the 2007 yellow book: what a beginner needs to understand a governmental audit quality center web...

1

The 2007 Yellow Book: What a Beginner Needs to UnderstandA Governmental Audit Quality Center Web EventFebruary 9, 2011

Governmental Audit Quality Center

Administrative Notes

If you encounter any technical difficulties (e.g., audio issues) during this event please take the following steps:• Press the F5 key on your computer to refresh• Close and re-start your browser• Check your speakers, ensure they are not on mute• Turn off your pop-up blocker• Re-start you computer• Call InterCall/Genesys Tech support 866.861.4872, Conf ID# 151828• If none of the above work, submit a request for help on the “Ask a

Question Box” located on the left hand side of your screen.

If are unable to get assistance from InterCall/Genesys for some reason, e-mail [email protected] or call 202-434-9207

2

mailto:[email protected]


Administrative Notes

We encourage you to submit your technical questions – please limit your questions to the content of today’s program

To submit a question, type it into the “Ask a Question” box on left side of your screen; we will answer as many as possible

You can also submit questions to the GAQC member forum for consideration by other members

This event is being recorded and will be posted in an archive format to the GAQC Web site

3


Continuing Professional Education

Must have registered for CPE credit prior to this event; a link to the CPE Credit Approval Form was e-mailed to youListen for announcement of 4 CPE codes (7 digit codes: ALL_ _ _ _ ) and 4 polling questions during the eventRecord CPE Codes on CPE Credit Approval Form and return completed form (by fax or mail) to AICPA Service Center for record of attendance; keep a copy for your records

If you are not receiving CPE for this call, ignore the CPE codes that we announce, but please answer the polling questions

4


Presenters

Flo Ostrum, CPA Grant Thornton LLP

Brian Schebler, CPA McGladrey & Pullen, LLP

Moderating:

Mary Foelster, CPA AICPA - GAQC

5


Background

Why are we hosting this event?

Proliferation of federal agencies beginning to require that for-profits undergo financial audits under Government Auditing Standards and compliance audits

Several federal agencies involved and differing types of for-profit entities

Many of the requirements are effective now for the first time

6

Governmental Audit Quality Center 7

Examples of New Federal Requirements

Housing and Urban Development (HUD) - Supervised Mortgagees (Depository Institutions)• Financial statement audit under Government Auditing Standards

and compliance audit using the Consolidated Audit Guide for Audits of HUD Programs (HUD Guide)

• Effective now!• See GAQC Alert #159 (available at www.aicpa.org/GAQC)

Commerce and Agriculture – Telecommunications Companies and Broadband Providers• Awards relate to expansion of broadband technology• Program-specific audit of federal awards and related

compliance audit using program-specific guidance (currently under development)

http://www.aicpa.org/GAQC


Examples of New Federal Requirements

Energy – Electric Utilities, Automotive Companies, Manufacturing Companies• Financial audit of schedule of Energy awards and related

compliance audit using Energy program-specific guidance• Effective now – Energy guidance to be issued any day• FAQ document at:

http://management.energy.gov/documents/ForProfit_AuditFAQ121610.pdf




What Will We Cover?

Basic overview of the requirements of the 2007 Yellow Book

Key differences between the Yellow Book and GAAS

Access to references, guidance and tools

Expected revision of the Yellow Book later in 2011


What Changes will a Yellow Book Engagement Require?

CPE requirements for the entire engagement team

Reporting on internal control over financial reporting and compliance

Additional independence considerations around nonaudit services

Provision of peer review report to contracting parties


Basic Overview of the 2007 Yellow Book

Proper name: Government Auditing Standards, July 2007 Revision;

Commonly referred to as the Yellow Book or Generally Accepted Government Auditing Standards (GAGAS)

Issued by the Comptroller General of the United States of the U.S. Government Accountability Office (GAO)

Revised periodically


Content of the Yellow Book

Chapter 1: Use and Application of GAGAS

Chapter 2: Ethical Principles in Government Auditing

Chapter 3: General Standards

Chapter 4: Field Work Standards for Financial Audits

Chapter 5: Reporting Standards for Financial AuditsChapter 6: General, Field Work, and Reporting Standards for Attestation Engagements

Chapter 7: Field Work Standards for Performance Audits

Chapter 8: Reporting Standards for Performance Audits

Appendix I: Supplemental Guidance

Appendix II: Comptroller General's Advisory Council on Government Auditing Standards

