Proposed Changes to GAO's Yellow Book Promote Harmonization of Auditing Standards

Revisions incorporate more formal conceptual framework for independence issues.

BY JAMES R. DALKIN, CPA
December 1, 2010

In August, the Government Accountability Office (GAO) issued proposed standards revising Generally Accepted Government Auditing Standards (GAGAS), commonly known as the “Yellow Book.” The update revises the July 2007 Yellow Book and is expected to be effective for audits beginning after Dec. 15, 2011, with the exception of the financial chapter, which will have an effective date to coincide with the AICPA’s Auditing Standards Board (ASB) Clarity Project. This article highlights the significant changes in the proposed standards.

The Yellow Book was first published in 1972 and has been updated and revised over the years. Two primary factors are driving the current Yellow Book update:

 

  • Continued modernization and harmonization of auditing standards by various standard-setting bodies, including technical updates to reflect standards that have already been revised.
  • Revisions to address issues and frequently asked questions from the GAO’s Yellow Book technical assistance line.

 

Another important consideration in updating the Yellow Book has been the ASB Clarity Project. As the ASB more closely aligns U.S. auditing standards with those issued by the International Auditing and Assurance Standards Board, the GAO reviews the standards and assesses their potential impact on GAGAS.

 

The proposed standards include other changes to further clarify and harmonize the standards. For instance, emphasis has been placed on removing duplication with ASB requirements and clarifying what represents an additive standard for GAGAS. Another example will be the elimination of the AICPA definitions for material weaknesses and significant deficiencies. These definitions will now be incorporated by reference. In addition, to provide a format consistent with the ASB Clarity Project, the footnote format has been refined to include only a direct reference to another standard.

 

CHAPTER REORGANIZATION

Readers will quickly notice a reorganization of the Yellow Book. Ethical principles, formerly in chapter two, have now been incorporated into chapter one on the foundational concepts of GAGAS. Chapter two now emphasizes the application of GAGAS. Also, financial audit chapters four and five have been merged into a single chapter.

 

INDEPENDENCE REVISIONS

Substantial changes have been incorporated into chapter three covering independence. The 2007 revision emphasized overarching principles of independence such as auditors not auditing their own work or taking the role of management. The principles were augmented by a question-and-answer guide that featured specific facts and circumstances. The guide had limitations in its applicability and usefulness due to its specificity.

 

The Yellow Book Advisory Council and staff concluded that a more formalized conceptual framework could provide a uniform structure for analyzing the many independence issues that can arise, each with its own facts and circumstances.

 

Under the new framework, the auditor identifies threats to independence and then assesses the significance of the threats. If identified threats are deemed significant to the engagement, the auditor then determines whether safeguards could be put in place to mitigate the threats to an acceptable level. The framework also provides guidance on the significance of certain specific threats and whether those threats can be mitigated.

 

This threat assessment and application of safeguards requires professional judgment. If the auditor concludes that there are no safeguards sufficient to reduce a threat to an acceptable level, then the threat would result in an impairment to independence, and the auditor should respond accordingly. The auditor is required to document any independence issue that requires significant discussion or analysis.

 

THREATS AND SAFEGUARDS

The proposed standards identify categories of threats that occur through:

 

  • Self-review. An auditor reviews his/ her own work.
  • Self-interest. An auditor has a vested interest in the audit results.
  • Bias. An auditor has a preconceived notion regardless of results.
  • Familiarity over time. An auditor has become too close to the subject of the audit.
  • Undue influence. Pressures may impair an auditor’s judgment.
  • Management participation. An auditor takes the role of management.
  • Structural. A governmental structure may create an appearance of impairment.

 

Under the proposed standards, if a nonaudit service is not expressly prohibited, the auditor should apply the conceptual framework to conclude whether a potential impairment exists. In some cases, safeguards may mitigate threats to an acceptable level. However, even if properly applied, safeguards may not always be sufficient to reduce some threats. The proposed standards identify safeguards created by the profession as well as those directly related to the work environment. Examples include:

 

  • Professional or regulatory monitoring and disciplinary procedures.
  • External reviews by third parties of reports.
  • Using different management and engagement teams with separate reporting lines for the provision of nonaudit services to an audited entity.
  • Additional review requirements for nonaudit services.
  • Additional oversight by the audited entity’s management over nonaudit services.

