The 2018 GAO Yellow Book revisions have finally been published! By far, the biggest change is the addition of the Green Book which is all about internal controls.
I have lovingly been called a ‘control freak’ a few times by my friends and family. However, they are blissfully unaware of what auditing entails and how we eat, breathe and sleep internal controls.
Directed by Yellow Book standards, public sector auditors consider internal controls in almost every step of the audit process. At a minimum, auditors must consider internal controls when gaining an understanding of the audit subject matter, assessing risk, designing testing, drawing conclusions and reporting findings.
With the 2018 version of the GAO Yellow Book, internal controls will now be on auditors’ minds even more! The biggest change to the Yellow Book for performance auditors is the inclusion of references to the 2014 Green Book, an internal control standard. Both titles are authored by the Government Accountability Office (GAO), the legislative auditor for the federal government. You can find free copies of the Yellow Book and the Green Book on the (GAO) website.
With the 2018 version of the Yellow Book, internal controls will now be on auditors’ minds even more!
Formal titles of the Yellow and Green Books
The Yellow Book is another name for Generally Accepted Government Auditing Standards (GAGAS). This 2018 version has updated formatting and includes a variety of new paragraphs to align more closely with AICPA standards.
The Green Book, issued in 2014, is the informal name for Standards for Internal Control in the Federal Government. It’s the federal government’s version of the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) model of internal controls. The Green Book is the gold standard of internal controls according to the Yellow Book as well as the Uniform Administrative Requirements, Cost Principles and Audit Requirements for Federal Awards.
A focus on internal controls
By referring to the Green Book inside of the 2018 Yellow Book, the GAO is calling on auditors to:
- Expand internal control documentation
- Increase disclosures regarding internal controls in audit reports
- Consider internal controls as the cause of findings
1. Expand internal control documentation
The Green Book breaks the five components of internal control (control environment, risk assessment, control activities, information and communication/monitoring) into 17 new underlying principles. The 2018 Yellow Book asks auditors to document controls as follows:
Section 8.40: If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control.
Section 8.42: If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives…
As a result, your internal controls documentation must include the 17 principles as well as the five components. This increases the volume of the internal control documentation significantly, but it’s not as bad as it sounds. You are only responsible for evaluating controls relevant to your audit objective.
Therefore, if you limit your objectives – both in number and in scope – you will reduce your documentation burden.
Do you want some advice on writing limited objectives? Then check out the IIA’s Engagement Planning: Establishing Objectives and Scope Practice Guide (2017).
2. Increase disclosures in the audit report
The GAO promotes transparency and encourages auditors to disclose their internal control responsibilities to their audit report readers. Now, the GAO asks auditors to address (you guessed it!) the 17 principles in the audit report.
Section 9.29: When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed.
Section 9.30: If not some but not all internal control components are significant to the audit objectives, the auditor should identify as part of the scope those internal control components and underlying principles that are significant to the audit objectives.
Again, more granularity and more volume. The more objectives you cover in your audit, the bigger this section of the audit report will be. (Side note: the objective, scope and methodology sections for GAO audit reports often run over six pages!)
3. Internal controls are the cause
The GAO is not just in the business of pushing auditors to keep up with the latest techniques and model. They are also willing to share their hard-earned audit wisdom, such as the five elements (also known as the “five Cs”) of a finding. The GAO pushes for transparency by requiring auditors to use the elements of a finding to describe each reportable condition. The auditor details any reportable condition they find by sharing the condition, effect, cause, criteria, and corrective action (i.e., recommendation) for any issue.
Out of these five elements, the cause is often the most difficult to identify and support with evidence. Thankfully, the new Yellow Book gives us a key to writing a finding so it’s easier for auditors to find and support the cause:
Section 8.129: The cause of a finding may relate to an underlying internal control deficiency…
Section 8.130: Considering internal control in the context of a comprehensive internal control framework, such as Standards for Internal Control in the Federal Government or Internal Control—Integrated Framework, can help audits determine whether underlying internal control deficiencies exist as the root cause of findings…
Ideally, the condition statement should state the problem and the cause statement should describe the control weakness causing the problem. For example, your audit finds the student financial aid office gave money to ineligible students. The condition could state ineligible students are receiving financial aid and the cause is no one reviewed the applications against eligibility criteria (i.e., a control weakness).
If the auditor ignores the advice of the Yellow Book and starts with the control weakness as the condition, the cause ends up vaguely personal and mildly insulting. It’s difficult to say why a control failed without blaming someone. For instance, if the condition is that no one reviewed the applications against eligibility criteria, where do you go with the cause? You might have to say the student financial aid staff needs training, implying they are not too smart. Or, they did not prioritize their work properly, which is a euphemism for poor time management.
Both of these causes are personal and hard to back up with evidence. Auditors following the Yellow Book performance audit standards assert they used evidence to support their findings, as stated in:
Section 9.03: We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
By encouraging auditors to use the control weakness as the cause, the GAO also encourages auditors to perform two kinds of testing:
- A test of fact to support the condition
- A test of controls to support the cause
Why all this hubbub about internal controls?
The GAO Yellow Book encourages auditors to be more thorough in evaluating internal controls. As a result, auditors will end up indirectly educating the managers of government-funded programs on internal controls and holding them to a higher standard. Better internal controls should lead to improvements in government programs and processes. Ultimately, this is good for us all.
The renewed emphasis on internal control documentation is onerous, but it is good for you, program managers and taxpayers alike. The 2018 Yellow Book introductory letter sums it up nicely: Audits provide essential accountability and transparency over government programs. Given the current challenges facing governments and their programs, the oversight provided through auditing is more critical than ever. Government auditing provides the objective analysis and information needed to make the decisions necessary to help create a better future.
What should a forward-thinking auditor do now?
Does your whole team understand the 17 principles? If not, it is time to learn and embrace the principles, which is now necessary for internal control documentation. Stay on the lookout for GAO’s internal controls documentation tool. In the interim, you could create something yourself and practice using it to document internal controls.
Look at how you structure your findings and ask yourself if your causes are valid. Are causes backed-up with evidence? Did you use a control weakness as the cause or as the condition? Make sure you are performing tests of both facts and tests of controls so you can support your finding with evidence.
Get up to speed
I recommend reading Sections 8.39-8.58 and 9.29-9.34 of the Yellow Book. The GAO has significantly revamped their requirements regarding internal controls in these sections. Make sure you and your team are on track to comply.
If you do all this, you can shrug off anyone shaming you and proudly declare yourself an ‘internal control freak.’
Yellowbook-CPE.com is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: