Government Auditing Standards 2018 Revision (Hot Off the Press)

By Charles Hall | Auditing , Local Governments

Yellow Book Independence: When Should You Apply Safeguards?

By Charles Hall | Auditing

In some me Yellow Book audits, you need to apply safeguards to lessen threats to independence. This article provides you with guidance about those safeguards.

When I was a kid living in Donalsonville, Georgia, my mother would drive into our open garage, leave the keys in the ignition (where they remained for the evening), and then would walk into our home (which had not been locked all day).

Over time, I noticed that she left the keys in the car less and less, and we began to lock the doors of our home. At one point we even bought deadlocks.

Why?

It seems our neighbors were, from time to time, having small thefts, and one even had a burglar in the home as they returned one afternoon.

My parents were responding to risks. The greater the thefts and burglaries, the greater the safeguards.

Safeguards Required by Yellow Book

Whenever an external auditor performs nonattest services (e.g., preparation of financial statements), then the auditor should consider whether the nonattest service adversely affects his independence.

The Government Auditing Standards (known as the Yellow Book) requires that safeguards be applied whenever independence threats are significant – but only if they are significant – in order to eliminate or reduce such threats to an acceptable level.

Yellow Book Independence Safeguards

Examples of safeguards that may eliminate or reduce significant threats to an acceptable level include the following:

• Discussing independence issues with those charged with governance of the entity
• Assigning separate engagement personnel for the audit and nonaudit service
• Obtaining secondary reviews of the nonaudit services by professional personnel who were not members of the audit engagement team (e.g., second partner review of financial statements prepared by the external audit firm)
• Discussing the significance of the threats to management participation or self-review with the engagement team and emphasizing the risks associated with such threats
• Educating management on the nonaudit services performed by reviewing and explaining the reason and basis for all significant transactions, as well as authoritative standards, so that management is in a position to determine or approve all assumptions and judgments and take responsibility for the nonaudit services
• When financial statement preparation is the nonaudit service being performed, determining that there has been review of the financial statements and successful completion of a disclosure checklist by the audited entity

Not all safeguards listed would be appropriate for all significant threats identified and, often, may require combinations of more than one safeguard. When determining the type and number of safeguards to be applied, the auditor should consider the significance of the threats, both individually and in the aggregate.

Some safeguards have a higher level of mitigation of threats than others. Also safeguards that involve personnel who are independent of the audit process are generally more effective than those who are not independent.

Determining which safeguards to apply involves professional judgment and is dependent on the facts and circumstances of each specific situation.

Prohibited Services

Finally remember that safeguards cannot be used to ameliorate risk related to prohibited services (e.g., the external audit firm signs checks for the client); if the external auditor performs prohibited services, then safeguards cannot remedy the lack of independence. Examples of prohibited services follow:

• Setting policies and the strategic direction for the audited entity
• Directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities
• Having custody of an audited entity’s assets
• Accepting responsibility for designing, implementing, or maintaining internal control

Preparing Financial Statements 

Yellow Book Independence Documentation is Important

By Charles Hall | Accounting and Auditing , Local Governments

I just received the June 2016 AICPA Reviewer Alert (a monthly newsletter for peer reviewers). It provides the following Yellow Book independence documentation guidance:

Yellow Book contains specific requirements for documentation related to independence which may be in addition to the documentation that auditors have previously maintained. The 2011 Yellow Book Chapter 3 emphasizes that documentation is required for the evaluation of each of the elements of independence, which consists of:

1. Management’s ability to oversee the nonaudit services, including whether management has skills, knowledge, and experience
2. Significant threats that require the application of safeguards along with the safeguards applied
3. Understanding established with the audited entity regarding the nonaudit services to be performed

Failure to document one or more of these elements is considered a departure from professional standards that causes the engagement to be deemed nonconforming. The reviewed firm and reviewer should be aware that verbal explanation and vague completion of a checklist does not provide for a thoughtful evaluation and documentation of management’s abilities related to each nonaudit service and will be unlikely sufficient to comply with the standards.

Yellow Book Independence Forms

All firms that perform Yellow Book engagements need to make sure their system of quality control provides guidance for documentation of the three items listed above. Consider using the AICPA’s 2011 Yellow Book Independence form. The electronically fill-able version is $28 for AICPA members and can be found here. The free PDF version can be found here.

For information about determining if your client’s skill, knowledge, and experience are sufficient, click here.

Findings from Peer Reviews of Governmental Engagements

By Charles Hall | Accounting and Auditing , Local Governments

The AICPA has identified governmental engagements as a high-risk area. While governmental accounting is complex, the addition of Yellow Book and Single Audit standards (when applicable) make these engagements even more challenging.

I recall in the pre-GASB 34 days reviewing physical ledger sheets that contained all of the transactions for a local government. There were no Yellow Book or Single Audit requirements. Those idyllic days of simplicity are gone, and the complexity of governmental audits has increased a hundred-fold.