 

PROHIBITIONS WITHIN CERTAIN NONAUDIT SERVICES

While the proposed standards provide a conceptual framework for independence issues, certain specific prohibitions still exist. These prohibitions involve areas that have been problematic in the past and particularly so in a governmental public-sector environment. It is important to note that the entire nonaudit service is not prohibited, just certain services. Within each of the following nonaudit categories, specific services are expressly prohibited:

 

Internal Audit Services

  • Establishing internal audit policies or strategic direction of the auditee.
  • Selecting or implementing internal audit recommendations.
  • Designing, implementing or maintaining internal control.

 

Internal Control Monitoring and Assessments

  • Providing ongoing monitoring procedures.

 

Information Technology (IT) Services

  • Designing or developing an information system that would be subject to an audit.
  • Modifying source code.
  • Operating or supervising an IT service.

 

Valuation Services

  • Providing valuation services that would have a material effect, separately or in the aggregate, on the financial statements or other information that is subject to an audit, and the valuation involves a significant degree of subjectivity.

 

Financial Statement Preparation, Bookkeeping, and Client Assistance

An area that the profession continues to struggle with involves maintaining independence when the auditor provides the audited entity with assistance in bookkeeping and financial statement preparation. Whether it involves converting cash statements to accrual basis or preparing financial statements, the auditor frequently walks a fine line between independence and impairment. The GAO’s proposed standards are consistent with those of the AICPA in identifying certain activities that create an automatic impairment. These include:

 

  • Determining or changing journal entries, account codings, classifications for transactions, or other accounting records without obtaining client approval.
  • Authorizing or approving transactions.
  • Preparing source documents.
  • Changing source documents without client approval.

 

The proposed standards do not expressly prohibit a practitioner from providing bookkeeping or financial statement preparation other than the activities listed as prohibited in the standards. Before performing bookkeeping and financial services not expressly prohibited, the auditor should evaluate them within the conceptual framework to determine whether an impairment exists.

 

For bookkeeping and financial statement activities that are not expressly prohibited, management charged with overseeing the nonaudit service should possess suitable skill, knowledge or experience to evaluate the adequacy and results of the services performed. If management does not have suitable skill knowledge or experience to evaluate the adequacy and results of the services performed, an impairment exists. This requirement currently exists for CPAs under the AICPA’s Code of Professional Conduct, Rule 101, Independence (Interpretation 101-3, Performance of Nonattest Services).

 

AUDITS SUBSEQUENT TO NONAUDIT SERVICES

The proposed standards introduce the concept of a post-impairment period. This period reflects the audit period immediately after the auditor provides an independence- impairing service. Under the proposed standards, auditors who perform independence-impairing nonaudit services may audit in subsequent periods only after sufficient safeguards have been identified to mitigate the threat. One example of a safeguard would be the performance of an audit by an auditor not providing the original nonaudit service. The auditor should also consider issues of independence in appearance that may arise should an audit be performed after an impairing nonaudit service has been provided.

 

QUESTION-AND-ANSWER GUIDE RETIREMENT

The Answers to Independence Standards Questions (QA Guide) issued in July 2002 will be superseded by the new standards once they are finalized. Under the new independence framework, unless the service is specifically prohibited, the conceptual framework should be applied. Certain specific situations addressed in the original QA Guide such as “de minimis,” nonaudit services, and safe harbors have not been included in the proposed standards and will no longer apply. Instead, under the more principle-based framework, auditors will need to address the threats and safeguards within the conceptual framework.

 

QUALITY CONTROL

The proposed standards have further harmonized quality control with that of the AICPA. Audit organizations and firms that are in compliance with AICPA quality-control requirements would be consistent with the requirements of the proposed standards.

 

SPECIALISTS AND CONTINUING EDUCATION REQUIREMENTS

The basic continuing professional education (CPE) requirements under GAGAS have not changed from the 2007 Yellow Book. However, the proposed standard clarifies continuing education requirements for internal specialists such as actuaries. Auditors who work under GAGAS should complete a minimum of 24 hours of CPE every two years. Internal specialists who apply their specialized knowledge to the audit should complete 24 hours of CPE in their area of specialty. For example, an actuary may satisfy the educational requirement with 24 hours of CPE training in actuarial science. Consistent with the extant standards, external specialists are not required to follow the CPE requirements; however, auditors are required to consider whether external specialists are qualified to serve an engagement.

