The New GAO Independence Standard: What Auditors Need to Know

Maintain auditor independence while performing nonaudit services.


THE GAO AMENDED THE AUDITOR INDEPENDENCE provisions of its generally accepted government auditing standards (GAGAS). Originally, the amendment was to be effective for audits beginning on or after October 1, but the GAO extended the time frame to January 1, 2003.

THE GAO ISSUED THE NEW STANDARD to better serve the public interest by maintaining a high degree of integrity, objectivity and independence for CPAs, non-CPAs and other practitioners who audit government entities and organizations receiving government funds.

COMPLIANCE WITH THE NEW STANDARD hinges on the auditor’s observance of two overarching principles and seven safeguards. If the nonaudit service would violate either of the two principles, then the firm would be required to make a choice between providing the service or performing the audit.

PERSONAL, EXTERNAL AND ORGANIZATIONAL factors can impair auditor independence, but the amendment’s most significant changes pertain to personal impairments relating to nonaudit services.

A DE MINIMIS EXCEPTION APPLIES when an audit firm provides 40 or fewer hours of nonaudit services related to a specific audit engagement. For such de minimis services, the safeguard requiring separate engagement teams is waived but the auditors must observe the two overarching principles and other safeguards.

UNDER GRANDFATHERING PROVISIONS OF THE NEW standard, nonaudit services that would not have violated preexisting professional standards are exempt from the new standard if performed prior to January 25, 2002, or initiated, agreed to or performed by June 30, 2002, and completed by June 30, 2003.

LISA A. SNYDER, CPA, is director of the AICPA professional ethics division. Her e-mail address is . Ms. Snyder is an employee of the AICPA and her views, as expressed in this article, do not necessarily reflect the views of the Institute. Official positions are determined through certain specific committee procedures, due process and deliberation.

n January the GAO amended Government Auditing Standards (the yellow book), significantly tightening its auditor independence provisions. In issuing the new standard, the comptroller general stated that protecting the public interest and ensuring public confidence in the independence of auditors of government financial statements, programs and operations, both in form and substance, were the overriding considerations. The updated standard is required reading for auditors of government entities and of organizations receiving government funds.

The GAO originally scheduled the new provisions, Amendment no. 3, Independence, to take effect October 1, but many practitioners said certain of the provisions were ambiguous, especially with respect to nonaudit services. AICPA members and others also worried about the cumbersome nature of some of the new standard’s independence “safeguards” that, for example, mandated separate engagement teams for audit and nonaudit services.

In response, the GAO helped in two ways. In July it made the standard effective for all audits pertaining to periods beginning on or after January 1, 2003. At the same time it issued a series of questions and answers (Q&A) aimed at clarifying the new provisions and facilitating compliance with them. The supplemental guidance explains the standard’s underlying concepts, how to make the transition from the old standard to the new and how to apply the standard in specific nonaudit circumstances.

This article outlines the principal aspects of the new standard, explaining whom they affect and what they require of practitioners.

Because government auditing standards apply to a wide variety of entities, the many practitioners who audit their financial statements—CPAs, non-CPAs, government financial auditors and performance auditors—will have to comply with the new standard. Such entities include federal, state and local governments, as well as not-for-profit and for-profit recipients of federal (and some state) grant and loan assistance, such as

Colleges, universities and trade schools.
Charitable organizations.
Cities and counties.
School and utility districts.
Small businesses with SBA loans.
HUD projects and lenders and public housing authorities.
Many state-administered programs and contracts.

The standard addresses three types of independence impairments: personal, external and organizational. But it’s particularly important that practitioners comprehend the standard’s most important change, which involves personal independence impairments such as those discussed below.

New standard for nonaudit services. To comply with the provisions governing nonaudit services, auditors must clearly understand two overarching principles (see “Essential Compliance Precepts,” at right). The first bars firms from performing management functions or making management decisions for their clients; the second prohibits auditors from auditing their own work or providing nonaudit services when the services are material or significant to the subject matter of the audit. If a nonaudit service does not conflict with either principle, a firm may perform the service as long as the firm complies with each of the following safeguards:
Essential Compliance Precepts
Two overarching principles are critical to understanding the new nonaudit services rules:

Audit organizations (referred to in this article as “firms”) should not provide nonaudit services that involve performing management functions or making management decisions.
Firms should neither audit their own work nor provide nonaudit services in situations where the nonaudit services are significant or material to the subject matter of audits.

Personnel providing the nonaudit service cannot plan, conduct or review audit work related to the nonaudit service. Audit and nonaudit work must be performed by separate engagement teams.

The scope and extent of audit work cannot be reduced beyond the level that would be appropriate if the nonaudit work were performed by an unrelated party.

The firm should document its consideration of the nonaudit service, including its rationale that providing the service does not violate the two overarching principles.

