Report Format. All reports should contain a transmittal letter, standardized language regarding
the review, an opinion paragraph, and required exhibits. The page subsequent to the signature
block should be entitled “Findings and Recommendations” and include all consequential matters
of interest. Findings should be presented on an “issue” basis, linked by commonality (e.g.,
similar causal factors, to promote cohesiveness, readability, and understanding). The detail
provided should be limited to that which is necessary to persuasively establish the nature and
extent of the weakness identified and the recommended corrective action. The reply of the
reviewed entity should be summarized after the Recommendations and, in cases of disagreement,
responded to, as necessary, by the external peer review team. A description of the external peer
review scope and methodology, a listing of the offices visited, and the individual audits reviewed
should be included as Exhibit A (see Attachment 1 for an example). General Comments, to
include positive statements regarding best practices, etc., should be included as Exhibit B (see
Attachment 2 for an example). The written reply of the reviewed organization should be
included in its entirety as Exhibit C.
Transmittal Letters. The initial, or “discussion” draft shall be transmitted to the reviewed OIG
prior to the exit conference (see Attachment 3 for an example). Subsequent to the exit
conference, the draft report should be modified as needed. The final, or “official,” draft should
then be transmitted with a request for formal written comments, generally within 30 days (see
Attachment 4 for an example). The final report should again be modified as needed based upon
the written response and transmitted to the reviewed OIG (see Attachment 5 for an example).
Opinions. Generally, three types of opinions can be issued: unmodified, modified, and adverse,
although provision has also been made for a disclaimer.
a. Unmodified Opinion. An unmodified opinion should be issued when the review team
found that the quality control system was designed adequately and was functioning as prescribed,
and thus yielded reasonable assurance that GAGAS was met.
b. Modified Opinion. A modified opinion should be considered when the quality control
system did not function satisfactorily as prescribed to preclude significant deficiencies from
arising in the conduct of audits; with the exception of the deficiencies noted, however, the
quality control system provided reasonable assurance that GAGAS had been met. It is to be
applied in situations where qualifications have been heretofore rendered; generally, the system
was deemed to be adequate “except for” the deficiencies noted.
1 A disclaimer of opinion, although considered highly unusual, is nonetheless included as an option. Disclaimers
would normally result only in those cases where records critical to selected audits could not be produced. In these
cases, due diligence should be exercised to provide assurance that the underlying audits were not significantly
flawed. Consideration may be given to selecting replacement audits (and thus lifting the disclaimer) only when the
explanation provided for the missing records was reasonable and the number of instances was isolated.
c. Adverse Opinion. An adverse opinion should be considered when the quality control
system was inadequate as prescribed, and not functioning adequately to provide reasonable assurance that the GAGAS was met.
d. Disclaimer of Opinion. A disclaimer should be issued when the review was limited by
conditions that precluded the application of one or more critical review procedures considered necessary in the circumstances and the review team could not accomplish the objectives of those procedures through alternative procedures.
The formulation of the opinion should be based upon the overall conclusion drawn from the evaluation of the design of the reviewed organization‟s internal quality control system and the findings disclosed when determining the extent of compliance with the system.
The significance of disclosed deficiencies in the review of audit reports should be determined by the extent to which it is found that the audits could not be relied upon due to failure to adhere to GAGAS. Reliability of reports can be impaired if, for example: evidence presented is untrue and findings are not correctly portrayed; findings and conclusions are not supported by sufficient, competent, and relevant evidence; evidence included in audit reports does not demonstrate the correctness and reasonableness of the matters reported; the report does not accurately describe the audit scope and methodology and findings and conclusions are not presented in a manner consistent with the scope of work; and/or the report contains errors in logic and reasoning. The pervasiveness (meaning identified in multiple audits issued by multiple organizational units) of the deficiencies should also be considered. A single, isolated (nonsystemic) deficiency would be insufficient to support a modified opinion unless extraordinary circumstances prevail (i.e., the magnitude of the deficiency significantly or irretrievably caused a lack of organizational credibility).
