|
|
|
What Small Shops Should Know About Passing an ALGA Peer Review |
|
|
|
Written by Gary Blackmer, Portland, Webmaster
|
FOREWARD
Government Auditing Standards (GAS) help ensure that government auditors maintain competence, integrity, objectivity, and independence in planning, conducting, and reporting their work. Auditors enhance their credibility by following standards so their work can lead to improved government management, decision making, and oversight.
|
GAS require quality control, including peer review:
3.50 Each audit organization performing audits or
attestation engagements in accordance with GAGAS
must:
a. establish a system of quality control that is designed
to provide the audit organization with reasonable
assurance that the organization and its personnel
comply with professional standards and applicable legal
and regulatory requirements, and
b. have an external peer review at least once every 3 years.
The Association of Local Government Auditors (ALGA) established its peer review program in 1991 to assist its members in meeting the quality control standard. In its first fourteen years, ALGA peer review teams conducted 200 peer reviews of 91 different local government auditing organizations.
Although members have consistently rated peer review as one of ALGA’s best programs, many audit organizations have not taken advantage of it. Most notably, small local government audit organizations (1-2 audit staff), which comprise nearly 40 percent of ALGA’s membership, have not used the ALGA peer review program. In fact, very few small audit organizations have had an ALGA peer review. This publication provides guidance to encourage smaller audit organizations to participate in the peer review program.
|
|
Common Questions
Small audit organizations not participating in the peer review program frequently ask the following questions.
• What are the benefits of a peer review?
• How much will it cost?
• How should organizations prepare for a peer review?
• Is it harder for small organizations to comply with the standards?
• Will the peer review team understand a small organization?
|
What are the benefits of a peer review?
Peer review helps audit organizations answer the question, “Who audits the auditors?” Just as we conduct audits and attestation engagements to promote accountability and transparency within our organizations, peer review helps ensure that our audit organizations are accountable and our work is credible.
At the completion of the peer review, the peer review team issues a report communicating the results. The report includes the scope of the review, an independent opinion on whether the system of quality control was adequate and being complied with, the professional standards to which the organization is being held, and if applicable a management letter describing any findings and recommendations.
|
How much does a peer review cost?
The ALGA peer review program was designed to keep costs at a minimum and is an excellent value for its members. The audit organization pays for the travel, lodging, and out-of-pocket expenses incurred by review team members, but does not pay for the time/salary of reviewers. Instead, the audit organization agrees to send its own staff to other jurisdictions to perform peer reviews. ALGA administers the peer review program as a service to its members and does not charge a separate fee.
Travel costs may be reduced for small audit organizations because generally only two reviewers (instead of three) are needed for the peer review team. Moreover, the Review Coordinator can work with the audit organization to minimize travel costs by selecting team members from nearby areas.
|
|
How should organizations prepare for a peer review?
Taking the ALGA peer review course is helpful in preparing for a peer review. Not only does it prepare the auditor to carry out a peer review but dispels myths about the process and what is involved. ALGA offers the convenience of taking the class online or during the annual conference. Participating on a peer review (prior to scheduling one’s own peer review) is an excellent way to address any concerns related to peer review. Discussing standards with colleagues and reviewing other organizations’ work will broaden your understanding as to what others do to meet auditing standards.
We also encourage auditors to perform a self-assessment and see where you stand. Use the checklists and forms in the ALGA Peer Review Guide to help identify areas needing improvement. Most likely, you are closer than you think! Remember to think in terms of “what must be done to comply with standards” and not “how do large audit organizations operate.”
If you do not have one, prepare an audit manual with appropriate policies and procedures that describe your operations. The manual need be only a few pages – enough to show how you document compliance with audit standards in general and on an audit-by-audit basis.
|
|
Is it harder for small organizations to comply with standards?