The firm should establish and document an understanding with the client regarding the objectives, scope of work and deliverables of the nonaudit service, including an understanding that management is responsible for the results of the service.

The firm’s quality control system should include policies and procedures that ensure consideration of the effect of the nonaudit service on ongoing, planned and future audits.

Where a nonaudit service is deemed to conflict with the audit (because the service violates one or both of the overarching principles), the firm should inform the client—prior to beginning the nonaudit service engagement—it will be unable to perform subsequent audit work related to the subject matter of the nonaudit service.

For audits selected during peer review, the firm should identify to its peer reviewer all related nonaudit services and provide all related audit documentation.

Routine activities. It is important to note that under the standard, practitioners can perform routine activities for clients without impairing their independence—provided the practitioners neither make management decisions nor perform management functions. Such ordinary services do not violate the overarching principles and are not subject to the safeguards described above. For example, practitioners can participate on a client’s committees or task forces in an advisory capacity. Auditors can share their skills and knowledge with clients, as long as the clients make all decisions. Practitioners may also give clients routine advice to help

Establish internal controls.

Implement audit recommendations.

Answer technical questions.

Provide training.

Provide tools and methodologies, such as best practice guides, benchmarking studies, and internal-control-assessment methodologies.

Prepare tax returns.

Assist with preparing tax deposits.

Represent audited entities in IRS matters.

Examples of prohibited and permitted nonaudit services. Both the new standard and subsequent Q&A guidance include specific examples of nonaudit services that are expressly prohibited and others that are permissible (as long as the auditor complies with the two overarching principles and all required safeguards). For a summary of the examples, see “ Nonaudit Services Under the GAO Independence Standard, ” at the end of this article.

Clarification on providing accounting assistance. The GAO’s Q&A guidance says a practitioner may prepare a trial balance based on management’s chart of accounts, as well as draft financial statements and note disclosures as long as the client’s management reviews and approves them. This is so because these activities constitute technical assistance and are part of the audit. Therefore the engagement team that performed these services also could perform the financial statement audit provided it observes all other safeguards.

Similarly, the engagement team that converted the client’s cash-based financial statements to the accrual basis also could perform the audit because this service is roughly equivalent to proposing adjusting entries to the client’s books. In all cases the standard requires the client’s management to specify, in its representation letter, the audit firm’s role in providing these services. The letter also must state that management reviews, approves and is responsible for the services.

In addition, the Q&A guidance describes several types of accounting services, including some that would impair independence and others that would not. The GAO standard permits certain bookkeeping services if the audit organization does not reconstruct the books and records of the audited entity and management is sufficiently knowledgeable to evaluate, approve and take responsibility for the services the auditor performs.

De minimis exception. The Q&A guidance provides an exception for nonaudit services that involve a de minimis amount of time. If a firm provides no more than 40 hours of nonaudit services relating to a specific audit engagement, the safeguard requiring separate engagement teams is waived. But all other safeguards apply and the nonaudit service still must comply with the overarching principles. When determining the total number of hours they spent on performing nonaudit services, practitioners should include all related services in their calculations.

Other personal impairments. Similar to the AICPA, the SEC and the International Federation of Accountants, the GAO adopted an engagement-team-focused approach to auditor independence for matters such as a practitioner’s financial interests. The GAO standard requires all individuals participating in the audit engagement, and others within the firm who can directly influence the outcome of the audit, to be free from personal impairments. When the personal impairment affects only an individual on a particular engagement, the audit firm can cure it by requiring the individual to eliminate the impairment. For example, the individual could sell the financial interest that created the independence impairment or remove himself or herself from the audit engagement.
Government Auditing Standards Amendment no. 3, Independence, emphasizes form over substance in determining whether performance of a nonaudit service impairs auditor independence. Auditors therefore should use reasonable judgment in considering

The nature of the nonaudit service.

The significance or materiality to the audit’s subject matter.

The totality of services provided to the audited entity.

External and organizational impairments. The standard lists external factors that may, by interfering with an audit or with a practitioner’s ability to form independent and objective opinions and conclusions, constitute an external impairment. This could consist of pressure from management and employees of the audit client or from oversight organizations. For example, interference by management to limit or modify the scope of the audit or pressure to reduce the extent of work performed in order to reduce fees could threaten independence.

The standard also addresses organizational impairments, which, due to the government auditor’s place within government and the structure of the government entity the auditor audits, hinder a government audit organization’s ability to perform work and report results impartially. The standard specifically describes ways (for example, where the audit organization is assigned to a level of government other than the one to which the audited entity is assigned, such as a federal auditor auditing a state government program) that government audit organizations can be free from organizational impairments when reporting externally to third parties or when reporting internally to management.
Educational Tools and Links
To help members and others better understand the new standard, the AICPA has developed the following educational tools, which are available on the Institute’s Web site ( ):

GAO independence standard.
AICPA-GAO comparison of independence rules governing nonaudit services.