If nonconformity with GAGAS is identified, the extent of the lack of adherence should be considered, given the flexibility afforded by the Standards. The field work standard related to supervision, for example, requires that “reviews of audit work should be documented.” As GAGAS is generally not prescriptive, it understandably contains limited specificity as to what actions must be evidenced to be considered “proper supervision.” In contrast, GAGAS provides
for substantial leeway in fulfilling the standard contingent upon the circumstances of the audit, to include “the significance of the work, and the experience of the staff.” Reasonableness and
judgment must be employed in assessing adherence with GAGAS. It is incumbent upon the peer reviewer to support assertions that GAGAS has not been met by citing the specific criteria (GAGAS provision) that was not compiled with and providing the basis for the conclusion.
In the absence of identifying significant and pervasive deficiencies in the audits reviewed, design deficiencies alone generally would not be sufficient to result in a modification of the peer review opinion. If, however, reports are identified which are found to be unreliable, the causes of the deficiencies need to be examined, particularly as to whether design deficiencies were the sole or contributing factor. Causes attributable to design flaws in the system generally are of greater concern in that the system should contain the necessary methods and measures to preclude, or detect in a timely manner, lack of adherence with GAGAS. If the design appears adequate as
prescribed but the deficiencies noted in reviewed reports were due to lack of compliance with the system, the design itself may need to be strengthened in order to foster compliance.
To (Name), Inspector General
(Name of Agency)
We have reviewed the system of quality control for the audit function of (name of the OIG) in effect for the year ended June 30, 20XX. A system of quality control encompasses the OIG‟s organizational structure, and the policies adopted and procedures established to provide it with reasonable assurance of conforming with generally accepted government auditing standards (GAGAS). The elements of quality control are described in GAGAS, promulgated by the Comptroller General of the United States. The design of the system, and compliance with it in all material respects, are the responsibility of (the reviewed OIG). Our objective was to determine whether the internal quality control system was adequate as designed and complied with to provide reasonable assurance that applicable auditing standards, policies, and procedures were met. Our responsibility is to express an opinion on the design of the system and the OIG‟s compliance with the system based on our review.
Our review was conducted in accordance with the guidelines established by the President‟s Council on Integrity and Efficiency and the Executive Council on Integrity and Efficiency. In performing our review, we obtained an understanding of the system of quality control for the OIG. In addition, we tested compliance with the OIG‟s quality control policies and procedures to
the extent we considered appropriate. These tests included the application of the OIG‟s policies and procedures on selected audits. Because our review was based on selective tests, it would not necessarily disclose all weaknesses in the system of quality control or all instances of lack of compliance with it. Nevertheless, we believe that the procedures we performed provide a reasonable basis for our opinion.
Because there are inherent limitations in the effectiveness of any system of quality control, departures from the system may occur and not be detected. Also, projection of any evaluation of a system of quality control to future periods is subject to risk that the system of quality control may become inadequate because of changes in conditions, or because the degree of compliance with the policies or procedures may deteriorate.
Our scope and methodology appears as Exhibit A. General comments (if applicable) appear as Exhibit B.
UNMODIFIED OPINION REPORT
In our opinion, the system of quality control for the audit function of the (name of OIG) in effect
for the year ended June 30, 20XX, has been designed to meet the requirements of the quality
control standards established by the Comptroller General of the United States for a Federal
Government audit organization and was complied with during the year ended to provide the OIG
with reasonable assurance of conforming with applicable auditing standards, policies, and
(If applicable, insert the following: We noted, however, conditions that warrant your attention
though they did not impact our opinion. These matters are described in the Findings and
Recommendations that follow. Also, refer to Exhibit B, General Comments, if applicable)
Findings and Recommendations2
Finding 1. Independence - Required Checklist Not Completed.