Many audit organizations, both large and small, have a misconception that GAS are rigid and not adaptable to their organizations. This concern is unfounded. In fact, GAS are flexible and recognize different audit organizations will likely have different internal control requirements and resources. GAS state:
"The nature, extent, and formality of an audit organization’s quality control system will vary based on the audit organization’s circumstances, such as the audit organization’s size, number of offices and geographic dispersion, the knowledge and experience of its personnel, the nature and complexity of its audit work, and cost-benefit considerations." (3.51)
Because GAS require audit organizations to implement internal controls that are appropriate for its organization, ALGA stresses flexibility in its peer review program. We provide training and tools for the peer review team to use to assess whether the audit organization (small, medium, or large) adheres to applicable standards – not whether the audit organization operates in a manner similar to other audit organizations.
|
|
Will the peer review team understand a small organization?
The extent of peer review procedures is tailored to the size and nature of an organization’s work. The review team spends about a week onsite at the audit organization’s offices reviewing audit documentation and administrative files and interviewing audit management and staff.
Experienced peer reviewers can help the audit organization better address standards in its specific environment. They become resources as audit organizations develop policies and practices in their changing environments.
The peer review team is comprised of two or three audit professionals. GAS require the peer review team to:
• Know GAS and the government environment
• Be independent of the audit organization being reviewed
• Know how to perform a peer review
ALGA ensures that the team members meet these requirements. The Review Coordinator recruits the review team after considering a number of factors including the size of the organization requesting a review and the types of work it performs. Coordinators match the needs of the organization undergoing the review to the skills and background of the review team members. For instance, if a large performance audit organization needs a review, the Review Coordinator will try to identify potential review team members from comparably-sized organizations that also do performance audits.
ALGA stresses experience and training in recruiting reviewers. At a minimum, the coordinators require someone to serve on at least one and usually two peer reviews before becoming a team leader. In completing the team, the coordinators look for auditors serving in supervisory or management positions. Using more experienced audit personnel helps to ensure that the review team has knowledge of the government environment and GAS, as well as judgment on how to apply the standards.
To ensure that the team members know how to perform a review, the coordinators try to recruit review members who have taken the ALGA Peer Review Training course.
Finally, to ensure that review team members are independent of the organization being reviewed, the coordinators require potential review team members to complete a qualifications and independence (Q & I) statement. The coordinators review these statements before completing the assignments to the team.
|
|
COMMON CONCERNS
Many small audit organizations have concerns about complying with the following standards:
- General Standards
- Independence
- Professional Judgment
- Competence
- Continuing Professional Education (CPE)
- Performance Fieldwork Standards
- Planning
- Supervision
- Evidence
- Validity of Data
- Audit documentation
- Performance Reporting Standards
- Audit Reports
- Illegal Acts, Noncompliance and Abuse
To address these concerns, ALGA provides the following guidance to the general and performance audit standards.
|
GENERAL STANDARDS
Independence
GAO’s Government Auditing Standards 2003 Revision incorporated changes made in Amendment #3 to the 1994 Revision. This amendment significantly altered requirements relating to nonaudit services and provided additional criteria regarding organizational independence. Audit organizations should refer to ALGA’s Peer Review Guide for general guidance.
Concern: Standard 3.07 states that personal impairments can “...result from relationships and beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way.” In small organizations, government auditors often interact with department managers and sometimes develop professional and personal relationships with future auditees.
Response: Personal and professional relationships with managers are not necessarily impairments to independence unless the relationship would cause the auditor to limit the extent of inquiry or disclosure in an audit. The 2003 revision provides examples of relationships that would impair an auditor’s independence, including an immediate or close family member who is director or officer of the audited entity or as an employee is in position to exert direct or significant influence over the entity or program under audit. Auditors should avoid situations that could lead reasonable third parties with knowledge of the relevant facts and circumstances to conclude that the auditors are not able to maintain independence. Professional relationships with managers would not generally fit this criteria. If a personal impairment exists, the audit organization should remove the impairment or withdraw from the audit. If neither of these options is possible, government auditors can perform the audit but must disclose the impairment in the scope section of the audit report to comply with GAS.
Concern: A significant number of government auditors report to Finance Directors, Controllers, City Managers or County Administrators rather than directly to the public (elected) or the legislative body (appointed). Auditors in these reporting structures are not confident they satisfactorily meet the organizational independence requirement.
