System of Quality Management
5.02
The objective of a system of quality management for engagements performed in accordance with GAGAS is to provide the audit organization with reasonable assurance that the audit organization and its personnel
fulfill their responsibilities in accordance with professional standards and applicable laws and regulations and
perform and report on engagements in accordance with such standards and requirements.
5.03
In GAGAS, a system of quality management consists of the following components: governance and leadership; independence, legal, and ethical requirements; acceptance, initiation, and continuance of engagements; engagement performance; resources; and information and communication. It also includes two components that are processes. The risk assessment process includes assessing and responding to risks to achieving the quality objectives. The monitoring and remediation process includes (1) providing relevant, reliable, and timely information about the design, implementation, and operation of the system of quality management; (2) taking appropriate actions to respond to and remediate identified deficiencies in the system of quality management; and (3) enabling the audit organization to assess compliance with professional standards and with policies and procedures it has established to address quality risks.
5.04
GAGAS establishes a risk-based approach to designing, implementing, and operating the system of quality management in an interconnected and coordinated manner. This risk-based approach involves the following:
establishing the desired outcomes relative to the components of the system of quality management (referred to as quality objectives);
identifying and assessing risks to achieving the quality objectives (referred to as quality risks); and
designing and implementing responses to address quality risks.
Requirements: System of Quality Management
5.05
An audit organization conducting engagements in accordance with GAGAS must design, implement, and operate a system of quality management that provides it with reasonable assurance that the audit organization and its personnel
fulfill their responsibilities in accordance with professional standards and applicable laws and regulations and
perform and report on engagements in accordance with such standards and requirements.
5.06
Government audit organizations should comply with the GAGAS quality management requirements in paragraphs 5.05 through 5.138 and, if applicable, engagement quality review requirements in paragraphs 5.139 through 5.154. Nongovernment audit organizations not subject to the quality management standards of one of the recognized organizations in paragraph 5.07 should comply with the GAGAS quality management requirements in paragraphs 5.05 through 5.138 and, if applicable, engagement quality review requirements in paragraphs 5.139 through 5.154.
5.07
A nongovernment audit organization subject to the quality management standards of one of the following recognized organizations should comply with the respective organization’s quality management requirements and the requirements of paragraphs 5.55c, 5.55d, and 5.74c:
American Institute of Certified Public Accountants (AICPA)
International Auditing and Assurance Standards Board
Public Company Accounting Oversight Board
5.08
The audit organization should exercise professional judgment in designing, implementing, and operating a system of quality management, taking into account the nature and circumstances of the audit organization and its engagements.
Application Guidance: System of Quality Management
5.09
The public interest is served by the consistent performance of quality engagements.32 The design, implementation, and operation of the system of quality management enable the consistent performance of quality engagements by providing the audit organization with reasonable assurance that the objective of the system of quality management, stated in paragraph 5.02, is achieved. An audit organization obtains reasonable assurance when the system of quality management reduces to an acceptably low level the risk that the objective stated in paragraph 5.02 is not achieved.
5.10
Quality management is not a separate function of the audit organization; it is the integration of a culture that demonstrates a commitment to quality with the audit organization’s strategy, operational activities, and business processes. Designing the system of quality management and the audit organization’s operational activities and business processes in an integrated manner promotes a harmonious approach to managing the audit organization and enhances the effectiveness of quality management.
5.11
Audit organizations may be required or may elect to use GAGAS quality management standards. Nongovernment audit organizations, such as certified public accounting firms, may be subject to or required to follow the quality management standards of one of the recognized organizations in paragraph 5.07. Those audit organizations follow the standards of the recognized organizations and the specific additional GAGAS requirements in paragraph 5.07 to avoid maintaining separate systems of quality management.
Scalability Considerations
5.12
The design of the audit organization’s system of quality management, particularly the complexity and formality of the system, will vary based on the nature and circumstances of the audit organization (such as size, number of offices and geographic dispersion, knowledge and experience of its personnel, and cost-benefit considerations), and the nature and circumstances of its engagements. For example, an audit organization that conducts various types of GAGAS engagements for federal, state, and local governments may need a more complex and formalized system of quality management and supporting documentation than one that conducts performance audits of a single small government entity. Similarly, a large audit organization with multiple divisions and offices may need a more complex and formal system of quality management than a small audit organization with a few auditors at a single location.
Responsibility for the System of Quality Management
Requirements: Responsibility for the System of Quality Management
5.13
The audit organization should assign
5.13a
- responsibility and accountability for the system of quality management to a senior-level official within the audit organization and
5.13b
- operational responsibility for the system of quality management or specific aspects of the system of quality management to a specific individual or individuals.
5.14
The audit organization should determine that the individual or individuals in paragraph 5.13
possess the appropriate experience, knowledge, influence, and authority within the audit organization;
have sufficient time and resources to fulfill the assigned responsibility;
have a sufficient understanding of this chapter and other applicable GAGAS requirements, as well as application guidance and other explanatory material, to understand the objectives of the system of quality management and to apply the related requirements properly; and
understand the assigned roles and are held accountable for fulfilling them.
5.15
The audit organization should determine that those assigned operational responsibility for the system of quality management or aspects of the system of quality management are in direct communication with the senior-level official assigned responsibility and accountability for the system of quality management.
