External Peer Review
Requirements: General
5.155
Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization’s system of quality management was suitably designed and (2) the organization is complying with its system of quality management so that it has reasonable assurance that it is fulfilling its responsibilities in accordance with professional standards and performing and reporting in conformity with such standards in all material respects.
5.156
Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization’s peer review requirements and the requirements listed throughout paragraphs 5.161 through 5.175.
American Institute of Certified Public Accountants
Council of the Inspectors General on Integrity and Efficiency
Association of Local Government Auditors
International Organization of Supreme Audit Institutions
National State Auditors Association
Application Guidance: General
5.158
Each audit organization has discretion in selecting and accepting its peer review teams. Auditors in governments or jurisdictions without access to established peer review programs may engage other auditors, including public accounting firms, to conduct their peer reviews. If access to an established peer review program is not available, auditors may organize regional programs with other auditors.
5.159
In cases of unusual difficulty or hardship, extensions of the deadlines for submitting peer review reports exceeding 3 months beyond the due date may be granted by the entity that administers the peer review program with the concurrence of GAO.
5.160
Some audit organizations may be subject to or required to follow a peer review program of a recognized organization. Other audit organizations may follow a specific peer review program voluntarily. In instances where the audit organization follows a recognized organization’s peer review program voluntarily, the use of such a peer review program means compliance with the recognized organization’s entire peer review process, including, where applicable, standards for administering, performing, and reporting on peer reviews, oversight procedures, training, and related guidance materials.
Requirements: Assessment of Peer Review Risk
5.161
The peer review team should perform an assessment of peer review risk to help determine the number and types of engagements to select for review.
5.162
Based on the risk assessment, the peer review team should select engagements that provide a reasonable cross section of all types of work subject to the reviewed audit organization’s system of quality management, including one or more engagements conducted in accordance with GAGAS.
Application Guidance: Assessment of Peer Review Risk
5.163
Peer review risk is the risk that the review team
fails to identify significant weaknesses in the reviewed audit organization’s system of quality management for its auditing practice, its lack of compliance with that system, or a combination thereof;
issues an inappropriate opinion on the reviewed audit organization’s system of quality management for its auditing practice, its compliance with that system, or a combination thereof; or
makes an inappropriate decision about the matters to be included in, or excluded from, the peer review report.
5.164
A selection approach that provides a cross section of all types of work is generally applicable to audit organizations that conduct a small number of GAGAS engagements in relation to other types of engagements. In these cases, one or more GAGAS engagements may represent more than what would be selected when looking at a cross section of the audit organization’s work as a whole. Some audit organizations conduct audit and attestation work in a number of functional areas. For example, an organization may conduct financial audits, attestation engagements, reviews of financial statements, and performance audits. The peer review team may consider reviewing a sample of engagements from each of the major functional areas included within the scope of the review.
5.165
A peer review is designed to test significant risk areas where it is possible that engagements are not being conducted, reported on, or both in conformity with professional standards in all material respects. A peer review is not designed to test every engagement, compliance with every professional standard, or every detailed component of the audit organization’s system of quality management.
5.166
Examples of the factors that may be considered when performing an assessment of risk for selecting engagements for peer review include
scope of the engagements, including size of the audited entity or engagements covering multiple locations;
functional area or type of government program;
types of engagements conducted, including the extent of nonaudit services provided to audited entities;
personnel (including use of new personnel or personnel not routinely assigned the types of engagements conducted);
initial engagements;
familiarity resulting from a long-standing relationship with the audited entity;
political sensitivity of the engagements;
budget constraints faced by the audit organization that could negatively affect engagement quality;
results of the peer review team’s review of the design of system of quality management;
results of the audit organization’s monitoring process; and
overall risk tolerance within the audit organization that could negatively affect engagement quality.
Requirements: Peer Review Report Ratings
5.167
The peer review team should use professional judgment in deciding on the type of peer review rating to issue; the ratings are as follows:
Peer review rating of pass: A conclusion that the audit organization’s system of quality management has been suitably designed and complied with to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards in all material respects.
Peer review rating of pass with deficiencies: A conclusion that the audit organization’s system of quality management has been suitably designed and complied with to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards in all material respects with the exception of a certain deficiency or deficiencies described in the report.
Peer review rating of fail: A conclusion, based on the significant deficiencies described in the report, that the audit organization’s system of quality management is not suitably designed to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards in all material respects, or that the audit organization has not complied with its system of quality management to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards in all material respects.
5.168
The peer review team should determine the type of peer review rating to issue based on the observed matters’ importance to the audit organization’s system of quality management as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate.
5.169
The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation.40 The peer review team should perform its evaluation and issue report ratings as follows:
If the peer review team’s evaluation of observed matters does not identify any findings (more than a remote possibility that the reviewed audit organization would not perform, report, or both in conformity with professional standards), or identifies findings that are not considered to be deficiencies, the peer review team issues a pass rating.
If the peer review team’s evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report.
If the peer review team’s evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report.
Application Guidance: Peer Review Report Ratings
5.170
Deficiencies are findings that because of their nature, causes, pattern, or pervasiveness, including their relative importance to the audit organization’s system of quality management taken as a whole, could create a situation in which the audit organization would not have reasonable assurance of performing, reporting, or both in conformity with professional standards in one or more important respects.