For every audit, the OIG's quality control policies and procedures require each member of the
audit team to complete a checklist designed to help identify personal and external impairments to
independence and document compliance with the Government Auditing Standards‟ independence requirements. These checklists were not completed on three of the ten audits
reviewed. Based on discussions with the members of the audit teams involved, we concluded that
no actual impairments existed.
Recommendation - The OIG should reemphasize its policy on independence checklists and amend its referencing checklist to include a review item for the completion of the independence
Views of Responsible Official. Agree.
Finding 2. Audit Performance – Timeliness of Supervisory Review of Work
The OIG's policies and procedures require that supervisors be involved and review work on an
on-going basis throughout the audit. On four of ten audits reviewed, documentation of the
supervisory review of the work indicated it occurred solely at the end of the audit. According to
the supervisors involved, review was performed onsite during the course of the audit but was not
always documented at the time of the review. We confirmed these assertions via review of travel
vouchers and did not note any other deficiencies in the audit process in the reports we reviewed.
2 The findings presented in this Addendum are for the purpose of illustrating the reporting format. They
are not intended to illustrate complete presentations of findings. Other information, such as in which or how many
offices a condition was found, the cause of a problem, and the potential or actual effect should be included for a
complete presentation of the findings.
Recommendation - OIG management should reemphasize the need to document supervisory
reviews in a timely manner.
Views of Responsible Official. Agree.
MODIFIED OPINION REPORT
In our opinion, except for the deficiency(ies) described in the following Findings and
Recommendations, the system of quality control for the audit function of the (name of OIG) in
effect for the year ended June 30, 20XX, has been designed to meet the requirements of the
quality control standards established by the Comptroller General of the United States for a
Federal Government audit organization and was complied with during the year ended to provide
the OIG with reasonable assurance of conforming with applicable auditing standards, policies,
Findings and Recommendations
Finding 1. Systemic Noncompliances in Audit Reports
Deficiencies were identified in four of the ten audit reports we examined that limited the
reliability of the reports. These four audits were issued by two of the four audit divisions
reviewed. We attributed these deficiencies to the absence of control measures in the
organization‟s policies and procedures designed to assure compliance with stated requirements.
The deficiencies found, and the impact they had on the reliability of the reports, are summarized
1. Report No. xx, “Title” (Date). Our review of this report disclosed eight significant
deficiencies that impacted the report. (Provide examples, such as: “The report stated that
the actions taken by the program office were in noncompliance with Departmental
Regulation No. xx „Title.‟ The support contained in the audit documentation shows that
the program office was in compliance with the regulation as it existed at the time the
program office took the action. The audit documentation shows that the issue for which
noncompliance was cited did not become effective until six months later. Therefore, the
report finding was inaccurate and the recommendation was not applicable. Although an
independent referencing step in the guide called for validation of the finding‟s criteria, we
were informed that it was not performed due to time constraints.”
2. (et al) Report No. xx, "Title" (Date)
Recommendation - The OIG should strengthen its referencing requirements to include a
certification by the referencer that all required steps have been completed.
Views of Responsible Official. Agree. The OIG will revise its referencing checklist as
Reportable Conditions Not Affecting the Opinion
Finding 2. Continuing Professional Education Records Incomplete
Our review of the continuing professional education (CPE) records of 20 employees selected at
random disclosed that 9 (45%) were incomplete. The records showed that the nine employees
had accrued between 55-70 CPE hours, whereas GAGAS requires at least 80 hours every 2 years.
Our further review disclosed that 7 of the 9 employees had evidence to show that they had, in
fact, earned the requisite number of hours but the official records had not been properly or timely
updated. The remaining 2 employees could not provide any additional documentation to support
that the required 80-hour threshold had been met. Accurate CPE records are critical evidence to
support an OIG‟s fulfillment of the General Standard of Competence.
