External Peer Review

Requirements: General

5.60

Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization’s system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects.

5.61

Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization’s peer review requirements and the requirements listed throughout paragraphs 5.66 through 5.80.

1. American Institute of Certified Public Accountants

2. Council of the Inspectors General on Integrity and Efficiency

3. Association of Local Government Auditors

4. International Organization of Supreme Audit Institutions

5. National State Auditors Association

5.62

Any audit organization not affiliated with an organization listed in paragraph 5.61 should meet the minimum GAGAS peer review requirements throughout paragraphs 5.66 through 5.94.

Application Guidance: General

5.63

Each audit organization has discretion in selecting and accepting its peer review teams. Auditors in governments or jurisdictions without access to established peer review programs may engage other auditors, including public accounting firms, to conduct their peer reviews. If access to an established peer review program is not available, auditors may organize regional programs with other auditors.

5.64

In cases of unusual difficulty or hardship, extensions of the deadlines for submitting peer review reports exceeding 3 months beyond the due date may be granted by the entity that administers the peer review program with the concurrence of GAO.

5.65

Some audit organizations may be subject to or required to follow a peer review program of a recognized organization. Other audit organizations may follow a specific peer review program voluntarily. In instances where the audit organization follows a recognized organization’s peer review program voluntarily, the use of such a peer review program means compliance with the recognized organization’s entire peer review process, including, where applicable, standards for administering, performing, and reporting on peer reviews, oversight procedures, training, and related guidance materials.

Requirements: Assessment of Peer Review Risk

5.66

The peer review team should perform an assessment of peer review risk to help determine the number and types of engagements to select for review.

5.67

Based on the risk assessment, the peer review team should select engagements that provide a reasonable cross section of all types of work subject to the reviewed audit organization’s quality control system, including one or more engagements conducted in accordance with GAGAS.

Application Guidance: Assessment of Peer Review Risk

5.68

Peer review risk is the risk that the review team

1. fails to identify significant weaknesses in the reviewed audit organization’s system of quality control for its auditing practice, its lack of compliance with that system, or a combination thereof;

2. issues an inappropriate opinion on the reviewed audit organization’s system of quality control for its auditing practice, its compliance with that system, or a combination thereof; or

3. makes an inappropriate decision about the matters to be included in, or excluded from, the peer review report.

5.69

A selection approach that provides a cross section of all types of work is generally applicable to audit organizations that conduct a small number of GAGAS engagements in relation to other types of engagements. In these cases, one or more GAGAS engagements may represent more than what would be selected when looking at a cross section of the audit organization’s work as a whole. Some audit organizations conduct audit and attestation work in a number of functional areas. For example, an organization may conduct financial audits, attestation engagements, reviews of financial statements, and performance audits. The peer review team may consider reviewing a sample of engagements from each of the major functional areas included within the scope of the review.

5.70

A peer review is designed to test significant risk areas where it is possible that engagements are not being conducted, reported on, or both in conformity with professional standards and applicable legal and regulatory requirements in all material respects. A peer review is not designed to test every engagement, compliance with every professional standard, or every detailed component of the audit organization’s system of quality control.

5.71

Examples of the factors that may be considered when performing an assessment of risk for selecting engagements for peer review include

1. scope of the engagements, including size of the audited entity or engagements covering multiple locations;

2. functional area or type of government program;

3. types of engagements conducted, including the extent of nonaudit services provided to audited entities;

4. personnel (including use of new personnel or personnel not routinely assigned the types of engagements conducted);

5. initial engagements;

6. familiarity resulting from a long-standing relationship with the audited entity;

7. political sensitivity of the engagements;

8. budget constraints faced by the audit organization that could negatively affect engagement quality;

9. results of the peer review team’s review of the design of system of quality control;

10. results of the audit organization’s monitoring process; and

11. overall risk tolerance within the audit organization that could negatively affect engagement quality.

Requirements: Peer Review Report Ratings

5.72

The peer review team should use professional judgment in deciding on the type of peer review rating to issue; the ratings are as follows:

1. Peer review rating of pass: A conclusion that the audit organization’s system of quality control has been suitably designed and complied with to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects.

