3.01 This chapter establishes general standards and provides guidance for performing financial audits, attestation engagements, and performance audits under generally accepted government auditing standards (GAGAS). (See chapter 6 for an additional general standard applicable only to attestation engagements.) These general standards, along with the overarching ethical principles presented in chapter 2, establish a foundation for credibility of auditors' work. These general standards emphasize the independence of the audit organization and its individual auditors; the exercise of professional judgment in the performance of work and the preparation of related reports; the competence of audit staff; audit quality control and assurance; and external peer reviews.
3.02 In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence.
3.03 Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.
3.04 When evaluating whether independence impairments exist either in fact or appearance with respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence--personal, external, and organizational.20 If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work--except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement. (See paragraphs 1.12 and 1.13.)
3.05 When auditors use the work of a specialist,21 auditors should assess the specialist's ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit. If the specialist's independence is impaired, auditors should not use the work of that specialist.
3.06 If an impairment to independence is identified after the audit report is issued, the audit organization should assess the impact on the audit. If the audit organization concludes that it did not comply with GAGAS, it should determine the impact on the auditors' report and notify entity management, those charged with governance, the requesters, or regulatory agencies that have jurisdiction over the audited entity and persons known to be using the audit report about the independence impairment and the impact on the audit. The audit organization should make such notifications in writing.
3.07 Auditors participating on an audit assignment must be free from personal impairments to independence.22 Personal impairments of auditors result from relationships or beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Individual auditors should notify the appropriate officials within their audit organizations if they have any personal impairment to independence. Examples of personal impairments of individual auditors include, but are not limited to, the following:
a. immediate family or close family member23 who is a director or officer of the audited entity, or, as an employee of the audited entity, is in a position to exert direct and significant influence over the entity or the program under audit;
b. financial interest that is direct, or is significant/material though indirect, in the audited entity or program;24
c. responsibility for managing an entity or making decisions that could affect operations of the entity or program being audited; for example, serving as a director, officer, or other senior position of the entity, activity, or program being audited, or as a member of management in any decision making, supervisory, or ongoing monitoring function for the entity, activity, or program under audit;
d. concurrent or subsequent performance of an audit by the same individual who maintained the official accounting records when such services involved preparing source documents or originating data, in electronic or other form; posting transactions (whether coded by management or not coded); authorizing, executing, or consummating transactions (for example, approving invoices, payrolls, claims, or other payments of the entity or program being audited); maintaining an entity's bank account or otherwise having custody of the audited entity's funds; or otherwise exercising authority on behalf of the entity, or having authority to do so;
f. biases, including those resulting from political, ideological, or social convictions that result from membership or employment in, or loyalty to, a particular type of policy, group, organization, or level of government; and
3.08 Audit organizations and auditors may encounter many different circumstances or combinations of circumstances that could create a personal impairment. Therefore, it is impossible to identify every situation that could result in a personal impairment. Accordingly, audit organizations should include as part of their quality control system procedures to identify personal impairments and help ensure compliance with GAGAS independence requirements. At a minimum, audit organizations should
3.09 When the audit organization identifies a personal impairment to independence prior to or during an audit, the audit organization should take action to resolve the impairment in a timely manner. In situations in which the personal impairment is applicable only to an individual auditor or a specialist on a particular audit, the audit organization may be able to eliminate the personal impairment. For example, the audit organization could remove that auditor or specialist from any work on that audit or require the auditor or specialist to eliminate the cause of the personal impairment. If the personal impairment cannot be eliminated, the audit organization should withdraw from the audit. In situations in which auditors employed by government entities cannot withdraw from the audit, they should follow paragraph 3.04.
3.10 Audit organizations must be free from external impairments to independence. Factors external to the audit organization may restrict the work or interfere with auditors' ability to form independent and objective opinions, findings, and conclusions. External impairments to independence occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organizations. For example, under the following conditions, auditors may not have complete freedom to make an independent and objective judgment, thereby adversely affecting the audit:
a. external interference or influence that could improperly limit or modify the scope of an audit or threaten to do so, including exerting pressure to inappropriately reduce the extent of work performed in order to reduce costs or fees;
3.11 Audit organizations should include policies and procedures for identifying and resolving external impairments as part of their quality control system for compliance with GAGAS independence requirements.
