1. Yellow Book Update: 2010 Exposure Draft
NASACT Middle Management Conference
Marcia B. Buchanan
Oklahoma City, Oklahoma
April 19, 2010 1

2. Session Objectives
Review why Government Auditing Standards (the Yellow Book) is being revised
Highlight areas that GAO expects to be revised in the next Yellow Book
Discuss the anticipated timeline for the Yellow Book revision 2

3. Disclaimer Required to Receive a Preview
The revisions discussed are preliminary
and subject to change based on
feedback from the Comptroller General’s Advisory Council on Government
Auditing Standards and others

4. Why the Yellow Book is being revised
Continue to promulgate high quality Government Auditing Standards
Promote the modernization of auditing standards
Streamline with standard setters
Encourage development of consistent, core auditing standards

5. Why the Yellow Book is being revised (Continued)
Address issues GAO has observed
Questions sent to Yellow Book Technical Assistance
GAO’s work on the oversight of the American Recovery and Reinvestment Act
Example of GAO work on oversight of Recovery Act having an impact on GAGAS: Early communication of internal control and compliance deficiencies-No new standard but emphasizing requirement in SAS No. 115 to discuss the public interest of early communication so corrective action can start before the report is issued. (and in the case of single audit this report is due 9 months after the end of the entity’s fiscal year end.)

6. Movements Towards Clarity
Key aspects of the clarity conventions were incorporated in the 2007 Yellow Book
“Must,” “is required,” and “should” designate requirements
Uses active sentences
Footnotes will now be used only to reference other standards or paragraphs within GAGAS
Footnotes were either:
Moved into the text of the GAGAS standard
Moved to the GAGAS Appendix
Removed from the Yellow Book

7. Use of terminology
Standardized language to define auditor requirements
Consistent with SAS No. 102:
Must and is required indicate an unconditional requirement
Should indicates a presumptively mandatory requirement
Text not using the above conventions is considered explanatory material

8. Must & Should Word Count
Chapter
2007 YB
2011 YB
Must
Should 1 2 3 11 12 17 60 5 84 4 88 68 9 62 6 67 7 59 61
Appendix
TOTALS 48
354 15
356
* Chapter 1 indicates 2010 YB; however, to facilitate accurate comparison, the table uses chapter 2 data from 2007 YB in the chapter 1 row.
** Chapter 2 indicates 2010 YB; however, to facilitate accurate comparison, the table uses chapter 1 data from 2007 YB in the chapter 2 row.
*** Chapter 4 indicates 2010 YB; the 2007 YB column includes the sum of chapters 4 and 5 from 2007 YB to facilitate accurate comparison.
**** Chapters 5, 6, and 7 were Chapters 6, 7, and 8 in the 2007 YB.

9. Yellow Book: Revisions Under Consideration
Realigned chapters 1 and 2
Chapter 1 – concepts and ethics
Chapter 2 – requirements for the use and application of GAGAS
Defined reasonable assurance
Clarification of GAGAS attestation engagements
Other definitions and clarifications 9

10. Yellow Book: Revisions Under Consideration (Continued)
Revised Independence
Replace current standards with conceptual framework
Promote consistency with AICPA and IFAC, particularly non-audit services

11. Yellow Book: Revisions Under Consideration (Continued)
Clarified CPE requirements for Specialists
Clarified requirements for being considered an internal specialist

12. Yellow Book: Revisions Under Consideration (Continued)
Expanded discussion of quality control and assurance for the audit organization
New types of peer review opinions

13. Yellow Book: Revisions Under Consideration (Continued)
Financial Audits
Consolidated requirements previously in chapters 4 and 5, into a new chapter 4
Streamlined with AICPA standards
Enhanced wording consistency with AICPA

14. Yellow Book: Revisions Under Consideration (Continued)
Attestation engagements
Incorporates examination-level engagements
Limits use of GAGAS for review-level engagements and agreed-upon procedures to attestation engagements which are required by law or regulation

15. Yellow Book: Revisions Under Consideration (Continued)
Performance audits
Added definition of waste and related auditor requirements
Revised requirement for reporting on fraud
Added requirement for reporting instances of waste

16. Chapters 1 and 2

17. Reorganization of Chapters 1 and 2
Realigned Chapters 1 and 2
Chapter 1 - concepts and ethics that serve as the foundation for the requirements and guidance for GAGAS
Chapter 2 - requirements for the use and application of GAGAS

18. Definition of Reasonable Assurance
Is a high level of assurance, not absolute assurance
Supports the auditors’ reported findings and conclusions within the context of the audit objectives
For all audits under GAGAS, the auditor obtains reasonable assurance

