What’s New in Government Internal Control and Auditing Standards? Houston Institute of Internal Auditors 2015 Government Auditing Conference Page 1.

Slides:



Advertisements
Similar presentations
Yellow Book: Changes You Need to Know NASACT Training Webinar Marcia Buchanan May 4, 2011.
Advertisements

Code of Ethics for Professional Accountants
Internal Control–Integrated Framework
PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.
Federal Audit Executive Council (FAEC) June 2012 Bi-Monthly Meeting Heather I. Keister Doris G. Yanger June 14, 2012 Green Book Update.
Appendix B – Checklist for Review of Adherence to General Standards Peer Review Training – National Science Foundation August 16, 2012 Kieu Rubb, Treasury.
Discussion on SA-500 – AUDIT EVIDENCE
Assurance Services and Auditing Research Chapter 8.
GAO Standards Brian M. Leighton Virginia Department of Motor Vehicles.
1 Yellow Book: What You Need to Know AASHTO Accounting and Auditing Subcommittee Meeting Grand Hyatt Denver Tom Hackney July 27, 2011.
Assurance Services and Auditing Research Chapter 8.
Government Auditing Standards
Going “GAGAS” for the GAO Yellow Book
Yellow Book: What You Need to Know West Virginia AGA Spring Training MOV AGA Chapter Parkersburg, WV May 14, 2013 Nicole M. Burkart.
What’s New in Government Internal Control Standards?
Standards for Internal Control in the Government Going Green Standards for Internal Control in the Federal Government 1.
9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
Auditing A Risk-Based Approach To Conducting A Quality Audit
AICPA Governmental Audit Quality Center Member Conference Call on The New Standards on Quality Control and Practical Implementation Tips May 14, 2009.
SAFA- IFAC Regional SMP Forum
Purpose of the Standards
ISA 220 – Quality Control for Audits of Historical Financial Information
Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.
Conducting the IT Audit
Internal Auditing and Outsourcing
The Yellow Book: What You Need to Know
Yellow Book: What You Need to Know Association of Government Accountants Audio Conference September 19, 2012 Marcia B. Buchanan.
1 Yellow Book: What You Need to Know Annual Conference of Federal Audit Executive Council (FAEC) Ft. McNair, D.C. Marcia B. Buchanan September 9, 2011.
D-1 McGraw-Hill/Irwin ©2005 by the McGraw-Hill Companies, Inc. All rights reserved. Module D Internal, Governmental, and Fraud Audits “I predict that audit.
Yellow Book: What You Need to Know AASHTO Internal/External Audit Conference July 17, 2012 Tempe, Arizona Tom Hackney - GAO.
2011 Yellow Book: What You Need to Know
WHAT ARE OMB CIRCULAR A-133 AUDITS? February 3, José E. Díaz Martínez, CPA, CGMA, MBA Orlando R. Torres, CPA David L. Dennis, CPA.
INTERNAL CONTROL OVER FINANCIAL REPORTING
Considering Internal Control
Standards for Internal Control in the Government Going Green Standards for Internal Control in the Federal Government 1.
Internal Control in a Financial Statement Audit
Standards for Internal Control in the Government Going Green Standards for Internal Control in the Federal Government 1.
1 INDEPENDENCE THE YELLOW BOOK WAY AGA Winter Conference Nashville, Tennessee January 2012 Art “Bubba” Hayes Director, division of state audit
NO FRAUD LEFT BEHIND The Effect of New Risk Assessment Auditing Standards on Schools Runyon Kersteen Ouellette.
Appendix E – Checklist for Review of Performance Audits Presented by: Ashton Coleman Department of Defense Office of the Inspector General August 16, 2012.
Copyright © 2007 Pearson Education Canada 1 Chapter 1: The Demand for Auditing and Assurance Services.
Chapter 21 Internal, Operational, and Compliance Auditing McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
Harmonization Project FAS Meeting Harmonization project and ISSAI 200 Purpose and scope of the project The purpose is to provide a conceptual basis.
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/Irwin.
Internal Controls FMC September Introduction Internal Controls and the BCR/CAFR Green Book Current State Vision for the Future Agenda.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin 7-1 Chapter Seven Auditing Internal Control over Financial Reporting.
©2012 Prentice Hall Business Publishing, Auditing 14/e, Arens/Elder/Beasley Section 404 Audits of Internal Control and Control Risk Chapter.
Standards for Internal Control in the Federal Government: The “Green Book” Kristen Kociolek Assistant Director, U.S. Government Accountability Office Harriet.
ICAJ/PAB - Improving Compliance with International Standards on Auditing Planning an audit of financial statements 19 July 2014.
Internal Audit Section. Authorized in Section , Florida Statutes Section , Florida Statutes (F.S.), authorizes the Inspector General to review.
©©2012 Pearson Education, Auditing 14/e, Arens/Elder/Beasley Considering Internal Control Chapter 10.
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall. Chapter
What’s New in Government Internal Control Standards? Page 1 Going Green.
What’s New in Government Internal Control Standards? Page 1 Going Green Northern Virginia AGA 2016 Spring Workshop.
What’s New in Government Auditing and Internal Control Standards? AGA/ASMC Professional Development Training March 24, 2015 Page 1.
AUDIT STAFF TRAINING WORKSHOP 13 TH – 14 TH NOVEMBER 2014, HILTON HOTEL NAIROBI AUDIT PLANNING 1.
Chapter 6 Internal Control in a Financial Statement Audit McGraw-Hill/IrwinCopyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
 Planning an audit of cost statements, records and other related documents is considered necessary to ensure achievement of audit objectives with available.
©2005 Prentice Hall Business Publishing, Auditing and Assurance Services 10/e, Arens/Elder/Beasley Internal Control and Control Risk Chapter 10.
Government Auditing Standards
Update on the Latest Developments in Government Auditing Standards
Internal and Governmental Financial Auditing and Operational Auditing
Professional Standards
Update on the Developments in Government Auditing Standards
Alignment of Part 4B with ISAE 3000
Update on the Developments in Government Auditing Standards
Update on the Developments in Government Auditing Standards
What’s New in Government Internal Control Standards?
Presentation transcript:

