1 independence the yellow book way aga winter conference nashville, tennessee january 2012 art...
TRANSCRIPT
1
INDEPENDENCETHE YELLOW BOOK WAY
AGA Winter Conference
Nashville, Tennessee
January 2012
Art “Bubba” Hayes
• Director, division of state audit
• 615-747-53971
22
3
EFFECTIVE DATES
• The 2011 revision of Government Auditing Standards will be effective for financial audits and attestation engagements for periods ending on or after December 15, 2012, and for performance audits beginning on or after December 15, 2011. Early implementation is not permitted.
3
4
• The Yellow Book is available on GAO’s website:– www.gao.gov/govaud/ybk01.htm
• For technical assistance:– [email protected]
4
5
• The Yellow Book is available on GAO’s website:– www.gao.gov/govaud/ybk01.htm
• For technical assistance:– [email protected]
5
6
Summary of Major Changes
• Re independence
• From the August 2010 transmittal letter:
• To add a conceptual framework approach for independence (Chapter 3)
6
7
summary of major changes
• A conceptual framework for independence was added to– Provide a means for auditors to
• assess auditor independence • in light of the unique circumstances that may apply to these determinations
and• are not expressly prohibited (3.02-3.52)
• further harmonization with AICPA and international standards (3.06-3.26)
• structurally located within the governments they audit. (3.27-3.42), and
• when performing nonaudit services, including identification of specific nonaudit services that would impair independence (3.43-3.51)
• Guidance on documentation necessary to support adequate consideration of auditor independence. (3.52)
7
8
• A practical consideration of four interrelated sections:– A. A conceptual framework for making
independence determinations based on facts and circumstances that are often unique to specific audit environments
– B. Guidance for auditors considering independence issues as they relate to audit organizations that are structurally located within the governments they audit
8
9
• C. Independence requirements when performing nonaudit services, including indication of specific nonaudit services that would normally impair independence, and
• D. Guidance on documentation necessary to support adequate consideration of auditor independence (3.05)
9
10
– 1. identify the threats to independence– 2. evaluate the significance of the threats,
and– 3. apply safeguards, when necessary, to
eliminate the threats or reduce them to an acceptable level.
10
11
• The independence section of the revised Yellow Book identifies six nonaudit services that would impair the auditors’ independence in the government environment. These nonaudit services include certain activities under the following categories of activities:
• Bookkeeping and preparing accounting records (para. 3.44)
• Preparing financial statements (Para. 3.46)• Internal Audit Services (Para. 3.47)• Internal control monitoring and assessments (Para. 3.49)• Information Technology systems services (Para. 3.50)• Valuation services (Para. 3.51)
11
12
Chapter 3general standards
• These general standards apply to financial audits, attestation engagements and performance audits conducted under GAGAS. (3.01)
• INDEPENDENCE. In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be independent. (3.02)
12
13
The two elements of independence
• Independence comprises:– A. Independence of mind– B. Independence in appearance (3.03)
13
14
Independence of the mind
• The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgment– Thereby allowing an individual to act with
integrity and exercise objectivity and professional skepticism (3.03)
14
15
Independence in Appearance
• The avoidance of facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that an organization’s, or a member of the audit team’s, integrity, objectivity or professional skepticism has been compromised. (3.03)
15
16
• Independence relates to both conducting the audit work and reporting on the work. (3.04)
16
17
• It allows auditors to address threats that result from activities not specifically prohibited by GAGAS. (3.06)
17
18
• The conceptual framework is to be applied at the:– Audit organization– Audit engagement, and– Individual auditor level
• In order to:– Identify threats to independence– Evaluate the significance of those threats, and– Apply safeguards as necessary to eliminate the
threats or reduce them to an acceptable level. (3.07)
18
19
Threats to independence
• Circumstances that could impair independence
• Whether independence is impaired depends on:– The nature of the threat– Whether it would be reasonable to expect that
the threat would compromise an auditor’s professional judgment, and, if so
• The specific safeguards applied to eliminate the threat or reduce it to an acceptable level. (3.09)
19
20
• Threats are conditions that need to be evaluated using the conceptual framework.