3.12 The ability of audit organizations in government entities to perform work and report the results objectively can be affected by placement within government, and the structure of the government entity being audited. Whether reporting to third parties externally or to top management within the audited entity internally, audit organizations must be free from organizational impairments to independence with respect to the entities they audit. Impairments to organizational independence result when the audit function is organizationally located within the reporting line of the areas under audit or when the auditor is assigned or takes on responsibilities that affect operations of the area under audit.
3.13 External audit organizations can be presumed to be free from organizational impairments to independence when the audit function is organizationally placed outside the reporting line of the entity under audit and the auditor is not responsible for entity operations. Audit organizations in government entities can meet the requirement for organizational independence in a number of ways and may be presumed to be free from organizational impairments to independence from the audited entity if the audit organization is
c. appointed by someone other than a legislative body, so long as the appointment is confirmed by a legislative body and removal from the position is subject to oversight or approval by a legislative body,25 and reports the results of audits to and is accountable to a legislative body; or
d. appointed by, accountable to, reports to, and can only be removed by a statutorily created governing body, the majority of whose members are independently elected or appointed and come from outside the organization being audited.
3.15 In addition to the presumptive criteria in paragraphs 3.13 and 3.14, GAGAS recognize that there may be other organizational structures under which audit organizations in government entities could be considered to be free from organizational impairments and thereby be considered organizationally independent for reporting externally. These structures provide safeguards to prevent the audited entity from interfering with the audit organization's ability to perform the work and report the results impartially. For an external audit organization to be considered free from organizational impairments under a structure different from the ones listed in paragraphs 3.13 and 3.14, the audit organization should have all of the following safeguards. In such situations, the audit organization should document how each of the following safeguards were satisfied and provide the documentation to those performing quality control monitoring and to the external peer reviewers to determine whether all the necessary safeguards have been met.
b. statutory protections that require that if the head of the audit organization is removed from office, the head of the agency report this fact and the reasons for the removal to the legislative body;
d. statutory protections that prevent the audited entity from interfering with audit reporting, including the findings and conclusions or the manner, means, or timing of the audit organization's reports;
g. statutory access to records and documents related to the agency, program, or function being audited and access to government officials or other individuals as needed to conduct the audit.26
3.16 Certain federal, state, or local government entities employ auditors to work for management of the audited entities. These auditors may be subject to administrative direction from persons involved in the entity management process. Such audit organizations are internal audit functions and are encouraged to use the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing in conjunction with GAGAS. Under GAGAS, a government internal audit function can be presumed to be free from organizational impairments to independence for reporting internally if the head of the audit organization meets all of the following criteria:
3.18 When internal audit organizations that are free of organizational impairments perform audits of external parties such as auditing contractors or outside party agreements, and no personal or external impairments exist, they may be considered independent of the audited entities and free to report objectively to the heads or deputy heads of the government entities to which they are assigned, to those charged with governance, and to parties outside the organizations in accordance with applicable law, rule, regulation, or policy.
3.19 The internal audit organization should document the conditions that allow it to be considered free of organizational impairments to independence for internal reporting and provide the documentation to those performing quality control monitoring and to the external peer reviewers to determine whether all the necessary safeguards have been met.
3.20 Audit organizations at times may perform other professional services (nonaudit services) that are not performed in accordance with GAGAS. Audit organizations that provide nonaudit services must evaluate whether providing the services creates an independence impairment either in fact or appearance with respect to entities they audit.27 Based on the facts and circumstances, professional judgment is used in determining whether a nonaudit service would impair an audit organization's independence with respect to entities it audits.
