The Yellow Book: What You Need to Know AASHTO Audit Subcommittee Portland, Oregon July 2015 Drummond Kahn, City of Portland Advisory Council on Government Auditing Standards Drummond.Kahn@PortlandOregon.gov

Session Objective Provide a general overview of the Yellow Book

Yellow Book = “GAGAS” GAGAS—Generally Accepted Government Auditing Standards Broad statements of auditors’ responsibilities An overall framework for ensuring that auditors have the competence, integrity, objectivity, and independence in planning, conducting, and reporting on their work For financial audits and attestation engagements, incorporates and builds on the AICPA standards (SASs and SSAEs) 3

The 2011 Yellow Book: Applicability Chapters 1, 2, and 3 apply to all GAGAS engagements Chapter 1: Government Auditing: Foundation and Ethical Principles Chapter 2: Standards for Use and Application of GAGAS Chapter 3: General Standards Chapter 4: Standards for Financial Audits – applies only to financial audits Chapter 5: Standards for Attestation Engagements - applies only to attestation engagements

The 2011 Yellow Book Applicability (Continued) Chapters 6 and 7 apply only to performance audits Chapter 6: Field Work Standards for Performance Audits Chapter 7: Reporting Standards for Performance Audits Appendix: Provides additional guidance (not requirements) for all GAGAS engagements Interpretations: Available on the Yellow Book web page. Provide additional guidance (not requirements) for areas of particular interest or sensitivity.

Chapter 2: Types of GAGAS Engagements All audits begin with objectives, and those objectives determine the type of audit to be performed and the applicable standards to be followed. The types of audits that are covered by GAGAS, as defined by their objectives, are classified in the Yellow Book as Financial audits, Attestation engagements, and Performance audits. 6

Chapter 2: Attestation Engagements Attestation engagements can cover a broad range of financial or non-financial objectives and may provide different levels of assurance about the subject matter or assertion depending on the users’ needs. The three types of attestation engagements are: Examination Review Agreed-Upon Procedures

Chapter 2: Performance Audits Performance audits are defined as audits that provide findings or conclusions based on an evaluation of sufficient, appropriate evidence against criteria Performance audits provide objective analysis to assist management and those charged with governance and oversight in using the information to Improve program performance and operations Reduce costs Facilitate decision making, and Contribute to public accountability

Chapter 2: Use of Terminology Standardized language to define the auditor requirements Consistent with AU-C 200: Must indicates an unconditional requirement Should indicates a presumptively mandatory requirement Text not using the above conventions is considered explanatory material

Chapter 3: General Standards Independence Conceptual framework Provision of nonaudit services to auditees Professional judgment Competence Technical knowledge Continuing Professional Education Quality Assurance System of quality assurance Peer review 10

Chapter 3: Independence In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be independent. Independence comprises: Independence of Mind Independence in Appearance

Independence Conceptual Framework Allows the auditor to assess unique circumstances Adaptable Consistent with AICPA and IFAC frameworks Significant differences from ET-101-3 Entry point for independence assessment Emphasis on services “in aggregate” Documentation requirements 12

Applying the Framework Conceptual Framework: Identify threats to independence Evaluate the significance of the threats identified, both individually and in the aggregate Apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level Evaluate whether the safeguard is effective Documentation Requirement: Para 3.24: When threats are not at an acceptable level and require application of safeguards, auditors should document the safeguards applied.

Applying the Framework Threats could impair independence Do not necessarily result in an independence impairment Safeguards could mitigate threats Eliminate or reduce to an acceptable level

GAGAS Conceptual Framework for Independence

Applying the Framework: Categories of Threats Management participation threat Self-review threat Bias threat Familiarity threat Undue influence threat Self interest threat Structural threat 16

Applying the Framework: Examples of Safeguards Reassign individual staff members who may have a threat to independence. Have separate staff perform the non-audit and audit services. Have professional staff from outside of the team review the work. Use or consult with an independent third party. Involve another audit organization. Decline to do the requested scope of the non-audit service.

Nonaudit Services Determine if there is a specific prohibition. Unless specifically prohibited, nonaudit services MAY be permitted but should be documented. If not prohibited, assess the nonaudit service’s impact on independence using the conceptual framework. If the auditor assesses any identified threat to independence as higher than insignificant, assess the sufficiency of audited entity management’s skill, knowledge, and experience to oversee the nonaudit service. And…

Nonaudit Services (Continued) If the auditor concludes that performance of the nonaudit service will not impair independence, document assessments in relation to both: safeguards applied in accordance with the conceptual framework and the auditor’s assessment of sufficiency of audited entity managements’ skill, knowledge or experience to oversee the nonaudit service.