Application Guidance: Responsibility for the System of Quality Management
5.16
Notwithstanding the assignment of responsibilities related to the system of quality management in accordance with paragraph 5.13, the audit organization remains ultimately responsible for the system of quality management and for holding individuals responsible and accountable for their assigned roles. Further, the audit organization is responsible for its system of quality management even when it uses resources from a service provider.33
5.17
The manner in which an audit organization assigns and describes roles, responsibilities, and authority may vary. Laws and regulations may impose requirements for an audit organization that may affect the structure of leadership and management and their assigned responsibilities. As such, professional judgment assists an audit organization in identifying the appropriate individual or individuals to whom to assign the responsibilities described in paragraph 5.13.
5.18
Delegating operational responsibility for the system of quality management or aspects of the system of quality management may depend on the size and complexity of the audit organization. For small or less complex audit organizations, the senior-level official responsible and accountable for the system of quality management may also be assigned operational responsibility for the system of quality management. For large or more complex audit organizations, more than one person may be assigned operational responsibility for the system of quality management or aspects of the system of quality management. For example, operational responsibility for aspects of a system of quality management that could be delegated include
compliance with independence requirements,
compliance with continuing professional education requirements,
compliance with professional standards, and
the monitoring and remediation process.
Quality Management Risk Assessment Process
Requirements: Quality Management Risk Assessment Process
5.19
The audit organization should design and implement a risk assessment process that establishes quality objectives, identifies and assesses quality risks, and designs and implements responses to address the quality risks.
5.20
The audit organization should establish the quality objectives specified by this chapter. The audit organization should also establish any additional quality objectives that the audit organization considers necessary to achieve the objective of the system of quality management.
5.21
The audit organization should identify and assess quality risks. To identify and assess quality risks, the audit organization should
obtain an understanding of the conditions, events, circumstances, actions, or inactions that may adversely affect the achievement of the quality objectives and
consider how, and the degree to which, the conditions, events, circumstances, actions, or inactions may adversely affect the achievement of the quality objectives.
5.22
The audit organization should design and implement responses to address the quality risks.
5.23
The audit organization should identify, analyze, and respond to changes in the nature and circumstances of the audit organization or its engagements that could affect the quality objectives, quality risks, or responses to address quality risks.
Application Guidance: Quality Management Risk Assessment Process
5.24
Establishing quality objectives, identifying and assessing quality risks, and designing and implementing responses is an iterative process.
5.25
An audit organization typically performs a quality management risk assessment
at specific periodic intervals, such as annually;
to respond to deficiencies in the system of quality management identified by the monitoring and remediation process; and
as necessary to respond to changes in the nature and circumstances of the audit organization, its engagements, or both.
5.26
An example of a change in the nature and circumstances of the audit organization includes when the audit organization has a change in its organizational structure or size.
5.27
Examples of changes in the nature and circumstances of an audit organization’s engagements include the following:
When a local government audit organization conducts audits of new state-provided emergency funding that requires additional audit procedures and the issuance of specialized reports.
When a change to an audited entity’s operations or programs subject to audit necessitates the use of specialized techniques or methods that require the skills of a specialist.
When an audit organization that solely conducted performance audits begins to conduct both financial and performance audits.
5.28
Appropriate responses to changes in the nature and circumstances of the audit organization or its engagements could include establishing additional quality objectives, quality risks, or responses to address quality risks; updating existing quality risks or responses to address quality risks; or determining that no changes are needed.
Quality Objectives
5.29
Quality objectives are the desired outcomes to be achieved by the audit organization in relation to the components of the system of quality management.
5.30
The quality objectives specified by this chapter relate to the following components:
5.31
There are no quality objectives for the quality management risk assessment process and the monitoring and remediation process.
5.32
The audit organization may identify additional quality objectives beyond those specified by this chapter that it determines are necessary to achieve the objective of the system of quality management. For instance, laws, regulations, contracts, grant agreements, or professional standards may establish requirements that give rise to additional quality objectives. The audit organization may also determine that additional quality objectives previously established are no longer necessary or need to be modified.
5.33
The need to establish additional quality objectives is not expected to be common. Therefore, not all audit organizations will find it necessary to establish quality objectives beyond those specified in this chapter.
Quality Risks
5.34
Quality risks are risks that have a reasonable possibility of
occurring and
adversely affecting the achievement of one or more quality objectives individually or in combination with other risks.
5.35
A risk arises from how, and the degree to which, a condition, event, circumstance, action, or inaction may adversely affect the achievement of a quality objective. Not all risks to achieving a quality objective meet the definition of a quality risk. Professional judgment assists the audit organization in determining whether a risk is a quality risk.
5.36
Conditions, events, circumstances, actions, or inactions that may adversely affect the achievement of the quality objectives may be related to the nature and circumstances of the audit organization. These may include
the complexity and operating characteristics of the audit organization;
the strategic and operational decisions and actions of the audit organization;
the characteristics and management style of leadership;
the resources of the audit organization, including those provided by service providers; and
law, regulation, professional standards, and the environment in which the audit organization operates.
5.37
Conditions, events, circumstances, actions, or inactions that may adversely affect the achievement of the quality objectives may relate to the nature and circumstances of the engagements that the audit organization performs. These may include
the types of engagements performed by the audit organization and the reports to be issued and
the types of entities for which and upon which such engagements are undertaken.
5.38
The degree to which a risk, individually or in combination with other risks, may adversely affect the achievement of one or more quality objectives may vary based on the conditions, events, circumstances, actions, or inactions giving rise to the risk, taking matters such as the following into account:
how the condition, event, circumstance, action, or inaction would affect the achievement of the quality objective(s);
how frequently the condition, event, circumstance, action, or inaction is expected to occur;
how long it would take after the condition, event, circumstance, action, or inaction occurred for it to have an effect, and whether in that time the audit organization would have an opportunity to respond to mitigate its effect; and
how long the condition, event, circumstance, action, or inaction would affect the achievement of the quality objective(s) once it has occurred.
