Tag Archives for " Yellow Book "

internal control reporting
Feb 05

Internal Control Reporting When There are No Issues

By Charles Hall | Auditing

In this post, I provide an overview of the internal control reporting requirements when no significant deficiencies or material weaknesses are noted in an audit of the financial statements. I also provide guidance for when such an engagement is subject to the Government Auditing Standards (i.e., Yellow Book). You’ll see a video that shows you what the audit opinion and Yellow Book reports look like when both are in play, and there are no issues. 

internal control reporting

Internal Control Reporting Standards

There are two sets of rules when you perform an audit that is subject to the Yellow Book requirements:

  1. Generally accepted auditing standards from AICPA
  2. Government Auditing Standards (i.e., Yellow Book) from GAO

And only one set of rules if the audit is not subject to the Yellow Book requirements:

  1. Generally accepted auditing standards from AICPA

Consider two scenarios.

1. Perform an audit not subject to Yellow Book 

If you perform an audit (not subject to Yellow Book) and have no significant deficiencies or material weaknesses, then no internal control letter is required (for anyone). I refer to this letter as the “SAS 115 letter” since that’s where the original generally accepted auditing rule came from. Some people opt to issue one anyway. But again, this is not required.

In this scenario, you issue one report:

Audit opinion (and no internal control letter is issued)

2. Perform an audit subject to Yellow Book 

If you perform an audit that is subject to Yellow Book and have no significant deficiencies or material weaknesses, then no SAS 115 internal control letter is requiredSome people opt to issue one anyway.

A Yellow Book report is required (even though there are no significant deficiencies or material weaknesses) and is included in the audited financial statements, usually after the notes to the financial statement. 

You do not need to send this report to anyone separately (i.e., the government) since it’s included in the bound audit report.

So, in this scenario, you issue two reports:

  1. Audit opinion, and
  2. Yellow Book report

But what do these reports look like? 

Yellow Book Report and Amendments to Audit Opinion

Here is a video that shows you what a Yellow Book reports looks like when there are no significant deficiencies or material weaknesses. 

I also show you how to amend your standard audit opinion (governmental example) when the Yellow Book report is provided. 

See my related article about capturing and reporting control deficiencies. I define significant deficiencies and material weaknesses in another post.

YouTube player
Yellow Book CPE
Jul 06

2018 Yellow Book CPE Requirements

By Charles Hall | Auditing , Local Governments

What are the 2018 Yellow Book CPE requirements?

You’ve heard about the new Yellow Book (effective for audits of years ending June 30, 2020, and after). So, now you’re wondering if there are any changes in CPE requirements. This article explains the Yellow Book continuing education requirements. 

Below we will address (1) who is subject to the Yellow Book CPE requirements and (2) what CPE classes satisfy those requirements.

Yellow Book CPE

Overview

Paragraph 4.16 of the Yellow Book states “Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of CPE in every 2-year period.”

Nevertheless, Paragraph 4.26 states “nonsupervisory auditors who charge less than 40 hours of their time annually to engagements conducted in accordance with GAGAS may be exempted by the organization from all CPE requirements in paragraph 4.16.” Additionally, paragraph 4.27 allows an audit organization to exempt “college and university students employed on a temporary basis.”

Auditors not exempted by the provisions in paragraphs 4.26 or 4.27 must take at least 20 hours of CPE in each year of the two years. 

So, there is an 80 requirement. Additionally, there are two more requirements:

  1. 56-hour (every two years)
  2. 24-hour (every two years)

Below we’ll see:

  1. Who is subject to each requirement?
  2. What classes qualify for each requirement?

Before we get into the details, you may be wondering, “How do I know if I am subject to the Yellow Book CPE requirements?” To answer that question, consider whether a Yellow Book report is to be issued (or whether one was issued in a prior engagement). If yes, then consider the requirements below. In most audit reports, you’ll see the Yellow Book report just after the notes to the financial statements. And when must an entity comply with the Yellow Book requirements? Usually when a law or a grant requires it. 

YouTube player

Now, let’s start our review of Yellow Book CPE requirements.

The 24-Hour Requirement – Who is Subject?

Who is subject to the 24-hour requirement? If you work on a Yellow Book engagement as an auditor, you are subject to the 24-hour requirement. Even so, if you are a nonsupervisory auditor that works less than forty hours annually on Yellow Book engagements, your audit organization can exempt you from Yellow Book requirements. (See paragraph 4.26 of the Yellow Book.) Additionally, audit organizations can exempt college students hired temporarily. (See paragraph 4.27 of the Yellow Book.)

Next, let’s see who is subject to the 56-hour requirement?

The 56-Hour Requirement – Who is Subject?

