1 Yellow Book Update: 2010 Exposure Draft NASACT Middle Management Conference Marcia B. Buchanan Oklahoma City, Oklahoma April 19, 2010.

1

Yellow Book Update: 2010 Exposure Draft

NASACT Middle Management Conference

Marcia B. BuchananOklahoma City,

OklahomaApril 19, 2010

2

Session Objectives

• Review why Government Auditing Standards (the Yellow Book) is being revised

• Highlight areas that GAO expects to be revised in the next Yellow Book

• Discuss the anticipated timeline for the Yellow Book revision

3

Disclaimer Required to Receive a Preview

The revisions discussed are preliminary and subject to change based on

feedback from the Comptroller General’s Advisory Council on Government Auditing Standards and others

4

Why the Yellow Book is being revised

• Continue to promulgate high quality Government Auditing Standards

• Promote the modernization of auditing standards

• Streamline with standard setters• Encourage development of consistent, core

auditing standards

5

Why the Yellow Book is being revised (Continued)

• Address issues GAO has observed• Questions sent to Yellow Book Technical

Assistance• GAO’s work on the oversight of the American

Recovery and Reinvestment Act

6

Movements Towards Clarity

• Key aspects of the clarity conventions were incorporated in the 2007 Yellow Book

• “Must,” “is required,” and “should” designate requirements

• Uses active sentences

• Footnotes will now be used only to reference other standards or paragraphs within GAGAS

• Footnotes were either:• Moved into the text of the GAGAS standard• Moved to the GAGAS Appendix• Removed from the Yellow Book

7

Use of terminology

• Standardized language to define auditor requirements

• Consistent with SAS No. 102:• Must and is required indicate an

unconditional requirement• Should indicates a presumptively mandatory

requirement• Text not using the above conventions is

considered explanatory material

8

Must & Should Word Count

Chapter2007 YB 2011 YB

Must Should Must Should1 0 0 0 02 3 11 3 123 17 60 5 844 12 88 0 685 9 68 0 626 6 67 6 687 1 59 1 61

Appendix 0 1 0 1TOTALS 48 354 15 356

9

Yellow Book: Revisions Under Consideration

• Realigned chapters 1 and 2• Chapter 1 – concepts and ethics • Chapter 2 – requirements for the use and

application of GAGAS

• Defined reasonable assurance• Clarification of GAGAS attestation

engagements• Other definitions and clarifications

10


(Continued)

• Revised Independence• Replace current standards with conceptual

framework• Promote consistency with AICPA and IFAC,

particularly non-audit services

11


(Continued)

• Clarified CPE requirements for Specialists

• Clarified requirements for being considered an internal specialist

12


(Continued)

• Expanded discussion of quality control and assurance for the audit organization

• New types of peer review opinions

13


(Continued)

• Financial Audits• Consolidated requirements previously in

chapters 4 and 5, into a new chapter 4 • Streamlined with AICPA standards• Enhanced wording consistency with AICPA

14


(Continued)

• Attestation engagements• Incorporates examination-level engagements• Limits use of GAGAS for review-level

engagements and agreed-upon procedures to attestation engagements which are required by law or regulation

15


(Continued)

• Performance audits• Added definition of waste and related auditor

requirements • Revised requirement for reporting on fraud • Added requirement for reporting instances of

waste

16

Chapters 1 and 2

17

Reorganization of Chapters 1 and 2

Realigned Chapters 1 and 2• Chapter 1 - concepts and ethics that serve as

the foundation for the requirements and guidance for GAGAS

• Chapter 2 - requirements for the use and application of GAGAS

18

Definition of Reasonable Assurance

• Reasonable Assurance• Is a high level of assurance, not absolute

assurance• Supports the auditors’ reported findings and

conclusions within the context of the audit objectives

• For all audits under GAGAS, the auditor obtains reasonable assurance

19

Chapter 1 - Clarifications and Other Definitions

• Clarified or added definitions of• Auditor• Audit organization• Audit team• Audit period

• Transparency

20

Chapter 2 - Clarifications

• Overall discussion of audit documentation• Clarified citing compliance with GAGAS

