The audit quality control standards are twofold. The Yellow Book requires that audit shops:
- Have an internal quality control system, and
- Undergo an external peer review that determines whether the audit shop’s quality control system is working
Here is exactly what the Yellow Book has to say:
5.02 An audit organization conducting engagements in accordance with GAGAS must establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements.
5.60 Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization’s system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects.
The GAO is mimicking the AICPA standards with these requirements. And if you are currently part of the AICPA’s peer review program, none of the quality control or peer review standards will surprise or annoy you.
But, if you are an internal auditor who follows both the IIA standards and the Yellow Book audit quality control standards, you are not going to be happy with the Yellow Book standards because the Yellow Book standards far exceed the IIA’s quality control and peer review standards!
For one, the IIA requires a peer review every five years, not every three years as required by the Yellow Book. For another, the Yellow Book details 6 components of an audit shop’s quality control and the IIA standards do not.
6 components of the quality control system
The Yellow Book audit quality control standards entail six specific components. Where did the GAO get these six components? You guessed it! The AICPA.
If you are responsible for the quality control system for your team, or if you are a peer reviewer, I recommend that you go to the AICPA standards instead of solely relying on what the GAO says in this section.
Why? Because sometimes the GAO, in summarizing the AICPA literature, leaves a few significant details out. The AICPA renames the requirements periodically, but as of this publication, they are entitled A Firm’s System of Quality Control and are available online for free.
Here are the six elements of your quality control system that the GAO standards require you to document and implement:
- Leadership responsibilities for quality within the audit organization (sections 5.05-5.06)
- Independence, legal, and ethical requirements (sections 5.08-5.11)
- Initiation, acceptance, and continuance of audits (sections 5.12-5.14)
- Human resources (sections 5.15-5.21)
- Engagement performance (sections 5.22-5.41)
- Monitoring of quality (sections 5.42-5.59)
1. Leadership Responsibilities
This component of quality control asks that you are clear who is responsible for audit quality and what their responsibilities are.
2. Independence, Legal, and Ethical Responsibilities
The audit organization needs to have policies and procedures in place to make sure that the team maintains its integrity and professionalism all year long.
The GAO added this clause in 2018:
5.09 At least annually, the audit organization should obtain written affirmation of compliance with its policies and procedures on independence from all of its personnel required to be independent.
3. Initiation, Acceptance, and Continuance of Audits
The audit organization needs to make sure that it can comply with standards and has the capacity to do the work before it accepts an engagement.
4. Human Resources and 5. Engagement Performance
Both of these components address your staff’s competence and responsibilities.
The HR element of the quality control system requires audit teams to have processes for recruiting, developing, and evaluating team members.
And the engagement performance standards define what supervisors and reviewers are responsible for doing. Yes, supervisors and reviewers are different roles on an audit! Please see these descriptions of the role of a supervisor and a reviewer below.
5.39 Engagement supervision includes the following:
- Tracking the progress of the engagement;
- Considering the competence of individual members of the engagement team, whether they understand their instructions, and whether the work is being carried out in accordance with the planned approach to the engagement;
- Addressing significant findings and issues arising during the engagement, considering their significance, and modifying the planned approach appropriately; and
- Identifying matters for consultation or consideration by engagement team members with appropriate levels of skill and proficiency in auditing, specialists, or both during the engagement.
5.40 A review of the work performed includes consideration of whether
- The work has been performed in accordance with professional standards and applicable legal and regulatory requirements;
- Significant findings and issues have been raised for further consideration;
- Appropriate consultations have taken place and the resulting conclusions have been documented and implemented;
- The nature, timing, and extent of the work performed is appropriate and without need for revision;
- The work performed supports the conclusions reached and is appropriately documented;
- The evidence obtained is sufficient and appropriate to support the report; and
- The objectives of the engagement procedures have been achieved.
6. Monitoring of Quality
Through monitoring procedures, the audit organization makes sure that all five of the previous elements of the quality control system are in place and working.
Peer reviewers should be your ‘peers’
The second quality control standard requires a peer review of the quality control system every three years. So the primary job of the peer reviewer is to make sure that the 6-pronged quality control system described above is working.
Notice that this is a review by a peer... someone like you, in a similar situation as you. A one-man shop would not ask a huge audit shop to review their quality control system because the bigger shop would not be empathetic to the one-man-shop’s efforts toward quality control. Instead, he would ask a peer, another one-man shop, to conduct the review.
To learn more enjoy the Yellow Book Interpreted, a self-study text.