What’s New in Government Internal Control and Auditing Standards? Houston Institute of Internal Auditors 2015 Government Auditing Conference Page 1

Session Objectives To discuss GAO’s revision to the Standards for Internal Control in the Federal Government (Green Book) To discuss recent developments to the Government Auditing Standards (Yellow Book) To provide a general overview of the 2011 Yellow Book Page 2

Standards for Internal Control in the Federal Government Page 3 Going Green

1983Present Green Book Through the Years Page 4

What’s in Green Book for the Federal Government? Reflects federal internal control standards required per Federal Managers’ Financial Integrity Act (FMFIA) Serves as a base for OMB Circular A-123 Written for government Leverages the COSO Framework Uses government terms Page 5

What’s in Green Book for State and Local Governments? May be an acceptable framework for internal control on the state and local government level under proposed OMB Uniform Guidance for Federal Awards Written for government Leverages the COSO Framework Uses government terms Page 6

What’s in Green Book for Management and Auditors? Provides standards for management Provides criteria for auditors Can be used in conjunction with other standards, e.g. Yellow Book Page 7

Updated COSO Framework Released May 14, 2013 Page 8

The COSO Framework Relationship of Objectives and Components Direct relationship between objectives (which are what an entity strives to achieve) and the components (which represent what is needed to achieve the objectives) COSO depicts the relationship in the form of a cube: Three objectives: columns Five components: rows Organizational structure: third dimension Source: COSO Page 9

From COSO to Green Book: Harmonization COSO Green Book Page 10

Revised Green Book: Standards for Internal Control in the Federal Government Page 11 Overview Standards

Consists of two sections: Overview Standards Establishes: Definition of internal control Categories of objectives Components and principles of internal control Requirements for effectiveness Standards for Internal Control Page 12

Revised Green Book: Overview Explains fundamental concepts of internal control Addresses how components, principles, and attributes relate to an entity’s objectives Discusses management evaluation of internal control Overview Standards Page 13

Fundamental Concepts What is internal control in Green Book? OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. What is an internal control system in Green Book? OV1.04 An internal control system is a continuous built-in component of operations, effected by people, that provides reasonable assurance, not absolute assurance, that an entity’s objectives will be achieved. Page 14

Overview: Components, Principles, and Attributes Achieve ObjectivesComponentsPrinciplesAttributes Overview Standards Page 15

