New Quality Control Standards: GAGAS—Yellow Book

July 2008

The Government Accountability Office (the GAO) initially created the Yellow Book to guide its own auditors. The creators called it “The Golden Rule of Auditing”, but when it came back from the printers, it wasn’t gold, but bright yellow. Not wanting to waste taxpayer dollars or duke it out with the federal printing folks, the GAO settled for yellow.

Over time, the Yellow Book has been adopted by a variety of auditors who have professional affiliations and responsibilities to other professional organizations and standard-setting bodies.

For instance, if you are an internal auditor for a governmental entity, you might follow the Yellow Book and the red book (the Institute of Internal Auditors’ Professional Practices Framework). If you are an auditor of federal grants, you might also follow the AICPA’s standards (The Statements on Auditing Standards or Statements on Standards for Attestation Engagements). Or you might follow the PCAOB’s standards if you are auditing a public corporation that receives governmental funds.

And each standard-setting body has its own unique situations and opinions about what is right. For instance, each of these standard-setting bodies has its own timeline for undergoing a peer review. The IIA requires a peer review every five years, while the AICPA requires a peer review every three years.

I once had the pleasure of meeting David Walker, the former Comptroller General of the United States and the chief of the GAO. I said something about the PCAOB having the toughest set of standards out there and he quickly corrected me. The GAO standards were the toughest standards out there and he intended to keep it that way. The GAO is always endeavoring to do its best and do the right thing. And if other standard-setting bodies don’t quite agree yet, the GAO will do its best to still move forward following its core principles of accountability, transparency, integrity, and objectivity.

They tried to publish a revised Government Auditing Standards (also known as “GAGAS” and the “Yellow Book”) in 2006, but this controversial quality control section was slowing them down. Having missed the 2006 deadline, they issued an incomplete version in February 2007. In July 2007, they were finally able to smooth out the rough spots and publish what we are going to review here.

What is new this time around?

For as long as I can remember, the GAO required auditors to establish a quality control system and to undergo an independent review of that quality control system every three years.

In the following review of this new section, I want to highlight several significant changes to the standards that have surprised participants in my Yellow Book review courses. The most shocking changes have to do with the following new requirements:

  • Quality control systems must now be thoroughly documented
  • Monitoring reports must be generated annually
  • Peer review reports must be shared with everyone and their mother!

The quality control standards appear in Chapter 3 of the Yellow Book. This is the General Standards chapter and these requirements apply to every type of audit conducted under government auditing standards.

At the most basic level, the quality control requirements are twofold. The Yellow Book requires that auditors

  • have an internal quality control system
  • undergo an external peer review

Here is exactly what the Yellow Book has to say:

3.50 Each audit organization performing audits or attestation engagements in accordance with GAGAS must:
a. establish a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and
b. have an external peer review at least once every 3 years.

Significant Change #1—Quality control systems must be thoroughly documented

What constitutes a “quality control system” varies widely.

If you are a one-man shop, what does your quality control system look like? In my courses, I have heard a wide variety of answers. One guy said that he put his working papers away in a box and then gave them the once-over using a checklist six months later. Another one-man shop said that he had an agreement with another sole practitioner to review each other’s working papers every year or so. Another guy hired a reviewer once a year.

Which of these practitioners is right? All of them. Who judges whether your procedure is adequate or not? Your peer reviewer.

If I were conducting a peer review of the first guy—the guy who looks at his own stuff six months later—I would not be happy. But that is just me, and the Yellow Book doesn’t say that what he is doing is wrong or that I am right. (So if you are that guy, don’t hire me to do your peer review!)

One of my clients is a huge audit shop with 200+ auditors. On each engagement, the in-charge conducts a review, as does another supervisor. The audit manager reviews the working papers and sometimes the audit director gets involved. The shop also has a two or three-person team called the “quality assurance team” that is responsible for reviewing every set of working papers in detail before the report is issued. Whoa! That is a lot of review.

With the July 2007 revision of the Yellow Book, the GAO is making it harder for a sole practitioner to simply review the stuff in his box six months later. Now, everyone must document policies and procedures for six (!) aspects of quality control. To some larger shops, this is not overkill or impossible, because they likely have most of this in place. But to a smaller shop, this will be burdensome.

Notice this is a review by a peer; someone like you, in a similar situation to you. So a one-man shop would not ask a huge audit shop to review their quality control system; he will ask a peer—another one-man shop—to conduct the review. If the peer reviewing your system also puts his stuff in the closet and looks at it in six months, you’re golden.