Response: GAS provide for a variety of reporting models. If the head of the audit agency is accountable, reports to the head or deputy head of the entity, and is not located organizationally in the management function being audited, then the audit agency is independent to report to the entity's management. The standards provide alternatives for enhancing independence in these reporting relationships. If an organizational independence impairment exists, compliance with GAS is attained if this fact is disclosed in the scope section of the audit report.
Concern: Performance of nonaudit services might impair independence.
Response: GAS are not applicable to nonaudit services. However, providing nonaudit services may affect an audit organization’s independence to conduct audits. If audit organizations provide nonaudit services, audit organizations need to consider whether providing these services creates a personal impairment either in fact of appearance that adversely affects their independence for conducting audits. Before an audit organization agrees to perform nonaudit services, it should consider that auditors should avoid situations that could lead reasonable third parties with knowledge of the relevant facts and circumstances to conclude that auditors are not able to maintain independence in conducting audits. In conducting the assessment, the audit organization should apply two overarching principles:
(1) audit organizations should not provide nonaudit services that involve performing management functions or making management decisions and
(2) audit organizations should not audit their own work or provide nonaudit services in situations where the nonaudit services are significant/material to the subject matter of audits. Audit organization should comply with the safeguards identified in the standards.
|
|
Professional Judgment
Concern: Small audit organizations do not have sufficient resources to meet the standard at the same level as a large audit organization.
Response: GAS are broad and rely on the auditors' commitment to professionalism. The best way for a small audit organization to meet this standard is to adopt and follow policies and procedures. Auditors should disclose in the scope section of the report when they do not follow a standard, including the reasons they did not follow the standard, and how not following the standard affected, or could have affected, the results of the audit. If a standard is not applicable, auditors should document why it is not applicable in the audit documentation but do not need to disclose in the audit report they did not follow the standard. Some audit organizations use ALGA's Peer Review Guide checklist to document that auditors used professional judgment in completing audit work. In addition, the audit organization may ask knowledgeable third parties such as ALGA's Peer Review Committee or other ALGA members to review established policies and procedures for consistency with GAGAS.
Competence - Continuing Professional Education (CPE)
Concern: It is difficult to obtain sufficient funding to meet this standard. Many small audit organizations are located away from major training facilities and travel costs are high.
Response: GAO has issued guidance that provides a variety of options for meeting CPE requirements at minimal cost. Examples include: internal training programs, university courses, internet and web based training, self-study guides, or serving as an instructor in a group program.
ALGA also offers low cost CPE opportunities for training including the national conference, regional training sessions and internet-based training. ALGA Quizzers are a no-cost member benefit allowing you to obtain one credit of CPE just by reading your Local Government Auditing Quarterly. The Quizzers and more detailed instructions are available on the ALGA website. You can repeat the process with each Quarterly for another CPE credit.
|
|
PERFORMANCE FIELDWORK STANDARDS
Planning
Concern: Small audit organizations often conduct audits with very limited objectives and scopes. Additionally, these audits may be relatively short in duration. There is a perception that this work may not qualify as a "real audit."
Response: GAS require work to be adequately planned and planning to be documented. However, the extent of planning work depends on the audit objective, so narrowly scoped audits require less planning. GAS specifically note that performance audits encompass a variety of objectives and may entail a broad or narrow scope (2.09). GAS do not define audits by the amount of work conducted or evidence compiled. As long as auditors follow standards so that the planning and evidence are sufficient to meet the objectives and the report describes the objectives, scope, methodology, and findings, the report is an audit. Auditors can use a checklist to help ensure that audit planning is adequate.
Concern: In some instances, the original audit program is not followed. There is a perception that all steps should be completed as originally written.
Response: Planning activities continue throughout the audit. The planning standard recognizes that audit steps may be added or deleted after the original audit program has been developed. These changes should be noted on the original audit program or in a revised audit program.
|
Supervision
Concern: Supervision may be nonexistent or limited in a one- or two-person audit organization. Therefore, these audit organizations might be found to be noncompliant with this standard. A noncompliant finding might be perceived as being politically or professionally unacceptable.
