The Governmental Accountability Office (GAO) recently released a new version of Government Auditing Standards (GAS), commonly known as the Yellow Book, and there are some key changes you should be aware of ahead of your next audit.
The 2018 Yellow Book revision is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020. It is effective for performance audits beginning on or after July 1, 2019. Early implementation is not permitted.
GAS audits continue to be heavily scrutinized in the peer review process and by other regulators. The GAO worked to provide a better organized document for users to easily read and understand, as well as find relevant information. The 2018 Yellow Book’s new format better differentiates requirements and application guidance. The requirements are listed first in a boxed area, with the application guidance following. The supplemental guidance in the appendixes of previous versions of the Yellow Book were removed entirely if not relevant or incorporated into the new chapters. Here’s what you should know.
Independence as It Relates to Nonaudit Services
The standards for independence were expanded regarding the evaluation of nonaudit services that are performed and whether these nonaudit services create significant threats to independence. If a threat is identified, safeguards need to be put into place to reduce the threats identified to an acceptable level. Auditors will be evaluating and documenting threats to independence using the Generally Accepted Government Auditing Standards (GAGAS) Conceptual Framework for Independence, which is included in the 2018 Yellow Book.
The new standard makes it clear that preparing financial statements from a client-provided trial balance or underlying accounting records generally creates significant threats to auditors’ independence. Auditors will need to document the threats and safeguards applied to eliminate and reduce threats to an acceptable level or decline to perform the service. Nonaudit services that would have to be evaluated would also include cash to accrual conversions and any account reconciliations that are prepared by the auditors. In short, auditors can still prepare financial statements that they then audit, but they must take additional steps to provide assurance that they remain independent.
The 2011 Yellow Book provided examples relating to financial statement preparation creating a specific threat to independence. However, it was found that auditors were not always evaluating these nonaudit services as a significant threat. Therefore, the 2018 Yellow Book clearly includes that these services do create a significant threat that must be evaluated. It is recommended that these nonaudit services be evaluated prior to the effective date of the 2018 Yellow Book, as auditors who are performing nonaudit services will need to ensure that they comply with the independence standards for the entire period under audit. In addition, if auditors prepared financial statements previous to the period they now audit, this includes auditing beginning balances, which creates a threat that must be identified and evaluated.
Routine activities, such as an auditor providing advice or educating staff and responding to questions as well as providing clerical assistance such as typing, formatting, printing and binding of financial statements is unlikely to be a significant threat per the new standards.
Prior to auditors agreeing to provide nonaudit services the auditors need to determine if the entity has a designated individual who possesses suitable skill, knowledge, or experience (SKE) and clearly understands the services to be provided to sufficiently oversee the auditor. Auditors are required to documentation SKE for management’s ability to oversee these services. Auditors should be asking questions to document SKE for these individuals overseeing the nonaudit services. The designated individual is not required to possess the expertise to perform or reperform the services that the auditor performs; however, they need to be able to effectively oversee the nonaudit services and the reasonableness of the results of the nonaudit services and to recognize a material error, omission or misstatement in the results on the nonaudit services performed. Management must be able to accept responsibility for nonaudit services that are being performed. Independence will always be impaired if management does not have SKE. Audit engagement letters should address each nonaudit service so that management is aware of their responsibilities.
Check out our series on common single audit findings and how to ensure your governmental entity remains in compliance.
The 2018 Yellow Book includes a new concept referred to as “waste” and there are new considerations for the auditor’s role in addressing waste. Waste is defined in the 2018 Yellow Book as “the act of using or expending resources carelessly, extravagantly, or to no purpose. Waste can include activities that do not include abuse and does not necessarily involve a violation of law.” If auditors identify possible waste, they will need to consider the underlying internal control that caused the waste and evaluate if there is an internal control deficiency or other noncompliance with provisions of laws, regulations, contracts and grant agreements that will need to be reported.
Waste primarily relates to the mismanagement, inappropriate action, and inadequate oversight. This can be very subjective and dependent on facts and circumstances. Examples could be making travel choices or incurring unnecessary and extravagant expenses not in accordance with policies in place; procurement or vendor selections which are not in accordance with policies in place; creating unnecessary overtime; personal errands; misusing position for personal gain. You should be familiar with this new concept and the auditor’s role if potential waste is found.
Performance auditing is a fast-growing area for local governments, and they are certainly not meant to replace financial statement audits. A performance audit is an engagement that provides objective analysis, findings and conclusions to assist management and those charged with governance and oversight to improve program performance and operations, reduce costs, facilitate decision making and contribute to public accountability. The 2018 Yellow Book provides for specific considerations for when internal control is significant to the audit objectives. When internal control is deemed significant the auditors will need to assess and document their assessment. During this process auditors may have more questions for the auditee and this could potentially result in internal control deficiencies.
The changes in the 2018 Yellow Book have the potential to impact your next engagement, and knowing what to expect can help make you maximize the value of your audit. Eide Bailly is here to help you make sense of the changes, so don’t hesitate to contact us if you need more clarity on this important topic.