Index

*Bolded items will be covered in today’s presentation


Types of Audits and Attestation Engagements Covered by the Yellow Book

Financial • Financial statement audits• Other (e.g., special reports, auditing compliance, etc.) • Covered by first 5 chapters of Yellow Book

Attestation (will not be covering in today’s session)• Examination, Review, and AUP• Some federal agencies require attestation engagements for for-

profits (e.g., Department of Education audit guides)

Performance (will not be covering in today’s session)• Program evaluations/program effectiveness and results audits• Economy and efficiency audits• Operational audits


When Does the Yellow Book Apply?

When required (for example, by law, regulation, or contract)

Usually participation in federal programs (such as grants or loan programs) over a certain dollar threshold triggers a Yellow Book (and related compliance audit) requirement

Client may decide to voluntarily apply the Yellow Book in which case they would engage the auditor to perform the audit using those standards


Relationship of Yellow Book with Other Standards

AICPA field work and reporting standards are incorporated by reference for financial audits and then Yellow Book requires additional standards

Public Company Accounting Oversight Board (PCAOB) and International Auditing and Assurance Standards Board (IAASB) standards can be used in conjunction with GAGAS for financial statement audits

GAO guidance document provides guidance on using the Yellow Book with PCAOB standards (http://www.gao.gov/govaud/gagaspcaob2007.pdf)

http://www.gao.gov/govaud/gagaspcaob2007.pdf


Two Categories of Professional Requirements in the Yellow Book

Use of “must” or “is required” refer to unconditional requirements for which auditors are required to comply with

Use of “should” equates to a presumptively mandatory requirement• Departure from these requirements rare• Need to provide documentation supporting justification for the

departure and how an alternative procedure achieved the objective

Tool available on GAO Web site which identifies all unconditional and presumptively mandatory requirements (http://www.gao.gov/new.items/d08210g.pdf)

http://www.gao.gov/new.items/d08210g.pdf


Ethical Principles

The ethical principles guiding the work of auditors under GAGAS are:• The public interest• Integrity• Objectivity• Proper use of government information, resources,

and position• Professional behavior


General Standards

The Yellow Book does not adopt the AICPA general standards; instead, it establishes its own

The four general standards are:• Independence• Professional judgment• Competence• Quality Control and Assurance


Yellow Book Independence Versus AICPA

GAAS audit = AICPA’s Code of Professional Conduct Rule 101, Independence

GAGAS audit = Yellow Book independence requirements

Some Yellow Book independence rules very similar to AICPA rules

Other Yellow Book independence rules are more stringent

AICPA has made available a comparison between the two sets of standards at: http://www.aicpa.org/InterestAreas/ProfessionalEthics/Resources/Tools/DownloadableDocuments/2004_02AICPA-GAO_rules_comparison.pdf

http://www.aicpa.org/InterestAreas/ProfessionalEthics/Resources/Tools/DownloadableDocuments/2004_02AICPA-GAO_rules_comparison.pdf




Yellow Book Independence

GAGAS states that the audit organization and the individual auditor must: • Be free from personal, external, and organizational impairments

to independence• Avoid the appearance of such impairments of independence.

Comprehensive independence Q&A issued by GAO and available at: http://www.gao.gov/govaud/d02870g.pdf (currently effective)

The Yellow Book defines certain steps an audit organization should take if an impairment to independence is identified after the audit report is issued.

http://www.gao.gov/govaud/d02870g.pdf


Yellow Book Independence

Chapter 3 of the Yellow Book addresses when auditors their organizations are independent from the following impairments:• Personal • External• Organizational

If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work

Yellow Book adopts an engagement-team-focused approach similar to AICPA Code for matters such as financial interests of an individual auditor


Yellow Book Independence and Specialists

Assess the specialist's ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit

If the specialist's independence is impaired, auditors should not use the work of that specialist


Nonaudit Services

Need to consider the effects of any nonaudit services performed on independence for current, future, and planned audit services.

