Quality Control and Assurance

Requirement: Quality Control and Assurance

5.02

An audit organization conducting engagements in accordance with GAGAS must establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements.

Application Guidance: Quality Control and Assurance

5.03

An audit organization’s system of quality control encompasses the organization’s leadership, emphasis on performing high-quality work, and policies and procedures designed to provide reasonable assurance of complying with professional standards and applicable legal and regulatory requirements. The nature, extent, and formality of an audit organization’s quality control system will vary based on the audit organization’s circumstances, such as size, number of offices and geographic dispersion, knowledge and experience of its personnel, nature and complexity of its engagement work, and cost-benefit considerations.

System of Quality Control

Requirement: System of Quality Control

5.04

An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures.

Leadership Responsibilities for Quality within the Audit Organization

Requirements: Leadership Responsibilities for Quality within the Audit Organization

5.05

The audit organization should establish policies and procedures on leadership responsibilities for quality within the audit organization that include designating responsibility for quality of engagements conducted in accordance with GAGAS and communicating policies and procedures relating to quality.

5.06

The audit organization should establish policies and procedures designed to provide reasonable assurance that those assigned operational responsibility for the audit organization’s system of quality control have sufficient and appropriate experience and ability, and the necessary authority, to assume that responsibility.

Application Guidance: Leadership Responsibilities for Quality within the Audit Organization

5.07

Appropriate policies and communications encourage a culture that recognizes that quality is essential in conducting GAGAS engagements and that audit organization leadership is ultimately responsible for the system of quality control.

Independence, Legal, and Ethical Requirements

Requirements: Independence, Legal, and Ethical Requirements

5.08

The audit organization should establish policies and procedures on independence and legal and ethical requirements that are designed to provide reasonable assurance that the organization and its personnel maintain independence and comply with applicable legal and ethical requirements.³⁵

5.09

At least annually, the audit organization should obtain written affirmation of compliance with its policies and procedures on independence from all of its personnel required to be independent.

Application Guidance: Independence, Legal, and Ethical Requirements

5.10

Policies and procedures pertaining to independence and legal and ethical requirements assist the audit organization in

1. communicating its independence requirements to its personnel and

2. identifying and evaluating circumstances and relationships that create threats to independence and taking appropriate action to eliminate those threats or reduce them to an acceptable level by applying safeguards or, if considered appropriate, withdrawing from the engagement where withdrawal is not prohibited by law or regulation.

5.11

Written affirmation of compliance with its policies and procedures on independence from all audit organization personnel required to be independent may be in paper or electronic form. By obtaining affirmation of retrospective compliance with the audit organization’s policies and procedures on independence during a specified period and taking appropriate action on information indicating noncompliance, or potential noncompliance, the organization demonstrates the importance that it attaches to independence and keeps the issue current for, and visible to, its personnel. An audit organization may obtain affirmation of required personnel’s compliance with policies and procedures on independence more frequently than once per year. For example, affirmation may be obtained on a per-engagement basis when such engagements last less than 1 year.

Initiation, Acceptance, and Continuance of Engagements

Requirement: Initiation, Acceptance, and Continuance of Engagements

5.12

The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it

1. complies with professional standards, applicable legal and regulatory requirements, and ethical principles;

2. acts within its legal mandate or authority; and

3. has the capabilities, including time and resources, to do so.

Application Guidance: Initiation, Acceptance, and Continuance of Engagements

5.13

Government audit organizations initiate engagements as a result of (1) legal mandates, (2) requests from legislative bodies or oversight bodies, and (3) audit organization discretion. In the case of legal mandates and requests, a government audit organization may be required to conduct the engagement and may not be permitted to make decisions about acceptance or continuance and may not be permitted to resign or withdraw from the engagement.

5.14

Audit organizations may operate with limited resources. Audit organizations may consider their workloads in determining whether they have the resources to deliver the range of work to the desired level of quality. To achieve this, audit organizations may develop systems to prioritize their work in a way that takes into account the need to maintain quality.