19. Chapter 1 - Clarifications and Other Definitions
Clarified or added definitions of
Auditor
Audit organization
Audit team
Audit period
Transparency
a. The term “auditor” as it is used throughout GAGAS describes individuals performing work under GAGAS (including audits and attestation engagements) regardless of job title. Therefore, individuals who may have the titles auditor, analyst, practitioner, evaluator, inspector, or other similar titles are considered auditors in GAGAS.
b. The term “audit organization” as it is used throughout the standards refers to government audit organizations as well as public accounting or other firms that perform audits and attestation engagements using GAGAS.
c. The term “audit team” as it is used throughout GAGAS describes the individuals performing work under GAGAS, including planning, directing, performing audit procedures, or reporting on the audit. The audit team includes those individuals involved in the quality control process prior to the report issuance. The audit team does not include external specialists, consultants, and individuals who perform only routine clerical functions, such as word processing and photocopying.
d. The term “audit period” as it is used throughout GAGAS is the period of time from the date of the notification or engagement letter to the date that the audit report is issued or the audit engagement is terminated.

20. Chapter 2 - Clarifications
Overall discussion of audit documentation
Clarified citing compliance with GAGAS
Departures from presumptively mandatory requirements
Using GAGAS with other standards
Attestation engagements
Additional objective for GAGAS financial audits

21. Attestation Engagements
Auditors may cite compliance with GAGAS
Examination-level attestation engagements or
If a law or regulation requires auditors to perform a review-level or an agreed-upon procedures engagement in accordance with GAGAS and the auditor follows
AICPA SSAEs applicable to review-level or agreed-upon procedures and
GAGAS general standards in Chapter 3

22. Adopt similar language for review-level engagements
GAGAS statement for Agreed-Upon Procedures Attestation Engagement that cites GAGAS
“This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and generally accepted government auditing standards, issued by the Comptroller General of the United States.”
Adopt similar language for review-level engagements

23. Chapter 3, General Standards (Independence)

24. Conceptual Framework Approach for Independence
Current rules-based approach to independence
Does not provide needed flexibility to deal with the diverse facts and circumstances that exist in practice
AICPA and IFAC both have frameworks
GAGAS framework will:
Provide consistent results when compared with AICPA / IFAC
Address unique governmental structural issues

25. Conceptual Framework Approach for Independence
Under the proposed GAGAS Conceptual Framework approach, auditors
identify threats to independence;
evaluate the significance of the threats identified; and
apply safeguards, when necessary, to eliminate the threats or reduce them to an acceptable level
GAO will retire current Questions and Answers to Independence Standard Questions guidance

26. Assess condition or activity for threats to independence
Threat identified?
YES
Assess threat for significance NO
Is threat significant?
Proceed
YES
Identify and apply appropriate safeguard(s)
The auditors might note that in the previous year the client has a significant deficiency in internal control over financial reporting. Consequently the client’s internal controls are probably not sufficient to safeguard against the threat to independence that would result from the auditors’ participation in preparing the financials. The auditors would then have to decide whether they will perform the audit or the nonaudit service.
GAGAS could adopt the pre-defined categories that would best serve government audit, and add new categories that apply specific to government audits.
In particular, we think Self-review, Familiarity, Self-interest, and Management participation threats are major threat categories in government auditing. We would propose adding another threat, “Bias threat.”
While preconceived ideas and biases can degrade the quality of any audit, the need to guard against these threats in government audits is especially important due to the sensitive and public nature of many government audits, and the qualitative nature of some performance audits.
Assess safeguard effectiveness
Is threat eliminated or reduced to an acceptable level?
YES
Potential independence impairment; do not proceed NO 26

27. Broad Categories of Threats
Seven categories of threats:
Self-interest threat
Self-review threat
Bias threat
Familiarity threat
Undue influence threat
Management participation threat
Structural threat
Self-interest—the threat that a financial or other interest will inappropriately influence the auditor’s judgment or behavior
Self-review—The threat that an auditor will not appropriately evaluate the results of a previous judgment made or service performed by the auditor or audit organization, on which the auditor will rely when forming a judgment as part of providing a current service
Bias—the threat that an auditor will, as a result of political, ideological, social, or other convictions, promote a position to the point that the auditor’s objectivity is compromised
Familiarity—the threat that due to a long or close relationship with an audited entity or employer, an auditor will be too sympathetic to their interests or too accepting of their work
Undue influence—the threat than an auditor will be deterred from acting objectively because of actual or perceived pressures from individuals or groups
Management participation—the threat that results when an auditor takes on a management role or otherwise performs management functions on behalf of and audited entity
Structural—the threat than an audit organization’s placement within a government entity, in combination with the structure of the government entity being audited, will impact the audit organization’s ability to perform work and report objectively. A structural threat differs from other threat categories in that it applies only to audit organizations that are organizationally located within government entities