Two Overarching Principles apply to the auditor assessing the impact of performing a nonaudit service:• Should not provide nonaudit services that involve performing

management functions or making management decisions; and • Should not audit own work or provide nonaudit services in

situations where the nonaudit services are material to the subject matter of audit


Nonaudit Services

Nonaudit services generally fall into one of the following categories:• Nonaudit services that do not impair the audit

organization's independence• Nonaudit services that would not impair the audit

organization's independence with respect to the entities it audits as long as the audit organization complies with identified supplemental safeguards

• Nonaudit services that do impair the audit organization's independence


Nonaudit Services

Supplemental Safeguards • Document consideration of nonaudit services, including

impact on independence• Establish in writing an understanding with audited entity

about the nonaudit service and management responsibilities

• Exclude personnel who provided the nonaudit services from planning, conducting, or reviewing audit work in the subject matter of the nonaudit services

• Do not reduce the scope and extent of audit work below what would have been done if nonaudit service done by an unrelated party


Nonaudit Services

Examples of nonaudit services provided in connection with a financial statement audit

Assistance with:• Drafting of financial statements and footnotes• Maintenance of fixed asset records• Implementation of an accounting standard• Preparation of tax return(s)


Common Yellow Book Independence Deficiencies

Failure to identify and address potential or the appearance of impairments such as:• Nonaudit services provided• Making management decisions• Failure to consider the GAO standards and related

Q&A • Failure to comply or document compliance with

supplemental safeguards

Key to compliance with Yellow Book independence is document, document, document!


Professional Judgment

Requires that auditors must use professional judgment in planning and performing audits and in reporting the results

Includes exercising reasonable care and professional skepticism

Similar to AICPA standard on due professional care

However, GAGAS expands the discussion of professional judgment as it relates to its importance in audit engagements (chapter 3 of the Yellow Book provides further guidance and description)


Competence

Competence is derived from a blending of education and experience

The staff assigned must collectively possess adequate professional competence for the tasks required and include:• knowledge of GAGAS applicable to the type of work being performed• general knowledge of the environment in which the audited entity

operates• skills to communicate clearly and effectively, both orally and in writing• skills appropriate for the work being performed

If using GAGAS with other standards, auditors need to be knowledgeable and competent in applying those standards.


CPE Requirement

Should complete every 2 years, at least 24 hours of Continuing Professional Education (CPE) that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates


CPE Requirement

An additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) is needed that enhances the auditor's professional proficiency to perform audits or attestation engagements

Applicable to: • Auditors involved in any amount of planning, directing, or

reporting on GAGAS assignments; AND• Auditors who are not involved in those activities but charge 20

percent or more of their time annually to GAGAS assignments

Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year periods


CPE Requirement

For Specialists:• Internal specialists who are part of the audit

organization and perform as a member of the audit team must comply with GAGAS, including the CPE requirements

• External specialists are not required to meet the CPE requirements but have to be qualified and maintain professional competence

• Auditors using the work of external specialists should assess the professional qualifications and document their findings and conclusions


CPE Requirements

GAO has issued a guidance document on the GAGAS CPE requirements that can be found at: http://www.gao.gov/govaud/ybcpe2005.pdf

Matters Covered:• Who is subject to the requirements?• How should compliance with CPE requirements be measured?• What qualifies as acceptable CPE?• Measuring CPE hours• How are CPE requirements to be administered?

http://www.gao.gov/govaud/ybcpe2005.pdf


Quality Control and Assurance

Paragraph 3.50 – 3.54 of Yellow Book discuss QC Requirements

Each organization performing GAGAS audits must:• Establish a system of quality control that is designed

to provide reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements; and

• Have an external peer review at least once every 3 years



Keep in mind that you will also have to apply the AICPA Statements on Quality Control Standards (SQCS)

Yellow Book requirements for system of quality control are generally consistent with the SQCS

SQCS can be found at:

http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SQCS.aspx







Additional GAGAS RequirementsAudit organizations must make their most recent peer review report publicly available

Those audit organizations seeking to enter into a contract to perform a GAGAS audit or attestation engagement should provide the following to the party contracting for such services: • The audit organization’s most recent peer review report and any letter

of comment• Any subsequent peer review reports and letters of comment received

during the period of the contract

Auditors who are using another audit organization’s work should request:• The audit organization’s latest peer review report• Any letter of comment



Documentation

Must document & communicate

Policies must address:• Leadership Responsibilities• Independence, Legal & Ethical Requirements• Initiation, Acceptance and Continuance of

Engagements• Human Resources• Engagement performance, documentation and

reporting• Monitoring



Monitoring

Monitoring is another difference between AICPA and GAGAS

GAGAS requirements state that reviews of the work and the report that are normally part of supervision are not monitoring controls when used alone