Revised Green Book: Principles Page 16

Components and Principles Page 17

Component, Principle, Attribute Page 18

Overview: Principles and Attributes Overview Standards In general, all components and principles are required for an effective internal control system Principles and Attributes: Entity should implement relevant principles If a principle is not relevant, document the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively Attributes are considerations that can contribute to the design, implementation, and operating effectiveness of principles Page 19

Overview: Principles and Attributes (cont.) OV2.05: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. OV2.07 excerpt: The Green Book contains additional information in the form of attributes... Attributes provide further explanation of the principle and documentation requirements and may explain more precisely what a requirement means and what it is intended to cover, or include examples of procedures that may be appropriate for an entity. Page 20

Overview: Management Evaluation An effective internal control system requires that each of the five components are: Effectively designed, implemented, and operating Operating together in an integrated manner Management evaluates the effect of deficiencies on the internal control system A component is not effective if related principles are not effective Overview Standards Overview Standards Page 21

Overview: Additional Considerations The impact of service organizations on an entity’s internal control system Discussion of documentation requirements in the Green Book Applicability to state, local, and quasi-governmental entities as well as not-for-profits Cost/Benefit and Large/Small Entity Considerations Overview Standards Overview Standards Page 22

Revised Green Book: Standards Control Environment Risk Assessment Control Activities Information and Communication Monitoring Overview Standards Page 23

Revised Green Book: Standards Explains principles for each component Includes further discussion of considerations for principles in the form of attributes Overview Standards Page 24

Control Environment Page 25

Risk Assessment Page 26

Control Activities Page 27

Information & Communication Page 28

Monitoring Page 29

Controls Across Components Page 30

Other Key Considerations Standards vs. Framework Documentation Requirements Overview lists in OV4.08 the documentation requirements found in the principles which represent the minimum level of documentation necessary for an effective internal control system Page 31

Documentation Requirements Excerpt from OV2.06: If management determines a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. Page 32

Documentation Requirements (cont.) Control Environment 3.09: Management develops and maintains documentation of its internal control system. Control Activities 12.02: Management documents in policies the internal control responsibilities of the organization. Page 33

Documentation Requirements (cont.) Monitoring 16.09: Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues : Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis : Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. Page 34

Accessibility of Green Book Comments raised during exposure identified new need: How do we make the Green Book more accessible to our user community? Page 35

The Green Book Layout Changed the layout of the Green Book itself to make it more user friendly: Introduced a highlights page Facsimile page Graphics throughout the overview and standards Page 36

Highlights Page Page 37

Facsimile Page Page 38

Cube as Navigation Aid Page 39

The Green Book in Action Relationship between the Green Book and Yellow Book Page 40

Green Book and Yellow Book Can be used by management to understand requirements Can be used by auditors to understand criteria Page 41

The Yellow Book: Framework for Audits Findings are composed of: Condition (What is) Criteria (What should be) Cause Effect (Result) Recommendation (as applicable) Page 42

Linkage Between Criteria (Yellow Book) and Internal Control (Green Book) Green Book provides criteria for the design, implementation, and operating effectiveness of an effective internal control system Page 43

The Yellow Book: Framework for Audits Findings are composed of: Condition (What is) Criteria (What should be) Cause Effect (Result) Recommendation (as applicable) Page 44

Linkage Between Findings (Yellow Book) and Internal Control (Green Book) Findings may have causes that relate to internal control deficiencies Page 45

Effective Date Green Book effective beginning fiscal year 2016 and for the FMFIA reports covering that year Management, at its discretion, may elect early adoption of the Green Book Page 46

Government Auditing Standards Yellow Book Update Page 47

Yellow Book Update New Interpretation Future Plans for Revision Page 48

New Interpretation: Peer Review Ratings GAO developed interpretive guidance on assessing and reporting on the results of peer reviews in government environment: New report ratings do not change the thresholds for deficiency reporting Matters identified during peer review that are not included in report may be communicated orally or in writing Page 49

Yellow Book Interpretations Same authority as Yellow Book Presented to Advisory Council Addressed with key stakeholders Posted to GAO website Page 50

Future Plans for Revision Plans for the next Yellow Book revision are underway Areas being considered for revision include: CPE Competence Further clarify updates Updates for ASB attest section modifications Peer review Page 51

