Home > California CPA Magazine > November 2008 Issue > Seeing Red Over Yellow Book

Seeing Red Over Yellow Book

California CPA magazine: November 2008

Revisions Make it Toughest Collection of Audit Standards

By Leita A. Hart-Fanta, CPA

The 2007 revision of the Yellow Book (also known as generally accepted government auditing standards) is full of significant requirements that make it the toughest collection of audit standards out there. Along with adding to the AICPA standards, the Yellow Book is much firmer than the Institute of Internal Auditors’ Standards.

The Government Accountability Office holds to consistent, principled themes throughout the Yellow Book, including:

• Accountability: the responsibility to explain your actions to others;
• Transparency: the opposite of hiding
• and obscuring the truth;
• Competence: A combination of education and experience; and
• Service: A reminder that the ultimate customers and beneficiaries of a government audit is the tax-paying public.

These principles are directed at auditors to follow and exhibit—and therein lies the difficulty for some.

The following are the top seven aspects of the Yellow Book that, from my vantage point as an instructor on the matter, create difficulty for auditors, followed by the specific sections of the Yellow Book I am referring to.

1. Everyone who touches a Yellow Book engagement in a professional capacity—whether it’s to plan, direct, conduct or report—must get 24 hours of continuing professional education that directly relates to government auditing every two years. Previously, those who spent less than 20 percent of their time conducting a Yellow Book engagement were exempt.

2. Continuing education requirements for most folks involved in an audit under these standards skyrocket from 24 hours to 80 hours. Further, the additional 56 hours must relate to auditing, which means most tax courses, for example, do not count This is no big deal to CPAs, who can choose from plenty of eligible courses to meet the requirement. But, in a sense, this requirement discourages practitioners from doing both tax and government audit work because of the commitment to stay up-to-date on both.

2.46 For auditors, who are involved in any amount of planning, directing or reporting on GAGAS assignments, and those who are not involved in those activities, but charge 20 percent or more of their time annually to GAGAS assignments, also should obtain at least an additional 56 hours of CPE (for 80 total hours of CPE in every two-year period) that enhances the auditor’s proficiency to perform audits or attestation engagements.

For more information, visit www.gao.gov and download Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G).

3. Your peer review report must be shared with the public. The GAO suggests that you post your peer review report on a website. Many CPA firms accomplish this by joining the AICPA Government Audit Quality Center or Private Companies Practice Section Firm Practice Center since peer reviews for their members are on public file.

3.61 An external-audit organization should make its most recent peer review report publicly available by posting it on an external website or to a publicly available file designed for public transparency of peer review results. If neither of these options is available to the audit organization, then it should use the same transparency mechanism it uses to make other information public, and also provide the peer review report to others upon request.

4. Each year, audit organizations must create a monitoring report that describes how their quality control system is working, what deficiencies were noted and what is being done to correct these deficiencies. This annual monitoring report must be created even in the year that the peer review is being conducted, which goes beyond the AICPA’s quality control requirements.

3.54 The audit organization should analyze and summarize the results of its monitoring procedures at least annually, with identification of any systemic issues needing improvement, along with recommendations for corrective action. (Under GAGAS, reviews of the work and the report that are performed as part of supervision are not monitoring controls when used alone. However, these types of pre-issuance reviews may be used as a part of this analysis and summary.)

5. The GAO asks auditors to report on four things: internal control weaknesses, fraud, violations of contracts or grant agreements, and abuse. The last two items—violations of contracts and grant agreements and abuse—are unique to Yellow Book audits; the AICPA does not focus on them in their standards.

For abuse, the auditor simply must be alert to its existence, and also design the audit to detect instances of material non-compliance with grants and contracts. This makes sense, as the GAO is representing the grantor with these standards—and the grantor does not want the grantee to bypass the contract or grant requirements.
To design the audit to detect non-compliance, the auditor must understand compliance requirements, assess the risk of non-compliance and design procedures to respond to these risks, which is quite an intense requirement.

4.10 Auditors should design the audit to provide reasonable assurance of detecting misstatements that result from violations of provisions of contracts or grant agreements and could have a direct and material effect on the determination of financial statement amounts or other financial data significant to the audit objectives.

4.13 If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively material to the financial statements, auditors should apply audit procedures specifically directed to ascertain the potential effect on the financial statements, or other financial data significant to the audit objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse.

6. To make audit reports more readable, compelling and convincing, the GAO encourages the use of five elements when reporting any finding: criteria, condition, cause, effect and recommendation. Each of these elements answers critical questions that the reader might ask about the audit issue and shines more light on each audit issue—hence enhancing accountability and transparency. These elements of a finding are suggested, but not required, in the Institute of Internal Auditing standards, but not addressed in AICPA standards. It will be critical for CPA firms to renew their focus on the cause and effect elements.

5.21 In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the audit objectives. Clearly developed audit findings assist management or oversight officials of the audited entity in understanding the need for taking corrective action. If auditors sufficiently develop the elements of a finding, they may provide recommendations for corrective action.

7. The client gets a chance to respond to findings in the report, which adds a balanced tone to the report and enhances the transparency of the issues. But if auditors don’t agree with their response, or if it does not resolve the issue, auditors get the last word in the shape of a follow-up response in the reports. Starting in 2007, the GAO acknowledged that some clients just won’t play nice and allows auditors to publish the report after waiting for the client’s response for a reasonable amount of time. How long is reasonable is not specified.

5.37 When the audited entity’s comments are inconsistent or in conflict with findings, conclusions or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors’ recommendations, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, their reasons should be explained in the report. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient and appropriate evidence.

5.38 If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.

The GAO’s next revision will revolve around independence standards. The GAO has acknowledged that the ethics chapter, the independence section of the general standards, and the independence question-and-answer document contradict each other. There’s been talk that the GAO will prohibit auditors from both drafting and auditing financial statements in its next revision.  

Leita A. Hart-Fanta, CPA, CGFM is a course author and instructor for the California CPA Education Foundation in Austin, Texas. You can reach her at leita@auditskills.com.