2. Peer review rating of pass with deficiencies: A conclusion that the audit organization’s system of quality control has been suitably designed and complied with to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects with the exception of a certain deficiency or deficiencies described in the report.

3. Peer review rating of fail: A conclusion, based on the significant deficiencies described in the report, that the audit organization’s system of quality control is not suitably designed to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects, or that the audit organization has not complied with its system of quality control to provide the audit organization with reasonable assurance of performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects.

5.73

The peer review team should determine the type of peer review rating to issue based on the observed matters’ importance to the audit organization’s system of quality control as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate.

5.74

The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation.³⁷ The peer review team should perform its evaluation and issue report ratings as follows:

1. If the peer review team’s evaluation of observed matters does not identify any findings (more than a remote possibility that the reviewed audit organization would not perform, report, or both in conformity with professional standards and applicable legal and regulatory requirements), or identifies findings that are not considered to be deficiencies, the peer review team issues a pass rating.

2. If the peer review team’s evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report.

3. If the peer review team’s evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report.

Application Guidance: Peer Review Report Ratings

5.75

Deficiencies are findings that because of their nature, causes, pattern, or pervasiveness, including their relative importance to the audit organization’s system of quality control taken as a whole, could create a situation in which the audit organization would not have reasonable assurance of performing, reporting, or both in conformity with professional standards and applicable legal and regulatory requirements in one or more important respects.

5.76

Significant deficiencies are one or more deficiencies that the peer review team concludes result from a condition in the audit organization’s system of quality control or compliance with that system such that the system taken as a whole does not provide reasonable assurance of performing, reporting, or both in conformity with professional standards and applicable legal and regulatory requirements.

Requirements: Availability of the Peer Review Report to the Public

5.77

An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance.

5.78

An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public.

5.79

Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested:

1. the audit organization’s most recent peer review report and

2. any subsequent peer review reports received during the period of the contract.

5.80

Auditors who are using another audit organization’s work should request a copy of that organization’s most recent peer review report, and the organization should provide this document when it is requested.

Application Guidance: Availability of the Peer Review Report to the Public

5.81

To help the public understand the peer review reports, an audit organization may include a description of the peer review process and how it applies to its organization. Examples of additional information that audit organizations may include to help users understand the meaning of the peer review report follow:

1. Explanation of the peer review process.

2. Description of the audit organization’s system of quality control.

3. Explanation of the relationship of the peer review results to the audited organization’s work.

4. If a peer review report is issued with a rating of pass with deficiencies or fail, explanation of the reviewed audit organization’s plan for improving quality controls and the status of the improvements.

Additional Requirements for Audit Organizations Not Affiliated with Recognized Organizations

Requirement: Peer Review Scope

5.82

The peer review team should include the following elements in the scope of the peer review:

1. review of the audit organization’s design of, and compliance with, quality control and related policies and procedures;

2. consideration of the adequacy and results of the audit organization’s internal monitoring procedures;

3. review of selected audit reports and related documentation and, if applicable, documentation related to selected terminated engagements prepared in accordance with paragraph 5.25, if any terminated engagements are selected from the universe of engagements used for the peer review sample;

4. review of prior peer review reports, if applicable;

5. review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files; and

6. interviews with selected members of the audit organization’s personnel in various roles to assess their understanding of and compliance with relevant quality control policies and procedures.

Application Guidance: Peer Review Scope

5.83

Review of documentation related to terminated engagements can provide information on the audit organization’s response to threats to independence. For example, the documentation may include information on whether an engagement was terminated as a result of an undue influence from outside the audit organization.

Requirement: Peer Review Intervals

5.84

An audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement in accordance with GAGAS.

Application Guidance: Peer Review Intervals

5.85

The period under review in a peer review generally covers 1 year.

Requirement: Written Agreement for Peer Review

5.86

The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements.

Application Guidance: Written Agreement for Peer Review

5.87

The written agreement is meant to ensure mutual consent on the fundamental aspects of the peer review and to avoid any potential misunderstandings. The written agreement may address the following:

1. scope of the peer review;

2. staffing and time frame;

3. compensation for conducting the peer review, if applicable;

4. preliminary findings, if applicable;

5. reporting results;

6. administrative matters; and

7. access to audit documentation.

