I just finished my first high-level review of the exposure draft of the yellow book (GAGAS), and thought I’d go ahead and share with you the things that stood out to me. That does not mean that this list is comprehensive! The GAO has done us all a favor and included a comprehensive list of the changes in the beginning pages of the exposure draft. (Here is where to find the exposure draft: https://www.gao.gov/products/
Nor does it mean that what I think is important is what you think is important. I write books and teach classes on yellow book standards to a wide variety of auditors who conduct all three (now 4!) types of engagements identified by the yellow book. This past year, I have also been conducting audit working paper reviews for a federal inspector general and have started leading peer reviews using the standards.
Often when I approach the yellow book with a question in mind, I learn something new. And my questions this time are:
- What do these changes mean to audit teams?
- How do these changes impact quality control reviewers and peer reviewers?
- What happened to the CPE requirements?
What do these changes mean to audit teams?
Internal controls take center stage
Throughout the exposure draft, the GAO emphasizes internal controls. They mention the Green Book (The Standards for Internal Control in the Federal Government) and the five components of internal controls. They also remind auditors that internal control weaknesses often serve as the cause in findings. The GAO also mentions that internal controls should work together in an integrated manner in both the yellow book and the Green Book. Are you getting the point that the GAO wants auditors to focus on internal controls? Here are some relevant exposure draft clauses:
YB EXPOSURE DRAFT 2017 8.37 Auditors should document the significance of internal control to the audit objectives.
YBED2017 8.38 Consideration of internal control in a performance audit begins with assessing the significance of internal control to the audit objectives and documenting that assessment. Some factors that may be considered when assessing the significance of internal control to the audit objectives include:
a. the subject matter under audit, such as the program or program component under audit, including the audited entity’s objectives for the program and associated inherent risks;
b. the nature of findings and conclusions expected to be reported, based on the needs and interests of audit report users;
c. the three categories of entity objectives; and
d. the five components of internal control and the integration of the components.
YBED2017 6.27 Considering internal control in the context of a comprehensive internal control framework, such as Standards for Internal Control in the Federal Government or Internal Control Integrated Framework can help auditors to determine whether potential underlying internal control deficiencies exist as the root cause of findings. Identifying these deficiencies can help provide the basis for developing meaningful recommendations for corrective actions.
Independence becomes a matter of time
The proposed independence standards now say that auditors should consider independence during the scope of the engagement. Yes, of course they should. But shouldn’t they also worry about creating the subject matter they audit a year later? I am still wrapping my head around this one… but here are some relevant quotes to ponder:
YBED2017 3.20 Except under the limited circumstances discussed in paragraph 3.79, auditors should be independent from an audited entity during
a. any period of time that falls within the period covered by the financial statements or subject matter of the engagement and
b. the period of professional engagement.
YBED2017 3.23 The period of professional engagement begins when the auditors either sign an initial engagement letter or other agreement to conduct an engagement or begin to conduct an engagement, whichever is earlier. The period lasts for the duration of the professional relationship – which, for recurring engagements, could cover many periods – and ends with the formal or informal notification, either by the auditors or the audited entity, of the termination of the professional relationship or with the issuance of a report, whichever is later. Accordingly, the period of professional engagement does not necessarily end with the issuance of a report and recommence with the beginning of the following year’s engagement or a subsequent engagement with a similar objective.
3.78 Nonaudit services provided by auditors can affect independence of mind and in appearance in periods after the nonaudit service was provided. For example, if auditors have designed and implemented an accounting and financial reporting system that is expected to be in place for many years, a threat to independence in appearance may exist in subsequent periods for future engagements conducted by those auditors. For recurring engagements, having another independent audit organization conduct an audit of the areas affected by the nonaudit service may provide a safeguard that allows the audit organization that provided the nonaudit service to mitigate the threat to its independence.
Another reportable condition
In the 2011 version of the yellow book, four less-than-stellar behaviors trigger a finding – fraud, non-compliance, an internal control weakness and abuse. This time the GAO is adding a fifth reportable condition, waste – which is different than abuse. Here are the definitions of both waste and abuse:
YBED2017 6.17 Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Waste involves the taxpayers not receiving reasonable value for money in connection with any government-funded activities because of an inappropriate act or omission by parties with control over or access to government resources. Importantly, waste can include activities that do not include abuse and does not necessarily involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight.
YBED2017 6.18 Abuse is behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances, but excludes fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Because the determination of abuse is subjective, auditors are not required to perform procedures to detect abuse in financial audits. Auditors may discover that abuse is indicative of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements.
How do these changes impact quality control reviewers and peer reviewers?
Are you a supervisor or a reviewer or both?