Government Auditing Standards 2011 Yellow Book Page 52

Yellow Book = “GAGAS” GAGAS—Generally Accepted Government Auditing Standards: Broad statements of auditors’ responsibilities An overall framework for ensuring that auditors have the competence, integrity, objectivity, and independence in planning, conducting, and reporting on their work For financial audits and attestation engagements, incorporates and builds on the AICPA standards (SASs and SSAEs) Page 53

The 2011 Yellow Book: Applicability Chapters 1, 2, and 3 apply to all GAGAS engagements: Chapter 1: Government Auditing: Foundation and Ethical Principles Chapter 2: Standards for Use and Application of GAGAS Chapter 3: General Standards Chapter 4: Standards for Financial Audits – applies only to financial audits Chapter 5: Standards for Attestation Engagements – applies only to attestation engagements Page 54

The 2011 Yellow Book: Applicability (cont.) Chapters 6 and 7 apply only to performance audits: Chapter 6: Field Work Standards for Performance Audits Chapter 7: Reporting Standards for Performance Audit Appendix: Provides additional guidance (not requirements) for all GAGAS engagements Interpretations: Available on the Yellow Book web page. Provide additional guidance (not requirements) for areas of particular interest or sensitivity Page 55

Chapter 2: Types of GAGAS Engagements All audits begin with objectives, and those objectives determine the type of audit to be performed and the applicable standards to be followed The types of audits that are covered by GAGAS, as defined by their objectives, are classified in the Yellow Book as: Financial audits Attestation engagements Performance audits Page 56

Chapter 2: Use of Terminology Standardized language to define the auditor requirements Consistent with AU-C 200: Must indicates an unconditional requirement Should indicates a presumptively mandatory requirement Text not using the above conventions is considered explanatory material Page 57

Chapter 3: General Standar ds Independence Conceptual framework Provision of nonaudit services to auditees Professional judgment Competence Technical knowledge Continuing Professional Education Quality Assurance System of quality assurance Peer review Page 58

Chapter 3: Independence In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be independent Independence comprises: Independence of Mind Independence in Appearance Page 59

Applying the Framework Conceptual Framework: 1.Identify threats to independence 2.Evaluate the significance of the threats identified, both individually and in the aggregate 3.Apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level 4.Evaluate whether the safeguard is effective Documentation Requirement: Para 3.24: When threats are not at an acceptable level and require application of safeguards, auditors should document the safeguards applied. Page 60

Independence Conceptual Framew ork Applying The Framework Threats could impair independence Do not necessarily result in an independence impairment Safeguards could mitigate threats Eliminate or reduce to an acceptable level Page 61

Additional Documentation Requirements 1.Auditors must document application of safeguards in place 2.Auditors must document assessment of skill, knowledge, and experience (SKE) Page 62

Applying the Framework: Categories of Threats 1.Management participation threat 2.Self-review threat 3.Bias threat 4.Familiarity threat 5.Undue influence threat 6.Self interest threat 7.Structural threat Page 63

Applying the Framework: Examples of Safeguards 1.Reassign individual staff members who may have a threat to independence 2.Have separate staff perform the non-audit and audit services 3.Have professional staff from outside of the team review the work 4.Use or consult with an independent third party 5.Involve another audit organization 6.Decline to do the requested scope of the non-audit service Page 64

Nonaudit Services 1.Determine if there is a specific prohibition. Unless specifically prohibited, nonaudit services MAY be permitted but should be documented 2.If not prohibited, assess the nonaudit service’s impact on independence using the conceptual framework 3.If the auditor assesses any identified threat to independence as higher than insignificant, assess the sufficiency of audited entity management’s skill, knowledge, and experience to oversee the nonaudit service 4.And… Page 65

Nonaudit Services (cont.) 4.If the auditor concludes that performance of the nonaudit service will not impair independence, document assessments in relation to both: Safeguards applied in accordance with the conceptual framework and The auditor’s assessment of sufficiency of audited entity managements’ skill, knowledge or experience to oversee the nonaudit service (paragraph 3.34) Page 66

Assessing Management’s Skill, Knowledge, and Experience Factors to document include management’s: Understanding of the nature of the nonaudit service Knowledge of the audited entity’s mission and operations General business knowledge Education Position at the audited entity Some factors may be given more weight than others GAGAS does not require that management have the ability to perform or reperform the service Page 67