5.171
Significant deficiencies are one or more deficiencies that the peer review team concludes result from a condition in the audit organization’s system of quality management or compliance with that system such that the system taken as a whole does not provide reasonable assurance of performing, reporting, or both in conformity with professional standards.
Requirements: Availability of the Peer Review Report to the Public
5.172
An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance.
5.173
An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public.
5.174
Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested:
the audit organization’s most recent peer review report and
any subsequent peer review reports received during the period of the contract.
5.175
Auditors who are using another audit organization’s work should request a copy of that organization’s most recent peer review report, and the organization should provide this document when it is requested.
Application Guidance: Availability of the Peer Review Report to the Public
5.176
To help the public understand the peer review reports, an audit organization may include a description of the peer review process and how it applies to its organization. Examples of additional information that audit organizations may include to help users understand the meaning of the peer review report follow:
Explanation of the peer review process
Description of the audit organization’s system of quality management
Explanation of the relationship of the peer review results to the audited organization’s work
If a peer review report is issued with a rating of pass with deficiencies or fail, explanation of the reviewed audit organization’s plan for improving its system of quality management and the status of the improvements
Additional Requirements for Audit Organizations Not Affiliated with Recognized Organizations
Requirement: Peer Review Scope
5.177
The peer review team should include the following elements in the scope of the peer review:
review of the audit organization’s design of, and compliance with, quality management and related policies and procedures;
consideration of the adequacy and results of the audit organization’s internal monitoring procedures;
review of selected audit reports and related documentation and, if applicable, documentation related to selected terminated engagements prepared in accordance with paragraph 5.55c, if any terminated engagements are selected from the universe of engagements used for the peer review sample;
review of prior peer review reports, if applicable;
review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files; and
interviews with selected members of the audit organization’s personnel in various roles to assess their understanding of and compliance with relevant quality management policies and procedures.
Application Guidance: Peer Review Scope
5.178
Review of documentation related to terminated engagements can provide information on the audit organization’s response to threats to independence. For example, the documentation may include information on whether an engagement was terminated as a result of an undue influence from outside the audit organization.
Requirement: Peer Review Intervals
5.179
An audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement in accordance with GAGAS.
Application Guidance: Peer Review Intervals
5.180
The period under review in a peer review generally covers 1 year.
Requirement: Written Agreement for Peer Review
5.181
The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements.
Application Guidance: Written Agreement for Peer Review
5.182
The written agreement is meant to ensure mutual consent on the fundamental aspects of the peer review and to avoid any potential misunderstandings. The written agreement may address the following:
scope of the peer review;
staffing and time frame;
compensation for conducting the peer review, if applicable;
preliminary findings, if applicable;
reporting results;
administrative matters; and
access to audit documentation.
5.183
The peer review team is responsible for ensuring that the peer review is conducted in accordance with GAGAS peer review requirements.
Requirement: Peer Review Team
5.184
The peer review team should meet the following criteria:
The review team collectively has adequate professional competence and knowledge of GAGAS and government auditing.
The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its personnel, and the engagements selected for the peer review.41
The review team collectively has sufficient knowledge to conduct a peer review.
Application Guidance: Peer Review Team
5.185
Peer review knowledge and professional competence may be obtained from on-the-job training, training courses, or a combination of both. Having individuals on the peer review team with prior experience on a peer review or internal inspection team is desirable.
Requirement: Report Content
5.186
The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements:
a description of the scope of the peer review, including any limitations;
a rating concluding on whether the system of quality management of the reviewed audit organization was adequately designed and complied with during the period reviewed and would provide the audit organization with reasonable assurance that it conformed to professional standards;
specification of the professional standards to which the reviewed audit organization is being held;
reference to a separate written communication, if issued under the peer review program;
a statement that the peer review was conducted in accordance with GAGAS peer review requirements; and
a detailed description of the findings, conclusions, and recommendations related to any deficiencies or significant deficiencies identified in the review.
Application Guidance: Report Content
5.187
When the scope of the peer review is limited by conditions that preclude the application of one or more peer review procedures considered necessary in the circumstances and the peer review team cannot accomplish the objectives of those procedures through alternative procedures, the report can be modified by including a statement in the report’s scope paragraph, body, and opinion paragraph. The statement describes the relationship of the excluded engagement(s) or functional area(s) to the reviewed audit organization’s full scope of practice as a whole and system of quality management and the effects of the exclusion on the scope and results of the review.
Requirements: Audit Organization’s Response to the Peer Review Report
5.188
If the reviewed audit organization receives a report with a peer review rating of pass with deficiencies or fail, the reviewed audit organization should respond in writing to the deficiencies or significant deficiencies and related recommendations identified in the report.
5.189
With respect to each deficiency or significant deficiency in the report, the reviewed audit organization should describe in its letter of response the corrective actions already taken, target dates for planned corrective actions, or both.
Application Guidance: Audit Organization’s Response to the Peer Review Report
5.190
When an audit organization receives a peer review rating of pass with deficiencies or fail that relates to its GAGAS engagements, critical evaluation of the design and implementation of the system of quality management is a factor in determining the audit organization’s ability to accept and perform future GAGAS engagements.