3.51 An audit organization’s system of quality control encompasses the audit organization’s leadership, emphasis on performing high quality work, and the organization’s policies and procedures designed to provide reasonable assurance of complying with professional standards and applicable legal and regulatory requirements.

The nature, extent, and formality of an audit organization’s quality control system will vary based on the audit organization’s circumstances, such as the audit organization’s size, number of offices and geographic dispersion, the knowledge and experience of its personnel, the nature and complexity of its audit work, and cost-benefit considerations.

Notice that the quality control system must be documented—although the last sentence of the above paragraph does allow a little flexibility regarding the form and content of the documentation depending on the audit organization’s “circumstances”.

The last sentence of 3.52, quoted below, also leads me to believe that a small audit shop might be able to justify a less extensive set of documentation.

3.52 Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization’s compliance with its quality control policies and procedures. The form and content of such documentation are a matter of professional judgment and will vary based on the audit organization’s circumstances.

Six elements of a quality control system

Here are the six elements of your quality control system that the GAO standards require us to document and implement.

3.53 An audit organization should include policies and procedures in its system of quality control that collectively address:
a. Leadership responsibilities for quality within the audit organization: Policies and procedures that designate responsibility for quality of audits and attestation engagements performed under GAGAS and communication of policies and procedures relating to quality. Such policies and communications encourage a culture that recognizes that quality is essential in performing GAGAS audits.
b. Independence, legal, and ethical requirements: Policies and procedures designed to provide reasonable assurance that the audit organization and its personnel maintain independence, and comply with applicable legal and ethical requirements.
c. Initiation, acceptance, and continuance of audit and attestation engagements: Policies and procedures for the initiation, acceptance, and continuance of audit and attestation engagements, designed to provide reasonable assurance that the audit organization will undertake audit engagements only if it can comply with professional standards and ethical principles and is acting within the legal mandate or authority of the audit organization.
d. Human resources: Policies and procedures designed to provide the audit organization with reasonable assurance that it has personnel with the capabilities and competence to perform its audits in accordance with professional standards and legal and regulatory requirements.
e. Audit and attestation engagement performance, documentation, and reporting: Policies and procedures designed to provide the audit organization with reasonable assurance that audits and attestation engagements are performed and reports are issued in accordance with professional standards and legal and regulatory requirements.
f. Monitoring of quality: An ongoing, periodic assessment of work completed on audits and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice. The purpose of monitoring compliance with quality control policies and procedures is to provide an evaluation of (1) adherence to professional standards and legal and regulatory requirements, (2) whether the quality control system has been appropriately designed, and (3) whether quality control policies and procedures are operating effectively and complied with in practice. Monitoring procedures will vary based on the audit organization’s facts and circumstances. The audit organization should perform monitoring procedures that enable it to assess compliance with applicable professional standards and quality control policies and procedures for GAGAS audits. Individuals performing monitoring should collectively have sufficient expertise and authority for this role.

Significant Change #2—Annual monitoring reports

And the last of the six components of the quality control system—the monitoring requirement—leads us to one of the more surprising aspects of the new standards: the audit organization must analyze and report on the results of its own monitoring procedures every year.

3.54 The audit organization should analyze and summarize the results of its monitoring procedures at least annually, with identification of any systemic issues needing improvement, along with recommendations for corrective action. (Under GAGAS, reviews of the work and the report that are performed as part of supervision are not monitoring controls when used alone. However, these types of pre-issuance reviews may be used as a part of this analysis and summary.)

What constitutes monitoring?

In the appendix to the Yellow Book, the GAO gives us some ideas about what the monitoring process should accomplish. Please note that this is only guidance!!! And as guidance, you don’t have to follow what they are suggesting. However, if you are a moderate or large audit firm or shop, you might be hard-pressed to justify why you didn’t follow this guidance.

A3.04 (2) … Examples of specific monitoring procedures include:
(a) examination of selected administrative and personnel records pertaining to quality control;
(b) review of selected audit and attest documentation, and reports;
(c) discussions with the audit organization's personnel (as applicable and appropriate);
(d) periodic summarization of the findings from the monitoring procedures in writing (at least annually), and consideration of the systematic causes of findings that indicate improvements are needed;
(e) determination of any corrective actions to be taken or improvements to be made with respect to the specific audits and attestation engagements reviewed or the audit organization's quality control policies and procedures;
(f) communication of the identified findings to appropriate audit organization management with subsequent follow-up; and
(g) consideration of findings by appropriate audit organization management personnel who also determine whether actions necessary, including necessary modifications to the quality control system, are performed on a timely basis.