Purpose:• Ensure adherence to requirements• Ensure QC is appropriately designed• Ensure QC policies & procedures are operating effectively



Monitoring

Engagement Supervision Alone is not Monitoring

Audit organizations to analyze and summarize the results of monitoring procedures at least annually• Include identification of any systemic issues needing

improvement• Include recommendations for corrective action

Should be performed by individuals that collectively have sufficient expertise and authority


Documentation

AICPA and GAGAS requirements for documentation very similar

Experienced auditor concept should be met

GAGAS provides additional considerations relating to:• Auditors should document evidence of supervisory review prior

to report issuance• Departures from GAGAS requirements due to law, regulation,

scope limitations, or other issues impacting audit should be documented along with the impact on audit

• Policies and procedures should be established for safe custody and retention

• Auditors should make appropriate individuals and audit documentation available upon request


GAGAS Field Work – Internal Control Over Financial Reporting

Generally, GAGAS identical to that of AICPA requirements

Additional GAGAS requirements• Communicate information (during planning) about the nature of

the planned work and level of assurance to be provided on internal control

• Any potential restrictions on the scope of the audit should be communicated

• Evaluate whether the entity has taken appropriate corrective action to address findings and recommendations from previous engagements


GAGAS Field Work – Compliance

GAGAS and AICPA requirements very similar for consideration of compliance with laws, regulations, as well as fraud and errors

Additional GAGAS requirements• Communicate information (during planning) about the nature of

the planned work and level of assurance to be provided on compliance

• Design audit to detect material misstatements due to noncompliance with provisions of contracts or grants

• If evidence that possible illegal acts exist that could have a material indirect effect on the financial statements, apply procedures to ascertain whether illegal act occurred

• Evaluate whether appropriate corrective action to address findings and recommendations from previous engagements


GAGAS Field Work – Abuse

Additional requirement of GAGAS

Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary

May be the result of internal control deficiency

Examples provided in GAGAS:• Unneeded overtime• Staff performing personal errands• Misusing position for personal gain• Extravagant or expensive travel choices• Procurement or vendor selections that are contrary to policies


GAGAS Field Work – Abuse

Not required to design audit to detect

We are not providing reasonable assurance of detecting abuse

Must follow-up when auditor becomes aware of abuse that could be material to the financial statements• Quantitative considerations• Qualitative considerations


GAGAS – Management Representations

Additional representations from management:• Responsibility for compliance and internal control over financial

reporting• Identification of all direct and material laws, regulations, and

provisions of contracts and grants • Has process for tracking status of audit findings and

recommendations• Has identified previous audits and other studies related to audit

objective and whether recommendations implemented• Has provided views on auditor’s reported findings, conclusions,

and recommendations as well as corrective actions


GAGAS Reporting Requirements

In addition to providing opinion on financial statements the auditor must:• Report on internal control over financial reporting• Report on compliance with laws, regulations, and

provisions of contracts or grant agreements• Report on certain fraud and abuse



Additional Yellow Book requirements:• Auditors’ compliance with GAGAS • Internal control and compliance with laws,

regulations, and provisions of contracts or grant agreements

• Deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts grant agreements, and abuse

• Communicating additional significant matters in the auditors’ report (always have the option)



Additional Yellow Book requirements:• Restatement of previously-issued financial

statements (goes beyond what AICPA requires)• Views of responsible officials (should be included in

findings write-ups)• Confidential or sensitive information (if prohibited

from public disclosure auditor should disclose in report that omitted and reason)

• Distributing reports (should clarify report distribution responsibilities with auditee)



When auditors comply with all applicable GAGAS requirements, they should include a statement in the auditors’ report that they performed the audit in accordance with GAGAS

GAGAS do not prohibit auditors from issuing a separate report conforming only to AICPA or other standards


GAGAS Reporting – The Yellow Book Report

Proper report title:

Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial

Statements Performed in Accordance With Government Auditing Standards

Include description of scope of the auditor’s testing of internal control over financial reporting and compliance

State whether tests performed provided sufficient, appropriate evidence

When reporting separate from the financial statement opinion (which is common practice) must add linkage paragraph to the financial statement opinion• That issued GAGAS report • That GAGAS report is integral to the audit


GAGAS Reporting – The Yellow Book Report

Include significant deficiencies and material weaknesses• Schedule of Findings and Responses• Schedule of Findings and Questioned Costs

Include all instances of fraud and illegal acts unless inconsequential

Include violations of provisions of contracts or grants and abuse that could have a material effect on the financial statements

Direct the reader to a management letter, when issued, if it addresses control deficiencies and/or noncompliance, fraud, or abuse that is other than inconsequential.