28. Overarching Principles and Supplemental Safeguards from 2007 Yellow Book
Incorporated into the Conceptual Framework approach to independence
Covered by two threat categories in the conceptual framework
Management participation threat
Audit organizations must not provide nonaudit services that involve performing management functions or making management decisions
Self-review threat
Audit organizations must not audit their own work or provide nonaudit services in situations in which the nonaudit services are significant or material to the subject matter of the audits

29. Threat Categories
Self-interest—a financial or other interest will inappropriately influence the auditor’s judgment or behavior
Self-review—an auditor will not appropriately evaluate the results of a previous judgment or service of the auditor or audit organization, on which the auditor will rely as part of providing a current service

30. Threat Categories (continued)
Bias—an auditor will, as a result of political, ideological, social, or other convictions, promote a position to the point that the auditor’s objectivity is compromised
Familiarity—due to a long or close relationship with an audited entity or employer, an auditor will be too sympathetic to their interests or too accepting of their work

31. Threat Categories (continued)
Undue influence—an auditor will be deterred from acting objectively because of actual or perceived pressures from individuals or groups (external impairments)
Management participation—results when an auditor takes on a management role or otherwise performs management functions on behalf of and audited entity

32. Threat Categories (continued)
Structural—an audit organization’s placement within a government entity will impact the ability to perform work and report objectively (organizational impairments)
Applies only to audit organizations that are organizationally located within government entities

33. Safeguards Controls that mitigate or eliminate threats to independence
Effective controls eliminate the threat or reduce to an acceptable level the threat’s potential to impair independence
Safeguards created by the profession, legislation, or regulation
Regulations designed to ensure appropriate management of public resources.
Professional standards.
Professional or regulatory monitoring and disciplinary procedures.
External review by a legally empowered third party of the reports, communications or other information produced by the auditor.
The organizational structure of how the head of the audit organization is appointed and removed from office
Safeguards in the work environment
Documented policies regarding the need to identify threats to independence, evaluate the significance of those threats, and apply safeguards to eliminate or reduce the threats to an acceptable level or, when appropriate safeguards are not available or cannot be applied, terminate or decline the relevant engagement.
Policies and procedures that will enable the identification of interests or relationships between the audit organization or members of engagement teams and audited entities.
Using different management and engagement teams with separate reporting lines for the provision of nonaudit services to an audited entity.
Timely communication of an audit organization’s policies and procedures, including any changes to them, to all partners and professional staff, and appropriate training and education on such policies and procedures.
Designating a member of senior management to be responsible for overseeing the adequate functioning of the audit organization’s quality control system.

34. Safeguards (Continued)
Two broad categories:
Safeguards created by the profession, legislation, or regulation
Safeguards in the work environment

35. Safeguards Created by the Profession, Legislation or Regulation
Regulations designed to ensure appropriate management of public resources
Professional standards
Professional or regulatory monitoring and disciplinary procedures
External review by a legally empowered third party of the reports, communications or other information produced by the auditor

36. Safeguards in the Work Environment
Documented policies regarding the need to:
Identify threats to independence,
Evaluate the significance of those threats,
Apply safeguards to eliminate or reduce the threats to an acceptable level, and
when appropriate safeguards are not available or cannot be applied, terminate or decline the relevant engagement

37. Safeguards in the Work Environment (Continued)
Policies and procedures that will enable the identification interest or relationships between the audited entities and:
The audit organization
Members of engagement teams

38. Safeguards in the Work Environment (continued)
Using different management and engagement teams
Timely communication of an audit organization’s policies and procedures
Designating a member of senior management to oversee the adequate functioning of the audit organization’s quality control system

39. Independence Framework Example Payroll Accruals
Client requests auditor to assist with payroll accruals for financial statements prepared using GASB accounting standards
Threat—self-review threat
Safeguard-Knowledgeable staff at client that is able to review and check reasonableness of numbers based on analytical calculation
Safeguard-Staff assigned are not connected to the audit team

