| Written by Mike Edmonds, Drew Harmon, Theresa McGrady, and Sam McCall,
|
ALGA established its peer review program in 1991 to assist member organizations in complying with the Government Auditing Standards’(yellow book) requirement to have an external peer review every three years. Since its inception, the ALGA peer review program has conducted over 160 yellow book peer reviews and has been one of the organization’s highest-rated programs.
The ALGA Board of Directors approved expanding the peer review program in 2005 to include reviews for member organizations following the International Standards for the Professional Practice of Internal Auditing (red book), adopted by the Institute of Internal Auditing (IIA). The Board concluded that expanding the peer review program would better serve member organizations, some of which follow the red book. Member organizations that follow the red book either choose to follow the red book or are required by law or regulation to do so. Many of the Canadian local government auditing organizations follow the red book.
The red book requires audit organizations to undergo an external assessment review every five years. The scope of a red book external review, however, is broader in scope than a yellow book external peer review. Red book reviews not only assess compliance with standards but also evaluate organizations against best practices. At this time, the Peer Review Committee (PRC) does not plan to offer these broader assessments. The red book, however, allows audit organizations to undergo a narrower scope review called a self-assessment with verification. The objective of this review is to assess the audit organization’s compliance with the red book. The ALGA red book peer review will offer this type of assessment, except we will not request the audit organization to perform a self-assessment. Thus, the scope of these red book reviews will essentially be the same as the ALGA yellow book reviews.
As Amanda Noble, PRC Chair, mentioned in the March 2006 Quarterly, the PRC has drafted a guide for conducting peer reviews of member organizations that follow the red book. This guide is patterned after the ALGA yellow book peer review guide, which was revised in 2004. The PRC expects the red book peer review guide to be available on the ALGA website by July.
To test the guide, we performed a peer review of the Tallahassee City Auditor’s Office. The office, under the leadership of City Auditor Sam McCall, graciously agreed to undergo our first red book review. The office was an ideal test case because they had undergone four yellow book peer reviews and was well-versed on the red book. In fact, Sam had authored a number of articles and had given presentations addressing the perceived conflict of interest between the yellow book’s independence standard and the red book’s use of the term of the “consulting” to define certain audit services.
The office follows both the yellow and the red book. Thus, the peer review team conducted a review of the office’s compliance with both the yellow book and the red book. The yellow book and red book standards address many of the same elements; however, the standards have some differences. The red book consists of three types of standards: 1) attribute standards, 2) performance standards, and 3) implementation standards. Attribute standards address the characteristics of audit organizations and parties performing internal audit activities. Performance standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be evaluated. Implementation standards apply to specific types of engagements.
The attribute standards and the implementation standards are similar to the standards found in the yellow book. The attribute standards are comparable to the general standards found in the yellow book. For instance, the attribute standards deal with the purpose, authority, and responsibility of the internal audit activity, independence and objectivity, proficiency and due professional care, and quality assurance and improvements. The comparable general standards in the yellow book are independence, professional judgment, competence, and quality control.
The implementation standards address the planning, fieldwork, and reporting on specific audits. These standards address many of the same elements as the planning, fieldwork, and reporting standards for performance audits found in the yellow book.
The red book’s performance standards depart somewhat from the yellow book. These standards address the management of the internal audit activity and the nature of audit work. For instance, these standards state that the internal audit activity’s workplan should be based on a risk assessment, undertaken at least annually. Although many audit organizations that follow the yellow book do this, the yellow book does not address audit selection or the development of an annual workplan.
The red book’s performance standards also state that the internal audit activity should use a systematic and disciplined approach to evaluate and contribute to the improvement of the audited entity’s risk management, control, and governance processes. For instance, the performance standards state that the internal audit activity should evaluate the design, implementation, and effectiveness of the entity’s ethics-related objectives, programs and activities.
Preparations for the peer review began several months before the site visit with Sam and his staff completing two sets of questionnaires: one describing how its procedures addressed the yellow book and another describing how its procedures addressed the red book. The red book questionnaire contained 90 statements on the standards from the red book as compared to the 49 statements for the yellow book questionnaire. Completing the two questionnaires required considerable effort on the part of Sam’s staff.
Similarly, the peer review team had to review both sets of questionnaires and complete separate evaluations of the adequacy of the design of office’s system for ensuring compliance with both sets of standards. Reviewing the completed questionnaires provided the team with a more complete understanding of the differences between the two standards and the additional audit processes necessary to ensure compliance with the red book. Once we reviewed audit engagements on site, we realized that complying with both sets of standards is no easy task. We found that the red book tends to be more specific than the yellow book. For instance, the red book explicitly requires risk assessments during the engagement planning and fieldwork. The red book also requires the audit program to be approved before audit work begins. Further, the red book states that the internal audit activity should evaluate the design, implementation, and effectiveness of the entity’s ethics-related objectives, programs and activities. In the end, the team had to exercise more judgment in assessing whether the office’s policies and procedures addressed the standards in the red book.
Based on our review, the peer review team issued two separate opinions--one stating that the office fully complied with the yellow book and a second opinion stating that the office fully complied with the red book for the period we reviewed. In addition, we issued one management letter highlighting a number of the office’s strengths and offering several suggestions to improve their compliance with both the yellow book and the red book. The office, in their response, stated that it would implement the suggestions for improvement.
