The National Defense Authorization Act of 2013 updated the IG Act to include a requirement that DoD OIG conduct or approve the arrangements for the conduct of external peer reviews of audit organizations in the Department of Defense. This report summarizes the results of the first round of peer reviews completed under this new requirement. Our objective was to highlight systemic issues identified in 19 of the 21 Department of Defense audit organizations most recent peer review reports issued from November 2012 through June 2015. W e d id not review the U. S. Army Internal Review and National Guard Bureau audit organizations. See Appendix A, Scope and Methodology, for further details. The systemic issues identified in the report can be used by the Department of Defense audit organizations to share lessons learned and as a training tool to improve their systems of quality control.
Peer reviews are performed on a three year cyclical basis. Recommendations made in a peer review report are followed up on during the next scheduled peer review. Two recommendations - additional training and improvements to internal policies and procedures - were common in the reports. We believe the deficiencies presented in this summary report would be improved upon if the recommendations made in the peer review reports were implemented. Our intent was not to provide additional recommendations. Of the 19 audit organizations referred to in this report, 12 received a rating of pass, 5 received a rating of pass with deficiencies, and 2 received a rating of fail. We encourage all the DoD audit organizations to pay more attention in the areas where systemic issues in their quality control systems are highlighted.
Results of the Compilation of Peer Review Report Deficiencies
We compiled the deficiencies using the Council of the Inspectors General for Integrity and Efficiency Guide for Conducting Peer Reviews of Audit Organizations of Federal Offices of Inspector General, Appendixes A-E.
Policies and Procedures
Deficiencies for policies and procedures affecting the most DoD audit organizations were the general standards, followed by fieldwork standards for performance audits, standards for attestation engagements, and finally reporting standards for performance audits. A common deficiency was not having policies and procedures for nonaudit services. In addition, some DoD audit organizations policies and procedures for their systems of quality control needed improvement.
Adherence to General Standards
The deficiency area for adherence to general standards affecting the most DoD audit organizations was quality control and assurance, followed by competence, and finally independence. A common deficiency was not performing the required monitoring of quality requirement. Also, there were deficiencies in continuing professional education and not evaluating independence prior to performing nonaudit services.
Deficiencies for financial audits affecting the most DoD audit organizations were the American Institute of Certified Public Accountants (AICPA) field work standards for planning and supervision and AICPA and Generally Accepted Government Audit Standards (GAGAS) reporting standards. Issues identified included not including the views of responsible officials and not including all of the required information in the engagement letter.
The deficiency area for attestation engagements affecting the most DoD audit organizations was examination engagements, followed by general standards, and finally attestation engagements. Specifically, some DoD audit organizations were not following GAGAS requirements by not including all the elements of a finding, not including the views of responsible officials, not evaluating previous audits or attestation engagements, and not documenting and retaining evidence of auditor’s independence. Also, some DoD audit organizations were not following all the AICPA standards for attestation engagements.
The deficiency area for performance audits affecting the most DoD audit organizations was evidence and documentation and quality control and assurance, followed by independence, planning, report contents, supervision, and finally professional judgment. For evidence and documentation, deficiencies included insufficient evidence to support conclusions, not evaluating computer-processed data, lack of documented supervisory review, and insufficient audit documentation. In addition, quality control and assurance deficiencies included not following policies and procedures, ineffective supervisory reviews, inadequate independent reference reviews, and improvement needed in cross-referencing.
We do not require a written response to this report.
This report is a result of Project No. D2015-DAPOIA-0202.000.