GOVERNMENT AUDITING STANDARDS
Frequently Asked Questions: Establishing and Maintaining a System of Quality Management
By the Comptroller General of the United States
United States Government Accountability Office
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
On February 1, 2024, we issued the 2024 revision to Government Auditing Standards, also known as the Yellow Book. The 2024 Yellow Book strengthens an audit organization’s framework for conducting high-quality government audits through its system of quality management. By considering the unique nature and circumstances in which it operates and conducts Yellow Book engagements, an audit organization can tailor its system of quality management to address its specific risks.
Since we issued the 2024 Yellow Book, we have received numerous questions about establishing and maintaining a system of quality management due to its importance to audit organizations that conduct audits of government entities, entities that receive government awards, and other entities. Accordingly, this document provides guidance to auditors and audit organizations by answering these frequently asked questions.
We provided this question-and-answer guidance in draft to the Comptroller General’s Advisory Council on Government Auditing Standards and discussed the content with other interested parties. The Advisory Council consists of experts in financial and performance auditing and reporting from federal, state, and local government; the private sector; and academia. We considered the views of all parties in finalizing this document, and I thank all those who asked questions and suggested improvements to the guidance.
You can access this document at https://www.gao.gov/yellowbook. If you have any questions regarding the document or the revised Government Auditing Standards, please contact the Yellow Book technical assistance hotline at YellowBook@gao.gov or (202) 512-9535.
Gene L. Dodaro
Comptroller General
of the United States
December 2025
Establishing and Maintaining a System of Quality Management
Background
In February 2024, GAO issued the 2024 revision of Government Auditing Standards, also known as the Yellow Book.[1] The 2024 Yellow Book provides enhancements that strengthen an audit organization’s framework for conducting high-quality government audits through its system of quality management. The 2024 Yellow Book emphasizes the responsibility of an audit organization’s leadership to proactively manage the quality of its engagements and requires an audit organization to design, implement, and operate a system of quality management.
Chapter 5 of the 2024 Yellow Book, “Quality Management, Engagement Quality Reviews, and Peer Review,” replaced chapter 5 in the 2018 Yellow Book, “Quality Control and Peer Review.” The new chapter 5 introduces the concept of quality management, which replaces the concept of quality control in chapter 5 of the 2018 Yellow Book. Quality management is scalable because the nature, extent, and formality of an audit organization’s system of quality management will vary based on its circumstances, including its size, number of offices, geographic dispersion, the knowledge and experience of its personnel, and the nature and complexity of its engagements.
Further, the 2024 Yellow Book requires establishing proactive and effective monitoring and remediation activities. The 2024 Yellow Book requires an audit organization to investigate the underlying causes of deficiencies in its system of quality management, design and implement remedial actions that respond to the underlying causes, and evaluate the remedial actions to determine if they are effective in addressing the quality management deficiencies and the related underlying causes. The 2024 Yellow Book also requires the senior-level official of the audit organization who is assigned responsibility and accountability for the system of quality management to perform an evaluation of the system of quality management at least annually. Finally, the 2024 Yellow Book requires an audit organization to design and implement a system of quality management that complies with the 2024 Yellow Book by December 15, 2025.
This guidance, Frequently Asked Questions: Establishing and Maintaining a System of Quality Management, is intended to help an audit organization in its deliberations about designing, implementing, and operating a system of quality management for engagements conducted in accordance with the Yellow Book. This guidance contains three sections:
Section I: Quality Management Risk Assessment Process
Section II: Quality Management Monitoring and Remediation Process
Section III: Engagement Quality Reviews
This guidance is generally accepted government auditing standards interpretive guidance in accordance with paragraph 2.06 of Government Auditing Standards.