• Departures from presumptively mandatory requirements

• Using GAGAS with other standards• Attestation engagements

• Additional objective for GAGAS financial audits

21

Attestation Engagements

• Auditors may cite compliance with GAGAS• Examination-level attestation engagements or• If a law or regulation requires auditors to

perform a review-level or an agreed-upon procedures engagement in accordance with GAGAS and the auditor follows• AICPA SSAEs applicable to review-level or

agreed-upon procedures and• GAGAS general standards in Chapter 3

22

GAGAS statement for Agreed-Upon Procedures Attestation

Engagement that cites GAGAS

“This agreed-upon procedures engagement was conducted in accordance with attestation

standards established by the American Institute of Certified Public Accountants and generally

accepted government auditing standards, issued by the Comptroller General of the United States.”

• Adopt similar language for review-level engagements

23

Chapter 3, General Standards

(Independence)

24

Conceptual Framework Approachfor Independence

• Current rules-based approach to independence • Does not provide needed flexibility to deal

with the diverse facts and circumstances that exist in practice

• AICPA and IFAC both have frameworks• GAGAS framework will:

• Provide consistent results when compared with AICPA / IFAC

• Address unique governmental structural issues

25

Conceptual Framework Approach for Independence

• Under the proposed GAGAS Conceptual Framework approach, auditors

• identify threats to independence;• evaluate the significance of the threats

identified; and• apply safeguards, when necessary, to

eliminate the threats or reduce them to an acceptable level

• GAO will retire current Questions and Answers to Independence Standard Questions guidance

26

Assess condition or activity for threats to independence

Is threat significant? Proceed

Identify and apply appropriate safeguard(s)

Is threat eliminated or reduced to an acceptable level?

Potential independence impairment; do not proceed

YES

NO

YES

NO

Assess safeguard effectiveness

Assess threat for significance

Threat identified?NO

YES

27

Broad Categories of Threats

Seven categories of threats:• Self-interest threat• Self-review threat• Bias threat• Familiarity threat• Undue influence threat • Management participation threat• Structural threat

28

Overarching Principles and Supplemental Safeguards from 2007 Yellow Book

• Incorporated into the Conceptual Framework approach to independence

• Covered by two threat categories in the conceptual framework• Management participation threat

• Audit organizations must not provide nonaudit services that involve performing management functions or making management decisions

• Self-review threat • Audit organizations must not audit their own work

or provide nonaudit services in situations in which the nonaudit services are significant or material to the subject matter of the audits

29

Threat Categories

• Self-interest—a financial or other interest will inappropriately influence the auditor’s judgment or behavior

• Self-review—an auditor will not appropriately evaluate the results of a previous judgment or service of the auditor or audit organization, on which the auditor will rely as part of providing a current service

30

Threat Categories (continued)

• Bias—an auditor will, as a result of political, ideological, social, or other convictions, promote a position to the point that the auditor’s objectivity is compromised

• Familiarity—due to a long or close relationship with an audited entity or employer, an auditor will be too sympathetic to their interests or too accepting of their work

31


• Undue influence—an auditor will be deterred from acting objectively because of actual or perceived pressures from individuals or groups (external impairments)

• Management participation—results when an auditor takes on a management role or otherwise performs management functions on behalf of and audited entity

32


• Structural—an audit organization’s placement within a government entity will impact the ability to perform work and report objectively (organizational impairments)• Applies only to audit organizations that are

organizationally located within government entities

33

Safeguards

• Controls that mitigate or eliminate threats to independence

• Effective controls eliminate the threat or reduce to an acceptable level the threat’s potential to impair independence

34

Safeguards (Continued)

• Two broad categories:• Safeguards created by the profession,

legislation, or regulation• Safeguards in the work environment

35

Safeguards Created by the Profession, Legislation or Regulation

• Regulations designed to ensure appropriate management of public resources

• Professional standards • Professional or regulatory monitoring and

disciplinary procedures• External review by a legally empowered third

party of the reports, communications or other information produced by the auditor

