Proposed Changes to GAO's Yellow Book Promote Harmonization of Auditing Standards
Revisions incorporate more formal conceptual framework for independence issues.
By James R. Dalkin, CPA
December 2010
In August, the Government Accountability Office (GAO) issued proposed standards revising Generally Accepted Government Auditing Standards (GAGAS), commonly known as the “Yellow Book.” The update revises the July 2007 Yellow Book and is expected to be effective for audits beginning after Dec. 15, 2011, with the exception of the financial chapter, which will have an effective date to coincide with the AICPA’s Auditing Standards Board (ASB) Clarity Project. This article highlights the significant changes in the proposed standards.
The Yellow Book was first published in 1972 and has been updated and revised over the years. Two primary factors are driving the current Yellow Book update:
Continued modernization and harmonization of auditing standards by various standard-setting bodies, including technical updates to reflect standards that have already been revised.
Revisions to address issues and frequently asked questions from the GAO’s Yellow Book technical assistance line.
Another important consideration in updating the Yellow Book has been the ASB Clarity Project. As the ASB more closely aligns U.S. auditing standards with those issued by the International Auditing and Assurance Standards Board, the GAO reviews the standards and assesses their potential impact on GAGAS.
The proposed standards include other changes to further clarify and harmonize the standards. For instance, emphasis has been placed on removing duplication with ASB requirements and clarifying what represents an additive standard for GAGAS. Another example will be the elimination of the AICPA definitions for material weaknesses and significant deficiencies. These definitions will now be incorporated by reference. In addition, to provide a format consistent with the ASB Clarity Project, the footnote format has been refined to include only a direct reference to another standard.
CHAPTER REORGANIZATION
Readers will quickly notice a reorganization of the Yellow Book. Ethical principles, formerly in chapter two, have now been incorporated into chapter one on the foundational concepts of GAGAS. Chapter two now emphasizes the application of GAGAS. Also, financial audit chapters four and five have been merged into a single chapter.
INDEPENDENCE REVISIONS
Substantial changes have been incorporated into chapter three covering independence. The 2007 revision emphasized overarching principles of independence such as auditors not auditing their own work or taking the role of management. The principles were augmented by a question-and-answer guide that featured specific facts and circumstances. The guide had limitations in its applicability and usefulness due to its specificity.
The Yellow Book Advisory Council and staff concluded that a more formalized conceptual framework could provide a uniform structure for analyzing the many independence issues that can arise, each with its own facts and circumstances.
Under the new framework, the auditor identifies threats to independence and then assesses the significance of the threats. If identified threats are deemed significant to the engagement, the auditor then determines whether safeguards could be put in place to mitigate the threats to an acceptable level. The framework also provides guidance on the significance of certain specific threats and whether those threats can be mitigated.
This threat assessment and application of safeguards requires professional judgment. If the auditor concludes that there are no safeguards sufficient to reduce a threat to an acceptable level, then the threat would result in an impairment to independence, and the auditor should respond accordingly. The auditor is required to document any independence issue that requires significant discussion or analysis.
THREATS AND SAFEGUARDS
The proposed standards identify categories of threats that occur through:
Self-review. An auditor reviews his/ her own work.
Self-interest. An auditor has a vested interest in the audit results.
Bias. An auditor has a preconceived notion regardless of results.
Familiarity over time. An auditor has become too close to the subject of the audit.
Undue influence. Pressures may impair an auditor’s judgment.
Management participation. An auditor takes the role of management.
Structural. A governmental structure may create an appearance of impairment.
Under the proposed standards, if a nonaudit service is not expressly prohibited, the auditor should apply the conceptual framework to conclude whether a potential impairment exists. In some cases, safeguards may mitigate threats to an acceptable level. However, even if properly applied, safeguards may not always be sufficient to reduce some threats. The proposed standards identify safeguards created by the profession as well as those directly related to the work environment. Examples include:
Professional or regulatory monitoring and disciplinary procedures.
External reviews by third parties of reports.
Using different management and engagement teams with separate reporting lines for the provision of nonaudit services to an audited entity.
Additional review requirements for nonaudit services.
Additional oversight by the audited entity’s management over nonaudit services.
PROHIBITIONS WITHIN CERTAIN NONAUDIT SERVICES
While the proposed standards provide a conceptual framework for independence issues, certain specific prohibitions still exist. These prohibitions involve areas that have been problematic in the past and particularly so in a governmental public-sector environment. It is important to note that the entire nonaudit service is not prohibited, just certain services. Within each of the following nonaudit categories, specific services are expressly prohibited:
Internal Audit Services
Establishing internal audit policies or strategic direction of the auditee.
Selecting or implementing internal audit recommendations.
Designing, implementing or maintaining internal control.
Internal Control Monitoring and Assessments
Providing ongoing monitoring procedures.
Information Technology (IT) Services
Designing or developing an information system that would be subject to an audit.
Modifying source code.
Operating or supervising an IT service.
Valuation Services
Providing valuation services that would have a material effect, separately or in the aggregate, on the financial statements or other information that is subject to an audit, and the valuation involves a significant degree of subjectivity.
