Log Out

January 21, 2019

Major changes to government auditing standards from the U.S. Government Accountability Office mark the first major revision since 2011.

By Melisa Galasso, CPA
Galasso Learning Solutions, Charlotte, N.C.

In July 2018, the U.S. Government Accountability Office (GAO) issued Government Auditing Standards, 2018 Revision (GAO-18-568G). Government Auditing Standards go by several names, including Yellow Book, Generally Accepted Government Auditing Standards (GAGAS) and Government Auditing Standards (GAS). While there were many changes proposed in the exposure draft, the final 2018 revision did not end up including many of the proposals.

The GAO received more than 1,700 comment letters in response to its April 2017 exposure draft. The 2018 revision supersedes the 2011 GAS revision as well as 2005 Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education and 2014 Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings.

At First Glance

One of the first things a reader will notice is that chapters are in a new format. Requirements are boxed off and followed by application material, with more boxes of requirements followed by more application material. This will help users understand what are deemed requirements by Yellow Book and what is meant to help them in implementing those requirements. While requirements and application material separation are similar to the AICPA’s Auditing Standards, the layout and look is different. In addition, the numbering is different in Yellow Book.

Another noticeable change is related to the number of chapters. The 2011 Revision had seven chapters, while there are nine in the 2018 Revision. The new chapters take guidance that was combined with other materials and separates it into their own separate chapters. Chapter 1 of the 2011 Revision, “Government Auditing: Foundation and Ethical Principles,” is combined with Chapter 2 from the 2011 Revision, “Standards for Use and Application of GAGAS.” However, Chapter 3 of the 2011 Revision is broken out into four chapters: Chapter 2, “General Requirements for Complying with Government Auditing Standards”; Chapter 3, “Ethics, Independence, and Professional Judgment”; Chapter 4, “Competence and Continuing Professional Education”; and Chapter 5, “Quality Control and Peer Review.”

It makes sense to put CPE in its own chapter given the removal of the 2005 CPE document (discussed below). Those who frequently used the 2011 Revision appendices will also notice that the supplemental guidance from the appendices were either removed or incorporated into the individual chapters.

Changes to Audit Guidance

The biggest substantive change auditors will likely see as a result of the new guidance is related to independence requirements. The guidance splits nonaudit service independence requirements from other independence threats. In addition, preparation of financial statements from a trial balance or underlying records has been pulled out separately. The GAO provides two new flow charts that auditors should study careful to ensure they are correctly following independence standards.

The first path in the flow chart “Generally Accepted Government Auditing Standards (GAGAS) Conceptual Framework for Independence” (Figure 1) asks auditors to evaluate if they have identified any threats. The list of threats identified by GAO did not change from 2011. If the auditor answers yes, the path splits at this point between those threats that are related to nonaudit services and those that are not. For those threats unrelated to nonaudit services, the path is the same as the considerations in the 2011 revision. The auditor would have to evaluate the significance of the threat. If significant, they would have to identify safeguards that are sufficient to either eliminate the threat or reduce it to an acceptable level. Then the auditor would document the threat.

GAO Independence Framework

However, if the threat is related to a nonaudit service, the guidance changes. The auditor would first have to review the list of services explicitly stated in GAGAS to determine whether or not they are prohibited (i.e., if they automatically impair independence). If the nonaudit service is not prohibited, then the flow chart asks who requested the service. If it was not requested by the entity’s management, the auditor would proceed to the standard flowchart and evaluate the significance of the threat, identify safeguards and document.

If the entity’s management requested the nonaudit service, the auditor would have to evaluate the skills, knowledge and experience (SKE) of management. Management does not need to be able to perform the service, but does need the SKE to oversee the engagement. If management does not have the SKE to oversee, then independence is impaired and the auditor should not proceed. If management does have the SKE needed, then the auditor would have to document their knowledge of the SKE.