5.39
The assessment of quality risks may include formal ratings or scores, although audit organizations are not required to use them.
Responses
5.40
Responses are the policies and procedures that the audit organization designs and implements to address one or more quality risks.
5.41
The audit organization is not required to design and implement a response to an identified risk for a specific quality objective unless the risk rises to the level of a quality risk.
5.42
The nature, timing, and extent of the responses to address quality risks are based on the assessments of those risks, that is, the conclusions drawn from considering how, and the degree to which, conditions, events, circumstances, actions, or inactions may adversely affect the achievement of one or more quality objectives.
5.43
Given the evolving nature of the system of quality management, the responses that the audit organization designs and implements may give rise to conditions, events, circumstances, actions, or inactions that result in further quality risks.
5.44
The responses that the audit organization designs and implements may operate at various levels within the audit organization. Such levels may include the entity, division or unit, and engagement level or a combination of actions taken at various levels.
Governance and Leadership
Requirement: Governance and Leadership
5.45
The audit organization should establish quality objectives that address its governance and leadership as follows:
The audit organization demonstrates a commitment to quality through a culture that exists throughout the audit organization.
Leadership is responsible and accountable for quality.
Leadership demonstrates a commitment to quality through its actions and behaviors.
The organizational structure and assignment of roles, responsibilities, and authority are appropriate to enable the design, implementation, and operation of the audit organization’s system of quality management.
Resource needs are planned for, obtained, allocated, and assigned in a manner consistent with the audit organization’s commitment to quality.
Application Guidance: Governance and Leadership
5.46
Demonstrating a commitment to quality through a culture that exists throughout the audit organization may include recognizing and reinforcing the following:
the audit organization’s role in serving the public interest by consistently performing quality engagements;
the importance of professional ethics, values, and attitudes;
the responsibility of all personnel for quality in performing engagements or activities within the system of quality management and their expected behavior; and
the importance of quality in the audit organization’s strategic decisions and actions.
Independence, Legal, and Ethical Requirements
Requirements: Independence, Legal, and Ethical Requirements
5.47
The audit organization should establish the following quality objectives that address fulfilling responsibilities in accordance with independence and legal and ethical requirements relevant to performing GAGAS engagements:
The audit organization and its personnel
understand the independence and legal and ethical requirements to which the audit organization and its engagements are subject and
fulfill their responsibilities in relation to the independence and legal and ethical requirements to which the audit organization and its engagements are subject.34
Service providers who are subject to the independence and legal and ethical requirements to which the audit organization and its engagements are subject
understand the independence and legal and ethical requirements that apply to them and
fulfill their responsibilities in relation to the independence and legal and ethical requirements that apply to them.
5.48
The audit organization should
establish policies and procedures for identifying, evaluating, and addressing threats to compliance with independence requirements and applicable legal and ethical requirements and appropriately responding to the causes and consequences of any breaches of these requirements and
at least annually, obtain written affirmation of compliance with its policies and procedures on independence from all personnel required to be independent.
Application Guidance: Independence, Legal, and Ethical Requirements
5.49
Policies and procedures pertaining to independence requirements and applicable legal and ethical requirements assist the audit organization in
communicating its independence requirements to its personnel and
identifying and evaluating circumstances and relationships that create threats to independence and taking appropriate action to eliminate those threats or reduce them to an acceptable level by applying safeguards or, if considered appropriate, withdrawing from the engagement where withdrawal is not prohibited by law or regulation.
5.50
Written affirmation of compliance with its policies and procedures on independence from all audit organization personnel required to be independent may be in paper or electronic form. By obtaining affirmation of retrospective compliance with the audit organization’s policies and procedures on independence during a specified period and taking appropriate action on information indicating noncompliance, or potential noncompliance, the audit organization demonstrates the importance that it attaches to independence and keeps the issue current for, and visible to, its personnel. An audit organization may obtain affirmation of required personnel’s compliance with policies and procedures on independence more frequently than once per year. For example, affirmation may be obtained on a per-engagement basis when such engagements last less than 1 year.
Acceptance, Initiation, and Continuance of Engagements
Requirement: Acceptance, Initiation, and Continuance of Engagements
5.51
The audit organization should establish a quality objective that addresses the acceptance, initiation, and continuance of engagements as follows:
The audit organization accepts, initiates, and continues engagements only if it
complies with professional standards, independence requirements, and applicable legal and ethical requirements;
acts within its legal mandate or authority; and
has the capabilities, including time and resources, to do so.
Application Guidance: Acceptance, Initiation, and Continuance of Engagements
5.52
Government audit organizations may initiate engagements as a result of (1) legal mandates, (2) requests from legislative bodies or oversight bodies, and (3) audit organization discretion. In the case of legal mandates and requests, a government audit organization may be required to conduct the engagement and may not be permitted to make decisions about acceptance or continuance or to resign or withdraw from the engagement.
5.53
An audit organization may operate with limited resources. An audit organization may consider its workload in determining whether it has the resources to perform quality engagements over the range of work. To achieve this, an audit organization may develop systems to prioritize its work in a way that considers the need to maintain quality.
Engagement Performance
Requirements: Engagement Performance
5.54
The audit organization should establish quality objectives that address the performance of engagements as follows:
5.54a
Engagement teams understand and fulfill their responsibilities in connection to engagements, including the overall responsibility of an engagement partner or director for
managing and achieving quality on the engagement and
being sufficiently and appropriately involved throughout the engagement.