The quality management risk assessment process is fundamental to the 2024 Yellow Book’s establishment of a risk-based system of quality management that is designed, implemented, and operated in an interconnected and coordinated manner. The quality management risk assessment process (depicted in fig. 1) requires an audit organization to
1. establish quality objectives, which are the desired outcomes relative to the components of the system of quality management
2. identify and assess quality risks, which are risks to achieving the quality objectives that have a reasonable possibility of both occurring and adversely affecting the achievement of one or more quality objectives
3. design and implement responses, which are policies and procedures that address one or more quality risks
The quality management risk assessment process is iterative. An audit
organization would typically review and update its quality management risk
assessment both at periodic intervals (e.g., annually) and as necessary to
respond to (1) deficiencies identified during the monitoring and remediation
process and (2) changes in the audit organization’s or its engagements’ nature
and circumstances.
1. Our audit organization has established policies and procedures that meet 2018 Yellow Book requirements. We’ve received clean peer reviews on our system of quality control. Do we need to establish an entirely new set of policies and procedures to meet the 2024 Yellow Book quality management requirements?
It is unlikely that an audit organization would need to establish an entirely new set of policies and procedures when designing a system of quality management consistent with the requirements in the 2024 Yellow Book. The 2024 Yellow Book does not require an audit organization to abandon any of its current quality control activities. The extent to which changes to existing policies and procedures may be necessary will be determined by the results from the audit organization’s quality management risk assessment.
Under the 2018 Yellow Book, there was not necessarily a clear connection between the required high-level policies and procedures and the actions an audit organization needed to take to reasonably assure quality engagements. Personnel did not necessarily understand why certain policies and procedures existed.
The 2024 Yellow Book changes the terminology from “policies and procedures” to “responses.” The responses are policies and procedures, but the change in name signifies that the audit organization designs and implements the responses to address and clearly tie to one or more quality risks.
When designing and implementing a system of quality management, GAO advises an audit organization to map out its current policies and procedures to determine if and to what extent the current policies and procedures adequately address identified quality risks and thereby constitute “responses” under the 2024 Yellow Book. In doing this, the audit organization could determine any of the following for an individual component or the system of quality management as a whole:
· Current policies and procedures do not adequately address the identified quality risks. A substantial overhaul of the policies and procedures is necessary to convert them to responses that address quality risks.
· Current policies and procedures address some of the identified quality risks. However, the audit organization will need to adjust its existing policies and procedures to ensure that they respond to identified quality risks and create additional tailored responses to address gaps in the current policies and procedures.
· Current policies and procedures substantially address the identified quality risks. Minor adjustments may be necessary to tailor a few of the policies and procedures to address quality risks.
· A few current policies and procedures do not address an identified quality risk. The audit organization does not need to retain them in a system of quality management.
In short, an audit organization’s current quality control activities may or may not be appropriate in the audit organization’s system of quality management, and it may not be necessary to make significant changes to its current policies and procedures. The audit organization will make these determinations during the risk assessment process.
2. Does an audit organization need to complete its initial risk assessment as part of designing and implementing its system of quality management by December 15, 2025, or is the risk assessment part of the audit organization’s initial evaluation of its system of quality management to be performed by December 15, 2026?
An audit organization performing engagements in accordance with the Yellow Book should complete the required risk assessment by December 15, 2025. Completing a risk assessment is an essential step in designing and implementing a system of quality management. The initial evaluation of the system of quality management should be completed by the senior-level official assigned responsibility and accountability for the system of quality management by December 15, 2026.
3. Is an audit organization required to establish all the quality objectives in the 2024 Yellow Book?
Yes, an audit organization should establish all quality objectives specified in the Yellow Book. The quality objectives relate to the following six quality components:
· governance and leadership;
· independence, legal, and ethical requirements;
· acceptance, initiation, and continuance of engagements;
· engagement performance;
· resources; and
· information and communication.
The way an audit organization achieves these specific quality objectives may vary based on the size and complexity of the audit organization and its engagements. Further, an audit organization may, but is not required to, establish additional quality objectives to assist in designing and implementing its risk assessment process.
4. Does an audit organization have to identify one or more quality risks for each quality objective?
No. In rare circumstances, an audit organization may determine that there are no quality risks for a particular quality objective. This situation may arise when the audit organization concludes that the risks to achieving a quality objective do not have a reasonable possibility of occurring and adversely affecting the achievement of one or more quality objectives. Such risks do not rise to the level of quality risks.
