The ALGA Peer Review Committee is currently in the process of revising the Yellow Book Peer Review Guide to reflect changes resulting from recent revisions to Government Auditing Standards.  Expected completion of the revised Yellow Book Peer Review Guide is expected March 31, 2008.

The standards are effective for audits beginning on or after January 1, 2008.  Early implementation is permissible and encouraged.  

Below is a summary of the more significant changes.  

Chapter 1 Introduction

The revision clarified professional requirements through the use of standard terminology.  Clarifications center around the use of the words must, is required, should, may, might and could. Aren't you glad you asked?

Must or is required identify unconditional requirements that apply to auditors or audit organizations in all cases in which the standard applies.  

Should identifies a presumptively mandatory requirement, which applies in specified circumstances.  Auditors or audit organizations may depart ("in rare circumstances") from a presumptively mandatory requirement provided they document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the objectives of the presumptively mandatory requirement. 

May, might and could identify descriptive, explanatory material.

The revision also establishes criteria for using the unmodified or modified "GAGAS statement" in reporting based on the terminology.

Chapter 1 also reinforced the key role of auditing in maintaining accountability and improving government operations. Other aspects in Chapter 1 include the following:

• Clarified the standards through standardized language to define the auditors' level of responsibility and distinguish between requirements and additional guidance;
• Added guidance on citing compliance with GAGAS in the auditors' report;
• Clarified and expanded the standards to recognize other sets of standards that can be used in conjunction with GAGAS; and
• Retained the same types of government audits and attestation engagements, but updated and expanded definitions and descriptions of performance audits and attestation  engagements.

Chapter 2 Ethics

Among the more significant revisions is the addition of a chapter on the Auditor's Ethical Responsibilities.  The revised Standards recognize that it is essential that government auditors observe overarching ethical concepts in the performance of their professional responsibilities.  

The information presented in the chapter on Ethical Principles in Government Auditing deals with fundamental principles and contains no additional requirements.  However, inclusion of those principles in the Standards conveys the message that management will set the tone for ethical behavior through policies and procedures that:

• maintain an ethical culture;
• clearly communicate acceptable behavior and expectations to each employee; and 
• create an environment that reinforces and encourages ethical behavior throughout the organization. 

Chapter 3 General Standards 

The revised Standards add a requirement that if an independence impairment is identified after the audit report is issued, the audit organization should assess the impact on the audit, and report on the impairment if deemed significant.

Another revision related to independence relates to non-audit work. The provisions related to non-audit work were moved from the personal impairments section to the section on organizational independence.  In addition, the definition of non-audit work has been changed.  Non-audit work now encompasses everything that isn't conducted as an audit or attestation. The Standards now specify three types of non-audit as follows:

Services that do not impair independence

Providing "targeted and limited" technical knowledge ("routine" advice) Conducting Training Providing tools, methodologies and benchmarks Providing information or data to a requesting party without verification Conducting Surveys Oversight assistance on budget submissions Conducting Investigations Contracting for audit services on behalf of the entity Other oversight-related services that could be performed as an audit (for example, emerging issues, recommendation follow-up and prospective focus)

Services that would not impair independence if safeguards are used

Basic accounting assistance Limited payroll services Advisory services on IT (extra requirements) Assist in evaluating potential candidates (panel of at least three) Preparing routine tax filings based on information provided by the entity

Services that impair independence

Maintaining or preparing the audited entity's records Posting transactions to the entity's financial records Determining account balances or capitalization criteria Designing, developing, installing, or operating the entity's accounting or information systems Developing an entity's performance measurement system when that system is material or significant to the audit Developing an entity's policies, procedures, and internal controls "Carrying out internal audit functions, when performed by external auditors."  (Refers to the SOX prohibition of a commercial auditor providing internal audit services and also doing the external financial audit.  The auditor may not report different types of work to different levels of the organization.)

Note that the difference between allowed, allowed with safeguards, and not allowed under any circumstances often relates to the scope of the service rather than the nature of the work.  There are examples under each category related to internal controls.  The differences in how the activities are categorized reflect the difference between making recommendations and making decisions.

The revision also identifies certain required elements of an audit organization's system of quality control.  These elements must be included in the audit agency's policies and procedures and include the following:

• Leadership responsibilities for quality
• Independence, legal and ethical requirements
• Initiation, acceptance and continuance of engagements
• Elements related to human resources
• Documentation on audit work performed and audit reporting
• Monitoring - "ongoing, periodic assessment of work performed"
• Analysis and summary of the results of monitoring procedures at least annually
• Requires organizations to make the most recent peer review report publicly available.