3.21 Audit organizations in government entities generally have broad audit responsibilities and, therefore, should establish policies and procedures for accepting engagements to perform nonaudit services so that independence is not impaired with respect to entities they audit. (See appendix I, paragraphs A3.02 and A3.03 for examples of nonaudit services that are generally specific to audit organizations in government entities that generally do not impair the organizations' independence with respect to the entities it audits and, therefore, do not require compliance with the supplemental safeguards described in paragraph 3.30.) Independent public accountants may provide audit and nonaudit services (commonly referred to as consulting) under contractual commitments to an entity and should determine whether nonaudit services they have provided or are committed to provide have a significant or material effect on the subject matter of the audits.
3.22 The following two overarching principles apply to auditor independence when assessing the impact of performing a nonaudit service for an audited program or entity: (1) audit organizations must not provide nonaudit services that involve performing management functions or making management decisions and (2) audit organizations must not audit their own work or provide nonaudit services in situations in which the nonaudit services are significant or material to the subject matter of the audits.28
3.23 In considering whether audits performed by the audit organization could be significantly or materially affected by the nonaudit service, audit organizations should evaluate (1) ongoing audits; (2) planned audits; (3) requirements and commitments for providing audits, which includes laws, regulations, rules, contracts, and other agreements; and (4) policies placing responsibilities on the audit organization for providing audit services.
3.24 If requested29 to perform nonaudit services that would impair the audit organization's ability to meet either or both of the overarching independence principles for certain types of audit work, the audit organization should inform the requestor and the audited entity that performing the nonaudit service would impair the auditors' independence with regard to subsequent audit or attestation engagements.
3.25 Nonaudit services generally fall into one of the following categories (see appendix I, paragraphs A3.02 and A3.03 for examples of nonaudit services that are generally unique to audit organizations in government entities):
a. Nonaudit services that do not impair the audit organization's independence with respect to the entities it audits and, therefore, do not require compliance with the supplemental safeguards in paragraph 3.30. (See paragraphs 3.26 and 3.27.)
b. Nonaudit services that would not impair the audit organization's independence with respect to the entities it audits as long as the audit organization complies with the supplemental safeguards in paragraph 3.30. (See paragraph 3.28.)
3.26 Nonaudit services in which auditors provide technical advice based on their technical knowledge and expertise do not impair auditor independence with respect to entities they audit and do not require the audit organization to apply the supplemental safeguards. However, auditor independence would be impaired if the extent or nature of the advice resulted in the auditors' making management decisions or performing management functions.
c. providing targeted and limited technical advice to the audited entity and management to assist them in activities such as (1) answering technical questions or providing training, (2) implementing audit recommendations, (3) implementing internal controls, and (4) providing information on good business practices.
a. providing basic accounting assistance limited to services such as preparing draft financial statements that are based on management's chart of accounts and trial balance and any adjusting, correcting, and closing entries that have been approved by management; preparing draft notes to the financial statements based on information determined and approved by management; preparing a trial balance based on management's chart of accounts; maintaining depreciation schedules for which management has determined the method of depreciation, rate of depreciation, and salvage value of the asset (If the audit organization has prepared draft financial statements and notes and performed the financial statement audit, the auditor should obtain documentation from management in which management acknowledges the audit organization's role in preparing the financial statements and related notes and management's review, approval, and responsibility for the financial statements and related notes in the management representation letter. The management representation letter that is obtained as part of the audit may be used for this type of documentation.);
b. providing payroll services when payroll is not material to the subject matter of the audit or to the audit objectives. Such services are limited to using records and data that have been approved by entity management;
c. providing appraisal or valuation services limited to services such as reviewing the work of the entity or a specialist employed by the entity where the entity or specialist provides the primary evidence for the balances recorded in financial statements or other information that will be audited; valuing an entity's pension, other post-employment benefits, or similar liabilities provided management has determined and taken responsibility for all significant assumptions and data;
d. preparing an entity's indirect cost proposal30 or cost allocation plan provided that the amounts are not material to the financial statements and management assumes responsibility for all significant assumptions and data;