Assessing Management’s Skill, Knowledge, and Experience Factors to document include management’s: Understanding of the nature of the nonaudit service Knowledge of the audited entity’s mission and operations General business knowledge Education Position at the audited entity Some factors may be given more weight than others GAGAS does not require that management have the ability to perform or reperform the service

Prohibited Nonaudit Services Management responsibilities (not a comprehensive list): Setting policies and strategic direction for the audited entity Directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities Having custody of an audited entity’s assets Reporting to those charged with governance on behalf of management Deciding which of the auditor’s or outside third party’s recommendations to implement

Independence: Documentation Requirements Para 3.59 summarizes documentation requirements for independence: Threats that require the application of safeguards along with the safeguards applied Safeguards in place if an audit organization is structurally located within a government entity Consideration of sufficiency of audited entity management’s skill, knowledge, and experience to take responsibility for and effectively oversee the nonaudit services The auditor’s understanding with an audited entity regarding nonaudit services to be provided

Chapter 3 – General Standards: Continuing Professional Education (CPE) No revision to overall requirements: Minimum of 24 hours of CPE every 2 years Government Specific or unique environment Auditing standards and applicable accounting principles Additional 56 hours of CPE for auditors involved in Planning, directing, or reporting on GAGAS assignments; or Charge 20 percent or more of time annually to GAGAS assignments Minimum of 20 hours of CPE each year 23

Chapter 3 - General Standards: System of Quality Control Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel. 24

Chapter 3: General Standards- System of Quality Control Added a requirement that the quality control policies and procedures collectively address: Leadership responsibilities for quality within the audit organization Independence, legal, and ethical requirements Initiation, acceptance, and continuance of audit and attestation engagements Human resources Audit and attestation engagement performance, documentation, and reporting Monitoring of quality 25

Chapter 3: Changes to Quality Control Monitoring Procedures Audit organizations should analyze and summarize, in writing, the results of monitoring procedures at least annually: Include identification of any systemic issues needing improvement Include recommendations for corrective action Communicate deficiencies noted to appropriate personnel and make recommendations for remedial action

Chapter 3: Peer Review Each audit organization performing audits in accordance with GAGAS must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every three years.

Chapter 3: Peer Review Scope Review of the audit organization’s quality control policies and procedures Consideration of the adequacy and results of the audit organization’s internal monitoring procedures Review of selected auditors’ reports and related documentation

Chapter 3: Peer Review Scope (continued) Review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files Interviews with a selection of the reviewed audit organization’s professional staff at various levels to assess their understanding of and compliance with relevant quality control policies and procedures

Chapter 3: Changes Related to Peer Reviews The peer review team uses professional judgment in deciding the type of peer review report. The following are the types of peer review reports: Peer review rating of pass Peer review rating of pass with deficiencies Peer review rating of fail 30

Chapter 4: Financial Audits Incorporate by reference AICPA Statements on Auditing Standards Additive requirements (performing and reporting) for financial audits Additional considerations for financial audits

Chapter 4: Additional Requirements for Performing Financial Audits Additional requirements relate to Auditor communication Previous audits and attestation engagements Noncompliance with provisions of contracts or grant agreements, or abuse Developing elements of a finding Audit Documentation

Chapter 4: Additional Requirements for Reporting on Financial Audits Additional requirements relate to Reporting auditors’ compliance with GAGAS Reporting on internal control, compliance with provisions of laws, regulations, contracts, and grant agreements Communicating deficiencies in internal control, fraud, noncompliance with provisions of laws, regulations, contracts, and grant agreements, and abuse Reporting views of responsible officials Reporting confidential or sensitive information Distributing reports

Chapter 5: Attestation Engagements Separated attest requirements Examination Review Agreed-Upon Procedures Update considerations Clarified distinctions between engagement types Emphasized AICPA reporting requirements

Chapter 5: Attestation Engagements Incorporate by reference AICPA Statements on Standards for Attestation Engagements (SSAEs) Additive requirements (performing and reporting) for financial audits Additional considerations for GAGAS attestations 35

Chapter 5: Additional Requirements for Performing Attestations Additional requirements relate to Auditor communication Previous audits and attestation engagements Fraud, noncompliance with provisions of contracts or grant agreements, or abuse Developing elements of a finding Documentation