Sufficiency of Skills, Knowledge and Experience Sufficient skills, knowledge and experience may be judged based in part on: Ability of the responsible audited entity personnel to understand the nature and results of the nonaudit service Ability of the responsible person to identify material errors or misstatements in a nonaudit service work product Ability and willingness and of the responsible person to take meaningful action in the event of identification of a problem with the nonaudit service Client prepared material in poor condition may indicate the client is not capable of taking responsibility for the service. Significant audit findings and adjustments may also be indicative of this issue. Page 68

Safeguards: Nonaudit Services Auditors should document safeguards when significant threats are identified: Auditor has responsibility to perform the assessment, this cannot be a management assertion Assessment should be in writing and indicate actions the auditor has taken to mitigate the threat Assessment should include a conclusion Auditor should document actions taken to mitigate the threat (safeguards) An example of safeguards for nonaudit services may include actions taken by the auditor to preserve independence such as an extra level of review or secondary review Page 69

Prohibited Nonaudit Services Management responsibilities (not a comprehensive list): Setting policies and strategic direction for the audited entity Directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities Having custody of an audited entity’s assets Reporting to those charged with governance on behalf of management Deciding which of the auditor’s or outside third party’s recommendations to implement Page 70

Continuing Professional Education (CPE) No revision to overall requirements Minimum of 24 hours of CPE every 2 years Government Specific or unique environment Auditing standards and applicable accounting principles Additional 56 hours of CPE for auditors involved in Planning, directing, or reporting on GAGAS assignments or Charge 20 percent or more of time annually to GAGAS assignments Minimum of 20 hours of CPE each year Page 71

Chapter 3: General Standards System of Quality Control Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel Page 72

Chapter 3: General Standards System of Quality Control Added a requirement that the quality control policies and procedures collectively address: Leadership responsibilities for quality within the audit organization Independence, legal, and ethical requirements Initiation, acceptance, and continuance of audit and attestation engagements Human resources Audit and attestation engagement performance, documentation, and reporting Monitoring of quality Page 73

Peer Review Ratings The peer review team uses professional judgment in deciding the type of peer review report Types of peer review ratings: Page 74

Chapter 4: Financial Audits Incorporate by reference AICPA Statements on Auditing Standards Additive requirements (performing and reporting) for financial audits Additional considerations for financial audits Page 75

Chapter 5: Attestation Engagements Separated attest requirements: Examination Review Agreed-Upon Procedures Update considerations: Clarified distinctions between engagement types Emphasized AICPA reporting requirements Page 76

Incorporate by reference AICPA Statements on Standards for Attestation Engagements (SSAEs) Additive requirements (performing and reporting) for financial audits Additional considerations for GAGAS attestations Chapter 5: Attestation Engagements Page 77

Chapter 6: Performance Audit Fieldwork Reasonable assurance Significance Audit Risk Planning Supervision Obtaining sufficient, appropriate evidence Audit documentation Page 78

Chapter 6: Performance Audits Level of Assurance Performance audits that comply with GAGAS provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions Page 79

Chapter 6: Performance Audits Sufficient, Appropriate Evidence Appropriateness is defined as a measure of quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions Sufficiency is defined as a measure of quantity of evidence used for addressing the audit objectives and supporting findings and conclusions Page 80

Chapter 6: Performance Audits Criteria Represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated Page 81

Chapter 6: Performance Audits Criteria Examples of criteria: Purpose or goals prescribed by law or regulation or set by officials of the audited entity Policies and procedures established by officials of the audited entity Technically developed standards or norms Expert opinions Page 82

Chapter 7: Performance Audits Reporting Auditors must issue audit reports communicating the results of each completed performance audit Auditors should use a form of the audit report that is appropriate for its intended use and is in writing or in some other retrievable form Page 83

Chapter 7: Performance Audits Report Contents Auditors should prepare audit reports that contain: Objectives, scope, and methodology of the audit Audit results, including findings, conclusions, and recommendations, as appropriate Statement about the auditors’ compliance with GAGAS Summary of the views of responsible officials Nature of any confidential or sensitive information omitted Page 84

Chapter 7: Performance Audits Reporting Views of Responsible Officials Auditors should: Obtain and report views of responsible officials concerning findings, conclusions, recommendations, and planned corrective actions Include in report an evaluation of the comments, as appropriate Page 85

Where to Find Us The Yellow Book is available on GAO’s website at: The Green Book is available on GAO’s website at: For technical assistance, contact us at: or or call (202) Page 86

Thank You Questions? Page 87