GAGAS Reporting – The Management Letter

Auditors should communicate in writing:• Violations of provisions of contracts or grant agreements or

abuse that have an effect that is less than material but more than inconsequential

Determining whether and how to communicate the following is a matter of professional judgment:• Illegal acts, violations of provisions of contracts or grant

agreements or abuse that is inconsequential • Internal control deficiencies that have an inconsequential effect

on the financial statements


Other Reporting Matters

Restricted Use Reports versus general use reports

Transition from GAAS only to Yellow Book (i.e., comparative financial statements)


Development of Findings

Findings include control deficiencies, fraud, illegal acts, violations of provisions of contracts or agreements, and abuse

Elements of a finding:• Criteria• Condition• Cause• Effect or potential effect (prevalence)• Recommendation(s) for improvement • Management’s corrective action plan(s)


Development of Findings

When reporting view of responsible officials, auditors should:• Obtain and report views of responsible officials

concerning findings, conclusions, recommendations, and planned corrective actions,

• Include in report an evaluation of the comments, as appropriate

If the audited entity does not provide comments, auditors may issue the report and indicate that the audited entity did not provide comments


References, Guidance and Tools

GAO Web Site for Yellow Book: http://www.gao.gov/yellowbook

Government Auditing Standards, July 2007 Revision (GAO-07-731G) http://www.gao.gov/new.items/d07731g.pdf

Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005) http://www.gao.gov/govaud/ybcpe2005.pdf

Government Auditing Standards: Answers to Independence Standard Questions (GAO-02-870G, July 2002) http://www.gao.gov/govaud/d02870g.pdf

http://www.gao.gov/yellowbook








Guidance on Complying with Government Auditing Standards Reporting Requirements for the Report on Internal Control for Audits of Certain Entities Subject to the Requirements of the Sarbanes-Oxley Act of 2002 and Government Auditing Standards (December 2007) http://www.gao.gov/govaud/gagaspcaob2007.pdf

AICPA has made available a comparison between AICPA and GAGAS independence standards at: http://www.aicpa.org/InterestAreas/ProfessionalEthics/Resources/Tools/DownloadableDocuments/2004_02AICPA-GAO_rules_comparison.pdf








Tool available on GAO Web site which identifies all unconditional and presumptively mandatory requirements (http://www.gao.gov/new.items/d08210g.pdf)

For technical or practice questions directly related to Government Auditing Standards, our e-mail address is: [email protected]


mailto:[email protected]



GAQC Web site: http://aicpa.org/GAQC

AICPA Government Auditing Standards and Circular A-133 Audits and related Risk Alert available at http://www.cpa2biz.com/ • Chapters 1-4 relevant to GAGAS• Report illustrations

http://aicpa.org/GAQC

http://www.cpa2biz.com/


Future Revision of the Yellow Book

Final issuance of 2011 revision of Yellow Book expected later this year

Government Auditing Standards, 2010 Exposure Draft (GAO-10-853G, August 2010) and available at: http://www.gao.gov/new.items/d10853g.pdf

Primary area of change is independence requirements (to align the Yellow Book more closely with AICPA rules

Effective date

GAQC Archived Web event, What You Need to Know About the 2010 Yellow Book Exposure Draft, provides you with summary of major changes proposed http://www.aicpa.org/InterestAreas/GovernmentalAuditQuality/Resources/Pages/WhatYouNeedtoKnowAboutthe2010YBED–MemberWebEvent.aspx



http://www.aicpa.org/InterestAreas/GovernmentalAuditQuality/Resources/Pages/WhatYouNeedtoKnowAboutthe2010YBED%E2%80%93MemberWebEvent.aspx



Questions ???

61

the 2007 yellow book: what a beginner needs to understand a governmental audit quality center web...

Documents

related compliance audit

consolidated audit guide

event record cpe codes

aicpa service center

cpe credit approval

polling questions

technical questions

cpa aicpa gaqc