For example, if an audit organization consists of a single auditor, this audit organization may conclude that it does not have a quality risk associated with the quality objective that the engagement partner or director is “sufficiently and appropriately involved throughout the engagement” (para. 5.54(a)(2)) or, that there will be “differences of opinion within the engagement team, or between the engagement team and individuals performing activities within the audit organization’s system of quality management” (para. 5.54(e)).
5. Can an audit organization accept an unmitigated quality risk?
No, an audit organization cannot accept an unmitigated quality risk. Because a quality risk is a risk that has a reasonable possibility of occurring and adversely affecting the achievement of one or more quality objectives, an audit organization should design and implement responses to address all identified quality risks. A failure to design and implement a response to address an identified quality risk would be a deficiency in the design of the audit organization’s system of quality management.
Note, however, that this does not mean that an audit organization cannot accept risk. Not all risks to achieving a quality objective meet the definition of a quality risk.
6. When identifying a quality risk, does an audit organization evaluate the likelihood of the risk occurring without considering the response(s) designed and implemented to address the risk, or does the audit organization evaluate the likelihood of the risk occurring after considering the response(s) to address the risk?
An audit organization evaluates the inherent risk, or likelihood of the risk occurring, before considering any responses designed and implemented to address the risk. If, in the audit organization’s judgment, a response to address an identified quality risk reduces the likelihood or significance of the risk to an acceptable level, the risk is still considered to be a quality risk, and the response is considered adequate to mitigate the quality risk. If, however, a response to address an identified quality risk does not reduce the likelihood or the significance of the risk to an acceptable level, the audit organization would need to identify and develop additional responses.
By definition, a response is a policy or procedure that the audit organization designs and implements to address one or more quality risks. Therefore, designing and implementing an effective response to address an identified quality risk presumes the existence of a quality risk.
The concept of residual risk is relevant. When designing a system of quality management, conducting risk assessments, performing monitoring and remediation activities, and completing the periodic (e.g., annual) evaluation and conclusion on the system of quality management, the audit organization considers if residual risks to quality, both individually and in the aggregate, are at an acceptable level.
7. What information about the monitoring and remediation process should be communicated to the senior-level official who is assigned responsibility and accountability for the system of quality management?
The information about the monitoring and remediation process to be communicated to the senior-level official includes (1) a description of the monitoring activities performed; (2) the identified deficiencies, along with information about their severity and pervasiveness; and (3) the remedial actions to address identified deficiencies.
8. How often and in what form should information about the system of quality management be communicated to the senior-level official who is assigned responsibility and accountability for the system of quality management?
Communications about the system of quality management to the senior-level official assigned responsibility and accountability for the system may be ongoing or periodic. The form of the communication, frequency, and documentation of its occurrence is a matter of professional judgment, and an audit organization may document such determinations in its policies and procedures.
For example, an audit organization may establish a policy that requires the individual(s) assigned operational responsibility for the system of quality management to provide a written report of the results of monitoring activities to the senior-level official.
If an audit organization determines that oral communication to the senior-level official is sufficient, the audit organization may consider specifying in its communication policy the content to be communicated and require documentation that the communication occurred. For example, the audit organization may document, in the form of meeting minutes, the content that was discussed and the personnel in attendance.
Whether in written or oral form, the communication of the results of monitoring and remediation activities should be sufficient to enable the senior-level official to perform the required evaluation of the system.
9. Is there a template or guide that an audit organization can refer to in designing a system of quality management?
GAO has not published a template or guide for an audit organization to use in designing a system of quality management. However, some professional organizations, sponsors of peer review programs, and affiliation groups—such as the American Institute of Certified Public Accountants (AICPA), the International Auditing and Assurance Standards Board, and the Association of Local Government Auditors—have issued practice aids, templates, or other tools to assist audit organizations in designing a system of quality management.
