The Government Accountability Office recently released a new version of Government Auditing Standards, also known as the Yellow Book. The revised version has been reorganized and realigned with the aim of making it easier for professionals to find relevant rules when performing research. The author summarizes the most significant changes in the new Yellow Book, with particular focus on the new standards for evaluating threats to auditor independence.
In July 2018, the U.S. Government Accountability Office (GAO) issued a revised version of Government Auditing Standards(GAS), often referred to as the “Yellow Book” (http://www.gao.gov/yellowbook). There are important new regulations that auditors who perform audits under GAS should be aware of, as well as some clarifying information that will also prove to be valuable to CPAs.
The 2018 Yellow Book goes into effect for financial audits, attestation engagements, and reviews of financial statements for the period ending on or after June 30, 2020, and performance audits beginning on or after July 1, 2019. Auditors should, however, consider the independence pro-visions of the 2018 Yellow Book prior to the effective date, as auditors performing nonaudit services for a financial statement audit will need to comply with the new independence requirements at the beginning of the audit period and be independent for the entire period that the financial statements relate to when performing audits for periods before the new rules apply. Early implementation of the new standards is not permitted, but auditors might want to consider the new rules when using judgment about the impact that nonaudit services have on independence. This will be explained in further detail below.
Single audits of federal awards must be performed under the Office of Management and Budget’s (OMB) Uniform Guidance (UG). As part of a single audit, auditors must also follow GAS. Because the rules contained in the UG are so detailed and specific, many auditors do not realize that they need to follow the GAS rules as well. Other situations where GAS must be followed include when the grantors of a not-for-profit organization make specific requests, such as the Department of Housing and Urban Development (HUD) in its consolidated audits and various state and local agencies.
CPAs familiar with the 2011 version of the Yellow Book will notice a stark contrast in the format of the 2018 version. The chapters have been reorganized and realigned; supplemental guidance from the appendices of the 2011 Yellow Book has been incorporated into the individual chapters in the 2018 Yellow Book or omitted if no longer relevant. The biggest and most useful change is that requirements are now displayed in a box, with the related application guidance included after the boxed requirements. Many, including this author, believe this makes it easier to find rules when performing research.
The standards use two categories of requirements: those that are unconditional, as designated by the term “must,” and those that are presumptively mandatory, as designated by the term “should.” While “must” is self-explanatory, caution should be followed if an auditor decides not to perform a procedure that is described as something that “should” be done. The requirements state that in the rare circumstance when an auditor deems it necessary to depart from a presumptively mandatory requirement, the auditor must document his justification for the departure and describe how the alternative audit procedures performed were sufficient to achieve the intent of the requirement.
Nonaudit Services and Independence
The most significant change to the standards relates to how auditors evaluate the nonaudit services they perform and whether the performance of those services creates significant threats that require safeguards to reduce those threats to an acceptable level. When nonaudit services are performed, an evaluation should be made to determine if the service creates a threat to independence. This evaluation should be documented and follow the existing GAS independence framework, which continues to be a part of the 2018 revised Yellow Book. To summarize the requirements of the independence framework, the first step is to identify any threats, including the performance of nonaudit services. The next step is for the auditor to evaluate the significance of the threat and consider the skills, knowledge, and experience of the persons at the entity charged with overseeing the service. If the threat is considered significant, then a safeguard must be implemented.
The new standards also make it clear that preparing financial statements in their entirety from a client-provided trial balance or underlying records is considered a significant threat to the auditors’ independence. While the AICPA’s 2011 Yellow Book Independence—Nonaudit Services Documentation Practice Aidprovides several examples to help auditors use their judgment on whether the preparation of financial statements creates a significant threat to independence, the 2018 Yellow Book clearly takes that judgment away from the auditor by stating this type of service automatically creates a significant threat. Because of this, the author recommends that auditors who are still performing audits under the 2011 Yellow Book take into account the rules in the 2018 Yellow Book when determining whether the nonaudit service of preparing substantially all of the financial statements is a significant threat or not.
The standards clarify other nonaudit services frequently performed by auditors that automatically impair independence such that no safeguard could possibly be applied to eliminate this threat. In these cases auditors must either refuse to perform the nonaudit service or resign from the audit. The following is a list of those services that automatically impair independence:
- Keeping the original books and records of the entity
- Changing journal entities, account coding, or classification
- Authorizing or approving the entity’s transactions
- Preparing or making changes to source documents without management approval.
Other frequently performed nonaudit services that do not automatically impair independence should be evaluated to determine if they create significant threats. These services include the following:
- Making cash to accrual conversions
- Performing reconciliations
- Preparing Form 990 and other taxes
- Maintaining depreciation schedules
- Recording transactions in the entity’s books that management has approved
- Preparing certain line items on financial statements based on information in the trial balance
- Posting entries that management has approved to the entity’s trial balance.