• Threats do not necessarily impair independence. (3.09)
20
21
• Threats may be created by a wide range of relationships and circumstances. (3.10)
• At a minimum, auditors should evaluate the following broad categories of threats when threats are being identified and assessed:
21
22
Broad categories of threats
• Self-interest
• Self-review
• Bias
• Familiarity
• Undue influence
• Management participation
• Structural
22
23
Self review threat
• That an auditor will not appropriately evaluate the results of a previous judgment made or service performed by the auditor, or the audit organization, on which the auditor will rely when forming a judgment significant to an audit
23
24
Bias threat
• That an auditor will, as a result of political, ideological, social, or other convictions, promote a position held by the auditor or the audited entity ot the point that the auditor’s objectivity is compromised
24
25
Familiarity threat
• That due to a long or close relationship with management or personnel of an audited entity or employer, an auditor will be too sympathetic to their interests or too accepting of their work
25
26
Undue influence threat
• That external influences or pressures will impact an auditor or audit organization’s ability to make independent and objective judgments.
26
27
Management participation threat
• That results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit or attestation engagement
27
28
Structural threat
• That an audit organization’s placement within a government entity, in combination with the structure of the government entity being audited, will impact the audit organization’s ability to perform work and report results objectively (3.10)
28
29
safeguards
• Are controls designed to eliminate threats to independence or reduce them to an acceptable level.
• Under the conceptual framework, the auditor applies safeguards that address the specific facts and circumstances under which the threats exist. (3.12)
29
30
List of safeguards
• Examples only…can’t cover every possible circumstance.
• So serves as a starting point
30
31
Categories of safeguards
• 1. in the work environment
• 2. created by the profession, legislation or regulation (3.13)
31
32
Safeguards in the work environment
• Determined by the specific conditions of that environment and the nature of the audits performed
• 2 types:– Audit organization-wide safeguards– Engagement-specific safeguards (3.14)
32
33
Examples of audit organization-wide safeguards
• Leadership that stresses the importance of auditor independence
• Leadership that establishes the expectation that members of an audit team will act in the public interest
• Policies and procedures to implement and monitor audit quality control
33
34
• Documented policies regarding the need to:– identify threats– Evaluate the significance of the threats, and– Apply safeguards to eliminate/reduce the
threats, OR• When appropriate safeguards are not available or
cannot be applied– Terminate or decline the relevant audit
34
35
• Documented internal policies and procedures requiring independence
• Policies and procedures that will enable the identification of interests or relationships between the audit organization or members of audit teams and audited entities.
35
36
• Policies and procedures to monitor and, if necessary, manage the reliance on revenue received from a single audited entity.
• Using different management and engagement teams with separate reporting lines for the provision of nonaudit services to an audited entity
36
37
• Policies and procedures to prohibit individuals who are not members of an audit team from inappropriately influencing the outcome of the audit
• Timely communication of an audit organization’s policies and procedures, including any changes, to audit management and professional staff, and appropriate training and education on such P and P.
37
38
• Designating a member of senior management to be responsible for overseeing the adequate functioning of the audit organization’s quality control system
• Advising professional staff of entities from which independence is required
• A disciplinary mechanism to promote compliance with P & P’s
38
39
• Published P & P’s to encourage and empower staff to communicate to senior levels within the audit org. any issue relating to independence. (3.15)
39
40
• Depending on the nature of the audit– An auditor may also be able to place limited
reliance on safeguards that the audited entity has implemented
– BUT– It is not possible to rely solely on such
safeguards (3.17)
40
41
Examples of engagement-specific safeguards in the work environment
• Having a professional staff member who was not involved in the nonaudit service review any nonaudit work performed
• Having a professional staff member who was not a member of the audit team review the audit work performed
• Consulting an independent third party, such as a professional organization, a professional regulatory board or another auditor
41
42
• Discussing independence issues with those charged with governance of the audited entity
• Disclosing to those charged with governance of the audited entity the nature of audit and nonaudit services provided, and
• Involving another audit organization to perform or re-perform part of the audit (3.16)
42
43
Examples of safeguards within the audited entity’s systems and
procedures—THEM!!