Recommendation – The OIG should establish controls to provide reasonable assurance that CPE
records are accurate, up-to-date, and that all affected employees meet the GAGAS CPE
Views of Responsible Officials. Agree. The OIG will establish controls to ensure the CPE requirements are met and that the centralized record is accurate.
ADVERSE OPINION REPORT
In our opinion, because of the deficiency(ies) described in the following Findings and
Recommendations, the system of quality control for (the OIG) in effect for the year ended June
30, 20XX, has not been designed to meet the requirements of the quality control standards
established by the Comptroller General of the United States for a Federal Government audit
organization and was not complied with during the year ended, to provide reasonable assurance
of conforming with applicable auditing standards, policies, and procedures.
Findings and Recommendations
Finding 1. Quality Control System Weaknesses
The OIG‟s quality control system does not include a quality control process for each audit, such
as independent referencing, and was not otherwise compensated for. As a result, the system as
designed did not provide reasonable assurance that applicable auditing standards, policies, and
procedures were met. The system design inadequacies were attributable to management‟s
determination that a quality control process for each audit was redundant, given other control
measures, such as supervisory reviews. In addition, our review of individual audits disclosed
significant deficiencies in eight of the ten audit reports reviewed. These eight audit reports were
issued by all four of the audit divisions reviewed. In our opinion, these deficiencies had not been
precluded or detected in a timely manner due to the quality control system weaknesses. The
significant deficiencies found and the impact they had on the reliability of these eight reports are
1. Report No. xx, “Title” (Date). Our review of this report disclosed fifteen significant
deficiencies that negatively impacted the reliability of the audit report. (Provide examples, such
as: “The audit report stated that internal controls had been evaluated over the program activity
audited but the audit program did not include a provision for internal control testing nor did the
audit documentation reflect the performance of any such tests. Our discussions with audit
management and assigned staff disclosed that they interpreted program compliance issues to be
internal control weaknesses, and thus formalized testing was not needed. We attributed the
report‟s misstatements to a lack of formalized policies and procedures requiring an independent
quality control process for each audit.”
2-8. Report No. xx, “Title” (Date).
Recommendation - The OIG should develop and implement policies for providing reasonable
assurance of the accuracy of data in final audit reports such as a quality control process for each
Views of Responsible Official. Agree. The OIG will immediately develop and implement policies establishing an independent referencing process to provide reasonable assurance of the
accuracy of data in final audit reports.
DISCLAIMER OF OPINION
We were unable to express an opinion on the system of quality control for the audit function of
the (name of OIG) in effect for the year ended June 30, 20XX, because audit documentation
requested for selected audits was not made available and the absence of these records precluded
the application of alternative tests.
Accordingly, the scope of our work was not sufficient to enable us to express, and we do not
express, an opinion on the system of quality control.
Note: Verbiage used in the reporting examples throughout this Addendum, though modified, was drawn
extensively from the AICPA‟s “Standards for Performing and Reporting on Peer Reviews.”
Attachment 1 REPORTS ON EXTERNAL PEER REVIEWS
Peer Review Scope and Methodology (Exhibit A)
Scope and Methodology
Identify the peer review scope and methodology. For example:
We tested compliance with the Office of Inspector General‟s system of quality control to the
extent we considered appropriate. These tests included a review of X of XX audit reports issued
during the September 30, 20XX, March 31, 20XX, and semiannual reporting periods. In
addition, we reviewed the financial statement audit and [and/or] monitoring activities covering
the FY 20XX financial statements for [Agency/Department] [that were performed under contract
by [CPA firm].] We also reviewed the internal quality control reviews performed by the
OIG Offices Reviewed
Identify locations visited/reviewed. For example:
We visited the Houston, TX; Louisville, KY; and Atlanta, GA offices of the [OIG organization
Audit Reports Reviewed
Identify audit reports selected for review. For example:
Report Number Report Date Report Title
AA9908765C 12/30/20XX Audit Report on Research on the
Hibernating Habits of Polar Bears