40. Payroll Accruals example
Assess condition or activity for threats to independence
Payroll Accruals example NO
Threat identified? (self-review threat)
YES
Assess threat for significance
Is threat significant?(material)
Proceed NO
YES
Identify and apply appropriate safeguard(s) (Knowledgeable management)
Assess safeguard effectiveness-depends on confidence on managements knowledge
The auditors might note that in the previous year the client has a significant deficiency in internal control over financial reporting. Consequently the client’s internal controls are probably not sufficient to safeguard against the threat to independence that would result from the auditors’ participation in preparing the financials. The auditors would then have to decide whether they will perform the audit or the nonaudit service.
GAGAS could adopt the pre-defined categories that would best serve government audit, and add new categories that apply specific to government audits.
In particular, we think Self-review, Familiarity, Self-interest, and Management participation threats are major threat categories in government auditing. We would propose adding another threat, “Bias threat.”
While preconceived ideas and biases can degrade the quality of any audit, the need to guard against these threats in government audits is especially important due to the sensitive and public nature of many government audits, and the qualitative nature of some performance audits.
YES
Is threat eliminated or reduced to an acceptable level?
Potential independence impairment; do not proceed NO 40

41. Independence Framework Example Slaughterhouse
Auditor, who is a vegetarian, is asked to work on an audit of a slaughterhouse
Threat – bias threat
Significance of the threat
Why is the auditor a vegetarian? (Health or personal views)
Safeguards
Role and responsibilities of the auditor on the engagement
Activity being audited (Payroll or slaughter operations)

42. Slaughterhouse example
Assess condition or activity for threats to independence NO
Slaughterhouse example
Threat identified? (bias threat)
YES
Assess threat for significance (reason for being vegetarian) NO
Is threat significant?(material)
Proceed
YES
Identify and apply appropriate safeguard(s)
(level of the auditor, subject of the audit)
Assess safeguard effectiveness
YES
Is threat eliminated or reduced to an acceptable level?
Potential independence impairment; do not proceed NO

43. Chapter 3, General Standards
(Professional Judgment, Competence and Quality Control and Assurance)

44. Professional Judgment
Added discussion on using professional judgment in applying the conceptual framework for independence

45. Continuing Professional Education (CPE)
2007 Revision of GAGAS incorporated the revised CPE requirements that were issued in April 2005 (GAO G)
No revision to overall requirements
24 hours of CPE every 2 years directly related to GAGAS engagements
Additional 56 hours of CPE, involved in planning, directing, or reporting on GAGAS assignments or charge 20 percent or more of time annually to GAGAS assignments
20 hours of CPE each year 45

46. Prorating CPE
Clarified prorating required CPE hours for auditors hired or assigned to a GAGAS engagement after the beginning of the CPE period

47. Clarified CPE Requirements for Specialists
External specialists
Internal specialists
Internal consultants

48. System of Quality Control
Expanded discussion of quality control and assurance for the audit organization
Policies and procedures for each element of the system of quality control, but do not have to be separate
Audit organization may establish overall policies and procedures that collectively address multiple elements of the system of quality control

49. Peer Review
Aligned the types of peer review opinions with the new types of opinions used in the AICPA peer review program
Some peer review programs may still use the prior terminology

50. Chapters 4 and 5 Financial Audits and Attestation Engagements

51. Financial Audits and Attestation Engagements
Informally adopted a tiered writing approach to Chapters 4 and 5
Retain linkage between AICPA standards and GAGAS
Clearly note additional requirements beyond the AICPA to address the accountability and transparency needs of governments
No new requirements added in this revision

52. Financial Audits
Emphasized governmental considerations for AICPA standards
Materiality
Ongoing investigations or legal proceedings
Early communication of deficiencies

53. Financial Audits Deleted the following:
Requirement for reporting on restatements
Requirement for the audit organization to develop policies to deal with requests by outside parties to obtain access to audit documentation
Requirement on documentation for terminated engagements
Definitions of internal control deficiencies, since definitions of material weakness and significant deficiency are incorporated by reference in SAS 115

54. Reporting on Restatements
GAO staff proposes removal of requirement for reporting on restatement
AICPA issued an exposure draft, Subsequent Events and Subsequently Discovered Facts
GAO staff will continue to monitor the language of the proposed SAS and any revisions made from the exposure draft
This proposed SAS addresses the responsibility of the auditor to respond appropriately to facts that become known to the auditor after the date of the auditor’s report that, had they been known to the auditor at that date, may have caused the auditor to amend the auditor’s report. This proposed SAS requires auditors to:
Discuss the matter with management and where appropriate, those charged with governance
Determine whether the f/s amendment and if so, inquire how management intends to address the matter in the f/s.
If management amends the financial statements, auditor should:
Carry out the audit procedures necessary to audit the amendment
If the “old” audited financial statements were available to third parties, assess whether the steps taken by management are timely and appropriate to ensure that anyone in receipt of the incorrect f/s is informed of the situation, including that the “old” financial statements are not to be relied upon
Extend audit procedures to the date of the new auditor’s report and provide a new report on the amended financial statements
If the opinion on the amended f/s is different, include an additional paragraph that discloses 1) date of the previous report, 2) type of opinion previously expressed, 3) circumstances/events that caused the auditor to express a different opinion, 4) that the opinion is different
If management does not amend the financial statements, the auditor should:
If not made available to third parties, notify management and those charged with governance not to make available externally. If made available externally nevertheless, auditor take appropriate actions to seek to prevent reliance on auditor’s report
If made available to third parties, 1)assess steps taken by management (whether timely and appropriate to prevent reliance2)If management does not take the necessary steps,notify mgt. & those charged with governance that auditor will seek to prevent further reliance on the auditor’s report 54