The nature, timing, and extent of direction and supervision of engagement teams and review of the work performed are appropriate based on the nature and circumstances of the engagements and the resources assigned or made available to the engagement team.
Engagement teams exercise appropriate professional judgment, which includes exercising reasonable care and professional skepticism.35
Consultation on difficult or contentious matters is undertaken and, as appropriate, documented. Conclusions agreed to from the consultation are implemented and, as appropriate, documented.
Differences of opinion within the engagement team, or between the engagement team and individuals performing activities within the audit organization’s system of quality management, are brought to the attention of officials at the appropriate level of the audit organization; resolved; and, as appropriate, documented.
Engagement documentation of the work performed, results obtained, and conclusions reached is assembled on a timely basis and is appropriately maintained and retained to meet the needs of the audit organization and comply with professional standards, independence requirements, and applicable legal and ethical requirements.
Audit procedures and audit reports are appropriate in the context of the engagement objectives.
5.55
The audit organization should take the following steps:
5.55a
- Assign responsibility to the engagement partner or director for determining that they have taken overall responsibility for managing and achieving quality on the engagement.
5.55b
- Assign responsibility to the engagement partner or director for determining that independence and ethical requirements have been fulfilled for each engagement prior to issuing the audit report.
5.55c
- If an engagement is terminated before it is completed and an audit report is not issued, document the results of the work to the date of termination and why the engagement was terminated.
5.55d
- If auditors change the engagement objectives during the engagement, document the revised engagement objectives and the reasons for the changes.
5.55e
- Determine if an engagement quality review is an appropriate response to address one or more quality risks.36
Application Guidance: Engagement Performance
5.56
Examples of engagement supervision include the following:
tracking the progress of the engagement;
considering the competence of individual members of the engagement team, whether they understand their instructions, and whether the work is being carried out in accordance with the planned approach to the engagement;
addressing significant findings and issues arising during the engagement, considering their significance, and modifying the planned approach appropriately; and
identifying matters for consultation or consideration by engagement team members with appropriate levels of skill and proficiency in auditing, specialists, or both during the engagement.
5.57
A review of the work performed may include determining whether
the work has been performed in accordance with professional standards and applicable laws and regulations;
significant findings and issues have been raised for further consideration;
appropriate consultations have taken place and the resulting conclusions have been documented and implemented;
the nature, timing, and extent of the work performed are appropriate and without need for revision;
the work performed supports the conclusions reached and is appropriately documented;
the evidence obtained is sufficient and appropriate to support the report; and
the objectives of the engagement procedures have been achieved.
5.58
When an audit organization consists of a single auditor, the requirement for an engagement team member to review work performed by other team members may be achieved through alternative procedures.
5.59
Consultation involves a discussion at the appropriate professional level with individuals within or outside the audit organization who have specialized expertise.
5.60
Consultation uses appropriate research, as well as the collective experience and technical expertise of the audit organization. Consultation helps promote quality and improves the application of professional judgment.
5.61
Effective consultation on technical, ethical, and other matters within the audit organization or, when applicable, outside the audit organization can be achieved when
those consulted are given all the relevant facts that will enable them to provide informed advice;
those consulted have appropriate knowledge, authority, and experience; and
conclusions resulting from consultations are appropriately documented and implemented.
5.62
Difficult or contentious matters on which consultation is needed may be specified by the audit organization, or the engagement team may identify matters that require consultation. The audit organization may also specify how conclusions should be agreed upon and implemented.
5.63
The audit organization may encourage identifying differences of opinion at an early stage and may specify the steps to be taken in raising and dealing with them, including how the matter is to be resolved and how the related conclusions should be implemented and documented.
5.64
The appropriate level of official to whom differences of opinion are raised may vary. For example, a partner or director may be an appropriate level of official to resolve differences of opinion in the engagement team. The senior-level official assigned accountability and responsibility for the system of quality management may be an appropriate level of official to resolve differences of opinion between the engagement team and individuals performing activities within the audit organization’s system of quality management.
5.65
Law, regulation, or professional standards may prescribe the time frames in which the assembly of final engagement files for specific types of engagements is to be completed.
5.66
Whether engagement documentation is in paper, electronic, or other form, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors’ knowledge or if the documentation is lost or damaged.
5.67
Law, regulation, or professional standards may prescribe the retention periods for engagement documentation. If the retention periods are not prescribed, the audit organization may consider the nature of the engagements that it performs and its circumstances.
5.68
The engagement partner or director takes overall responsibility for managing and achieving quality by being sufficiently and appropriately involved throughout the engagement. This enables the engagement partner or director to have a basis for determining that the significant judgments made and conclusions reached are appropriate given the nature and circumstances of the engagement.
5.69
Determining whether and how to communicate the reason for terminating an engagement or changing the engagement objectives to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the engagement, and other appropriate officials will depend on the facts and circumstances and therefore is a matter of professional judgment.
5.70
An engagement quality review is an objective evaluation of the engagement team’s significant judgments and the conclusions reached thereon that the engagement quality reviewer performs and completes before the audit report is released.
5.71
The audit organization may determine that an engagement quality review is appropriate for all GAGAS engagements, specific types of GAGAS engagements, or specifically identified GAGAS engagements. The audit organization may determine that engagement quality reviews are not necessary to address quality risks.