e. providing advisory services on information technology limited to services such as advising on system design, system installation, and system security if management, in addition to the safeguards in paragraph 3.30, acknowledges responsibility for the design, installation, and internal control over the entity's system and does not rely on the auditors' work as the primary basis for determining (1) whether to implement a new system, (2) the adequacy of the new system design, (3) the adequacy of major design changes to an existing system, and (4) the adequacy of the system to comply with regulatory or other requirements;
f. providing human resource services to assist management in its evaluation of potential candidates when the services are limited to activities such as serving on an evaluation panel of at least three individuals to review applications or interviewing candidates to provide input to management in arriving at a listing of best qualified applicants to be provided to management; and
3.29 Compliance with supplemental safeguards will not overcome independence impairments in this category. By their nature, certain nonaudit services directly support the entity's operations and impair the audit organization's ability to meet either or both of the overarching independence principles in paragraph 3.22 for certain types of audit work. Examples of the types of services under this category include the following:
g. recommending a single individual for a specific position that is key to the entity or program under audit, otherwise ranking or influencing management's selection of the candidate, or conducting an executive search or a recruiting program for the audited entity;
m. serving as voting members of an entity's management committee or board of directors, making policy decisions that affect future direction and operation of an entity's programs, supervising entity employees, developing programmatic policy, authorizing an entity's transactions, or maintaining custody of an entity's assets.31
3.30 Performing nonaudit services described in paragraph 3.28 will not impair independence if the overarching independence principles stated in paragraph 3.22 are not violated. For these nonaudit services, the audit organization should comply with each of the following safeguards:
b. establish in writing an understanding with the audited entity regarding the objectives, scope of work, and product or deliverables of the nonaudit service; and management's responsibility for (1) the subject matter of the nonaudit services, (2) the substantive outcomes of the work, and (3) making any decisions that involve management functions related to the nonaudit service and accepting full responsibility for such decisions;
c. exclude personnel who provided the nonaudit services from planning, conducting, or reviewing audit work in the subject matter of the nonaudit service;32 and
3.32 Professional judgment includes exercising reasonable care and professional skepticism. Reasonable care concerns acting diligently in accordance with applicable professional standards and ethical principles. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of evidence. Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty. Believing that management is honest is not a reason to accept less than sufficient, appropriate evidence.
3.33 Using the auditors' professional knowledge, skills, and experience to diligently perform, in good faith and with integrity, the gathering of information and the objective evaluation of the sufficiency and appropriateness of evidence is a critical component of audits. Professional judgment and competence are interrelated because judgments made are dependent upon the auditors' competence.
3.34 Professional judgment represents the application of the collective knowledge, skills, and experiences of all the personnel involved with an assignment, as well as the professional judgment of individual auditors. In addition to personnel directly involved in the audit, professional judgment may involve collaboration with other stakeholders, outside experts, and management in the audit organization.
3.35 Using professional judgment in all aspects of carrying out their professional responsibilities, including following the independence standards, maintaining objectivity and credibility, assigning competent audit staff to the assignment, defining the scope of work, evaluating and reporting the results of the work, and maintaining appropriate quality control over the assignment process is essential to performing and reporting on an audit.
3.36 Using professional judgment is important in determining the required level of understanding of the audit subject matter and related circumstances. This includes consideration about whether the audit team's collective experience, training, knowledge, skills, abilities, and overall understanding are sufficient to assess the risks that the subject matter under audit may contain a significant inaccuracy or could be misinterpreted.
3.37 Considering the risk level of each assignment, including the risk that they may come to an improper conclusion is another important issue. Within the context of audit risk, exercising professional judgment in determining the sufficiency and appropriateness of evidence to be used to support the findings and conclusions based on the audit objectives and any recommendations reported is an integral part of the audit process.
3.39 While this standard places responsibility on each auditor and audit organization to exercise professional judgment in planning and performing an audit or attestation engagement, it does not imply unlimited responsibility, nor does it imply infallibility on the part of either the individual auditor or the audit organization. Absolute assurance is not attainable because of the nature of evidence and the characteristics of fraud. Professional judgment does not mean eliminating all possible limitations or weaknesses associated with a specific audit, but rather identifying, considering, minimizing, mitigating, and explaining them.
