-Governance
  /15-Management-Analyses
  /99-Auditor-Requests-During-Fieldwork

The final folder is the release valve. When an auditor asks for something that does not fit cleanly into a leadsheet area, you have a place to park it without breaking the main structure.

Name files with dates and descriptions, not just document types. "2026-03-Bank-Rec-Chase-4421.pdf" beats "Bank Rec.pdf" every time. The auditor searching in two months will thank you.

PBC requests are typically delivered over 4 to 8 weeks during year-end fieldwork. That window breaks into three phases.

Weeks 1 to 2 are the initial upload. The PBC list arrived two or three weeks before fieldwork started. The finance team has been pulling files and loading them. The goal by the end of week 2 is to have 80 percent of the list uploaded, so the audit team can start testing on day one of fieldwork.

Weeks 3 to 5 are the question-and-response phase. Auditors are testing balances and finding follow-up items. "Can you pull the invoice supporting this JE?" or "We need the vendor contract for this accrual." Turnaround on these matters. A 24-hour response time keeps the audit on schedule. A 4-day response time adds a week to fieldwork.

Weeks 6 to 8 are the closing items. Management representation letters, subsequent events memos, legal confirmations, and final adjusting entries. These items tend to cluster near report issuance and generate the most signature tracking.

Set expectations early about response times and channels. One coordinator on the client side owns the tracker. One senior on the audit side owns the request list. All new requests go through those two people. When requests come in over email from a staff auditor directly to a staff accountant, things fall through the cracks.

Most companies already have Box, SharePoint, Dropbox, or Google Drive. Any of these can serve as an audit data room if you set permissions carefully and build discipline around the folder structure. They work especially well for smaller audits where the PBC list is under 150 items.

For larger engagements, a purpose-built audit portal or a workspace platform with granular permissions and an audit trail pays for itself in time saved on the close. Fast.io fits here. It is a shared workspace platform with folder, file, and workspace-level permissions, branded share links for external auditors, and a full audit trail of who accessed which file and when. The granular permission model is the part that matters for audits: you can give the engagement partner access to everything, give a staff auditor access only to the AR folder, and revoke both on the day the audit opinion is issued.

A few practical notes on running an audit in Fast.io:

• Create a workspace per audit year. "2026-Audit" is a workspace, not a folder inside a general finance workspace. This keeps year-over-year separation clean and makes archival simple.
• Use branded Receive links for auditor uploads. When the auditor needs to send back signed confirmations or a redacted workpaper, a Receive link drops the file into a designated folder without giving them write access to anything else.
• Turn on Intelligence Mode on the audit workspace if you expect a lot of "can you find the contract that mentions X" questions. Files get indexed automatically, and the controller can answer questions by searching semantic content rather than scrolling through folders.
• Export the audit trail at the end of the engagement. The file access log becomes part of the audit package and answers any later questions about who saw what.
• On the free agent tier you get 50 GB of storage, which is enough for a small to mid-sized audit with document-heavy support. Larger engagements with scanned invoices or video evidence will want a paid plan.

Fast.io is one option among several. Evaluate it against Box, Dropbox, Google Drive, and ShareFile based on your existing stack and the size of your audit.

A few patterns show up on nearly every audit that ran poorly.

Mixing the audit data room with day-to-day finance files. The controller uploads the bank rec to the monthly close folder, and separately re-uploads it to the audit folder. Now there are two copies, and when the close folder gets an update, the audit folder does not. Pick one home for audit artifacts and link to it from the close folder if you need a pointer.

Using a single shared login. Pooling the audit team behind one account destroys the audit trail. Each person on each side should have a named account.

Emailing files outside the data room. The moment a file leaves the controlled environment, you lose the audit trail and the version control. Adopt a rule: if it is relevant to the audit, it goes in the data room, and the email references the data room link.

Forgetting to close out access. On the day the opinion is issued, run through every account with access and revoke the ones that no longer need it. The easiest way is a workspace-level access review, which takes five minutes if the permission model was clean from the start.