These aids may or may not adequately address Yellow Book requirements. In addition, GAO reminds users of such materials that they need to establish quality objectives and identify and assess quality risks for their specific audit organization. An audit organization may determine that some practice aid examples may not be applicable or that it needs to develop additional policies and procedures that are not included in the practice aid to address quality risks.
In short, designing a system of quality management involves using professional judgment in considering the nature, circumstances, and complexity of the audit organization and its engagements. The Yellow Book allows an audit organization to appropriately scale the design of its system of quality management based on these considerations. GAO cautions that a “copy and paste” approach from a practice aid may lead an audit organization to adopt policies or procedures that are not appropriate for its size or complexity or omit other policies and procedures that are needed to address quality risks.
10. Could an audit organization receive a peer review rating of “pass with deficiencies” or “fail” if it does not design and implement a system of quality management consistent with the 2024 Yellow Book?
Yes, if an audit organization that performs Yellow Book engagements does not design and implement a system of quality management that complies with the Yellow Book, it is possible that the organization will receive a peer review rating of “pass with deficiencies” or “fail.”
An audit organization’s documentation of its system of quality management will be a focus of its peer review. It is therefore important that an audit organization sufficiently document its system of quality management, including
· identification of the senior-level official assigned responsibility and accountability for the system of quality management and any individual(s) assigned operational responsibility for the system of quality management,
· the organization’s quality management risk assessment,
· information about the monitoring and remediation process,
· the conclusion about whether the system of quality management provides the audit organization with reasonable assurance that the objective of the system is being achieved, and
· the basis for its conclusion.
GAO recommends that an audit organization refer to its respective peer review program for any updates, guidelines, and expectations associated with transitioning the system of quality control to a system of quality management.
11. My audit organization is subject to the AICPA’s Statements on Quality Management Standards. Can my audit organization just use the AICPA’s Statements on Quality Management Standards to design and implement its system of quality management?
No. However, your audit organization does not need to design, implement, and operate two systems of quality management—one that meets the AICPA’s requirements and a separate one that meets the Yellow Book’s requirements.
A nongovernment audit organization conducting engagements in accordance with the Yellow Book that is also subject to quality management standards from the AICPA, the International Auditing and Assurance Standards Board (IAASB), or the Public Company Accounting Oversight Board (PCAOB) should comply with that organization’s quality management requirements and the following additional Yellow Book requirements:
· If an engagement is terminated before it is completed and an audit report is not issued, document the results of the work to the date of termination and why the engagement was terminated (para. 5.55(c)).
· If auditors change the engagement objectives during the engagement, document the revised engagement objectives and the reasons for the changes (para. 5.55(d)).
· Establish a quality objective that auditors performing work in accordance with generally accepted government auditing standards (GAGAS) meet the GAGAS continuing professional education requirements (para. 5.74(c)).
By complying with AICPA, IAASB, or PCAOB quality management requirements, plus the additional Yellow Book requirements listed above, a nongovernment audit organization may design, implement, and operate a single system of quality management that complies with both the recognized organization’s quality management standards and Yellow Book quality management standards.
The purpose of the Yellow Book monitoring and remediation process is to provide management of the audit organization reasonable assurance that (1) the policies and procedures related to the system of quality management are suitably designed and operating effectively, (2) auditors have fulfilled their responsibilities in accordance with professional standards and applicable laws and regulations, and (3) auditors have performed and reported on engagements in accordance with such standards and requirements.
The monitoring and remediation process also facilitates continual improvement in engagement quality and the system of quality management.
12. Our audit organization established policies and procedures for monitoring its system of quality control in accordance with the 2018 Yellow Book. In what ways does the 2024 Yellow Book change the requirements for monitoring, if at all?
An audit organization’s current policies and procedures are a good place to start when considering the monitoring and remediation requirements in the 2024 Yellow Book. However, an audit organization will need to assess its policies and procedures to determine if they are sufficient or if modifications are necessary to design a monitoring and remediation process that complies with the 2024 Yellow Book.