3.41 The audit organization's management should assess skill needs to consider whether its workforce has the essential skills that match those necessary to fulfill a particular audit mandate or scope of audits to be performed. Accordingly, audit organizations should have a process for recruitment, hiring, continuous development, assignment, and evaluation of staff to maintain a competent workforce. The nature, extent, and formality of the process will depend on various factors such as the size of the audit organization, its structure, and its work.
3.42 Competence is derived from a blending of education and experience. Competencies are not necessarily measured by years of auditing experience because such a quantitative measurement may not accurately reflect the kinds of experiences gained by an auditor in any given time period. Maintaining competence through a commitment to learning and development throughout an auditor's professional life is an important element for auditors. Competence enables an auditor to make sound professional judgments.
3.43 The staff assigned to conduct an audit or attestation engagement under GAGAS must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. The staff assigned to a GAGAS audit or attestation engagement should collectively possess
3.44 Auditors performing financial audits should be knowledgeable in generally accepted accounting principles (GAAP), the American Institute of Certified Public Accountants (AICPA) generally accepted auditing standards for field work and reporting and the related Statements on Auditing Standards (SAS), and the application of these standards. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards. Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants or persons working for a licensed certified public accounting firm or a government auditing organization.33
3.45 Similarly, for attestation engagements, GAGAS incorporate the AICPA attestation standards. Auditors should be knowledgeable in the AICPA general attestation standard related to criteria, the AICPA attestation standards for field work and reporting, and the related Statements on Standards for Attestation Engagements (SSAE), and they should be competent in applying these standards and SSAE to the task assigned. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards.
Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. For auditors who are involved in any amount of planning, directing, or reporting on GAGAS assignments and those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every
CPE programs are structured educational activities with learning objectives designed to maintain or enhance participants' knowledge, skills, and abilities in areas applicable to performing audits or attestation engagements. Determining what subjects are appropriate for individual auditors to satisfy both the
3.48 Improving their own competencies and meeting CPE requirements are primarily the responsibilities of individual auditors. The audit organization should have quality control procedures to help ensure that auditors meet the continuing education requirements, including documentation of the CPE completed. The Government Accountability Office (GAO) has developed guidance pertaining to CPE requirements to assist auditors and audit organizations in exercising professional judgment in complying with the CPE requirements.34
3.49 External specialists assisting in performing a GAGAS assignment should be qualified and maintain professional competence in their areas of specialization but are not required to meet the GAGAS CPE requirements described. However, auditors who use the work of external specialists should assess the professional qualifications of such specialists and document their findings and conclusions. Internal specialists who are part of the audit organization and perform as a member of the audit team should comply with GAGAS, including the CPE requirements.
a. establish a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and
b. have an external peer review at least once every 3 years.35
3.51 An audit organization's system of quality control encompasses the audit organization's leadership, emphasis on performing high quality work, and the organization's policies and procedures designed to provide reasonable assurance of complying with professional standards and applicable legal and regulatory requirements.36 The nature, extent, and formality of an audit organization's quality control system will vary based on the audit organization's circumstances, such as the audit organization's size, number of offices and geographic dispersion, the knowledge and experience of its personnel, the nature and complexity of its audit work, and cost-benefit considerations.
3.52 Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization's compliance with its quality control policies and procedures. The form and content of such documentation are a matter of professional judgment and will vary based on the audit organization's circumstances.
a. Leadership responsibilities for quality within the audit organization: Policies and procedures that designate responsibility for quality of audits and attestation engagements performed under GAGAS and communication of policies and procedures relating to quality. Such policies and communications encourage a culture that recognizes that quality is essential in performing GAGAS audits.
b. Independence, legal, and ethical requirements: Policies and procedures designed to provide reasonable assurance that the audit organization and its personnel maintain independence, and comply with applicable legal and ethical requirements.37
c. Initiation,38 acceptance, and continuance of audit and attestation engagements: Policies and procedures for the initiation, acceptance, and continuance of audit and attestation engagements, designed to provide reasonable assurance that the audit organization will undertake audit engagements only if it can comply with professional standards and ethical principles and is acting within the legal mandate or authority of the audit organization.