5.72
Criteria that an audit organization establishes to determine if an engagement quality review is appropriate may relate to the types of engagements that the audit organization performs and the types of entities for which it undertakes engagements. Examples of conditions, events, circumstances, actions, or inactions that could create quality risks for which an engagement quality review may be an appropriate response include
engagements that involve a high level of complexity or judgment, such as performance audits that are highly technical in nature and financial audits for entities with significant accounting estimates with a high degree of estimation uncertainty;
engagements on which issues have been encountered, such as recurring inspection findings;
entities that hold a significant amount of assets in a fiduciary capacity for a large number of stakeholders;
audited entities with deficiencies in internal control that are significant within the context of the engagement objectives;
for financial audits, audited entities with material restatements in their financial statements; and
performance audits involving controversial or contentious subject matters or high-risk engagements.
5.73
The audit organization’s responses to address quality risks may include other forms of review that are not engagement quality reviews.
Resources
Requirement: Resources
5.74
The audit organization should establish quality objectives that address appropriately obtaining, developing, using, maintaining, allocating, and assigning resources in a timely manner to enable the design, implementation, and operation of a system of quality management as follows:
Personnel are hired, developed, and retained who have the competence and capabilities to consistently perform quality engagements and carry out responsibilities related to the operation of the audit organization’s system of quality management.
Personnel develop and maintain the appropriate competence to perform their roles and are held accountable or recognized for doing so through timely evaluation, compensation, promotion, and/or other incentives.
5.74c
Auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements.
The audit organization has sufficient resources to consistently perform quality engagements and enable the operation of the audit organization’s system of quality management.
Individuals assigned to engagements or to perform activities within the system of quality management have appropriate competence and capabilities, including sufficient time, to perform their duties.
Appropriate technological and intellectual resources are obtained or developed, implemented, maintained, and used to enable the operation of the audit organization’s system of quality management and the performance of engagements.
Human, technological, or intellectual resources from service providers are appropriate for use in the audit organization’s system of quality management and in performing engagements.
Application Guidance: Resources
5.75
The policies and procedures designed and implemented relating to hiring, developing, and retaining personnel may address issues such as the following:
recruiting individuals who have, or are able to develop, appropriate competence;
training programs focused on developing personnel’s competence and continuing professional development;
evaluation mechanisms that are undertaken at appropriate intervals and include competency areas and other performance measures; and
compensation, promotion, and other incentives for all personnel, including engagement partners or directors and those assigned roles and responsibilities related to the audit organization’s system of quality management.
5.76
Effective performance evaluation, compensation, and advancement procedures are conducive to developing and maintaining competent personnel. Steps that an audit organization may take in developing and maintaining competent personnel include the following:
making personnel aware of the audit organization’s expectations regarding performance and ethical principles;
providing personnel with an evaluation of, and counseling on, performance, progress, and career development; and
helping personnel understand that compensation and advancement to positions of greater responsibility depend on, among other things, performance quality, and that failure to comply with the audit organization’s policies and procedures may result in disciplinary action.
5.77
The size and circumstances of the audit organization are important considerations in determining the structure of the audit organization’s performance evaluation process. A smaller audit organization, in particular, may employ less formal methods of evaluating the performance of its personnel.
5.78
The audit organization may use a suitably qualified external individual or group of individuals or service provider to conduct engagement work or perform activities within the system of quality management when internal resources, for example, personnel with particular areas of technical expertise, are unavailable.
5.79
A service provider is an individual or organization external to the audit organization that provides a human, technological or intellectual resource that the audit organization uses in its system of quality management or in performing its engagements.
5.80
Intellectual resources include the information that the audit organization uses to enable the operation of the system of quality management and promote consistency in performing engagements. Examples of intellectual resources include written policies and procedures, methodologies, guides, standardized documentation, and access to information sources such as subscription-based databases.
Information and Communication
Requirement: Information and Communication
5.81
The audit organization should establish quality objectives that address obtaining, generating, or using information regarding the system of quality management and communicating information to enable the design, implementation, and operation of the system of quality management as follows:
The audit organization’s information system identifies, captures, processes, and maintains relevant and reliable information that supports the system of quality management.
Relevant and reliable information is communicated to personnel and engagement teams to enable them to understand and carry out their responsibilities within the system of quality management or engagements.
Personnel and engagement teams communicate relevant and reliable information to the audit organization when performing activities within the system of quality management or engagements.
Relevant and reliable information is communicated to external parties.
Application Guidance: Information and Communication
5.82
Obtaining, generating, or communicating information is generally an ongoing process that involves all personnel and encompasses disseminating information within the audit organization and externally. Information and communication are part of all components of the system of quality management.
5.83
Relevant and reliable information includes information that is accurate, complete, timely, and valid to enable the proper functioning of the system of quality management and to support decisions regarding the system of quality management.
5.84
The audit organization may recognize and reinforce the responsibility of personnel and engagement teams to exchange information with the audit organization and one another by establishing communication channels to facilitate communication across the audit organization.
5.85
Laws, regulations, and professional standards may require information to be communicated externally, particularly to support external parties’ understanding of the system of quality management.
Scalability Considerations
5.86
The complexity and formality of an audit organization’s mechanisms for communicating with personnel or engagement teams information relevant to the system of quality management will vary. For example, a smaller or less complex audit organization may find informal staff meetings effective for communicating with personnel or engagement teams. A larger or more complex audit organization may need formal mechanisms, such as written reports, intranet portals, or periodic official meetings, for communicating such information.