For example, the 2024 Yellow Book clarifies and expands the monitoring requirements in the 2018 Yellow Book and provides additional requirements to
· assess compliance with established policies and procedures to address quality risks (para. 5.90(c));
· identify deficiencies in the system of quality management, including deficiencies that might exist in the monitoring and remediation process (para. 5.109); and
· design and implement remedial actions to address the deficiencies, evaluate the effectiveness of the remedial actions, and modify them as necessary if the actions are not effective (paras. 5.119 through 5.121).
To the degree that an audit organization already has policies and procedures to identify underlying causes of quality-related deficiencies and evaluate the effectiveness of remedial actions, it may not need significant changes. However, other audit organizations may determine that they need to formalize and document existing informal procedures or develop and implement new processes to address the requirements in the 2024 Yellow Book. An audit organization will need to review its existing policies and procedures to determine the extent to which it may need to revise them to include the additional requirements in the 2024 Yellow Book.
13. What is the relationship between the risk assessment process and the monitoring and remediation process?
As shown in figure 2, there is a relationship between the risk assessment process and the monitoring and remediation process. An audit organization would consider its quality objectives, its identified quality risks, and the responses it designed and implemented to address the quality risks to identify and develop appropriate monitoring activities. Changes to quality objectives, quality risks, and responses may also necessitate changes to relevant monitoring activities. Equally important, the results of monitoring activities inform the audit organization about changes needed related to its quality objectives, quality risks, and responses.
For example, an audit organization may establish a policy that identifies certain key audit documentation that the engagement partner or director must “sign off” on to document review and approval. In this scenario, this policy would serve as a response to address identified quality risk(s) relating to the quality objective that the nature, timing, and extent of review of the work performed are appropriate.
To monitor its policy’s effectiveness, the audit organization may choose to perform inspections of completed engagements. As a result of performing these inspections, the audit organization identified several instances in which specific key audit documentation did not contain evidence of the engagement partner or director’s timely review and approval in accordance with the established policy.
The audit organization would then evaluate the severity and pervasiveness of this finding. If the audit organization determines that it is a deficiency in the system of quality management because implementing the response (the policy requiring documentation of partner or director review and approval) did not reduce to an acceptably low level the likelihood that the quality risk (inadequate, inappropriate, or untimely engagement partner or director review of work performed) would occur, the audit organization would then determine that it needs to revise its response and might create an engagement partner or director checklist to more clearly specify the requirements for documenting the engagement partner or director’s review and approval of key audit workpapers.
14. How should an audit organization respond to deficiencies identified through monitoring activities?
An audit organization should design and implement remedial actions to address underlying causes of deficiencies identified through monitoring activities in a timely manner. Furthermore, the audit organization should evaluate the effectiveness of the remedial actions. If the audit organization determines that the remedial actions are not effective in addressing the deficiencies, then the audit organization should modify the remedial actions so that the deficiencies and their underlying causes are addressed.
As part of evaluating and concluding on the system of quality management, the senior-level official assigned responsibility and accountability for the system considers (1) the deficiencies identified by monitoring activities performed and (2) the effectiveness of the remedial actions to address the deficiencies. Therefore, to the extent possible, the audit organization may schedule monitoring activities and evaluation of remedial actions to support this evaluation and conclusion.
15. The Yellow Book notes that monitoring is most effective when performed by persons who do not have responsibility for the specific activity being monitored. Does this mean that a very small audit organization is required to hire another audit organization or service provider to monitor the system of quality management?
No. The Yellow Book does not preclude individuals from performing monitoring activities, including inspections, of their own compliance with a system of quality management. However, such self-monitoring activities may be less effective than monitoring activities performed by another qualified individual. This is because individuals monitoring their own activities may be less likely to identify noncompliance than if another individual performed the monitoring activities.
An audit organization may use another audit organization or a service provider to perform monitoring activities of its system of quality management, but the audit organization is not required to do so. The audit organization may consider evaluating the benefits of having another qualified individual or audit organization perform monitoring activities of its system of quality management with the costs of such an arrangement. Additionally, an audit organization might consider arranging reciprocal monitoring activities with a similarly sized audit organization.
