Updates to the Government Auditing Standards are not typically the most titillating read—but the U.S. Government Accountability Office’s (GAO) recent revision to the Yellow Book (as the standards are commonly known) have some in the green eyeshade crowd squealing like Colleen Hoover fanboys.
What prompt this emotive response from otherwise staid and sober auditors? The GAO is now affording audit organizations the potential of freedom from the tyranny of bureaucracy in the form of unnecessary checklists that add drag but little value to an audit project. Well, to be clear, the GAO didn’t exactly say that auditors can throw out all their checklists, but GAO did suggest that audit organizations rethink their approach to ensuring high-quality audit work.
In the past, too many government audit organizations attempted to mitigate the risk of making a mistake by adding checklist after checklist for auditors to complete in their working papers, which their supervisors then had to verify. In our fast-moving, post-pandemic world, policy makers and the public need independent and objective insights now on government programs and spending—not 12-18 months from now after all the checklists are completed.
Let me be clear: I believe checklists have their place and can be a useful tool to ensure projects are completed in a systematic manner according to professional standards. I’m grateful that airline pilots and surgeons, for example, use checklists rather than just winging it or taking a stab at it. But checklist fatigue is real too. Over time, checklists can literally become about checking the little boxes and not the underlying activities. Checklists—especially when completed in a rote and disengaged manner—create a false veneer of quality without meaningful attention to the potential risks. I’m not suggesting doing away with audit checklists; I’m suggesting we take a critical look at our audit quality processes and keep what works and toss the rest.
In its 2024 revision, GAO fundamentally shifted the approach from quality control to a quality management framework approach. The quality management framework includes six components: governance and leadership; independence, legal and ethical requirements; acceptance, initiation, and continuance of engagements; engagement performance; resources, and information and communication. GAO also introduced two processes: the risk assessment process and the monitoring and remediation process.
According to GAO, audit organizations should conduct quality risk assessments at specific periodic intervals (such as annually), to respond to deficiencies identified through monitoring, or as necessary to respond to changes in the nature and circumstances in their audit engagements and environment. GAO provides specific “quality objectives” relating to the six components and guidance on how to conduct a quality risk assessment to evaluate quality risks to achieving these quality objectives. GAO identifies requirements for an effective monitoring and remediation program.
GAO also went to considerable effort to expand its views on “scalability” of quality management systems, placing new emphasis on “complexity” and “formality.”
“The design of the audit organization’s system of quality management, particularly the complexity and formality of the system, will vary based on the nature and circumstances of the audit organization (such as size, number of offices and geographic dispersion, knowledge and experience of its personnel, and cost-benefit considerations), and the nature and circumstances of its engagements. For example, an audit organization that conducts various types of GAGAS engagements for federal, state, and local governments may need a more complex and formalized system of quality management and supporting documentation than one that conducts performance audits of a single small government entity. Similarly, a large audit organization with multiple divisions and offices may need a more complex and formal system of quality management than a small audit organization with a few auditors at a single location.”(5.12)
In other words, there is no one-size-fits-all solution.
Now is the time for audit organizations to critically and objectively re-evaluate their system of quality management. Efficiencies can be identified which can help reduce audit cycle time without negativity affecting quality.
If your organization would like to discuss how I can assist you in conducting an independent audit quality risk assessment, designing an effective monitoring and remediation program, or sharing my risk management and audit executive experience, please contact me at BobWestbrooks.com or through LinkedIn.