Sounds very much like a full-blown peer review, right? Check out the following paragraphs (that again mimic a full-blown peer review) regarding the review of personnel and administrative records:

A3.04 (3) Review of selected administrative and personnel records: The review of selected administrative and personnel records pertaining to quality control may include tests of:
(a) compliance with policies and procedures on independence;
(b) compliance with continuing professional development policies, including training;
(c) procedures related to recruitment and hiring of qualified personnel, including hiring of specialists or consultants when needed;
(d) procedures related to performance evaluation and advancement of personnel;
(e) procedures related to initiation, acceptance, and continuance of audit and attestation engagements;
(f) audit organization personnel's understanding of the quality control policies and procedures, and implementation of these policies and procedures; and
(g) audit organization's process for updating its policies and procedures.

To most of my clients these lists of monitoring procedures are more than they are used to doing on a regular basis. Many audit shops and firms will do a simple pre-peer review internal review (man that is redundant!) to make sure that they have all of their ducks in a row before the peer reviewer visits. So if you are already in that habit, you only need to generate a formal report and do it every single year. Only.

Who should do it?

Again, this is from the guidance. It is not mandatory. The GAO says that it would be better if the monitor is independent of the process they are reviewing.

(1) Who: Monitoring is most effective when performed by persons who do not have responsibility for the specific activity being monitored (e.g., for specific engagements or specific centralized processes). The staff member or team of staff members assigned with responsibility for the monitoring process collectively need sufficient and appropriate competence and authority in the audit organization to assume that responsibility. Generally the staff member or the team of staff members performing the monitoring are apart from the normal audit supervision associated with individual audits.

And what is in this report?

The annual report has very similar contents to a peer review report. The GAO recommends that the report should include:

  • Descriptions of the monitoring procedures performed
  • Conclusions drawn from the monitoring system
  • Descriptions of systemic quality control problems
  • Actions taken to resolve the deficiencies.

Somewhat flexible

Over and over again, the GAO demonstrates that it appreciates that not every team has the luxury of a standing quality-control team. A good number of audit shops and firms are one-person operations! Obviously, the quality control system and monitoring process need to be appropriate and not ridiculously burdensome. But these new requirements do make it a little tougher for a single-person audit firm or shop to comply.

The quality control system must be documented no matter what your shop’s size. And a monitoring report must be created no matter how many people you employ.

Significant Change #3—Share your peer review with everyone!

First, let’s talk about what a peer reviewer does, and then we will talk about how auditors are now required to share the peer review report with those who contract with you and, sometimes, with the public.

Review every three years

The last general standard asks that you undergo an external peer review every three years. Each state accounting board has policies for peer review and this standard may mirror your state’s policy, or it may exceed it. If you are a CPA, be sure that you check out your state’s policy in conjunction with this standard.

3.55 Audit organizations performing audits and attestation engagements in accordance with GAGAS must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years.

What a peer reviewer does

And what does the peer reviewer do during this review? They make sure that the audit organization has a quality control system and that it is operating.

The external peer review should determine whether, during the period under review, the reviewed audit organization's internal quality control system was adequate and whether quality control policies and procedures were being complied with to provide the audit organization with reasonable assurance of conforming to applicable professional standards.

3.57 The peer review team should include the following elements in the scope of the peer review:
a. review of the audit organization’s quality control policies and procedures;
b. consideration of the adequacy and results of the audit organization’s internal monitoring procedures;
c. review of selected audit and attestation engagement reports and related documentation;
d. review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files;
e. interviews with a selection of the reviewed audit organization’s professional staff at various levels to assess their understanding of and compliance with relevant quality control policies and procedures.

On a humorous note, because you might not be laughing right now after reading these more stringent requirements—3.57e, the requirement that peer reviewers chat with the audit staff—had a pleasant impact on one audit team. The director of the audit team was notoriously hard to work with, and he single-handedly created one of my worst experiences as a trainer when I led a class on writing audit reports for his team. He heckled me and belittled his staff all day long! Not surprisingly, his team barely functioned because of the constant turmoil and fear he kept churning out. Because of the high turnover, they were unable to finish significant projects or keep good auditors on board.

