I see an acronym coming! QMRAP. That sounds almost as bad as GAGAS!
Overview of the quality management risk assessment process
Here is what the GAO proposes:
5.19 The audit organization should design and implement a risk assessment process that establishes quality objectives, identifies and assesses quality risks, and designs and implements responses to address the quality risks.
5.20 The audit organization should establish the quality objectives specified by this chapter and any additional quality objectives that the audit organization considers necessary to achieve the objective of the system of quality management.
5.21 The audit organization should identify and assess quality risks. To identify and assess quality risks, the audit organization should
- obtain an understanding of the conditions, events, circumstances, actions, or inactions that may adversely affect the achievement of the quality objectives and
- take into account how, and the degree to which, events, circumstances, actions, or inactions may adversely affect the achievement of the quality objectives.
5.22 The audit organization should design and implement responses to address the quality risks in a manner that is based on, and responsive to, quality management risk assessments.
What are the quality objectives mentioned in 5.16?
Many of these quality control system objectives are holdovers from the current version of the Yellow Book:
5.26 Quality objectives are the desired outcomes to be achieved by the audit organization in relation to the components of the system of quality management.
5.27 The quality objectives specified by this chapter relate to the following components:
- Governance and Leadership (5.43)
- Independence, Legal, and Ethical Requirements (5.45)
- Initiation, Acceptance, and Continuance of Engagements (5.49)
- Engagement Performance (5.52)
- Resources (5.72)
- Information and Communication (5.78)
What are the quality risks mentioned in 5.16?
However, the description of ‘quality risks’ is brand spanking new!
5.32 Quality risks are risks that have a reasonable possibility of
- occurring and
- adversely affecting the achievement of one or more quality objectives individually, or in combination with other risks.
5.33 A risk arises from how, and the degree to which, a condition, event, circumstance, action, or inaction may adversely affect the achievement of a quality objective.
5.34 Conditions, events, circumstances, actions, or inactions that may adversely affect the achievement of the quality objectives may be related to the nature and circumstances of the audit organization, and may include
- the complexity and operating characteristics of the audit organization;
- the strategic and operational decisions and actions of the audit organization;
- the characteristics and management style of leadership;
- the resources of the audit organization, including the resources provided by service providers; and
- law, regulation, professional standards, and the environment in which the audit organization operates.
5.35 Conditions, events, circumstances, actions, or inactions that may adversely affect the achievement of the quality objectives may be related to the nature and circumstances of the engagements performed by the audit organization, and may include
- the types of engagements performed by the audit organization and the reports to be issued and
- the types of entities for which and upon which such engagements are undertaken.
Almost to the third step of the trifecta
Maybe you remember last week’s post about the trifecta. It’s the three-step process the GAO pulls out of its hat whenever it wants auditors to stop and think hard about what they are doing and why.
The first step of the trifecta is to understand the subject. The second step is to assess risk, and the third step is to respond.
We covered the first step in this post: Understanding the subject by thinking about your organization’s circumstances and then defining quality management control system objectives. I feel another acronym coming on: QMCSOs. Nope, that’s not easy to say, either!
The second step is to assess risk. In this circumstance, the GAO calls it quality risk which we discussed in the section above.
Now it’s time to apply the third step of the trifecta, which is to respond to the risk. In other words, do something to keep the high-magnitude and likely quality risks from occurring.
The response to the risk
Strangely, the GAO does not help us much with the third step, such as by providing a handy-dandy list of options for responding to the quality risks. The GAO can’t provide one succinct little list of cures to quality issues because it would have to provide solutions for each of the 6 quality control objectives. Plus, there are all the varying (shall we call them) ‘situations’ the audit team often finds itself in.
Finally, 100 paragraphs after laying out the quality risks, the GAO suggests a quality control review is a possible response:
5.138 The audit organization may determine that an engagement quality review is an appropriate response to address one or more quality risks applicable to all GAGAS engagements, specific types of GAGAS engagements, or specifically identified GAGAS engagements.
How might this affect your audit team?
Well, if these paragraphs in the 2023 exposure draft are finalized, we will have a new set of terms (and possibly some wacky acronyms) to work with. We will also need to create a memo or a risk assessment matrix to show we complied with this standard.
Ultimately, all of this activity is intended to lead your team to conduct better audits.
If you have doubts about the efficacy of these proposed standards regarding a quality management risk assessment process, now is the time to speak up!
Obviously, I didn’t cover the entire exposure draft in this newsletter. So you may want to read it before you shoot off an email to the GAO. Click here to read the exposure draft.
Here is where you send your comments: YellowBookComments@gao.gov
More on this topic next week!