Human Resources

Requirements: Human Resources

5.15

The audit organization should establish policies and procedures for human resources that are designed to provide the organization with reasonable assurance that it has personnel with the competence to conduct GAGAS engagements in accordance with professional standards and applicable legal and regulatory requirements.³⁶

5.16

The audit organization should establish policies and procedures to provide reasonable assurance that auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements, including maintaining documentation of the CPE completed and any exemptions granted.

Application Guidance: Human Resources

5.17

Effective recruitment processes and procedures help the audit organization select individuals of integrity who have the capacity to develop the competence and capabilities necessary to perform the audit organization’s work and possess the appropriate characteristics to enable them to perform competently. Examples of such characteristics include meeting minimum academic requirements established by the audit organization and leadership traits.

5.18

The audit organization may use a suitably qualified external person to conduct engagement work when internal resources, for example, personnel with particular areas of technical expertise, are unavailable.

5.19

Effective performance evaluation, compensation, and advancement procedures give due recognition and reward to developing and maintaining competent personnel. Steps that an audit organization may take in developing and maintaining competent personnel include the following:

1. making personnel aware of the audit organization’s expectations regarding performance and ethical principles;

2. providing personnel with an evaluation of, and counseling on, performance, progress, and career development; and

3. helping personnel understand that compensation and advancement to positions of greater responsibility depend on, among other things, performance quality, and that failure to comply with the audit organization’s policies and procedures may result in disciplinary action.

5.20

The size and circumstances of the audit organization are important considerations in determining the structure of the audit organization’s performance evaluation process. A smaller audit organization, in particular, may employ less formal methods of evaluating the performance of its personnel.

5.21

Objectives of the audit organization’s human resources policies and procedures may include

1. promoting learning and training for all personnel to encourage their professional development and to help ensure that personnel are trained in current developments in the profession and

2. helping ensure that personnel and any parties contracted to carry out work for the audit organization have an appropriate understanding of the environment(s) in which the organization operates and a good understanding of the work they are required to carry out.

Engagement Performance

Requirements: General

5.22

The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements.

5.23

If auditors change the engagement objectives during the engagement, they should document the revised engagement objectives and the reasons for the changes.

5.24

The audit organization should establish policies and procedures designed to provide it with reasonable assurance that

1. appropriate consultation takes place on difficult or contentious issues that arise among engagement team members in the course of conducting a GAGAS engagement;

2. both the individual seeking consultation and the individual consulted document and agree upon the nature and scope of such consultations; and

3. the conclusions resulting from consultations are documented, understood by both the individual seeking consultation and the individual consulted, and implemented.

5.25

If an engagement is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated.

Application Guidance: General

5.26

The audit organization’s policies and procedures may address consistency in the quality of engagement performance. This is often accomplished through written or electronic manuals, software tools or other forms of standardized documentation, and industry-specific or subject matter-specific guidance materials. Matters addressed may include the following:

1. maintaining current policies and procedures;

2. briefing the engagement team to provide an understanding of the engagement objectives and professional standards;

3. complying with applicable engagement standards;

4. planning the engagement, supervision, staff training, and mentoring;

5. reviewing the work performed, the significant judgments made, and the type of report being issued;

6. documenting the work performed and the timing and extent of review;

7. reviewing the independence and qualifications of any specialists and the scope and quality of their work;

8. resolving difficult or contentious issues or disagreements among team members, including specialists;

9. obtaining and addressing comments from the audited entity on draft reports; and

10. reporting findings and conclusions supported by the evidence obtained and in accordance with professional standards and applicable legal and regulatory requirements.

5.27

The form and content of the documentation of the audit organization’s policies and procedures, as well as documentation of its compliance with those policies and procedures, are matters of professional judgment and will vary based on the organization’s circumstances.

5.28

Documentation of policies and procedures, as well as compliance with those policies and procedures, may be either electronic or manual. For example, large audit organizations may use electronic databases to document matters such as independence confirmations, performance evaluations, and the results of monitoring. Smaller audit organizations may use more informal methods in the documentation of their systems of quality control, such as manual notes, checklists, and forms.

5.29

Consultation includes discussion at the appropriate professional level with individuals within or outside the audit organization who have relevant specialized expertise.

