Quality Control and Assurance
GAO-03-673G Government Auditing Standards > Chapter 3 General Standards > Quality Control and Assurance
Each audit organization performing audits and/or attestation engagements in accordance with GAGAS should have an appropriate internal quality control system in place and should undergo an external peer review.
3.50 An audit organization’s system of quality control encompasses the audit organization’s structure and the policies adopted and procedures established to provide the organization with reasonable assurance of complying with applicable standards governing audits and attestation engagements. An audit organization’s internal quality control system should include procedures for monitoring, on an ongoing basis, whether the policies and procedures related to the standards are suitably designed and are being effectively applied.
3.51 The nature and extent of an audit organization’s internal quality control system depends on a number of factors, such as its size, the degree of operating autonomy allowed its personnel and its audit offices, the nature of its work, its organizational structure, and appropriate cost-benefit considerations. Thus, the systems established by individual audit organizations will vary as will the need for, and extent of, their documentation of the systems. However, each audit organization should prepare appropriate documentation for its system of quality control to demonstrate compliance with its policies and procedures. The form and content of such documentation is a matter of judgment. Documentation of compliance should be retained for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization’s compliance with the quality control policies and procedures.
3.52 Audit organizations performing audits and attestation engagements in accordance with GAGAS should have an external peer review of their auditing and attestation engagement practices at least once every 3 years by reviewers independent of the audit organization being reviewed.[1] The external peer review should determine whether, during the period under review, the reviewed audit organization’s internal quality control system was adequate and whether quality control policies and procedures were being complied with to provide the audit organization with reasonable assurance of conforming with applicable professional standards. Audit organizations should take remedial, corrective actions as needed based on the results of the peer review.
b. Each review team member should be independent (as defined in GAGAS) of the audit organization being reviewed, its staff, and the audits and attestation engagements selected for the external peer review. A review team or a member of the review team is not permitted to review the audit organization that conducted its audit organization’s most recent external peer review.
a. The peer review should include a review of the audit organization’s internal quality control policies and procedures, including related monitoring procedures, audit and attestation engagement reports, audit and attest documentation, and other necessary documents (for example, independence documentation, CPE records, and personnel management files related to compliance with hiring, performance evaluation, and assignment policies). The review should also include interviews with various levels of the reviewed audit organization’s professional staff to assess their understanding of and compliance with relevant quality control policies and procedures.
b. The review team should use one of the following approaches to selecting audits and attestation engagements for review: (1) select audits and attestation engagements that provide a reasonable cross section of the assignments performed by the reviewed audit organization in accordance with GAGAS or (2) select audits and attestation engagements that provide a reasonable cross section of the reviewed audit organization’s work subject to quality control requirements, including one or more assignments performed in accordance with GAGAS.
c. The peer review should be sufficiently comprehensive to provide a reasonable basis for concluding whether the reviewed audit organization’s system of quality control was complied with to provide the organization with reasonable assurance of conforming with professional standards in the conduct of its work. The review team should consider the adequacy and results of the reviewed audit organization’s monitoring efforts to efficiently plan its peer review procedures.
d. The review team should prepare a written report(s) communicating the results of the external peer review. The report should indicate the scope of the review, including any limitations thereon, and should express an opinion on whether the system of quality control of the reviewed audit organization’s audit and/or attestation engagement practices was adequate and was being complied with during the year reviewed to provide the audit organization with reasonable assurance of conforming with professional standards for audits and attestation engagements. The report should state the professional standards[2] to which the reviewed audit organization is being held. The report should also describe the reasons for any modification of the opinion. When there are matters that resulted in a modification to the opinion, reviewers should report a detailed description of the findings and recommendations, either in the peer review report or in a separate letter of comment or management letter, to enable the reviewed audit organization to take appropriate actions. The written report should refer to the letter of comment or management letter if such a letter is issued along with a modified report.
3.55 Audit organizations seeking to enter into a contract to perform an assignment in accordance with GAGAS should provide their most recent external peer review report and any letter of comment, and any subsequent peer review reports and letters of comment received during the period of the contract, to the party contracting for the audit or attestation engagement. Information in the external peer review report and letter of comment is often relevant to decisions on procuring audit or attestation engagement services. Auditors who are relying on another audit organization’s work should request a copy of the audit organization’s peer review report and any letter of comment, and the audit organization should provide the peer review report and letter of comment when requested.
3.56 Government audit organizations also should transmit their external peer review reports to appropriate oversight bodies. It is also recommended that, upon request, the peer review report and letter of comment be made available to the public in a timely manner.
[1] Audit organizations should have an external peer review conducted within 3 years from the date they start (that is, start of field work) their first assignment in accordance with GAGAS. Subsequent external peer reviews should be conducted every 3 years. Extensions of these time frames beyond 3 months to meet the external peer review requirements can only be granted by GAO and should only be requested for extraordinary circumstances.
[2] “Professional standards” refers to both the auditing standards and quality control standards used by the reviewed audit organization.