Monitoring and Remediation Process
Requirement: Monitoring and Remediation Process
5.87
The audit organization should establish a process to monitor the design, implementation, and operation of the system of quality management to provide a basis for identifying deficiencies and remediating them on a timely basis.
Application Guidance: Monitoring and Remediation Process
5.88
Monitoring of quality is a process comprising ongoing consideration and evaluation of the audit organization’s system of quality management. The purpose of monitoring is to provide management of the audit organization with reasonable assurance that (1) the policies and procedures related to the system of quality management are suitably designed and operating effectively in practice, (2) auditors have fulfilled their responsibilities in accordance with professional standards and applicable laws and regulations, and (3) auditors have performed and reported on engagements in accordance with such standards and requirements.
5.89
In addition to enabling the evaluation of the system of quality management, the monitoring and remediation process facilitates the proactive and continual improvement of engagement quality and the system of quality management.
Requirements: Designing and Performing Monitoring and Remediation Activities
5.90
The audit organization should design and perform monitoring and remediation activities to
provide relevant, reliable, and timely information about the design, implementation, and operation of the system of quality management;
take appropriate actions to respond to identified deficiencies so that they are remediated on a timely basis; and
enable it to assess compliance with professional standards and with policies and procedures it has established to address quality risks.
5.91
The audit organization should establish policies and procedures that address the objectivity of the individuals performing the monitoring and remediation activities and require those individuals to have sufficient competence, authority, and time to perform these activities.37
Application Guidance: Designing and Performing Monitoring and Remediation Activities
5.92
Monitoring is most effective when performed by persons who do not have responsibility for the specific activity being monitored.
5.93
Monitoring activities will vary based on the audit organization’s facts and circumstances.
5.94
Monitoring activities may include the following:
assessing the appropriateness of the audit organization’s policies and procedures, guidance materials, and any practice aids;
evaluating new developments in professional standards and applicable legal and regulatory requirements and how they are reflected in the audit organization’s policies and procedures, when appropriate;
reviewing written affirmation of compliance with policies and procedures on independence;
inspecting engagement documentation and reports for a selection of engagements;
assessing the effectiveness of staff training;
evaluating decisions related to acceptance and continuance of relationships with audited entities and specific engagements; and
assessing audit organization personnel’s understanding of the audit organization’s quality management policies and procedures and implementation thereof.
5.95
In determining the nature, timing, and extent of the monitoring activities, the audit organization may consider the following:
Quality management risk assessments
The design of the responses to address quality risks
The design of the audit organization’s quality management risk assessment process and monitoring and remediation process
Changes to the audit organization’s operating environment or in the system of quality management
The results of previous monitoring activities, including whether
previous monitoring activities continue to be relevant in evaluating the audit organization’s system of quality management and
remedial actions to address previously identified deficiencies were effective
Other relevant information, including
complaints and allegations about
failures to perform work in accordance with professional standards and applicable laws and regulations or
noncompliance with the audit organization’s policies and procedures related to the system of quality management and
information from inspections
5.96
The audit organization’s monitoring activities may comprise a combination of ongoing monitoring activities and periodic monitoring activities. Ongoing monitoring activities are generally routine activities built into the audit organization’s processes and performed on a real-time basis. Periodic monitoring activities are conducted at certain intervals by the audit organization.
5.97
When performing monitoring activities, the audit organization may determine that changes to the nature, timing, and extent of the monitoring activities are needed, such as when findings concerning the system of quality management indicate the need for more extensive monitoring activities.
5.98
How the audit organization’s quality management risk assessment process is designed (for example, whether it is a centralized or decentralized process or the frequency of review) may affect the nature, timing, and extent of the monitoring activities, including those over the audit organization’s quality management risk assessment process.
5.99
Changes in the system of quality management may include
changes to address an identified deficiency in the system of quality management and
changes to the quality objectives, quality risks, or responses to address the quality risks resulting from changes in the nature and circumstances of the audit organization and its engagements.
5.100
When changes in the system of quality management occur, the audit organization’s previous monitoring activities may no longer provide it with information to support the evaluation of the system of quality management. Therefore, the audit organization’s monitoring activities may include monitoring of those changes.
5.101
Inspection is a retrospective evaluation of the adequacy of the audit organization’s quality management policies and procedures, its personnel’s understanding of those policies and procedures, and the extent of its compliance with them. The extent and nature of inspection procedures vary based on the audit organization’s quality management policies and procedures and on the existence, effectiveness, and results of other monitoring activities.
5.102
The manner in which the inspection is organized depends on many factors, such as the following:
the size of the audit organization;
the number and geographical location of offices;
the results of previous monitoring activities;
the degree of authority of both personnel and offices (for example, whether individual offices are authorized to conduct their own inspections or whether only the head office may conduct them);
the nature and complexity of the audit organization’s practice and structure; and
the risks associated with entities that the audit organization audits and specific engagements.
5.103
Inspection procedures may include the review of engagements to determine if responses to address quality risks at the engagement level have been implemented as designed and are operating effectively. The matters considered during an inspection of an individual engagement depend on how the inspection will be used to monitor the system of quality management.
5.104
The results of inspection procedures or other relevant information may indicate that previous monitoring activities that the audit organization undertook failed to identify a deficiency in the system of quality management. This information may affect the audit organization’s consideration of the nature, timing, and extent of the monitoring activities.
5.105
A peer review is not a substitute for monitoring activities. However, audit organizations may use the results of a peer review to consider improvements to the system of quality management.