In addition, the GAO issued a series of questions and answers relating to the standard ( ).

The Q&A guidance clarifies that nonaudit services performed prior to January 25, 2002, in compliance with preexisting professional standards are deemed compliant with the new rules as well. The GAO also will exempt, or grandfather, from the standard all nonaudit services initiated, agreed to or performed by June 30, 2002, provided the work is completed no later than June 30, 2003. However, any extensions or change orders to such contracts would result in new contracts, making the overarching principles and safeguards applicable.

The GAO realizes firms can perform certain services as either performance audits or consulting engagements. During performance audits—which do not evaluate a business’s financial records and statements, but rather assess how a particular activity implements company policy and procedures—a firm would not be subject to the independence standard but would have to comply with the performance audit standards under generally accepted government auditing standards, including the general, fieldwork and reporting provisions.

While the GAO has no immediate plans to issue additional questions and answers on the new independence standard, it has not ruled out the possibility of doing so if it determines that additional guidance is necessary. The new independence standard and Q&A guidance are available at the GAO Web site ( ).

Nonaudit Services Under the GAO Independence Standard
Nonaudit service Permitted Prohibited
Basic accounting assistance, including bookkeeping and record-keeping services

Generally, these permitted services are considered part of the audit and are not subject to the safeguard requiring separate engagement teams.

Providing basic accounting assistance limited to services such as preparing draft financial statements that are based on management’s chart of accounts and trial balance and any adjusting, correcting and closing entries management has approved; preparing draft notes to the financial statements based on information management determined and approved; preparing a trial balance based on management’s chart of accounts; maintaining depreciation schedules for which management has determined the method of depreciation, rate of depreciation and salvage value of the asset; proposing adjusting and correcting entries identified during the audit, so long as management makes the decision on accepting these entries; converting cash-based financial statements to accrual-based financial statements, as long as management can make informed judgments to review, approve and take responsibility for the appropriateness of the conversion. Maintaining or preparing the audited entity’s basic accounting records (for example, general ledger, purchase orders, payroll time records); taking responsibility for basic financial or other records the audit organization will audit; posting transactions (whether coded or not coded) to the entity’s financial records or to other records that subsequently provide data to the entity’s financial records.
Payroll services Providing payroll services limited to services such as computing pay amounts for the entity’s employees based on time records, salaries or pay rates and deductions from pay the entity maintains and approves; generating unsigned payroll checks; transmitting a client-approved payroll to a financial institution, provided management has approved the transmission and limited the financial institution to make payments only to previously approved individuals. Processing the entity’s entire payroll where payroll is a material amount to the subject matter of the audit.
Tax services

Generally, these are considered “routine” services and therefore, not subject to the required authorities and any safeguards.

Providing routine tax services such as preparing routine tax filings in accordance with federal tax laws and rules and regulations of the IRS and state and local tax authorities and any applicable laws; representing an audited entity before the IRS under 5 U.S.C. 500 in IRS matters, such as in an IRS audit or in obtaining IRS rulings or other agreements; preparing IRS Form 990, Return of Organization Exempt from Income Tax. Not applicable.
Human resources services Providing human resources services to assist management in evaluating potential candidates, limited to activities such as serving on an evaluation panel to review applications; interviewing candidates to advise management which of them are best qualified. Recommending a single individual for a specific position; conducting an executive search or a recruiting program for the audited entity.
Information technology services Providing information technology services such as advising on system design, system installation and system security if management acknowledges responsibility for the design, installation and internal control over the entity’s system and does not rely on the auditor’s work as the primary basis for determining whether to implement a new system, the adequacy of the new system design, the adequacy of major design changes to an existing system and the adequacy of the system to comply with regulatory or other requirements; training on off-the-shelf accounting packages. Operating or supervising the operation of the entity’s information technology system; installing an off-the-shelf accounting system; selling accounting or other financial systems software to an audited entity which was developed or designed by the audit organization; significantly modifying computer software that the audit organization purchased from another firm or off the shelf.
Appraisal or valuation services Providing appraisal or valuation services limited to services such as reviewing the work of the entity or a specialist employed by the entity when the entity or specialist provides the primary support for the balances recorded in financial statements or other information that will be audited; valuing an entity’s pension, other post-employment benefit or similar liabilities, provided management has determined and taken responsibility for all significant assumptions and data. Performing the valuation of the audited entity’s employee benefit plan where the pension expense or liability is material to the financial statements.
Internal audit services Not applicable. Performing internal audit services because such services are considered a management function.
Providing indirect cost proposals or cost allocation plans Preparing an entity’s indirect cost proposal or cost allocation plan, provided management has taken responsibility for all significant assumptions and data. Conducting the required audit when indirect costs recovered by the entity during the prior year exceeded $1 million. (In accordance with Office of Management and Budget policy, auditors who prepare the entity’s indirect cost proposal are prohibited from performing such services.)


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.