d. Human resources: Policies and procedures designed to provide the audit organization with reasonable assurance that it has personnel with the capabilities and competence to perform its audits in accordance with professional standards and legal and regulatory requirements.39
e. Audit and attestation engagement performance, documentation, and reporting: Policies and procedures designed to provide the audit organization with reasonable assurance that audits and attestation engagements are performed and reports are issued in accordance with professional standards and legal and regulatory requirements. (For financial audits, chapters 1 through 5 apply; for attestation engagements, chapters 1 through 3 and 6 apply; for performance audits, chapters 1 through 3 and 7 and 8 apply.)
f. Monitoring of quality: An ongoing, periodic assessment of work completed on audits and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice. The purpose of monitoring compliance with quality control policies and procedures is to provide an evaluation of (1) adherence to professional standards and legal and regulatory requirements, (2) whether the quality control system has been appropriately designed, and (3) whether quality control policies and procedures are operating effectively and complied with in practice. Monitoring procedures will vary based on the audit organization's facts and circumstances. The audit organization should perform monitoring procedures that enable it to assess compliance with applicable professional standards and quality control policies and procedures for GAGAS audits. Individuals performing monitoring should collectively have sufficient expertise and authority for this role.
3.54 The audit organization should analyze and summarize the results of its monitoring procedures at least annually, with identification of any systemic issues needing improvement, along with recommendations for corrective action. (Under GAGAS, reviews of the work and the report that are performed as part of supervision are not monitoring controls when used alone. However, these types of pre-issuance reviews may be used as a part of this analysis and summary.)
3.55 Audit organizations performing audits and attestation engagements in accordance with GAGAS must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years.40
3.56 The audit organization should obtain an external peer review sufficient in scope to provide a reasonable basis for determining whether, for the period under review,41 the reviewed audit organization's system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards.
e. interviews with a selection of the reviewed audit organization's professional staff at various levels to assess their understanding of and compliance with relevant quality control policies and procedures.
The peer review team should perform a risk assessment to help determine the number and types of engagements to select. Based on the risk assessment, the team should use one or a combination of the following approaches to selecting individual audits and attestation engagements for review: (1) select GAGAS audits and attestation engagements that provide a reasonable cross-section of the GAGAS assignments performed by the reviewed audit organization or
b. an opinion on whether the system of quality control of the reviewed audit organization's audit and/or attestation engagement practices was adequately designed and complied with during the period reviewed to provide the audit organization with reasonable assurance of conforming with applicable professional standards;
d. for modified or adverse opinions,43 a description of reasons for the modification or adverse opinion, along with a detailed description of the findings and recommendations, in the peer review report, to enable the reviewed audit organization to take appropriate actions; and
b. The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its staff, and the audits and attestation engagements selected for the peer review.
c. The review team collectively has sufficient knowledge of how to perform a peer review. Such knowledge may be obtained from on-the-job training, training courses, or a combination of both. Having personnel on the peer review team with prior experience on a peer review or internal inspection team is desirable.
3.61 An external audit organization44 should make its most recent peer review report45 publicly available; for example, by posting the peer review report on an external Web site or to a publicly available file designed for public transparency of peer review results. If neither of these options is available to the audit organization, then it should use the same transparency mechanism it uses to make other information public, and also provide the peer review report to others upon request. Internal audit organizations that report internally to management should provide a copy of the external peer review report to those charged with governance. Government audit organizations should also communicate the overall results and the availability of their external peer review reports to appropriate oversight bodies.
3.62 Information in external peer review reports and letters of comment may be relevant to decisions on procuring audit or attestation engagements. Therefore, audit organizations seeking to enter into a contract to perform an audit or attestation engagement in accordance with GAGAS should provide the following to the party contracting for such services:
3.63 Auditors who are using another audit organization's work should request a copy of the audit organization's latest peer review report and any letter of comment, and the audit organization should provide these documents when requested. (See paragraphs 3.05 and 7.41 through 7.43 for further requirements and guidance on using the work of others.)
20. Awareness and compliance with other independence standards and applicable ethics laws and regulations associated with their activities may also be required for auditors performing work in accordance with GAGAS.