5.88

The peer review team is responsible for ensuring that the peer review is conducted in accordance with GAGAS peer review requirements.

Requirement: Peer Review Team

5.89

The peer review team should meet the following criteria:

1. The review team collectively has adequate professional competence and knowledge of GAGAS and government auditing.

2. The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its personnel, and the engagements selected for the peer review.³⁸

3. The review team collectively has sufficient knowledge to conduct a peer review.

Application Guidance: Peer Review Team

5.90

Peer review knowledge and professional competence may be obtained from on-the-job training, training courses, or a combination of both. Having individuals on the peer review team with prior experience on a peer review or internal inspection team is desirable.

Requirement: Report Content

5.91

The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements:

1. a description of the scope of the peer review, including any limitations;

2. a rating concluding on whether the system of quality control of the reviewed audit organization was adequately designed and complied with during the period reviewed and would provide the audit organization with reasonable assurance that it conformed to professional standards and applicable legal and regulatory requirements;

3. specification of the professional standards and applicable legal and regulatory requirements to which the reviewed audit organization is being held;

4. reference to a separate written communication, if issued under the peer review program;

5. a statement that the peer review was conducted in accordance with GAGAS peer review requirements; and

6. a detailed description of the findings, conclusions, and recommendations related to any deficiencies or significant deficiencies identified in the review.

Application Guidance: Report Content

5.92

When the scope of the peer review is limited by conditions that preclude the application of one or more peer review procedures considered necessary in the circumstances and the peer review team cannot accomplish the objectives of those procedures through alternative procedures, the report can be modified by including a statement in the report’s scope paragraph, body, and opinion paragraph. The statement describes the relationship of the excluded engagement(s) or functional area(s) to the reviewed audit organization’s full scope of practice as a whole and system of quality control and the effects of the exclusion on the scope and results of the review.

Requirements: Audit Organization’s Response to the Peer Review Report

5.93

If the reviewed audit organization receives a report with a peer review rating of pass with deficiencies or fail, the reviewed audit organization should respond in writing to the deficiencies or significant deficiencies and related recommendations identified in the report.

5.94

With respect to each deficiency or significant deficiency in the report, the reviewed audit organization should describe in its letter of response the corrective actions already taken, target dates for planned corrective actions, or both.

Application Guidance: Audit Organization’s Response to the Peer Review Report

5.95

When an audit organization receives a peer review rating of pass with deficiencies or fail that relates to its GAGAS engagements, critical evaluation of the design and implementation of the system of quality control is a factor in determining the audit organization’s ability to accept and perform future GAGAS engagements.

Figure 3: Developing Peer Review Communications for Observed Matters in Accordance with Generally Accepted Government Auditing Standards

Tip: Click the figure to view a larger version in a new browser tab.

1. Peer reviewer observes a matter. (A circumstance that warrants further consideration by the peer review team)
2. Peer review team aggregates and systematically evaluates matters and documents evaluation.
3. Does evaluation of matters identify one or more findings? (More than a remote possibility that the reviewed audit organization would not perform, report, or both in conformity with professional standards and applicable legal and regulatory requirements)

1. No - Report rating: Pass

4. Yes - Peer review team aggregates and systematically evaluates findings and documents evaluation.
5. Does evaluation of finding identify one or more deficiencies? (Findings that because of their nature, causes, pattern, or pervasiveness, including their relative importance to the audit organization’s system of quality control taken as a whole, could create a situation in which the audit organization would not have reasonable assurance of performing, reporting, or both in conformity with professional standards and applicable legal and regulatory requirements in one or more important respects)

1. No - Report rating: Pass

6. Yes - Peer review team aggregates and systemically evaluates deficiencies and documents evaluation
7. Does evaluation of deficiencies identify one or more significant deficiencies? (Audit organization’s system of quality control does not provide reasonable assurance of performing, reporting, or both in conformity with professional standards and applicable legal and regulatory requirements)

1. No - Report rating: Pass with deficiencies. Communicate deficiencies in the peer review report.
2. Yes - Report rating: Fail. Communicate deficiencies and significant deficiencies in the peer review report

---

37. See fig. 3 for a flowchart on developing peer review communications for observed matters in accordance with GAGAS.↩︎

38. See paras. 3.18 through 3.108 for discussion of independence.↩︎