 

FINANCIAL AUDIT CHAPTER

The combined financial audit chapter does not contain any new requirements. However, the revision did reduce redundancy and changed certain terminology. Consistent with the ASB Clarity Project, the term “field work” has been replaced with “performance.” The proposed standards will continue to use the term “field work” when discussing attest engagements until the AICPA revises its wording in the AICPA attestation standards.

 

In addition, requirements already included in the AICPA audit standards have been eliminated from the proposed standards. These include:

 

  • Restatements.
  • Definitions of internal control deficiencies.
  • Communication of significant matters.
    Consideration of fraud and illegal acts.

ATTESTATION ENGAGEMENTS

The volume of calls to the Yellow Book technical assistance line prompted revisions to the chapter on attestation engagements. One area of confusion has been determining whether an engagement is a form of attest (examination, review, or agreed-upon procedure) or a performance audit. The chapter has been revised to more clearly delineate between the types of engagements. Additional guidance has been incorporated into the chapter to direct the reader to the proper service. In all cases, if the auditor provides attest services, he or she should review and follow all guidance provided by the AICPA on these services. The proposed standards provide supplemental requirements and guidance, while the AICPA audit standards provide the foundational requirements.

 

PERFORMANCE AUDITS

The performance audit chapter has been updated but has not been substantially changed. One change clarifies fraud reporting requirements within performance audits to specify that reporting is required for occurrences that are significant within the context of the audit objectives.

 

PRACTITIONER IMPLEMENTATION AND ASSISTANCE

As with any proposed standard, practitioners need to read carefully and understand the nature of the changes before attempting to apply them. The GAO offers technical assistance for questions related to government auditing standards. The AICPA offers guidance through its Governmental Audit Quality Center.

 

The comment deadline was Nov. 22, 2010. The Yellow Book Advisory Council and GAO are evaluating the comment letters and will make changes to the final draft as appropriate. Government Auditing Standards, 2010 Exposure Draft, can be downloaded at gao.gov/govaud/ybk01.htm.

 

 

AICPA Independence Rule 101 and the Yellow Book

 

by Lisa Snyder, CPA

 

The GAO independence proposal is substantially consistent with the independence requirements contained in the AICPA Code of Professional Conduct (AICPA Code) as well as the IESBA code. The GAO’s proposal, if adopted, would lead to greater harmonization of the accounting profession’s independence standards.

 

The GAO has recognized that a conceptual framework approach would provide a better means to address independence matters in today’s complex environment. With one exception, the GAO, AICPA and IFAC frameworks cover the same threats with minor differences in the name or description of the threats (for example, the GAO’s “bias threat” comprises both the AICPA’s “advocacy threat” and “adverse interest threat”). The GAO “structural threat” is unique in that it addresses the threat associated with an audit organization’s placement within a government entity.

 

There are some areas where the GAO proposal may be viewed as more restrictive than the AICPA rules. For example, the AICPA Code requires documentation of threats and safeguards in cases where threats to independence are not at an acceptable level and safeguards are applied to eliminate the threats or reduce them to an acceptable level. The GAO is proposing documentation in other circumstances as well, such as in areas of substantive discussion or analysis on independence. In addition, the proposal requires auditors to consider the impact that prohibited nonaudit services may have on independence in subsequent periods.

 

For example, auditors who design and implement a financial reporting system for a client may need to consider the (self-review) threat to independence in future periods including the possible safeguard of having another independent auditor perform an audit subsequent to the performance of the prohibited nonaudit services.

 

Another example where the GAO proposal is more restrictive involves the use of specialists on the audit. The GAO is proposing that auditors should assess the independence of specialists and apply any necessary safeguards in the same manner as they would for auditors contributing to the audit. Under the AICPA Code, external specialists are not required to be independent but, rather, the relevant auditing standards require that the auditor assess the objectivity and competence of any specialists used on the audit.