Financial Statement Preparation, Bookkeeping, and Client Assistance
An area that the profession continues to struggle with involves maintaining independence when the auditor provides the audited entity with assistance in bookkeeping and financial statement preparation. Whether it involves converting cash statements to accrual basis or preparing financial statements, the auditor frequently walks a fine line between independence and impairment. The GAO’s proposed standards are consistent with those of the AICPA in identifying certain activities that create an automatic impairment. These include:
Determining or changing journal entries, account codings, classifications for transactions, or other accounting records without obtaining client approval.
Authorizing or approving transactions.
Preparing source documents.
Changing source documents without client approval.
The proposed standards do not expressly prohibit a practitioner from providing bookkeeping or financial statement preparation other than the activities listed as prohibited in the standards. Before performing bookkeeping and financial services not expressly prohibited, the auditor should evaluate them within the conceptual framework to determine whether an impairment exists.
For bookkeeping and financial statement activities that are not expressly prohibited, management charged with overseeing the nonaudit service should possess suitable skill, knowledge or experience to evaluate the adequacy and results of the services performed. If management does not have suitable skill knowledge or experience to evaluate the adequacy and results of the services performed, an impairment exists. This requirement currently exists for CPAs under the AICPA’s Code of Professional Conduct, Rule 101, Independence (Interpretation 101-3, Performance of Nonattest Services).
AUDITS SUBSEQUENT TO NONAUDIT SERVICES
The proposed standards introduce the concept of a post-impairment period. This period reflects the audit period immediately after the auditor provides an independence- impairing service. Under the proposed standards, auditors who perform independence-impairing nonaudit services may audit in subsequent periods only after sufficient safeguards have been identified to mitigate the threat. One example of a safeguard would be the performance of an audit by an auditor not providing the original nonaudit service. The auditor should also consider issues of independence in appearance that may arise should an audit be performed after an impairing nonaudit service has been provided.
QUESTION-AND-ANSWER GUIDE RETIREMENT
The Answers to Independence Standards Questions (QA Guide) issued in July 2002 will be superseded by the new standards once they are finalized. Under the new independence framework, unless the service is specifically prohibited, the conceptual framework should be applied. Certain specific situations addressed in the original QA Guide such as “de minimis,” nonaudit services, and safe harbors have not been included in the proposed standards and will no longer apply. Instead, under the more principle-based framework, auditors will need to address the threats and safeguards within the conceptual framework.
QUALITY CONTROL
The proposed standards have further harmonized quality control with that of the AICPA. Audit organizations and firms that are in compliance with AICPA quality-control requirements would be consistent with the requirements of the proposed standards.
SPECIALISTS AND CONTINUING EDUCATION REQUIREMENTS
The basic continuing professional education (CPE) requirements under GAGAS have not changed from the 2007 Yellow Book. However, the proposed standard clarifies continuing education requirements for internal specialists such as actuaries. Auditors who work under GAGAS should complete a minimum of 24 hours of CPE every two years. Internal specialists who apply their specialized knowledge to the audit should complete 24 hours of CPE in their area of specialty. For example, an actuary may satisfy the educational requirement with 24 hours of CPE training in actuarial science. Consistent with the extant standards, external specialists are not required to follow the CPE requirements; however, auditors are required to consider whether external specialists are qualified to serve an engagement.
FINANCIAL AUDIT CHAPTER
The combined financial audit chapter does not contain any new requirements. However, the revision did reduce redundancy and changed certain terminology. Consistent with the ASB Clarity Project, the term “field work” has been replaced with “performance.” The proposed standards will continue to use the term “field work” when discussing attest engagements until the AICPA revises its wording in the AICPA attestation standards.
In addition, requirements already included in the AICPA audit standards have been eliminated from the proposed standards. These include:
Restatements.
Definitions of internal control deficiencies.
Communication of significant matters.
Consideration of fraud and illegal acts.
ATTESTATION ENGAGEMENTS
The volume of calls to the Yellow Book technical assistance line prompted revisions to the chapter on attestation engagements. One area of confusion has been determining whether an engagement is a form of attest (examination, review, or agreed-upon procedure) or a performance audit. The chapter has been revised to more clearly delineate between the types of engagements. Additional guidance has been incorporated into the chapter to direct the reader to the proper service. In all cases, if the auditor provides attest services, he or she should review and follow all guidance provided by the AICPA on these services. The proposed standards provide supplemental requirements and guidance, while the AICPA audit standards provide the foundational requirements.
PERFORMANCE AUDITS
The performance audit chapter has been updated but has not been substantially changed. One change clarifies fraud reporting requirements within performance audits to specify that reporting is required for occurrences that are significant within the context of the audit objectives.
PRACTITIONER IMPLEMENTATION AND ASSISTANCE
As with any proposed standard, practitioners need to read carefully and understand the nature of the changes before attempting to apply them. The GAO offers technical assistance for questions related to government auditing standards. The AICPA offers guidance through its Governmental Audit Quality Center.
The comment deadline was Nov. 22, 2010. The Yellow Book Advisory Council and GAO are evaluating the comment letters and will make changes to the final draft as appropriate. Government Auditing Standards, 2010 Exposure Draft, can be downloaded at gao.gov/govaud/ybk01.htm.
http://www.journalofaccountancy.com/Issues/2010/Dec/20102944
No comments:
Post a Comment