• An audited entity requirement that persons other than management ratify or approve the appointment of an audit organization to perform an audit
• Internal procedures at the audited entity that ensure objective choices in commissioning nonaudit services
43
44
• Audited entity employees with suitable skill, knowledge, and/or experience making management decisions at the audited entity, and
• A governance structure at the audited entity that provides appropriate oversight and communications regarding the audit organization’s services. (3.18)
44
45
Safeguards created by the Profession, Legislation or Regulation—THE
ENFORCERS
• These safeguards can augment, but cannot replace, audit organization-wide and engagement-level safeguards. (3.19)
45
46
Application of the conceptual framework
• To assess threats to independence when– The facts and circumstances create or
augment threats
• Such facts and circumstances may include, but are not limited to:– Start of a new engagement
– Assigning new staff to an ongoing engagement
– Taking on a nonaudit service engagement at an audited entity (3.20)
46
47
A threat is not acceptable if it either
• A. Could impact the auditors’ abililty to express a conclusion without being affected by influences that compromise professional judgment, (INTERNAL, MENTAL) or
• B. Could expose the auditors to facts and circumstances such that objective third parties with knowledge of the relevant info would be likely to conclude that the audit organization’s or a member of the audit team’s integrity, objectivity, or profesional skepticism has been compromised (APPEARANCE). (3.21)
47
48
• When the auditor identifies threats, and– Based on an evaluation of those threats
• Determines they are not at an acceptable level
– The auditor should determine whether appropriate safeguards are available and can be applied to eliminate or reduce them
– Apply professional judgment– Take into account both independence of mind
and appearance
48
49
• Evaluate both qualitative and quantitative factors
• Apply these steps when deciding whether to accept or continue an audit, or whether a particular individual may be a member of the audit team
• Evaluate any new information about a threat which comes to the attention of the audit org. (3.22)
49
50
RUT ROW
• Certain conditions may lead to threats that are so significant that they cannot be eliminated or reduced through the application of safeguards.
• Such conditions may require the auditor to decline to perform a prospective audit or terminate an audit in progress. (3.23)
50
51
THE AUDIT ENGAGEMENT PERIOD
• Auditors should be independent from an audited entity during the audit and professional engagement period:– A. Any period of time that falls within the
scope of the audit– B. The audit engagement period
• Starting when the audit team begins to perform the audit procedures or when auditors formally agree to accept the engagement, whichever is earlier
– Through the issuance of the report (3.24)
51
52
POST FACTO
• If a threat is initially identified after the audit report is issued– Assess the threat’s impact on the audit and on GAGAS
compliance.• If the threat would have resulted in the audit report being different,
the auditor should– Notify entity management, those charged with governance, the
requesters or regulatory agencies that have jurisdiction over the audited entity, and any persons known to be using the audit report
– About the threat and its impact on the audit• In writing or in the same manner in which the audit report was
originally communicated. (3.25)
52
53
Independence of consultants and specialists
• Auditors should assess the independence of consultants and specialists– And apply the necessary safeguards in the same manner
they would for auditors contributing to those audits.• Specialists include but are not limited to:
– Actuaries– Appraisers– Attorneys– Engineers– Environmental consultants– Medical professionals– Statisticians and geologists (3.26)
53
54
Audit organization structureexternal auditor independence
• In addition to the criteria in par. 3.28 and 3.29, GAGAS recognize that there may be other organizational structures under which external auditors could be considered independent.