5.30

Consultation uses appropriate research resources, as well as the collective experience and technical expertise of the audit organization. Consultation helps promote quality and improves the application of professional judgment. Appropriate recognition of consultation in the audit organization’s policies and procedures helps promote a culture in which consultation is recognized as a strength and personnel are encouraged to consult on difficult or contentious issues.

5.31

Effective consultation on significant technical, ethical, and other matters within the audit organization or, when applicable, outside the audit organization can be achieved when

1. those consulted are given all the relevant facts that will enable them to provide informed advice;

2. those consulted have appropriate knowledge, authority, and experience; and

3. conclusions resulting from consultations are appropriately documented and implemented.

5.32

Documentation of consultations with other professionals that involve difficult or contentious matters contributes to an understanding of

1. the issue on which consultation was sought and

2. the results of the consultation, including any decisions made, the basis for those decisions, and how they were implemented.

5.33

An audit organization needing to obtain specialized or technical expertise from external providers may take advantage of services provided by

1. other audit organizations,

2. professional and regulatory bodies, and

3. commercial organizations that provide relevant quality control services.

5.34

Before contracting for services, consideration of the competence and capabilities of the external provider helps the audit organization determine whether the external provider is suitably qualified for that purpose.

5.35

Determining whether and how to communicate the reason for terminating an engagement or changing the engagement objectives to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the engagement, and other appropriate officials will depend on the facts and circumstances and therefore is a matter of professional judgment.

Requirements: Supervision

5.36

The audit organization should establish policies and procedures that require engagement team members with appropriate levels of skill and proficiency in auditing to supervise engagements and review work performed by other engagement team members.

5.37

The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to

1. communicate the identity and role of the engagement partner or director to management and those charged with governance of the audited entity and

2. clearly define the responsibilities of the engagement partner or director and communicate them to that individual.

Application Guidance: Supervision

5.38

Appropriate teamwork and training help less experienced members of the engagement team to clearly understand the objectives of the assigned work.

5.39

Engagement supervision includes the following:

1. tracking the progress of the engagement;

2. considering the competence of individual members of the engagement team, whether they understand their instructions, and whether the work is being carried out in accordance with the planned approach to the engagement;

3. addressing significant findings and issues arising during the engagement, considering their significance, and modifying the planned approach appropriately; and

4. identifying matters for consultation or consideration by engagement team members with appropriate levels of skill and proficiency in auditing, specialists, or both during the engagement.

5.40

A review of the work performed includes consideration of whether

1. the work has been performed in accordance with professional standards and applicable legal and regulatory requirements;

2. significant findings and issues have been raised for further consideration;

3. appropriate consultations have taken place and the resulting conclusions have been documented and implemented;

4. the nature, timing, and extent of the work performed is appropriate and without need for revision;

5. the work performed supports the conclusions reached and is appropriately documented;

6. the evidence obtained is sufficient and appropriate to support the report; and

7. the objectives of the engagement procedures have been achieved.

5.41

In the case of a sole proprietor, the requirement for a second auditor to review work performed and related documentation may be achieved through alternative procedures.

Monitoring of Quality

Requirements: Monitoring of Quality

5.42

The audit organization should establish policies and procedures for monitoring its system of quality control.

5.43

The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization.

5.44

The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following:

1. a description of the monitoring procedures performed;

2. the conclusions reached from the monitoring procedures; and

3. when relevant, a description of systemic, repetitive, or other deficiencies and of the actions taken to resolve those deficiencies.

5.45

The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization’s system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization’s system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances.

5.46

The audit organization should establish policies and procedures that require retention of engagement documentation for a period of time sufficient to permit those performing monitoring procedures and peer review of the organization to evaluate its compliance with its system of quality control or for a longer period if required by law or regulation.

Application Guidance: Monitoring of Quality

5.47

Monitoring of quality is a process comprising an ongoing consideration and evaluation of the audit organization’s system of quality control, including inspection of engagement documentation and reports for a selection of completed engagements. The purpose of monitoring is to provide management of the audit organization with reasonable assurance that (1) the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice and (2) auditors have followed professional standards and applicable legal and regulatory requirements.