36

Safeguards in the Work Environment

• Documented policies regarding the need to: • Identify threats to independence, • Evaluate the significance of those threats,• Apply safeguards to eliminate or reduce the

threats to an acceptable level, and• when appropriate safeguards are not

available or cannot be applied, terminate or decline the relevant engagement

37

Safeguards in the Work Environment (Continued)

• Policies and procedures that will enable the identification interest or relationships between the audited entities and:• The audit organization• Members of engagement teams

38

Safeguards in the Work Environment (continued)

• Using different management and engagement teams

• Timely communication of an audit organization’s policies and procedures

• Designating a member of senior management to oversee the adequate functioning of the audit organization’s quality control system

39

Independence Framework ExamplePayroll Accruals

• Client requests auditor to assist with payroll accruals for financial statements prepared using GASB accounting standards

• Threat—self-review threat

• Safeguard-Knowledgeable staff at client that is able to review and check reasonableness of numbers based on analytical calculation

• Safeguard-Staff assigned are not connected to the audit team

40


Is threat significant?(material) Proceed

Identify and apply appropriate safeguard(s) (Knowledgeable

management)

Is threat eliminated or reduced to an acceptable level? Potential independence

impairment; do not proceed

YESNO

YES

NO

Assess safeguard effectiveness-depends on confidence on managements knowledge

Assess threat for significance

Threat identified? (self-review threat)

NO

YES

Payroll Accruals example

41

Independence Framework ExampleSlaughterhouse

• Auditor, who is a vegetarian, is asked to work on an audit of a slaughterhouse• Threat – bias threat

• Significance of the threat• Why is the auditor a vegetarian? (Health or

personal views)

• Safeguards• Role and responsibilities of the auditor on the

engagement• Activity being audited (Payroll or slaughter

operations)

42


Is threat significant?(material) Proceed

Identify and apply appropriate safeguard(s)(level of the auditor, subject of the audit)

Is threat eliminated or reduced to an acceptable level?

Potential independence impairment; do not proceed

YES

NO

YES

NO

Assess safeguard effectiveness

Assess threat for significance (reason for being vegetarian)

Threat identified? (bias threat)NO

YES

Slaughterhouse example

43

Chapter 3, General Standards (Professional Judgment,

Competence and Quality Control and Assurance)

44

Professional Judgment

• Added discussion on using professional judgment in applying the conceptual framework for independence

45

Continuing Professional Education (CPE)

• 2007 Revision of GAGAS incorporated the revised CPE requirements that were issued in April 2005 (GAO-05-568G)

• No revision to overall requirements• 24 hours of CPE every 2 years directly related to

GAGAS engagements• Additional 56 hours of CPE, involved in planning,

directing, or reporting on GAGAS assignments or charge 20 percent or more of time annually to GAGAS assignments

• 20 hours of CPE each year

46

Prorating CPE

• Clarified prorating required CPE hours for auditors hired or assigned to a GAGAS engagement after the beginning of the CPE period

47

Clarified CPE Requirements for Specialists

• External specialists

• Internal specialists

• Internal consultants

48

System of Quality Control

• Expanded discussion of quality control and assurance for the audit organization • Policies and procedures for each element of

the system of quality control, but do not have to be separate

• Audit organization may establish overall policies and procedures that collectively address multiple elements of the system of quality control

49

Peer Review

• Aligned the types of peer review opinions with the new types of opinions used in the AICPA peer review program• Some peer review programs may still use the

prior terminology

50

Chapters 4 and 5Financial Audits and

Attestation Engagements

51

Financial Audits and Attestation Engagements

• Informally adopted a tiered writing approach to Chapters 4 and 5• Retain linkage between AICPA standards and

GAGAS

• Clearly note additional requirements beyond the AICPA to address the accountability and transparency needs of governments• No new requirements added in this revision

52

Financial Audits

• Emphasized governmental considerations for AICPA standards • Materiality• Ongoing investigations or legal proceedings• Early communication of deficiencies

53

Financial Audits

• Deleted the following:• Requirement for reporting on restatements• Requirement for the audit organization to

develop policies to deal with requests by outside parties to obtain access to audit documentation

• Requirement on documentation for terminated engagements

• Definitions of internal control deficiencies, since definitions of material weakness and significant deficiency are incorporated by reference in SAS 115

