Some of us were already taking quality control steroids.
We swallowed the GAO’s suggestions and added layers upon layers of audit documentation and report review. We bulked up our staff and processes accordingly. Like Hanz and Franz, the GAO, “Just want to pump… you up!”
Others of us resisted. These auditors thought the numerous layers of reviews were just too much, simplified them and kept a more lean, natural-sized team.
The GAO is still pushing
The 2023 GAGAS Exposure Draft is full of suggestions designed to strengthen your audit quality. In several places, they admit these particular ideas aren’t for everybody.
5.11 The design of the audit organization’s system of quality management, and in particular the complexity and formality of the system, will vary based on the audit organization’s circumstances, such as size, number of offices and geographic dispersion, knowledge and experience of its personnel, nature and complexity of its engagement work, and cost-benefit considerations….
So, that makes it clear. You don’t have to ingest all of their ideas on this topic. However, typical of the GAO, if you don’t take their ideas, you will need to explain yourself… in writing.
Here is the pumped-up version of quality control
What does a bulky and strong quality control system look like to the GAO? Well, it looks like this:
- Auditor creates the documentation and report (not optional)
- Supervisor reviews the documentation and report (mandatory)
- Manager reviews the documentation and report (optional)
- Director/Partner/CAE reviews the documentation and report (optional)
- Quality Control Reviewer does a cold review on the audit documentation and report prior publishing (optional, but strongly recommended)
- Annual quality control review performed by a leader in the audit organization reports on whether the quality control system is working as intended and develops suggestions for improvement (mandatory)
- Review of the quality control system by a peer (an auditor who is not part of your organization) every three years (mandatory)
I’m exhausted just thinking about it.
Where does the GAO get this stuff?
The GAO gets this layering idea from the Green Book (Standards for Internal Control in the Federal Government)/COSO Model, which are both internal controls on steroids!
In the Green Book/COSO Model, the monitoring component suggests you can’t just trust the controls in place are working as intended. You must check.
It suggests ‘ongoing’ monitoring to verify controls work without interruption and ‘separate evaluations’ performed periodically (and ideally) by someone who is not part of implementing the monitored controls. In the above pumped-up versions, the supervisory review and quality control review are ongoing monitoring activities while the annual quality control and peer review would be considered separate evaluations.
I can see the GAO’s point. You can’t recommend auditees implement monitoring controls if you aren’t willing to implement monitoring controls yourself.
No, it isn’t final… yet
These steroid quality control procedures aren’t required yet. However, since other audit organizations are integrating them into their standards, I expect the GAO will not want to fall behind. Visit this page to see what they’re planning.