5.48

Monitoring is most effective when performed by persons who do not have responsibility for the specific activity being monitored.

5.49

Monitoring procedures will vary based on the audit organization’s facts and circumstances.

5.50

Ongoing consideration and evaluation of the audit organization’s system of quality control may identify circumstances that necessitate changes to, or improve compliance with, the audit organization’s policies and procedures to provide the audit organization with reasonable assurance that its system of quality control is effective.

5.51

Ongoing consideration and evaluation of the audit organization’s system of quality control may include matters such as the following:

1. review of selected administrative and human resource records pertaining to the quality control elements;

2. review of engagement documentation and reports;

3. discussions with the audit organization’s personnel;

4. determination of corrective actions to be taken and improvements to be made in the system, including providing feedback on the audit organization’s policies and procedures relating to education and training;

5. communication to appropriate audit organization personnel of weaknesses identified in the system, in the level of understanding of the system, or compliance with the system; and

6. follow-up by appropriate audit organization personnel so that necessary modifications are promptly made to the quality control policies and procedures.

5.52

Monitoring procedures may also include an assessment of the following:

1. the appropriateness of the audit organization’s guidance materials and any practice aids;

2. new developments in professional standards and applicable legal and regulatory requirements and how they are reflected in the audit organization’s policies and procedures, when appropriate;

3. written affirmation of compliance with policies and procedures on independence;

4. the effectiveness of staff training;

5. decisions related to acceptance and continuance of relationships with audited entities and specific engagements; and

6. audit organization personnel’s understanding of the organization’s quality control policies and procedures and implementation thereof.

5.53

Reviews of the work by engagement team members prior to the date of the report are not monitoring procedures.

5.54

The extent of inspection procedures depends, in part, on the existence and effectiveness of the other monitoring procedures. Inspection is a retrospective evaluation of the adequacy of the audit organization’s quality control policies and procedures, its personnel’s understanding of those policies and procedures, and the extent of the audit organization’s compliance with them. The nature of inspection procedures varies based on the audit organization’s quality control policies and procedures and the effectiveness and results of other monitoring procedures.

5.55

The inspection of a selection of completed engagements may be performed on a cyclical basis. The manner in which the inspection cycle is organized, including the timing of selection of individual engagements, depends on many factors, such as the following:

1. the size of the audit organization;

2. the number and geographical location of offices;

3. the results of previous monitoring procedures;

4. the degree of authority of both personnel and office (for example, whether individual offices are authorized to conduct their own inspections or whether only the head office may conduct them);

5. the nature and complexity of the audit organization’s practice and structure; and

6. the risks associated with entities audited by the audit organization and specific engagements.

5.56

The inspection process involves the selection of individual engagements, some of which may be selected without prior notification to the engagement team. In determining the scope of the inspections, the audit organization may take into account the scope or conclusions of a peer review or regulatory inspections.

5.57

Reporting of identified deficiencies to individuals other than the relevant engagement partner or director need not include identifying the specific engagements concerned, unless such identification is necessary for individuals other than the engagement partner or director to properly discharge their responsibilities.

5.58

Whether engagement documentation is in paper, electronic, or other form, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors’ knowledge or if the documentation is lost or damaged.

5.59

Appropriate documentation relating to monitoring may include, for example, the following:

1. monitoring procedures, including the procedure for selecting completed engagements to be inspected;

2. a record of the evaluation of the following:

   1. adherence to professional standards and applicable legal and regulatory requirements,

   2. whether the system of quality control has been appropriately designed and is effectively implemented and operating, and

   3. whether the audit organization’s quality control policies and procedures have been appropriately applied so that the reports that are issued by the audit organization are appropriate in the circumstances; and

3. identification of the deficiencies noted, an evaluation of their effect, and the basis for determining whether and what further action is necessary.

---

35. See paras. 3.02 through 3.16 for a discussion of ethical principles and paras. 3.18 through 3.108 for independence requirements and guidance.↩︎

36. Refer to paras. 4.02 through 4.15 for requirements and guidance on competence.↩︎