55. Update terminology
AICPA will eliminate the ten standards, and replace these standards as part of clarity
Revision to the AICPA standards will cause the GAGAS incorporation to be out of date

56. SAS 115 - Revised Definitions for Internal Control Deficiencies
Defines the terms deficiency in internal control, significant deficiency, and material weakness
Provides guidance on evaluating the severity of deficiencies in internal control
No change in practice since “likelihood” and “magnitude” are used as criteria to determine whether control deficiencies should be reported

57. SAS 115 - Revised Definitions for Internal Control Deficiencies (Continued)
Requires the auditor to communicate, in writing, to management and those charged with governance, significant deficiencies and material weaknesses identified in an audit
Current proposal does not include the definitions in GAGAS, since they are already incorporated through the AICPA standards

58. “New” vs. “Old” Internal Control Deficiency Definitions
New Definition - SAS 115
2007 GAGAS Definition (SAS 112)
Significant Deficiency
A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance
A deficiency in internal control or combination of deficiencies, that adversely affects the entity’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity’s financial statements that is more than inconsequential will not be prevented or detected.
Material Weakness
A deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis
A significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that material misstatement of the financial statements will not be prevented or detected

59. Early Communication of Internal Control and Compliance Deficiencies
No new standard but emphasizing requirement in SAS No. 115
Discuss the public interest of early communication
Allow corrective action to start before the report is issued

60. GAO Interim Guidance on Reporting Deficiencies in Internal Control
Issued November 2008 to assist auditors in complying with
SAS No. 115, Communicating Internal Control Related Matters Identified in an Audit (effective for periods ending on or after December 15, 2009)
SSAE No. 15, An Examination of an Entity’s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
Revised AICPA standards have different definitions of material weaknesses and significant deficiencies than GAGAS
Pending the revision, auditors may use the AICPA’s new definition for GAGAS purposes

61. Chapters 6 and 7 Performance Audits

62. Fraud and Waste Added a definition of waste Reporting requirements
Same auditor responsibility as for abuse
Reporting requirements
Instances of fraud that are significant within the context of the audit objectives, rather than all fraud
Instances of waste that are significant within the context of the audit objectives

63. Performance Audits Deleted the following:
Discussion of reasonable assurance, defined for all types of audits in chapter 1
Requirement for the audit organization to develop policies to deal with requests by outside parties to obtain access to audit documentation

64. 2011 Yellow Book Projected Dates
June 2010:
Issue Exposure Draft of 2011 Revision of GAGAS
September 2010:
Comments due on Exposure Draft
January – February 2011:
Issue 2011 Revision of GAGAS
AICPA proposed date of clarified standards is December 15, 2011:
GAO staff will propose an effective date based on final AICPA date

65. GAO’s Accountability & Standards Team
Yellow Book Team:
Jim Dalkin (202)
Marcia Buchanan (202)
Cheryl Clark (202)
Kristen Kociolek (202)
Gail Vallieres (202)
Michael Hrapsky (202)
Heather Keister (202)
Theresa Phipps (202)
Tom Hackney (303)
Eric Holbrook (202)
Mark Kaufman (202)
Andrew Seehusen (202)
We also get lots of help from:
Bob Dacey, GAO Chief Accountant
Jennifer Allison, Advisory Council Administrator
Contact us at
Challenges to Government and Not-For-Profit Community
Fiscal condition of government grantor organizations (federal, state, and local governments) may impact long-term grant revenues and design of programs
Need for services is increasing
Expectations for an unprecedented level of transparency and accountability
Qualified personnel needed to implement proper controls and accountability at all levels of government
Close and ongoing coordination needed among federal, state and local governments, and the grantee organizations
Evolving standards and requirements 65

66. Where to Find the Yellow Book
The Yellow Book is available on GAO’s website at:
For technical assistance, contact us at 66