Based on the peer review of the Tallahassee City Auditor’s Office, we have the following comments. First, we believe that the results of the peer review demonstrate that the yellow book and red book are two compatible sets of professional standards. Consistent with the Board’s policy, we encourage audit organizations to follow the yellow book, but we encourage members to follow other professional standards as well. Furthermore, we commend Sam McCall and the staff of the Tallahassee City Auditor’s Office for their commitment to attaining high professional standards. Finally, we encourage other audit organizations that follow the red book to take advantage of the peer review program that is now available to them. We recommend that any organizations considering a red book review should follow the same advice that the PRC suggests for organizations obtaining yellow book reviews. That is, the organizations should tailor their procedures to address all the requirements in the standards they follow. These procedures should incorporate the use of an engagement checklist into your quality control system. The organizations should also conduct a self-assessment of your readiness for a peer review by using the Audit Organization Description of Quality Control System. Finally, volunteer audit staff to participate in peer reviews and take the peer review training course, either at the annual conference or online.
For organizations considering a red book review, the PRC will make several minor modifications to the red book guide based on our pilot review. We then plan to submit it to the IIA for their review. Furthermore, the PRC plans to follow the same administrative processes for coordinating red book reviews that currently follow for yellow book reviews. Member organizations should contact their regional coordinator to schedule a review. The coordinator will recruit a review team and ensure that the team meets the independence and qualification requirements. The organization will arrange for and pay for travel and other associated expenses but will not pay for the reviewers’ time. Instead, the organization will agree to provide qualified staff to participate on future reviews of other member organizations.Comments by Sam M. McCall
City Auditor of Tallahassee on the
ALGA Review of the Office of the City Auditor
Possibly, a question that many ALGA members may ask is, “Why would I want to reference both Government Auditing Standards and the Standards for the Professional Practice of Internal Auditing in issued reports? In our office, we answered that question by observing that both organizations standards provided excellent guidance.
I also believed that the Standards were compatible, as I had served on both the Comptroller General’s Government Auditing Standards Advisory Council and on the Institute of Internal Auditors International Internal Auditing Standards Board. I had an appreciation for performance auditing as described in Government Auditing Standards and also liked the part of The IIA definition of internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
I had also worked with ALGA, the Government Relations Committee of The IIA, and with GAO staff to have recognition and agreement that the term “consulting” as used by The IIA was more like a “performance audit” as defined by the GAO. (Please see the December 2002 Internal Auditor, “The Auditor as Consultant” and the Fall 2003 AGA Journal of Government Financial Management, “ Reconciling “Consulting” Under GAO and IIA Audit Standards.”)
In the Office of the City Auditor, we first started referencing The IIA Standards, the red book, in November 2001. Having provided Standards, articles, and other materials from both organizations with staff, they became more comfortable as time passed with this additional reference in our reports. The Office of the City Auditor had been referencing the yellow book before I joined the City in 1999. A local CPA firm performed previous external quality assurance reviews. Since becoming City Auditor, we have had two peer reviews performed by ALGA I have been very pleased with both the quality of the reviews and the reviewers provided through the ALGA program. This program is similar to the National State Auditors Association Peer Review Program.
What was our experience from this review? First, we were very pleased that the review team concluded that our quality control system complied with Government Auditing Standards and the Standards for the Professional Practice of Internal Auditing. Second, we received suggestions that will help us improve our audit guide and audit processes, especially in better documenting some of the red book requirements. For example, the red book seems to place greater emphasis on “risk assessments” as the driver for audit planning and work. It places more emphasis on follow up (we have a very thorough follow up system) and addresses the need to review and document the organization’s ethics program.
I believe there is still need for GAO to further address consulting in the yellow book as examples provided focus more on financial statement auditing. The ALGA checklists are designed to review an engagement as an assurance activity or as a consulting activity. I would have put these checklists together in the same manner; however, future reviews may have to take into consideration that audit work may have elements of both types of services. Our audits are performed under the umbrella of a performance audit that, at times, may focus on internal control, compliance, outputs and outcomes, assurance and/or consulting. Our goal in the City is to be fair, to add value, and to improve the City’s risk management, control, and governance processes. We welcomed the issues addressed in the team’s letter of comments and we intend to make improvements to our Audit Process Guide. We will be working with our City Audit Committee to formally recognize, through our City Audit Policy, that we intend to continue to look to GAO and the IIA Standards. We owe a great deal of thanks to the ALGA Peer Review Committee for developing the additional IIA quality control review guides. We thank Alan Ash for continuing to express our desire for ALGA to do this review, and to the team assembled to conduct this review. They were knowledgeable, professional, helpful, and constructive in their approach to this review and in the reports issued.
ALGA can be very proud of its program and we are grateful to all involved in meeting the needs for a review under GAO and The IIA Standards.
Mike Edmonds (peer review team leader) is a Supervising Auditor with the San Jose City Auditor’s Office and is the Western Region Coordinator for peer review and is a member of the Peer Review Committee.
Drew Harmon (peer review team member) is the City Auditor for Roanoke, Virginia and is a member of the Peer Review Committee.
Theresa McGrady (peer review team member) is the Audit Director for Fairfax County Public Schools and is a member of the Peer Review Committee.
Sam McCall is the City Auditor for Tallahassee, Florida.
|
Peer Review