Chapter 5: Additional Requirements for Reporting on Attestations Additional requirements relate to Reporting auditors’ compliance with GAGAS Reporting deficiencies in internal control, fraud, noncompliance with provisions of laws, regulations, contracts, and grant agreements, and abuse Reporting views of responsible officials Reporting confidential or sensitive information Distributing reports

Chapter 6: Performance Audit Fieldwork Reasonable assurance Significance Audit Risk Planning Supervision Obtaining sufficient, appropriate evidence Audit documentation

Chapter 6: Performance Audits Level of Assurance Performance audits that comply with GAGAS provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions.

Chapter 6: Performance Audits Concept of Significance Significance: The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, including the: magnitude of the matter in relation to the subject matter of the audit nature and effect of the matter, relevance of the matter, needs and interests of an objective third party, and impact of the matter on the audited program or activity.

Chapter 6: Performance Audits Audit Risk Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions.

Chapter 6: Performance Audits Audit Risk Audit risk is the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete, as a result of factors such as evidence that is not sufficient and/or appropriate, an inadequate audit process, or intentional omissions or misleading information due to misrepresentation or fraud.

Chapter 6: Performance Audits Planning Auditors must adequately plan and document the planning of the work necessary to address the audit objectives Auditors should assess audit risk and significance by gaining an understanding of: Nature and profile of the program and user needs Internal control Information systems controls Legal and regulatory requirements, contract provisions or grant agreements, fraud, or abuse Previous audits

Chapter 6: Performance Audits Internal Control Auditors should obtain an understanding of internal control that is significant within the context of the audit objectives. For those internal controls that are significant within the context of the audit objectives, auditors should: assess whether the internal controls have been properly designed and implemented. plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls.

Chapter 6: Performance Audits Fraud In planning the audit, auditors should assess risks of fraud occurring that is significant within the context of the audit objectives. Auditors should Discuss fraud risks among the audit team Gather and assess information to identify risk of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions

Chapter 6: Performance Audits Fraud When auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud.

Chapter 6: Performance Audits Abuse If auditors become aware of indications of abuse that could be quantitatively or qualitatively significant to the program under audit, auditors should apply audit procedures specifically directed to ascertain the potential effect on the program under audit within the context of the audit objectives. However, because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse. After performing additional work, auditors may discover that the abuse represents potential illegal acts.

Chapter 6: Performance Audits Criteria Represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. 48

Chapter 6: Performance Audits Criteria Examples of criteria: purpose or goals prescribed by law or regulation or set by officials of the audited entity, policies and procedures established by officials of the audited entity, technically developed standards or norms, expert opinions 49

Chapter 6: Performance Audits Sufficient, Appropriate Evidence Appropriateness is defined as a measure of quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions. Sufficiency is defined as a measure of quantity of evidence used for addressing the audit objectives and supporting findings and conclusions.

Chapter 6: Performance Audits Elements of a Finding Auditors should plan and perform procedures to develop the elements of a finding necessary to address the audit objectives: Criteria Condition Cause Effect or potential effect 51 51

Chapter 7: Performance Audits Reporting Auditors must issue audit reports communicating the results of each completed performance audit. Auditors should use a form of the audit report that is appropriate for its intended use and is in writing or in some other retrievable form.

Chapter 7: Performance Audits Report Contents Auditors should prepare audit reports that contain: objectives, scope, and methodology of the audit; audit results, including findings, conclusions, and recommendations, as appropriate; statement about the auditors’ compliance with GAGAS; summary of the views of responsible officials; and nature of any confidential or sensitive information omitted.

Chapter 7: Performance Audits Reporting Views of Responsible Officials Auditors should obtain and report views of responsible officials concerning findings, conclusions, recommendations, and planned corrective actions include in report an evaluation of the comments, as appropriate 54 54

Chapter 7: Performance Audits Issuing and Distributing Reports Distribution of reports depends on The relationship of the auditors to the audited organization The nature of the information contained in the report GAGAS establishes different requirements for Government audit organizations (external) Internal audit organizations in government Public accounting firms 55 55

The Yellow Book: What You Need to Know Questions ?

Where to Find the Yellow Book The Yellow Book is available on GAO’s website at: www.gao.gov/yellowbook For technical assistance, contact: yellowbook@gao.gov or call (202) 512-9535 57 57