54
55
• If appropriately designed and implemented, these structures prevent the audited entity from interfering with the audit org’s ability to perform the work and report the results impartially.
• The audit org should have all of the following safeguards, should document how each safeguard was satisfied and provide the documentation to quality control and peer reviewers to determine they are in place. (3.30)
55
56
STATUTORY PROTECTIONS
• Statutory protections that:– prevent the audited entity from abolishing the
audit org– Require that if the head of the audit org is
removed from office, the head of the agency report this fact and the reasons for the removal to the legislative body
– Prevent the audited entity from interfering with the
• Initiation, scope, timing and completion of the audit56
57
– Prevent the audited entity from interfering with audit reporting
• Including the findings and conclusions or
• The manner, means or timing of the audit org’s reports
– Require the audit org to report to a legislative body or other independent governing body on a recurring basis
– Give the audit org sole authority over the selection, retention, advancement and dismissal of its staff, and
57
58
• Statutory access to records and documents related to the agency, program or function being audited and
• Access to government officials or other individuals as needed to conduct the audit (3.30)
58
59
Internal auditors
• Can be independent
• (3.31-3.32)
59
60
Providing nonaudit services to audited entities
• Traditionally provided to audit clients
• BUT can create threats to the audit org or to team members (3.33)
60
61
General requirements for performing nonaudit services
• Before accepting an engagement for provide the nonaudit services to an audited entity:– Determine whether this will create a threat
with respect to any GAGAS or attestation engagement
• Evaluate the threats collectively
61
62
CAN’T DO IT
• If the threat cannot be eliminated or reduced,
• The auditor should either decline to perform the nonaudit service or decline or terminate the audit engagement, except per paragraph 3.42 which will result in a modification of the GAGAS compliance statement. (3.34) SEE SLIDE 73
62
63
Things that are too threatening to be safeguarded against
• Too significant
• If a member of the team assumes management responsibility for the audited entity.– Can’t specify every questionable activity, but
involve:• Leading and directing an entity
– Significant decisions re the acquisition, deployment and control of human, financial, physical and intangible resources (3.35)
63
64
Laundry List of examples of management responsibility
paragraph 3.36
• a. setting policies and strategic direction for the audited entity;
• b. directing and accepting responsibility for the actions of the audited entity's employees in the performance of their routine, recurring activities;
65
• c. having custody of an audited entity's assets;
• d. reporting to those charged with governance on behalf of management; e. deciding which of the auditor's or outside third party's recommendations to implement;
66
• f. accepting responsibility for the management of an audited entity's project;
• g. accepting responsibility for designing, implementing, or maintaining internal control;
• h. providing services that are intended to be used as management's primary basis for making decisions that are significant to the subject matter of the audit;
67
• i. developing an audited entity's performance measurement system when that system is material or significant to the subject matter of the audit; and:
• j. serving as a voting member of an audited entity's management committee or board of directors.
68
Whether a particular activity is management’s responsibility
• Depends on the specific circumstances.• Examples of activities that are management
responsibilities are (paragraph 3.36):• a. setting policies and strategic direction for the
audited entity; • b. directing and accepting responsibility for the
actions of the audited entity's employees in the performance of their routine, recurring activities;
• c. having custody of an audited entity's assets;• d. reporting to those charged with governance
on behalf of management;
69
• e. deciding which of the auditor's or outside third party's recommendations to implement;
• f. accepting responsibility for the management of an audited entity's project;
• g. accepting responsibility for designing, implementing, or maintaining internal control;
70
• h. providing services that are intended to be used as management's primary basis for making decisions that are significant to the subject matter of the audit;
• i. developing an audited entity's performance measurement system when that system is material or significant to the subject matter of the audit; and:
• j. serving as a voting member of an audited entity's management committee or board of directors.
71
Obtain assurances that management performs certain listed functions
(Paragraph 3.37)• a. assumes all management responsibilities; • b. oversees the services, by designating an
individual, preferably within senior management, who possess suitable skill, knowledge, or experience;[Footnote 32]
• c. evaluates the adequacy and results of the services performed; and:
• d. accepts responsibility for the results of the services.