Who is subject to the 56-hour requirement? Auditors who are involved in:

1. Planning,
2. Directing, or
3. Reporting 

These are usually partners, managers, and in-charges. 

Additionally, the 56-hour requirement applies to auditors who are not involved in planning, directing, or reporting but charge 20 percent or more of their annual time to GAGAS engagements. This category usually includes professional staff personnel. 

So, consider this example. You have a staff member that has:

  • 2,000 hours of total time each year
  • 140 hours in two GAGAS (Yellow Book) engagements for the year
  • He is not involved in planning, directing, or reporting

He is not subject to the 56-hour requirement (his GAGAS time is less than 20% of the total hours), though he is subject to the 24-hour requirement.

But suppose he is promoted during the year and becomes a manager on the second Yellow Book engagement. Even though his time is less than 20% of his annual time, he is now subject to the 56-hour requirement. Why? He is directing the engagement. 

Now, let’s see what classes qualify for Yellow Book CPE. 

What Classes Qualify for Yellow Book CPE?

Paragraph 4.21 of the Yellow Book states, “Determining what subjects are appropriate for individual auditors to satisfy the CPE requirements is a matter of professional judgment to be exercised by auditors in consultation with appropriate officials in their audit organization.” Moreover, there are differences in the 56-hour requirement and the 24-hour requirement. Otherwise, only one category would exist. The 56-hour requirement is broader and the 24-hour requirement is more specific. 

Yellow Book CPE

Okay, let’s define the differences in the 56-hour and 24-hour requirements. 

The 56-Hour Rule – Classes that Qualify

The 56-hour rule is broad, encompassing any CPE that enhances the auditor’s professional expertise to conduct engagements.  So, CPE classes about better writing, for example, would qualify. 

Paragraph 4.24 of the Yellow Book provides the following as examples of acceptable topics:

  • Subject matter categories for the 24-hour requirement listed in paragraph 4.23 (the 24-hour requirement–see below)
  • General ethics and independence
  • Communicating clearly in writing or verbally
  • Managing time
  • Leadership
  • Political science

Now, let’s compare the general 56-hour requirements with the more specific 24-hour requirements. 

The 24-Hour Rule – Classes that Qualify

Each auditor performing work under GAGAS should complete, every two years, at least twenty-four hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.

Paragraph 4.23 of the Yellow Book provides the following as examples of acceptable topics:

  • GAO generally accepted government auditing standards (GAGAS)
  • AICPA Statements of Auditing Standards (SASs)
  • AICPA Statements on Standards for Attestation Services (SSAEs)
  • AICPA Statements on Accounting and Review Services (SSARS)
  • Standards issued by the Institute of Internal Auditors
  • Standards issued by the Public Company Accounting and Oversight Board
  • U.S. Generally Accepted Accounting Principles (FASB and GASB)
  • Standards for Internal Control in the Federal Government
  • COSO Internal Controls–Integrated Framework
  • Relevant audit guides (including information technology auditing and forensic auditing)
  • Fraud and abuse in a governmental environment
  • Compliance with laws and regulations
  • Topics related to the governmental environment such as financing, economics, appropriations, program performance
  • Governmental ethics and independence

Notice these topics are more directly related to auditees than those in the 56-hour requirement. But again, use judgment to determine whether a CPE class is in the 24-hour or the 56-hour bucket. 

Since the GAO, a governmental agency, issues the Yellow Book, we tend to associate Yellow Book engagements with audits of governments. But the Yellow Book can be in play for entities such as banks or electric membership corporations. 

Specific or Unique Environment in Which the Audited Entity Operates

Suppose you audit electric membership corporations (EMCs) subject to the Yellow Book. A CPE class about electric supply grids qualifies for the 24-hour requirement. Or if you audit banks subject to Yellow Book requirements (e.g., FHA loans), then a CPE class dealing with lending qualifies. These classes address issues unique to the environment in which the entity operates.

So, are there CPE classes that don’t qualify as GAGAS hours?

CPE that Does Not Qualify as Yellow Book Hours

Some CPE classes will not qualify as GAGAS hours. Paragraph 4.36 of the Yellow Book provides the following examples:

  • On-the-job training
  • Resume writing
  • Improving parent-child relations
  • Personal investments
  • Money management
  • Retirement planning

Additionally, paragraph 4.35 states that some taxation classes may not qualify such as estate planning. It is possible that a tax class would qualify if “topics relate to an objective of the subject matter of an engagement.”

Your head might be spinning from all of the above rules. So, you might be wondering, can my audit organization use a standard two-year cycle for all employees? You’d like to keep this as simple as possible. 

Two-Year Cycle

An audit organization can adopt a standard two-year period for all of its auditors to simplify the administration of CPE requirements.

But can you carry over excess CPE credit earned in the two-year period?