The audit organization is responsible for ensuring that the monitoring activities, regardless of type or form, fulfill the intended purpose of monitoring as discussed in the introduction to this section.
16. For the years when the audit organization undergoes peer review, can the senior-level official assigned responsibility and accountability for the system of quality management rely on the peer review report to evaluate and conclude on the system of quality management?
No. The audit organization is responsible for establishing a process to monitor the design, implementation, and operation of its system of quality management to provide a basis for identifying and remediating deficiencies on a timely basis. A peer review does not replace or fulfill an audit organization’s responsibility to perform monitoring activities sufficient to identify and timely remediate deficiencies and provide a basis for the senior-level official’s conclusion on the effectiveness of the audit organization’s system of quality management.
An external peer review is an independent evaluation of an audit organization’s system of quality management. If the senior-level official were to rely on the peer review report to evaluate and conclude on the system of quality management, the peer review would have effectively become part of the audit organization’s system of quality management. Additionally, because a peer review is performed after the period being reviewed, it does not provide timely information about the system of quality management. Therefore, it would not enable the audit organization to take appropriate actions to respond to identified deficiencies so that they are remediated on a timely basis.
17. How is an engagement quality review different from an engagement inspection?
An engagement quality review proactively helps ensure that the audit organization achieves its quality standards on its audits. Because the review takes place before report issuance, an engagement quality review may be likened to a preventive measure or control activity to help ensure that engagements that do not meet quality standards are not issued until the identified quality concerns are sufficiently addressed.
By contrast, an engagement inspection is a retrospective evaluation of the adequacy of the audit organization’s policies and procedures, its personnel’s understanding of those policies and procedures, and the extent of compliance with them. An inspection is often performed after the audit organization issues the audit report. It is generally a more comprehensive evaluation of the audit organization’s policies and procedures and the degree to which personnel understand the procedures and comply with them than engagement quality review. In this sense, it may be thought of as a test of the consistency and effectiveness of the audit organization’s policies and procedures for ensuring quality.
18. What happens if the senior-level official assigned responsibility and accountability for the system of quality management concludes that the system does not provide the audit organization with reasonable assurance that the objective of the system of quality management is being achieved?
If the senior-level official concludes that, due to deficiencies that have a severe and pervasive effect on the system of quality management, the audit organization’s system of quality management does not provide reasonable assurance that the objective of the system of quality management is being achieved, the audit organization would be noncompliant with an unconditional Yellow Book requirement (i.e., a “must” requirement).[2] As a result, the audit organization should include a modified generally accepted government auditing standards compliance statement in reports on Yellow Book engagements, in accordance with paragraphs 2.16 through 2.23, until the underlying severe and pervasive deficiencies are appropriately remediated and their effect(s) corrected.
Such a conclusion should not be a surprise to the audit organization or to the senior-level official assigned responsibility and accountability for the system of quality management. This scenario would not likely occur if the audit organization were performing its monitoring and remediation activities effectively and communicating in a timely manner the results to responsible officials within the audit organization.
An engagement quality review is an objective evaluation of an engagement team’s significant judgments and conclusions regarding an engagement. It is performed by an individual who is not a member of the engagement team and is completed before the audit report is released.
An audit organization is required to determine whether an engagement quality review is an appropriate response to address one or more quality risks. If it is an appropriate response, then the audit organization is required to design and implement policies and procedures to perform engagement quality reviews. The Yellow Book does not require an audit organization to perform engagement quality reviews.
19. Is it possible for an audit organization to perform a review of an engagement that is not an engagement quality review, but is an effective response to address one or more quality risks?
Yes. An audit organization may determine that certain aspects of an engagement quality review are unnecessary to address quality risks for some or even all engagements. Instead, the audit organization may design and implement a type of quality control review that is tailored to the nature and circumstances of the audit organization and the engagements that it conducts. Such a tailored form of review may be a better response to address quality risks than an engagement quality review as prescribed by the Yellow Book.