 

To assist members and other interested parties in analyzing the GAO independence proposal, the AICPA has prepared a comparison of the GAO proposal to relevant provisions of the AICPA and IESBA codes. The document is available at tinyurl.com/2fsztfu.

 

Lisa Snyder (lsnyder@aipca.org) is AICPA director–Professional Ethics Division.

EXECUTIVE SUMMARY

 In August, the Government Accountability Office (GAO) issued proposed changes to the July 2007 Generally Accepted Government Auditing Standards (GAGAS), or “Yellow Book.” One of the primary factors driving the changes is a goal to further harmonize GAGAS to standards issued by other standard setters.

 

 Other than the financial chapter, which will have an effective date to coincide with the AICPA’s Auditing Standards Board (ASB) Clarity Project, the proposed standards will be effective for audits beginning after Dec. 15, 2011.

 

 The proposed standards provide a more formalized conceptual framework for analyzing independence issues. Under the new framework, the auditor identifies threats and safeguards to independence and determines if safeguards could be put in place to mitigate the threat.

 

 The proposed standards expressly prohibit certain nonaudit services in areas that have been problematic in the past,

particularly in a governmental public-sector environment.

 

 The concept of a postimpairment period has been introduced through the proposed standards. Auditors who perform independence-impairing nonaudit services may audit in subsequent periods only after sufficient safeguards have been identified to mitigate the threat.

 

 In response to calls to the Yellow Book technical assistance line on how to determine whether an engagement is a form of attest, the proposed standards more clearly delineate between types of engagements.

 

James R. Dalkin ( dalkinj@gao.gov) is a director in the GAO’s Financial Management and Assurance Division.

 

To comment on this article or to suggest an idea for another article, contact Loanna Overcash, senior editor, at lovercash@aicpa.org or 919-402-4462.

 

 

AICPA RESOURCES

 

Publications

  • Government Auditing Standards and Circular A-133 Audits—AICPA Audit Guide (#0127410)
  • Government Auditing Standards and Circular A-133 Developments Audit Risk Alert (#0224510)
  • State and Local Governments—Audit and Accounting Guide (#0126610)
  • State and Local Governmental Developments—Audit Risk Alert (#0224310)

 

For more information or to place an order, go to cpa2biz.com or call the Institute at 888-777-7077.

 

On-Site Training

  • Applying A-133 to Nonprofit and Governmental Organizations (#EO-OMB)
  • The Revised Yellow Book: Government Auditing Standards (#EO-YB)
  • Solving Complex Single Audit Issues for Government and Nonprofit Organizations (#EO-SAI)

 

Go to aicpalearning.org to access courses. Click on “On-Site Training” then search by “Acronym Index.” If you need assistance, please contact a training representative at 800-634-6780 (option 1).

 

Archived GAQC Web event (open to the public)

“What You Need to Know About the 2010 Yellow Book Exposure Draft—Member Web Event,” presented by both GAO staff and AICPA Ethics Division representatives, tinyurl.com/2vsygde

 

Independence Comparison Tool

To assist members and other interested parties in analyzing the GAO independence proposal, the AICPA has prepared a comparison of the GAO proposal to relevant provisions of the AICPA and IESBA codes. The document is available at tinyurl.com/2fsztfu.

 

Governmental Audit Quality Center

The Governmental Audit Quality Center (GAQC) is a firm membership center that helps member firms achieve the highest standards in Yellow Book, not-for-profit, HUD or government audits through targeted e-mail alerts, resources and teleconferences. Visit the GAQC at aicpa.org/GAQC.

 

More from the JofA:

 

 Find us on Facebook      Follow us on Twitter

 

PROFESSIONAL DEVELOPMENT: EARLY CAREER

Making manager: The key to accelerating your career

Being promoted to manager is a key development in a young public accountant’s career. Here’s what CPAs need to learn to land that promotion.

PROFESSIONAL DEVELOPMENT: MIDDLE CAREER

Motivation and preparation can pave the path to CFO

CPAs in business and industry face intense competition to land a coveted CFO job. Learn how to best prepare yourself for the role.

PROFESSIONAL DEVELOPMENT: LATE CAREER

Second act: Consulting

CPAs are using experience to carve out late-career niches. Learn how to successfully make a late-career transition to consulting, from CPAs who have done it.