Governmental regulators have complained that CPAs are not performing these audits in conformity with professional standards. In addition, these regulators are saying that the present peer review process is not identifying non-conforming engagements.

AICPA’s Testing of Peer Review Process

In response to these concerns–and those related to other high-risk areas such as benefit plans–the AICPA performed enhanced oversights to gauge how well peer reviewers are performing.

Here are some of the key takeaways from the oversights performed on that initial sample of engagements:

• Approximately 40 percent of the engagements selected as part of this pilot program were identified as non-conforming with the applicable professional standards by the industry experts.
• The peer reviewers on these engagements had identified only around one out of ten as non-conforming.
• Over the 2012 to 2014 peer review cycle, 8 percent of the must-select engagements reviewed were identified as non-conforming by their reviewers.

Peer review statistics related to governmental engagements reflect similar dynamics:

• Significantly more GAGAS/single audit engagements were determined to be non-conforming by the oversighters and were not recognized as being non-conforming by the peer reviewers. There was an approximate 40 percent nonconforming rate for oversights of governmental engagements while none of these engagements were identified as nonconforming by the peer reviewers.

Governmental Engagement Deficiencies

The enhanced oversights identified the following governmental engagement deficiencies (many of these are related to Yellow Book and Single Audit):

• Compliance requirements documented as applicable, but no testing performed for the compliance requirement
• A lack of testing of internal controls over direct and material compliance requirements
• A lack of documentation of management’s skills, knowledge, and experience to effectively oversee nonaudit services performed by the auditor
• A lack of documentation or incomplete documentation related to the risk assessment of type A or type B programs
• A lack of documentation supporting the assessment that compliance requirements were not applicable for the identified major programs
• A lack of documentation showing the consideration of fraud risk regarding noncompliance for major programs
• A lack of documentation of the internal control assessment over the preparation of the Schedule of Federal Awards (SEFA)
• The Schedule of Findings and Questioned Costs missing required elements
• Financial statements presented under GAAP instead of GASB
• No materiality calculation on opinion units
• A lack of documentation detailing the risk of management override of controls.
• A lack of documentation to support the client’s designation as a low-risk auditee
• Type A programs that were designated as low risk when they did not meet all of the requirements
• An auditor’s report on internal control that did not include all required elements
• The report on compliance with requirements applicable to each major program and internal controls over compliance that did not contain all of the required elements
• A data collection form that did not properly summarize the auditor’s results
• A calculation of amounts tested as major programs that was incorrect
• The omission of a federal program from a cluster that should have been included when testing major programs

Increased Scrutiny

Expect increased peer review scrutiny of governmental engagements in peer reviews.

The CPA community must take these concerns seriously. If we don’t, we may end up with a complete change of the present peer review process. Without positive improvement, CPA firms could, one day, be reviewed by governmental regulators — think IRS audits. It is imperative that we self-regulate in an effective manner.

Yellow Book Independence and Preparing Financial Statements – Sufficient SKE

By Charles Hall | Accounting and Auditing , Fraud

Are you a CPA that prepares city or county financial statements for an audit client? If yes, are you independent under the Yellow Book independence standards?

Yellow Book Independence

The 2011 Yellow Book (effective for periods ending after December 15, 2012; http://www.gao.gov/yellowbook) requires that the external auditor document the CPA firm’s independence when the firm also provides nonaudit services (such as preparation of financial statements).  Many small governments have their external auditors prepare their financial statements.

This independence determination will largely hinge on one factor: whether the city or county has a person with sufficient skill, knowledge or experience (SKE) to qualify as a reviewer.

If the government has no one with sufficient SKE, then the external auditor is not independent and can’t ethically perform the audit.

Examples of SKE

Consider the following potential reviewer scenarios:

1. A 15 year mayor who is a businessman, no accounting education, no formal training in reading governmental financial statements, he understands the fund level statements but can’t grasp the reconciliation between the government-wide financial statements and the fund level financial statements.

2. Second year finance director with no prior accounting experience, graduated from a two year college with a degree in general business.

3. Finance director with 25 years experience and is a CPA, member of GFOA, trains others in governmental accounting.

4. Finance director with a high school education but has extensive governmental accounting training from the Carl Vinson Institute, could if he liked, create the financial statements from scratch.

As you can see, the independence assessment will sometimes be black and white, but sometimes there will be shades of gray.

An Alternative

If the auditor can’t get comfortable with the SKE of the government’s financial statement reviewer, there is one alternative: the local government can hire someone outside the government with sufficient SKE to be the reviewer (for example a CPA not affiliated with the external audit firm).

At the end of the day, the local government must have a designated person (either internally or externally) with sufficient SKE for the audit firm to be independent.