The peer reviewer found out early that this director was causing the quality of the peer reviews to slip and wrote as much in his peer review report. He recommended counseling for the director, and the director took the recommendation to heart. After a few months of counseling and leadership coaching, the director is a changed man. His staff is happy and reports a much more pleasant work environment. I saw him speaking at a recent conference. And instead of wearing a dark suit with a power tie, he was wearing a soft pink button-down and spoke, with a tear in his eye, of being honored to be asked to share his experiences with the audience. I almost didn’t recognize him!

So for all of you stinkers out there, you’d better take your staff to lunch and atone for any evil acts before the peer review shows up, or you, too, will end up wearing pastels and crying in public.

Peer reviewers must get coverage on governmental engagements

Which audits get selected for review? In July 2007, the standards introduced the concept of a “risk-based” peer review. But the bottom line is that if you do just one government audit, that government audit will be chosen for review by the peer reviewer. The standard says that in a very roundabout way, however. This acts as a mild deterrent to CPAs who do one or two governmental audits during the summer. Over and over again in the Yellow Book, they put up little hurdles that make it unappealing to dabble in governmental audits, and this is one of them.

3.58 The peer review team should perform a risk assessment to help determine the number and types of engagements to select. Based on the risk assessment, the team should use one or a combination of the following approaches to selecting individual audits and attestation engagements for review:
(1) select GAGAS audits and attestation engagements that provide a reasonable cross-section of the GAGAS assignments performed by the reviewed audit organization or
(2) select audits and attestation engagements that provide a reasonable cross-section from all types of work subject to the reviewed audit organization’s quality control system, including one or more assignments performed in accordance with GAGAS.

And, although this may seem like a no-brainer, the peer reviewer should actually know GAGAS. Even if you only do one governmental audit, your peer reviewer should know his or her stuff when it comes to governmental auditing:

3.60 The peer review team should meet the following criteria:
a. The review team collectively has current knowledge of GAGAS and government auditing.

And once all of that is taken care of, you get to share it with users of your audit reports and other concerned parties.

Sharing your report with everyone and their mother

One of the significant themes of the Yellow Book is transparency, and not just transparency on the part of the auditee, but also on the part of the auditor. But being so transparent can hurt a bit!

Share your letter of comment with those contracting for the audit

The peer review report includes the letters of comment (the findings, if you will) of the peer review. Under the Yellow Book’s high standards, the whole report, including the letter of comment, goes to the folks that pay for the audit.

Older versions of the Yellow Book only required that you share your opinion letter with those contracting for the audit.

3.62 Information in external peer review reports and letters of comment may be relevant to decisions on procuring audit or attestation engagements. Therefore, audit organizations seeking to enter into a contract to perform an audit or attestation engagement in accordance with GAGAS should provide the following to the party contracting for such services:
a. the audit organization’s most recent peer review report and any letter of comment, and
b. any subsequent peer review reports and letters of comment received during the period of the contract.

External auditors share their peer review opinion letter with the public

And one final, very interesting change. External auditors (that usually includes CPA firms) must make their most recent peer review report available to the public! Posting the peer review report on a website is suggested.

3.61 An external audit organization should make its most recent peer review report publicly available; for example, by posting the peer review report on an external Web site or to a publicly available file designed for public transparency of peer review results. If neither of these options is available to the audit organization, then it should use the same transparency mechanism it uses to make other information public, and also provide the peer review report to others upon request. (This requirement does not include the letter of comment.)

Internal audit organizations that report internally to management should provide a copy of the external peer review report to those charged with governance.

Government audit organizations should also communicate the overall results and the availability of their external peer review reports to appropriate oversight bodies.

Many audit firms can post their peer review report on their own website to satisfy this requirement.

So this short section of the Yellow Book in Chapter 3 (Sections 3.50–3.63) is rich with changes that will require action on the part of most audit teams. The Yellow Book requires auditors to:

  • Document a quality control system composed of six elements
  • Generate internal monitoring reports annually
  • Share your peer review report with a wide range of interested parties

On a related note, please go to the GAO’s website at www.gao.gov/govaud/ybk01.htm and download the Professional Requirements Tool. The GAO was nice enough to convert their mandatory requirements into a succinct list right before the end of 2007. This document will help you make sure that you are complying with all Yellow Book requirements on your audit and also in your audit shop.