Carryover Credit

Auditors are not allowed to carry over hours in excess of the 24-hour or 56-hour rule to the next reporting period.

And what are the Yellow Book CPE requirements for a new employee?

Proration of Hours for New-Hires (or Those Newly Assigned to a Yellow Book Audit)

You will prorate the hourly requirements based on the remaining full 6-month intervals in your two-year reporting period. For example, you hire Joan on May 1, 2021, and the firm’s two-year cycle ends on December 31, 2021. There is one remaining full 6-month period. So, if Joan is subject to the 24-hour rule, she will multiply 25% (one six-month period divided by the four six-month periods in the two-year cycle) times 24 to compute the required hours: 6 hours.

And when is the 2018 Yellow Book effective?

Effective Date of Yellow Book Guidance

The 2018 Yellow Book is effective for audits of financial statements for periods ending on or after June 30, 2020. Early implementation is not permitted.

But, didn’t the GAO provide COVID-19 relief? Yes. 

COVID-19 GAO Guidance

The above information is provided without consideration of the COVID-19 guidance issued on February 29, 2020. See the GAO COVID-19 guidance here

Yellow Book Independence
Feb 02

Threats to Yellow Book Independence

By Charles Hall | Auditing , Local Governments

Yellow Book independence is a big deal. And if you prepare financial statements in a Yellow Book audit, you need to be aware of the independence rules. Below I tell you how to maintain your independence—and stay out of hot water,

Yellow Book Independence

Yellow Book Independence Impairment in Peer Review

Suppose that--during your peer review--it is determined your firm lacks independence in regard to a Yellow Book engagement.

What could happen? Well, I can't say for sure, but I think it would be nasty. At a minimum, you would probably receive a finding for further consideration. The engagement is definitely nonconforming (not conforming to professional standards).

Then, you'd need to provide a response--explaining what you intend to do about the lack of independence. And this could get very interesting. Not where you want to be.

Preparation of Financial Statements is a Significant Threat

If you prepare financial statements (a nonattest service) for your audit client, you have a significant threat. Why? You are auditing something (the financial statements) that you created. There is a self-review threat. 

When there is a significant threat, you must use a safeguard (to lessen the threat). Such as? A second partner review. So, for example, you might have a second audit partner (someone not involved in the audit) review the financial statements. Since the second partner did not create the financial statement, the self-review threat is mitigated.

Notice the safeguard (the second partner review) is something the audit firm does--and not an action of the audit client. Therefore, it qualifies as a safeguard.

2018 Yellow Book

The 2018 Yellow Book states the following in paragraph 3.88:

Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level...or decline to provide the services. 

But My Client has Sufficient SKE

You've heard your audit client must have sufficient skill, knowledge and experience (SKE) and that they must oversee and assume responsibility for nonattest services. This is true and is always required when nonattest services are provided to an audit client. 

Even so, the client's SKE does not address the self-review threat

Think of the SKE issue as a minimum requirement. Do not pass "go" if the client does not assign someone (with SKE) to oversee the nonattest service. You are not independent. End of discussion. (If the client does not have sufficient SKE, see section below titled Inadequate Skill, Knowledge, and Experience.)

SKE is not a safeguard

The January AICPA Reviewer Alert distinguishes the SKE requirement from safeguards saying, "Client SKE should not be viewed as a safeguard, but rather a mandatory condition before performing any nonaudit services."

Once the client SKE issue is dealt with, consider if auditor safeguards are necessary. Why? A self-review threat may be present. 

The AICPA (in its AICPA Yellow Book Practice aid) provides examples of safeguards (again, these are actions of the audit firm) including:

  • Obtaining secondary reviews of the nonaudit services by professional personnel who were not involved in planning or supervising the audit engagement.
  • Obtaining secondary reviews of the nonaudit services by professional personnel who were not members of the audit engagement team.

See Appendix E of the AICPA Yellow Book Practice Aid for additional examples of safeguards and how to apply them.

Independence Documentation is Required

The Yellow Book requires that your independence be documented. If it is not, a violation of professional standards exists. 

So, document the SKE of the client and the safeguards used to address significant threats. Also, document which nonattest services are signficiant threats. Peer reviewers focus on Independence documentation.

Document Significant Threats

The January 2019 Reviewer Alert (an AICPA newsletter provided to peer reviewers) provides a scenario where an audit firm performs a Yellow Book audit and prepares financial statements. Then the firm has an engagement quality control review (EQCR) performed, but it does not identify the preparation of financial statements as a significant threat. The newsletter states "the engagement would ordinarily be deemed nonconforming for failure to document identification of a significant threat." So, even if a safeguard (e.g., a second partner review) is in use, the lack of documentation makes the engagement nonconforming.