For the first time, the GAO makes it clear what reviewers do and what supervisors do, and gives us a list of tasks for both. The GAO has, in my memory, always asked that the working papers evidence supervisory review before the report is issued. But does this imply that the supervisor is also the reviewer? I am subcontracting with a federal inspector general to review working papers, not supervise the audits. This is probably a good time for your team to sit down and talk about who does what on the audit and make sure that what they do to and do with the working papers is clearly described. I know I will be clearing that up with my clients.
YBED2017 5.33 Engagement supervision includes the following:
a. tracking the progress of the engagement;
b. considering the competence of individual members of the engagement team, whether they understand their instructions, and whether the work is being carried out in accordance with the planned approach to the engagement;
c. addressing significant findings and issues arising during the engagement, considering their significance, and modifying the planned approach appropriately; and
d. identifying matters for consultation or consideration by more experienced engagement team members, specialists, or both during the engagement.
YBED2017 5.34 A review of the audit work performed consists of consideration of whether
a. the work has been performed in accordance with applicable professional standards and legal and regulatory requirements;
b. significant findings and issues have been raised for further consideration;
c. appropriate consultations have taken place and the resulting conclusions have been documented and implemented;
d. the nature, timing, and extent of the work performed is appropriate and without need for revision;
e. the work performed supports the conclusions reached and is appropriately documented;
f. the evidence obtained is sufficient and appropriate to support the report; and
g. the objectives of the engagement procedures have been achieved.
Monitoring gets some love
The exposure draft moves chunks of the 2011 appendix addressing monitoring into chapter 5. This should get the monitoring function the attention it deserves. I am afraid that many teams I work with are still not implementing monitoring procedures. Monitoring is not the same thing as review! Monitoring is done AFTER the whole project is completed and the report is issued. Here is a relevant clause:
YBED2017 5.53 Reviews of the work by engagement team members prior to the date of the report, such as second partner reviews, are not monitoring procedures because it is expected that quality issues identified during such reviews will be addressed prior to the date of the report. Monitoring procedures, by contrast, are performed on completed engagements.
Clear that a peer review covers only one year
I recently conducted a peer review and we had a debate both with the client and among our team about the scope of the peer review; should our review cover all three years of the cycle or just one? The way the answer was presented in the 2011 yellow book was confusing. The exposure draft makes it clear that the client was right; the review should cover only one year.
YBED2017 5.83 The period under review in a peer review generally covers 1 year.
What happened to the CPE requirements?
The Q&A document is dead
The CPE requirements have been static (until now) since 2003. In 2005, the GAO issued a Q&A document that answered people’s granular questions about what qualifies for CPE, who has to take it, how to measure it, and how to keep good CPE records, etc. Now all of this specificity of the 2005 Q&A is included in the text of the yellow book. It makes for really exciting reading. But you’d better read the whole thing – all of chapter 4. Sorry. Here is a sample of the fascinating things you’ll be reading:
YBED2017 4.39 For newly assigned auditors who are subject to the 24-hour requirement, the number of prorated hours may be calculated in a similar manner: 3/4 x 24 hours = 18 hours, in this example. The prorated amount of hours would be the total requirement over the partial period. The 20-hour minimum for each CPE year would not apply when the prorated number of hours is being used to cover a partial 2-year CPE period.
4 hours
The GAO has always required auditors to earn 24 hours of auditee-relevant CPE every two years. No issue there. But now the GAO has added the following language. No doubt, I will be offering something specific to satisfy this requirement – although from the list of qualifying topics below, much of what I currently offer will satisfy:
YBED2017 4.17 To update their GAGAS Qualification, auditors should complete at least 4 hours of CPE in GAGAS topics each time the Comptroller General issues a revision of GAGAS. These CPE hours should be completed by the end of each auditor’s next full 2-year CPE period after the GAGAS revision is issued. The audit organization should maintain documentation of each auditor’s CPE.
GAGAS Topics for GAGAS Qualification (4-Hour Requirement)
YBED2017 4.23 GAGAS topics include the following:
a. standards for ethics, independence, professional judgment, competence and CPE, quality control, and peer review as established in GAGAS;
b. the types of GAGAS engagements;
c. the relationship between GAGAS and other standards;
d. stating compliance with GAGAS in the auditor’s report;
e. additive GAGAS requirements for financial audits and examination engagements;
f. additive GAGAS requirements for review and agreed-upon procedures engagements;
g. GAGAS fieldwork standards for performance audits;
h. GAGAS reporting standards for performance audits; and
i. internal control as addressed in GAGAS.
There is more, but those are the big ones for me. I look forward to digging into the requirements deeper and sending a letter to the GAO before the deadline for feedback on the exposure draft. I’ll share that with you soon.
Thanks mucho mucho!
Leita