54

Reporting on Restatements

• GAO staff proposes removal of requirement for reporting on restatement

• AICPA issued an exposure draft, Subsequent Events and Subsequently Discovered Facts

• GAO staff will continue to monitor the language of the proposed SAS and any revisions made from the exposure draft

55

Update terminology

• AICPA will eliminate the ten standards, and replace these standards as part of clarity• Revision to the AICPA standards will cause

the GAGAS incorporation to be out of date

56

SAS 115 - Revised Definitions for Internal Control Deficiencies

• Defines the terms deficiency in internal control, significant deficiency, and material weakness

• Provides guidance on evaluating the severity of deficiencies in internal control• No change in practice since “likelihood” and

“magnitude” are used as criteria to determine whether control deficiencies should be reported

57

SAS 115 - Revised Definitions for Internal Control Deficiencies (Continued)

• Requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit

• Current proposal does not include the definitions in GAGAS, since they are already incorporated through the AICPA standards

58

“New” vs. “Old” Internal Control Deficiency Definitions

New Definition - SAS 115 2007 GAGAS Definition (SAS 112)

Significant Deficiency

A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance

A deficiency in internal control or combination of deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.

Material Weakness

A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis

A significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that material misstatement of the financial statements will not be prevented or detected

59

Early Communication of Internal Control and Compliance Deficiencies

• No new standard but emphasizing requirement in SAS No. 115• Discuss the public interest of early

communication • Allow corrective action to start before the

report is issued

60

GAO Interim Guidance on Reporting Deficiencies in Internal Control

• Issued November 2008 to assist auditors in complying with

• SAS No. 115, Communicating Internal Control Related Matters Identified in an Audit (effective for periods ending on or after December 15, 2009)

• SSAE No. 15, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

• Revised AICPA standards have different definitions of material weaknesses and significant deficiencies than GAGAS

• Pending the revision, auditors may use the AICPA’s new definition for GAGAS purposes

61

Chapters 6 and 7Performance Audits

62

Fraud and Waste

• Added a definition of waste• Same auditor responsibility as for abuse

• Reporting requirements• Instances of fraud that are significant within

the context of the audit objectives, rather than all fraud

• Instances of waste that are significant within the context of the audit objectives

63

Performance Audits

• Deleted the following:• Discussion of reasonable assurance, defined

for all types of audits in chapter 1• Requirement for the audit organization to

develop policies to deal with requests by outside parties to obtain access to audit documentation

64

2011 Yellow BookProjected Dates

June 2010: • Issue Exposure Draft of 2011 Revision of GAGAS

September 2010:• Comments due on Exposure Draft

January – February 2011:• Issue 2011 Revision of GAGAS

AICPA proposed date of clarified standards is December 15, 2011:• GAO staff will propose an effective date based on

final AICPA date

65

Yellow Book Team:• Jim Dalkin (202) 512-3133• Marcia Buchanan (202) 512-9321• Cheryl Clark (202) 512-9377• Kristen Kociolek (202) 512-2989• Gail Vallieres (202) 512-9370• Michael Hrapsky (202) 512-9535• Heather Keister (202) 512-2943• Theresa Phipps (202) 512-2574• Tom Hackney (303) 572-7304• Eric Holbrook (202) 512-5232• Mark Kaufman (202) 512-9341• Andrew Seehusen (202) 512-4896

We also get lots of help from:• Bob Dacey, GAO Chief Accountant• Jennifer Allison, Advisory Council Administrator

Contact us at [email protected]

GAO’s Accountability & Standards Team

66

Where to Find the Yellow Book

The Yellow Book is available on GAO’s website at:

www.gao.gov/govaud/ybk01.htm

For technical assistance, contact us [email protected]

http://www.gao.gov/govaud/ybk01.htm

mailto:[email protected]

1 Yellow Book Update: 2010 Exposure Draft NASACT Middle Management Conference Marcia B. Buchanan Oklahoma City, Oklahoma April 19, 2010.

Documents

yellow book slide

yellow book revision

application of gagas

gagas chapter

aicpa slide

regulation slide

totals4835415356 slide

yellow book update