Judging Client's SKE

Here are examples of client personnel that might be available to oversee the financial statements preparation service:
  1. A 15 year mayor who is a businessman, no accounting education, no formal training in reading governmental financial statements. He understands the fund level statements but can't grasp the reconciliation between the government-wide financial statements and the fund level financial statements.
  2. Second year finance director with no prior accounting experience, graduated from a two year college with a degree in general business.
  3. Finance director with 25 years experience and is a CPA and a member of GFOA. She trains others in governmental accounting.
  4. Finance director with a high school education but has extensive governmental accounting training from the Carl Vinson Institute. He has the ability to create the financial statements from scratch.

As you can see, the Yellow Book independence assessment will sometimes be black and white, but other times, not so. Regardless, the audit client has to have someone with sufficient skill, knowledge and experience to oversee the financial statements preparation. Why? The auditor can't assume responsibility for the statements. This is a management responsibility.

Management Responsibilities

The 2018 Yellow Book (paragraph 3.75) says the following about management responsibilities:

In cases where the audited entity is unable or unwilling to assume these responsibilities (for example, the audited entity does not have an individual with suitable skill, knowledge, or experience to oversee the nonaudit services provided, or is unwilling to perform such functions because of lack of time or desire), auditors should concluded that the provisions of these services is an impairment to independence.

Additionally, paragraph 3.73 of the Yellow Book states:

Auditors should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience and that the individual understands the services to be provided sufficiently to oversee them.

If the government has no one with sufficient SKE, then the external auditor is not independent and can't perform the audit.

So, is there another option when the client does not have sufficient SKE?

Inadequate Skill, Knowledge, and Experience

If the auditor can't get comfortable with the client's SKE (e.g., the client's ability to review the financial statements and assume responsibility), what can be done? The audited entity can hire someone with sufficient SKE. For example, the entity could contract with a CPA not affiliated with the external audit firm to review the financial statements on their behalf.

Many smaller governments need to contract with an outside person in order to have sufficient SKE. The problem, however, is they may not have the funds to do so. If you as the auditor make this suggestion, be prepared for this question: "Isn't this why I hired you?" Regardless, the client has to have sufficient SKE before the auditor can issue an opinion. 

In Summary

Here's the lowdown to protect your firm:

  1. Document the nonattest services you are to perform
  2. Document the client person that will oversee and assume responsibility for the nonattest service
  3. Document the SKE of the designated person
  4. Consider whether any nonattest services are significant threats 
  5. Document which, if any, nonattest services are significant threats
  6. Use (and document) a safeguard to address each significant threat (examples of safeguards include an EQCR or a second-partner review)

Looking for a tool to document Yellow Book independence? Consider the AICPA's practice aid. Here is the free PDF version. You can also purchase the fillable version here. (Cost is $39 for AICPA members.) This is the 2011 Yellow Book aid. I am thinking the AICPA will create a 2018 Yellow Book version as well. 

Yellow Book
Jul 17

Government Auditing Standards: 2018

By Charles Hall | Auditing , Local Governments

Government Auditing Standards 2018 Revision

The Government Accountability Office just issued the new Yellow Book titled Government Auditing Standards 2018 Revision.

Government Auditing Standards 2018 Revision

Get Your Free Copy

An electronic version of the 2018 Yellow Book can be accessed on GAO’s Yellow Book web page at http://www.gao.gov/yellowbook.

Major Changes

The introduction to the new Yellow Book summarizes the significant changes as follows:

This revision contains major changes from, and supersedes, the 2011 revision. These changes, summarized below, reinforce the principles of transparency and accountability and strengthen the framework for high quality government audits.

  • All chapters are presented in a revised format that differentiates requirements and application guidance related to those requirements.
  • Supplemental guidance from the appendix of the 2011 revision is either removed or incorporated into the individual chapters.
  • The independence standard is expanded to state that preparing financial statements from a client-provided trial balance or underlying accounting records generally creates significant threats to auditors’ independence, and auditors should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level or decline to perform the service.
  • The peer review standard is modified to require that audit organizations comply with their respective affiliated organization’s peer review requirements and GAGAS peer review requirements. Additional requirements are provided for audit organizations not affiliated with recognized organizations.
  • The standards include a definition for waste.
  • The performance audit standards are updated with specific considerations for when internal control is significant to the audit objectives.

Effective with the implementation dates for the 2018 revision of Government Auditing Standards, GAO is also retiring Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005) and Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014).

Effective Dates

The 2018 revision of Government Auditing Standards is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019.

Early implementation is not permitted.

The 2018 revision of Government Auditing Standards supersedes the 2011 revision (GAO-12-331G, December 2011), the 2005 Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005), and the 2014 Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014). 

>