The audit organization uses professional judgment to determine which kinds of reviews, if any, are appropriate to address quality risks. However, if the audit organization calls its reviews “engagement quality reviews,” it needs to be sure that the reviews meet all the related Yellow Book requirements. If the reviews omit or contradict the Yellow Book requirements for engagement quality review, they should not be called or considered engagement quality reviews.
20. Is an engagement quality reviewer subject to Yellow Book continuing professional education (CPE) requirements if the reviewer does not perform engagements in accordance with the Yellow Book?
No. If an individual is not involved in planning, directing, performing engagement procedures for, or reporting on an engagement in accordance with the Yellow Book, they are not required to obtain CPE to serve as an engagement quality reviewer (or assistant to an engagement quality reviewer). The Yellow Book requires an audit organization using engagement quality reviews as a response to address one or more quality risks to establish policies and procedures that specify the eligibility criteria to be an engagement quality reviewer or an assistant to an engagement quality reviewer. The specific criteria to serve as an engagement quality reviewer are subject to the audit organization’s professional judgment.
The audit organization may consider defining in its policies and procedures the specific requirements that address the reviewer’s competence and capabilities, such as a minimum level of CPE, even if the engagement quality reviewer or an assistant are otherwise exempt from the Yellow Book CPE requirements.
21. Is an individual who references an audit report considered to be a member of the engagement team and therefore ineligible to serve as an engagement quality reviewer for that engagement?
It depends. An audit organization exercises professional judgment in determining the qualifications necessary to perform key roles, such as referencing and engagement quality review, and establishes policies and procedures that incorporate these judgments accordingly.
Many audit organizations use referencing to address quality risks, particularly in performance audits. The Yellow Book describes referencing as a process in which an experienced auditor who is independent of the engagement checks that (1) statements of facts, figures, and dates are correctly reported; (2) the evidence in the engagement documentation adequately supports the findings; and (3) the conclusions and recommendations flow logically from the evidence. Such an individual could potentially serve as an engagement quality reviewer, provided that the individual meets the eligibility criteria to serve in that role.
However, a modified version of referencing, performed by an experienced auditor who is not independent from the engagement, may still be an appropriate response to address one or more quality risks. When an individual performing referencing is part of the engagement team, then that individual is ineligible to serve as an engagement quality reviewer for that engagement.
- The Yellow Book requires any engagement quality reviews to be completed before issuing the report. How can an audit organization balance performing an engagement quality review with issuing a timely report?
It is not necessary for the engagement quality reviewer to perform procedures only during the reporting phase of the engagement. In establishing its policies and procedures for performing engagement quality reviews, an audit organization should consider the engagement quality reviewer’s responsibility to perform procedures at appropriate points in time during the engagement to provide an appropriate basis for an objective evaluation of the engagement team’s significant judgments and conclusions. This permits any potential issues to be identified and resolved in a timely manner.
Additionally, the policies and procedures may address the engagement team’s responsibility to schedule and coordinate the review with the engagement quality reviewer. The engagement partner or director shares a responsibility with the engagement quality reviewer to ensure that the reviewer has sufficient time to perform and conclude the review before the issuance of the audit report.
GAO Project Team
James R. Dalkin, Director
Michael F. Bingham, Assistant Director
Roger J. Bradley, Auditor in Charge
Ajane P. Hinton, Senior Auditor
Kristen A. Kociolek, Managing Director, Financial Management and Assurance
Robert F. Dacey, Chief Accountant
Staff
In addition to the project team named above, also contributing were Melissa K. Bentley and Giovanna Cruz.
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on X,
LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what‑gao‑does/fraudnet
Automated answering system: (800) 424-5454
Media Relations
Sarah Kaczmarek, Managing Director, Media@gao.gov
Congressional Relations
A. Nicole Clowers, Managing Director, CongRel@gao.gov
General Inquiries
[1]GAO, Government Auditing Standards: 2024 Revision, GAO‑24‑106786 (Washington, D.C.: February 2024).
[2] See para. 5.05 of GAO, Government Auditing Standards: 2024 Revision, GAO‑24‑106786 (Washington, D.C.: February 2024).