Under the new standards, the most important factors in determining whether the nonaudit service should be considered a significant threat to independence are the extent to which the outcome of the service could have a material effect on the financial statements, the degree of subjectivity in determining amounts, and the extent of the audited entity’s involvement in determining significant matters of judgment.
The identification of a significant threat does not prohibit an auditor from performing an audit unless it is one of the prohibited services outlined above. In these circumstances, however, the auditor must implement a safeguard that will eliminate or reduce the treat to an acceptable level. Auditors should use judgment in deciding which safeguard will best eliminate or reduce the threat to an acceptable level. Common safeguards that have been known to be effective include the following:
- Assigning separate engagement personnel for audit and nonaudit services
- Obtaining secondary reviews by personnel who were not involved in planning or supervising the engagement
- Educating management on the nonaudit services performed
- Requiring such engagements to undergo an engagement quality control review (EQCR)
- Having an independent organization perform a secondary review of the file or reports
- Having a partner not involved with planning or supervising the audit engagement review the financial statements before releasing them
- Educating management so they are in a position to review and approve the financial statements
- Requesting that the audited entity complete a disclosure checklist as part of its overall review.
The new standards include one important clarification: providing clerical assistance, such as typing, formatting, printing, and binding financial statements, is unlikely to be a significant threat. The nature of these services should, however, be evaluated and documented.
Required Competence and CPE
The other major impact of the new standards is the clarification on how continuing professional education (CPE) affects the competence auditors should have regarding skills, ability, and knowledge of specific GAS requirements. Those who were following the Yellow Book exposure draft should be aware that the proposed requirement to take four hours of GAS-specific CPE was not included in the finalized 2018 Yellow Book; instead, the standards state that obtaining CPE on specific GAS topics, particularly during years in which there are revisions to the standards, may assist auditors in maintaining the competence necessary to conduct GAS engagements. The standards also state that auditors assigned to an engagement must collectively possess competence for the engagement’s objectives and GAS before beginning work on the engagement.
The rules state that auditors who plan, direct, perform, and report on an engagement in accordance with GAS should develop their competency by completing 80 hours of CPE during every two-year period, with a minimum of 20 hours of CPE in each year of that period. Of those 80 hours, at least 24 hours of subject matter needs to be directly related to the government environment, government auditing, or the specific environment in which the audited entity operates; the remaining 56 hours of subject matter should directly enhance professional expertise to conduct engagements. The new standards provide examples of topics that qualify under each of those categories. In addition, the audit organization should maintain documentation of each auditor’s CPE.
There are several exceptions and exemptions to these rules. If an auditor charges less than 20% of her time annually to engagements conducted in accordance with GAS and only performs procedures (i.e., does not plan, direct, or report), she is only required to meet the 24-hour requirement over the two-year period and is exempt from the 56-hour requirement. In addition, nonsupervisory auditors who charge less than 40 hours to GAS auditors are exempted from all CPE requirements.
The 2018 Yellow Book introduces a new concept referred to as “waste.” Waste is defined as the act of using or expending resources carelessly, extravagantly, or to no purpose. This is an expansion of a concept introduced in the 2011 Yellow Book, referred to as “abuse.” While auditors are not responsible for designing their tests to detect waste or abuse, they are cautioned that the discovery of waste or abuse may indicate that fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements exists. Auditors are required to consider internal control deficiencies in evaluating the cause of a finding, and the discovery of waste or abuse should be examined in the context of a possible internal control weakness that needs to be reported.
The 2018 Yellow Book clarifies that an audit organization is required to establish policies and procedures designed to provide reasonable assurance that the audit organization only undertakes engagements it has the capability to perform. Audit organizations should establish policies and procedures for engagement performance, documentation, and reporting that include receiving and maintaining independence affirmations from all personnel who are required to be independent. Those audit organizations affiliated with any one of five recognized organizations are required to comply with the respective organization’s peer review requirements; the AICPA is one of those five recognized organizations.
The 2018 Yellow Book adds standards for review engagements for the first time. It reflects the issuance of Statement on Standards for Attestation Engagements (SSAE) 18, Attestation Standards: Clarification and Recodification, and Statement on Standards for Accounting and Review Services (SSARS) 21, Statements on Standards for Accounting and Review Services: Clarification and Recodification.
Increased Scrutiny of GAS Audits
The 2018 Yellow Book offers professionals a new format with which to read and understand the rules. As audits under GAS continue to be highly scrutinized and receive increased attention during peer review, CPAs who perform these audits need to be familiar with the detailed rules or risk having problems in peer review or with licensing regulators. This article should provide a good start in guiding CPAs to the essential information they need to know.