21. Specialists to whom this section applies include, but are not limited to, actuaries, appraisers, attorneys, engineers, environmental consultants, medical professionals, statisticians, and geologists.
22. This includes those who review the work or the report, and all others within the audit organization who can directly influence the outcome of the audit. The period covered includes the period covered by the audit and the period in which the audit is being performed and reported.
24. Auditors are not precluded from auditing pension plans that they participate in if (1) the auditor has no control over the investment strategy, benefits, or other management issues associated with the pension plan and (2) the auditor belongs to such pension plan as part of his/her employment with the audit organization, provided that the plan is normally offered to all employees in equivalent employment positions.
25. Legislative bodies may exercise their confirmation powers through a variety of means so long as they are involved in the approval of the individual to head the audit organization. This involvement can be demonstrated by approving the individual after the appointment or by initially selecting or nominating an individual or individuals for appointment by the appropriate authority.
27. The Government Accountability Office (GAO) has issued further guidance in the form of questions and answers to assist in implementation of the standards associated with nonaudit services. This guidance, Government Auditing Standards: Answers to Independence Standard Questions, GAO-02-870G (Washington, D.C.: June 2002), can be found on GAO's Government Auditing Standards Web page ( http://www.gao.gov/govaud/ybk01.htm ).
30. The Office of Management and Budget (OMB) prohibits an auditor who prepared the entity's indirect cost proposal from conducting the required audit when indirect costs recovered by the entity during the prior year exceeded $1 million under OMB Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations, Subpart C.305(b), revised June 27, 2003.
31. Entity assets are intended to include all of the entity's property including bank accounts, investment accounts, inventories, equipment, or other assets owned, leased, or otherwise in the entity's possession, and financial records, both paper and electronic.
33. Public accountants licensed on or before December 31, 1970, or persons working for a public accounting firm licensed on or before December 31, 1970, are also considered qualified under this standard.
This guidance, Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education,
(Washington, D.C.: April 2005), can be found on GAO's Government Auditing Standards Web page (
35. An audit organization's noncompliance with the peer review requirements (paragraph 3.50b and 3.55 through 3.60) results in a modified GAGAS compliance statement. The audit organization's compliance (or noncompliance) with the requirements for a system of quality control in paragraphs 3.50a and 3.51 through 3.54 are tested and reported on as part of the peer review process and do not impact the GAGAS compliance statement. (See chapter 1, paragraphs 1.11 through 1.13.)
36. The system of quality control discussed in this section is consistent with the AICPA proposed statement on Quality Control Standards, A Firm's System of Quality Control, except that the GAGAS requirements in paragraph 3.54 state that reviews of the work and the report that are performed as part of supervision are not monitoring controls when used alone.
37. See paragraphs 3.02 through 3.30 for GAGAS dealing with independence. See chapter 2 for GAGAS ethical principles. Individual auditors who are members of professional organizations or are licensed or certified professionals may also be subject to ethical requirements of those professional organizations or licensing bodies. Auditors in government entities may also be subject to government ethics laws and regulations.
Government audit organizations initiate audit and attestation engagements as a result of (1) the audit organization's discretion,
40. The external peer review requirement is effective within 3 years from the date an audit organization begins field work on its first assignment in accordance with GAGAS for both financial audit practices and performance audit practices. Generally, the deadlines for peer review reports are established by the entity that administers the peer review program. Extensions of the deadlines for submitting the peer review report exceeding 3 months beyond the due date are granted by the entity that administers the peer review program and GAO.
42. The second approach is generally applicable to audit organizations that perform only a small number of GAGAS audits in relation to other types of audits. In these cases, one or more GAGAS audits may represent more than what would be selected when looking at a cross-section of the audit organization's work as a whole.
43. A modified opinion is an opinion in which the peer reviewer concludes that except for the effects of deficiencies described in the eport, the system of quality control was adequately designed and complied with during the period. An adverse opinion is a conclusion that the system of quality control was not adequately designed and complied with to provide reasonable assurance of conforming with professional standards.