Response: In its truest sense, the supervision standard is not applicable for one-person audit organizations whose individual auditors, by necessity, have responsibility for an entire audit.
GAS allow for the nature of supervisory reviews to vary depending upon the significance of the work or the experience of the staff. There is no requirement for the supervisor to review and initial every page of the work.
Examples of how supervisors in small audit organizations can ensure that work is appropriately supervised include drafting and following audit programs, double-checking important calculations, documenting milestones and/or problems, and completing ALGA's Quality Control Review Engagement Checklist. The audit organization also can address the supervision issue in its policies and procedures manual.
|
|
Evidence - Validity of Data
Concern: Small audit organizations generally do not have information technology auditors on staff. Auditors and reviewers may perceive that in-house expertise in evaluating computer controls is substandard.
Response: Audit guidance on assessing the reliability of computer-processed information can be found on GAO and ALGA web sites. Use of data does not always require a system test. The same evidence standard applies to computer-processed data as to other types of data. Most of the techniques used to assess computer-processed data are standard auditing techniques used all of the time. In many cases, the auditor can simply cite the source of the data and state why they believe the data are valid. In addition, the auditor can still comply with this standard by disclosing in the scope section of the audit report the limits of work performed and by refraining from making unwarranted conclusions or recommendations.
Concern: What is sufficient, competent, and relevant evidence that computer-processed data are valid and reliable when these data are significant to the auditor’s findings?
It depends on
• the scope of the audit,
• the audit objectives,
• the auditor’s findings,
• how the auditor uses the data,
• the source of the data,
• the effectiveness of the controls over the system that produced the data,
• etc…
Peer review teams look for policies and internal controls addressing GAS requirements, and then they look for documentation that the policies and internal controls were effectively carried out during the review period.
|
|
Audit documentation
Concern: Audit documentation may not be as sophisticated as those prepared in large audit organizations. Because the audit documentation may not be as elaborate, a peer review team may find them unacceptable.
Response: GAS state that audit documentation should contain
a) the objectives, scope, and methodology, including any sampling criteria used;
b) documentation of the work performed to support significant conclusions and judgments; and
c) evidence of supervisory review of the work performed.
These elements can be documented in a summary format covering the underlying audit documentation . This allows an experienced auditor, having no previous connection with the audit, to ascertain from them evidence supporting the auditor’s significant conclusions and judgments. As long as audit documentation meets those standards, compliance with GAS is maintained.
|
|
PERFORMANCE REPORTING STANDARDS
Audit Reports
Concern: Reports are not always issued on a timely basis, because audit efforts may need to be redirected to unforeseen critical projects.
Response: Timeliness focuses on the basis of when the information is needed, not an arbitrary timeline. In cases where reports cannot be completed as originally scheduled, interim reports can be issued. If such events do occur, documenting the delay in the audit documentation and communicating the delay to the auditee and to other known report users can maintain compliance with standards. This communication can be oral as well as written. Evidence of oral communication should be documented.
Illegal Acts, Noncompliance and Abuse
Concern: Small audit organizations have insufficient resources to develop and conduct in-depth risk assessments. Accordingly, illegal acts, noncompliance, and abuse may not be discovered. In addition, auditors may not be properly trained in fraud investigations. Consequently, if illegal acts are discovered they may not be handled properly.
Response: Standard 7.10 offers suggestions on how to determine whether laws and regulations are significant to audit objectives. ALGA's web site has member links to some organizations with web-based risk assessment programs, which can be adapted for use by small audit organizations. ALGA's listserv may also be valuable.
|
Responsibility for this Publication/Comments
The ALGA Peer Review Committee is responsible for maintaining this publication. We thank all those who contributed their thoughts and ideas. If you have any questions or comments you would like us to address in future updates, please contact the Chair of the Peer Review Committee noted in the ALGA Member Directory. We appreciate your comments.
May 2005
|
|
|
|
|
Peer Review