5.106
The audit organization may consider threats to objectivity when designing the policies and procedures addressing the objectivity of the individuals performing the monitoring activities. Examples of threats to objectivity include when
an individual who performs an inspection of an engagement was an engagement team member or the engagement quality reviewer for that engagement and
an individual who performs another type of monitoring activity participated in designing, executing, or operating the response being monitored.
5.107
Individuals are not precluded from performing monitoring activities, including inspections, of their own compliance with a system of quality management. However, such self-inspections may be less effective than compliance inspections by another qualified individual. When individuals inspect their own compliance with an audit organization’s policies and procedures, the audit organization has a higher risk that noncompliance will not be detected or reported through monitoring activities. To effectively self-monitor for compliance, it is necessary that individuals be able to critically review their own performance, assess their own strengths and weaknesses, and maintain attitudes of continual improvement.
5.108
An audit organization may use a service provider, including another audit organization, to monitor or assist in the monitoring of the system of quality management.
Requirements: Evaluating Quality Management Findings and Quality Management Deficiencies
5.109
The audit organization should evaluate findings concerning the system of quality management to determine whether deficiencies exist, including in the monitoring and remediation process.
5.110
The audit organization should evaluate the severity and pervasiveness of identified deficiencies in the system of quality management by investigating their underlying causes and evaluating their effect, both individually and in the aggregate, on the system of quality management.
Application Guidance: Evaluating Quality Management Findings and Quality Management Deficiencies
5.111
A finding in relation to a system of quality management is information about the design, implementation, and operation of the system of quality management that the audit organization has accumulated through the performance of monitoring activities and from other relevant sources, which indicates that one or more deficiencies may exist.
5.112
The audit organization accumulates findings from monitoring activities, including inspections, and other relevant sources. Information that the audit organization accumulates from the monitoring activities, including inspections, and other relevant sources may lead to observations about the audit organization’s system of quality management, such as
actions, behaviors, or conditions that have given rise to positive outcomes in the context of quality or the effectiveness of the system of quality management or
similar circumstances in which no findings were noted (for example, engagements in which no findings were noted but the engagements have a similar nature to the engagements in which findings were noted).
5.113
The information that the audit organization accumulates from the monitoring activities and other relevant sources may also lead to other observations that may be useful to the audit organization. Such information may assist the audit organization in investigating the underlying causes of identified deficiencies, indicate practices that it can support or apply more extensively (for example, across all engagements), or highlight opportunities for it to enhance its system of quality management. The results of the monitoring and remediation process provide information about the operation of the system of quality management that is relevant to the audit organization’s quality management risk assessment process.
5.114
A deficiency in the audit organization’s system of quality management exists when
a quality objective required to achieve the objective of the system of quality management is not established;
a quality risk, or combination of quality risks, is not identified or properly assessed;
a response, or combination of responses, does not reduce to an acceptably low level the likelihood of a related quality risk occurring because the responses are not properly designed, implemented, or operating effectively; or
another aspect of the system of quality management is absent, or not properly designed, implemented, or operating effectively, such that a requirement of this chapter has not been addressed.
5.115
The audit organization exercises professional judgment in determining whether findings, individually or in combination with other findings, give rise to a deficiency in the system of quality management. In making the judgment, the audit organization may consider the relative importance of the findings in the context of the quality objectives, quality risks, responses, or other aspects of the system of quality management to which they relate. The audit organization’s judgments may be affected by quantitative and qualitative factors relevant to the findings. In some circumstances, the audit organization may deem it appropriate to obtain more information about the findings to determine whether a deficiency exists. Not all findings, including findings about specific engagements, will be a deficiency.
5.116
Factors the audit organization may consider in evaluating the severity and pervasiveness of an identified deficiency include the following:
The nature of the identified deficiency, including the aspect of the audit organization’s system of quality management to which the deficiency relates, and whether the deficiency is in the design, implementation, or operation of the system of quality management
In the case of an identified deficiency related to a response, whether there are compensating responses to address the quality risk to which the response relates
The underlying causes of the identified deficiency
The frequency with which the matter giving rise to the identified deficiency occurred
The magnitude of the identified deficiency, how quickly it occurred, and its duration and effect on the system of quality management.
5.117
The nature, timing, and extent of the procedures undertaken to understand the underlying causes of an identified deficiency may also be affected by the nature and circumstances of the audit organization, such as the following:
The complexity and operating characteristics of the audit organization
The size of the audit organization
The geographical dispersion of the audit organization
How the audit organization is structured or the extent to which the audit organization concentrates or centralizes its processes or activities
5.118
Evaluating findings and identifying deficiencies and evaluating the severity and pervasiveness of identified deficiencies, including investigating the underlying causes of identified deficiencies, is an iterative process.
Requirements: Responding to Identified Quality Management Deficiencies
5.119
The audit organization should design and implement remedial actions that respond to the results of the analysis of underlying causes to address identified deficiencies in the system of quality management.
5.120
The audit organization should evaluate the remedial actions to determine whether they are effective in addressing the identified quality management deficiencies and their related underlying causes.
5.121
If the audit organization’s evaluation indicates that the remedial actions are not effective in addressing the quality management deficiencies, the audit organization should modify the remedial actions such that identified deficiencies and their related underlying causes are addressed.
Quality Management Findings About a Particular Engagement
5.122
The audit organization should respond to circumstances when quality management findings indicate that there is an engagement for which
required procedures were omitted during the performance of the engagement or
the report issued may not comply with professional standards or applicable laws or regulations.38
Application Guidance: Responding to Identified Quality Management Deficiencies
5.123
The nature, timing, and extent of remedial actions may depend on a variety of factors, including
the underlying causes;
the severity and pervasiveness of the identified deficiency and therefore the urgency with which it needs to be addressed; and
the effectiveness of the remedial actions in addressing the underlying causes, such as whether the audit organization needs to implement more than one remedial action to effectively address the underlying causes, or it needs to implement remedial actions as interim measures until it is able to implement more effective remedial actions.