The next fork in the road is related to the type of nonaudit service. If the service is unrelated to preparing accounting records and financial statements, after documenting SKE the auditor returns back to the original path to evaluate the significance of the threat, identify and apply safeguards and then document their considerations. However, if the nonaudit service is preparing accounting records and financial statements, the GAO heavily clarified next steps including a separate flow chart for the auditor to consider.
Another flowchart, “Independence Considerations for Preparing Accounting Records and Financial Statements,” asks if there is separate preparation of financial statements in their entirety from client-provided trial balance or accounting records from other preparation. Preparing financial statements in their entirety from client-provided trial balances or accounting records is considered to be a significant threat, so no evaluation of the significance is required. The auditor would then identify safeguard to eliminate the threat or reduce it to an acceptable level. It is important to notice that SKE is NOT a safeguard. It is basically a prerequisite to move forward in the process. The auditor must identify another safeguard (i.e., concurring reviewer) to reduce the self-review threat to an acceptable level. Then the auditor would have to assess the effectiveness of the safeguard and document.
Peer Review Revision

The peer review section also received an update. The section separates those audit organizations that are subject to recognized peer review organizations (including the American Institute of CPAs and National State Auditors Association) from those that are not. The 2018 Revision lists recognized programs. If the audit organization is subject to one of the approved organizations, then they would follow that organization’s processes (and certain requirements in the 2018 Revision). However, for those not subject to a recognized program, the revision provides additional requirements for those organizations.

Continuing Education

In terms of Yellow Book CPE, many of the proposed changes in this area were removed in the final version. The CPE hour requirement stays the same at 24 and 56. However, the GAO did add application guidance that emphasizes the need to obtain GAGAS-specific CPE (especially when there are revisions to the standards).

One of the biggest changes to CPE is the incorporation of the 2005 Guidance on GAGAS Requirements for Continuing Professional Education. The 2011 Revision left the 2005 document as a standalone resource. This time, the GAO incorporated all CPE guidance into the 2018 Revision to make it easier to ensure compliance with CPE. The guidance expands on various roles or levels that one may have within an organization (nonsupervisory auditors, supervisory auditors and partners and directors) when considering competence. It also defines key terms like planning, directing, performing audit engagement procedures and reporting. One of the areas that received particular attention was related to CPE for audit specialists. External specialists are not subject to GAGAS. However, if an internal specialist performs engagement procedures on a Yellow Book client, they are subject to GAGAS CPE requirements. CPE in their area of specialization does count to the 24-hour requirement.

Other Considerations

In the exposure draft, the GAO had proposed adding a reporting requirement of waste in addition to abuse. Ultimately, the organization backed away from this stance. In fact, they moved abuse out of the requirements and into application guidance. GAO does provide a definition for waste and gives examples of both waste and abuse, but auditors are not required to perform specific procedures to detect waste or abuse. However, internal control considerations may impact reporting of waste or abuse if it comes to the auditor’s attention. It is important to note that the Uniform Guidance incorporated abuse as a requirement back in 2013.

In the 2011 Revision, engagements subject to Yellow Book included financial audits, attestation engagements and performance audits. Yellow Book incorporated by reference the Statements on Auditing Standards (SAS) and the Attestation Standards (SSAE). But the 2011 Revision made no mention of Statement on Standards for Accounting and Review Services (SSARS) engagements. The 2018 Revision adds reviews of financial statements performed under SSARS to the engagement types. The attestation engagements section (a new Chapter 7) is augmented to include Yellow Book guidance when performing a review of a financial statement under SSARS and Yellow Book.

Effective Date

The new Yellow Book is effective for financial audits, attestation engagements and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019. Early implementation is not permitted. Despite the fact that 2020 sounds so far away (it’s NOT), it is important for auditors to remember how the independence rules work. The auditor must be independent for the entire audit period, which means that the beginning of the audit period (July 1, 2019) really kicks off the independence rules. If an auditor performs nonaudit services, they need to be careful of the effective date to ensure they do not accidentally impair independence.

Melisa Galasso, CPA, is the founder of Galasso Learning Solutions LLC in Charlotte, N.C., where she designs and facilitates courses in advanced technical accounting and auditing topics, including nonprofit and governmental accounting. She is a member of the VSCPA Board of Directors and the Disclosures Editorial Task Force.