72
If management can’t give assurances
• For example, doesn’t have an individual to adequately assume the responsibilities– The auditor’s provision of the services
WOULD IMPAIR INDEPENDENCE (3.38)
72
73
In connection with nonaudit services
• Auditors should establish and document in writing their understanding with the audited entity re:– Objective of the engagement– Services to be performed– Audited entity’s acceptance of its
responsibilities– Auditors’ responsibilities– Any limitations of the engagement (3.39)
73
74
Timing of nonaudit services
• Auditors who previously performed N/A services for a prospective audit client– Should evaluate the impact before accepting
the audit engagement
• If the N/A services were performed in the period covered by the audit– Evaluate any threat and address it per the
framework
74
75
TAG TEAM AUDITS
• For recurring audits– These threats may in some cases be
eliminated or reduced if the audits are performed by another independent auditor.
• Having another independent audit org audit the areas affected by the N/A service may provide a safeguard that could allow the audit org that provided the N/A service to mitigate the risk to their independence.
– Use professional judgment to make that determination (3.40)
75
76
Audits for Periods beyond the period of the N/A service
• Or first subsequent period
• May be a threat, for years to come– Example:– Auditors designed and implemented an
accounting and reporting system that is expected to be in place for many years
• May? Be an appearance threat in future periods (3.41)
76
77
If you’re stuck
• If you have to do both the audit and the N/A service due to constitutional or statutory requirements over which you have no control– And cannot implement safeguard or decline
the incompatible service
• The auditor should disclose the nature of the threat(s) and modify the GAGAS compliance statement accordingly. (3.42)
77
78
NonAudit Services that Flat Out Impair Independence
• By their nature, they directly support the entity’s operations and impair mental and apparent independence
• And they are frequently requested by government audit clients– And this is not an exhaustive listing!!– Use the conceptual framework to assess
independence given facts and circumstances not specifically prohibited in this section (3.43)
78
79
• Bookkeeping and Preparing Accounting Records (3.44-3.46)
• Certain internal audit assistance services (3.47-3.48)
79
80
• Internal control monitoring and assessments (3.49)– Except separate evaluations are often performed
by individuals who are not directly involved in the operation of the controls being monitored.
– BUT in such cases, the auditor should evaluate the significance of the threat created by performing the separate evaluations of the control and the safeguards that should be applied when necessary to eliminate or reduce those threats
• Assess the frequency of the evaluations and the scope or extent of the controls in relation to the scope of the audit being performed
80
81
IT systems services
• Include the design or implementation of hardware and software systems
• IT services that would impair independence include:– Design or development of a financial or other
IT system that would play a significant role in the management of an area of operations that is or will be an audit’s subject matter
81
82
• Services that entail making other than insignificant modifications to the source code underlying such a system, and
• Operating or supervising the operation of such a system. (3.50)
82
83
Valuation services
• Making assumptions with regard to future developments
• The application of appropriate methodologies and techniques, and
• The combination of both to compute a certain value, or range of values, for an asset, a liability, or a business as a whole
83
84
• If the valuations would have a material effect, separately or in the aggregate, on the financial statements or other information on which it is reporting, AND– The valuation involves a significant degree of
subjectivity
• The audit org’s independence WOULD BE IMPAIRED (3.51)
84
8585
4U
1. This is the single most important idea I got from this
session._________________________________________________
2. This is why it is important (This what I will gain from its
use):____________________________________________________
3. This is how I will use it: (What to do) (How to do it) (When to do it) (With
whom) _______________________________________________
4. I will share these ideas with _____________________________ not later than ________________ because ___________________________
85
8686
GOOD LUCK
I HOPE I HAVE HELPED!
REMEMBER—
IT IS NEVER TOO LATE
TO HAVE A HAPPY CHILDHOOD
86