5.124
In some circumstances, the remedial action may include establishing additional quality objectives, or adding or modifying quality risks or responses, to address identified deficiencies.
Evaluating the System of Quality Management
Requirements: Evaluating and Concluding on the System of Quality Management
5.128
The senior-level official assigned responsibility and accountability for the audit organization’s system of quality management should evaluate the system of quality management. The evaluation should be undertaken as of a point in time and performed at least annually. Based on this evaluation, the senior-level official should conclude and document one of the following:
The system of quality management provides the audit organization with reasonable assurance that the objective of the system of quality management is being achieved.
Except for matters related to identified deficiencies that have a severe but not pervasive effect on its design, implementation, and operation, the system of quality management provides the audit organization with reasonable assurance that the objective of the system of quality management is being achieved.
The system of quality management does not provide the audit organization with reasonable assurance that the objective of the system of quality management is being achieved.
5.129
When evaluating and concluding on the system of quality management, the senior-level official assigned responsibility and accountability for the system of quality management should consider
the audit organization’s quality management risk assessment process, including its quality objectives, quality risks, and responses and the extent to which the audit organization’s responses address the quality risks, and
the results of the monitoring and remediation process.
Application Guidance: Evaluating and Concluding on the System of Quality Management
5.130
To evaluate and conclude on the system of quality management, the senior-level official assigned responsibility and accountability for the system of quality management may consider
the severity and pervasiveness of identified deficiencies and the effect on the achievement of the objective of the system of quality management;
whether remedial actions have been designed and implemented by the audit organization and whether the remedial actions taken up to the time of the evaluation are effective; and
whether the effect of identified deficiencies on the system of quality management has been appropriately addressed, such as whether further actions have been taken in accordance with paragraph 5.121.
5.131
There may be circumstances when identified deficiencies that are severe (including those that are severe and pervasive) have been appropriately remediated and their effect corrected at the point in time of the evaluation. In such cases, the senior-level official assigned responsibility and accountability for the system of quality management may conclude that the system of quality management provides the audit organization with reasonable assurance that the objective of the system of quality management is being achieved.
Documentation
Requirements: Documentation
5.132
The audit organization should document its system of quality management in a manner sufficient to
support personnel’s consistent understanding of the system of quality management, including an understanding of their roles and responsibilities with respect to the system of quality management and performing engagements;
support the consistent implementation and operation of the responses to address quality risks; and
provide evidence of the design, implementation, and operation of the responses to address quality risks to support the evaluation of the system of quality management by the senior-level official assigned responsibility and accountability for it.
5.133
The audit organization should include the following in its documentation of its system of quality management:
Identification of the
The audit organization’s quality management risk assessment, including its quality objectives, quality risks, and a description of the responses and how the audit organization’s responses address the quality risks, as discussed in paragraphs 5.19 through 5.23.
Regarding the monitoring and remediation process,
evidence of the monitoring activities performed, as discussed in paragraph 5.90;
the evaluation of findings, and identified deficiencies and their related underlying causes, as discussed in paragraphs 5.109 and 5.110;
remedial actions to address identified deficiencies and the evaluation of the design and implementation of such remedial actions, as discussed in paragraphs 5.119 and 5.120; and
communications about monitoring and remediation, as discussed in paragraphs 5.125 and 5.126.
The conclusion and the basis for the conclusion reached pursuant to paragraph 5.128.
5.134
The audit organization should establish a period of time for document retention for the system of quality management that is sufficient to enable the audit organization and its peer reviewer to monitor the design, implementation, and operation of the system of quality management or for a longer period if required by law or regulation.
Application Guidance: Documentation
5.135
An audit organization’s judgments about the form, content, and extent of documentation may be affected by factors related to the nature and complexity of the audit organization itself and the engagements it performs. Areas of greater quality risk, matters involving more complex judgments, and changes to aspects of the system of quality management may have a greater effect on the form, content, and extent of documentation.
5.136
In some instances, an external oversight authority may establish additional documentation requirements, either formally or informally, due to inspection findings or external peer review results or for reasons that the external oversight authority deems necessary.
5.137
The audit organization is not required to document the consideration of every condition, event, circumstance, action, or inaction for each quality objective or each risk that may give rise to a quality risk.
5.138
In documenting the quality risks and how its responses address the quality risks, the audit organization may document the assessments given to each quality risk (that is, the considered occurrence and effect achieving one or more quality objectives) to support the consistent implementation and operation of the responses.
See paras. 3.07 and 3.08 for additional guidance on the public interest.↩︎
See paras. 3.02 through 3.16 for a discussion of ethical principles and paras. 3.18 through 3.108 for independence requirements and guidance.↩︎
See paras. 3.109 through 3.117 for a discussion of professional judgment.↩︎
See paras. 5.139 through 5.154 for requirements and application guidance on performing engagement quality reviews.↩︎
See para. 5.106 for guidance concerning threats to objectivity and para. 5.107 for guidance relating to individuals performing self-monitoring activities.↩︎
See para. 9.68 and AU-C section 560, Subsequent Events and Subsequently Discovered Facts (AICPA, Professional Standards) for requirements relating to the discovery of insufficient audit evidence after report release.↩︎