Continuing Professional Education (CPE)

Incorporated the revised CPE requirements issued April 2005 (GAO-05-568G).  Under these requirements;

• All auditors should complete every 2 years at least 24 hours of CPE directly relating to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.
• All auditors involved in planning, directing, or reporting on GAGAS assignments and all auditors who charge 20 percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE that enhances the auditors' professional proficiency to conduct audits.

Some general observations for financial audits and attestation engagements (Related to Chapters 4, 5, and 6)

The revised standards affect financial audit and attestation engagements as follows:  

• Defined those charged with governance and how auditors will be communicating with them;
• Added a requirement for controls over electronically maintained audit documentation.  The audit organization will now need to establish information systems controls over accessing and updating the audit documentation;
• Clarified and streamlined development of a finding;  
• Provided guidance on reporting confidential or sensitive information if subject to public record laws.  In these situations, auditors will determine the impact of such laws on the availability of the report and other means of communicating;
• Clarified for financial audit and attest engagements that auditors are required to obtain comments when there are findings;  
• Identified distribution of reports from internal and external audit organizations.  These might include parties outside of the organization;
• Clarified that internal auditors may follow IIA standards to communicate audit results to parties who can ensure results are given due consideration. Internal auditors are encouraged to use IIA standards in conjunction with GAGAS.

Revision Highlights related to Financial Audit and Attestation Field Work

Many of the standards in this area carry over from AICPA standards with effective dates earlier than the Yellow Book. The new standards affected audit and attestation fieldwork in the following ways:  

• Provided for written communication documenting the auditors understanding of services to be provided.  Written communication should be with both management and those charged with governance;  
• Updated guidance on communications during planning;
• Clarified and streamlined the auditors' responsibilities for contract provisions or grant agreements;
• Clarified and streamlined the auditors' responsibilities in fieldwork for abuse.  If the auditor becomes aware of indications of abuse that could be material, the auditor should apply additional audit procedures to ascertain whether material abuse has occurred and the potential effect on the subject matter of the audit.
• Added a clear and prominent discussion on consideration of fraud and illegal acts.  This clarifies the existing standard but does not change the auditors' responsibilities.
• Updated GAGAS based on recent developments in financial auditing and internal control.  
• Updated the standard on audit documentation to achieve consistency with SAS No. 103. Similar to the documentation standard in the 2003 Yellow Book, but with some enhancements as follows:
  • documenting supervisory review before the report is issued;
  • documenting noncompliance with GAGAS requirements;
  • establishing policies and procedures for safe custody and retention of audit documentation;
  • making audit documentation available to other auditors and reviewers;
  • developing policies for handling requests by outside parties to obtain access to audit documentation.

Highlights of Financial Audit and Attestation Engagement Reporting

The revised standards affected financial audit and attestation engagement reporting in the following ways: 

• Updated reporting requirements for internal control deficiencies consistent with SAS No. 112.  Defined significant deficiency and material weakness and quantitative and qualitative considerations.  Note the importance of discussing this terminology with management in advance.  No management letter is required for items less than a significant deficiency.  Auditors will need to include significant deficiencies in the report on internal control and indicate those that represent material weaknesses.
• When auditors conclude that any of the following has occurred or is likely to have occurred, they should include the following relevant information in the audit report:

o  Fraud and illegal acts greater than inconsequential (previously reported all fraud);

o  Material violations of contracts or grant agreements (previously reported significant violations); or

o  Material abuse (previously reported significant abuse that has occurred or is likely to have occurred).

• The revision encourages communicating, in the auditors' report, significant concerns, uncertainties, or other unusual events that could have a significant impact on the agency's financial condition or operations. This requirement is likely due to public interest in operations of government entities and entities that receive or administer government awards;
• The revision clarifies that whether and how to communicate by management letter or audit report is a matter of professional judgment;
• Increased transparency surrounding reporting on restated financial statements.  During financial audits, auditors who become aware of new facts that might have affected their opinion on a previously issued statement, should advise management to determine the affect.  Auditors are required to assess the timeliness and appropriateness of managements' disclosure and actions to correct misstatements in previously issued statements.  The revision provides auditors' with the ability to directly report to appropriate officials when the audited entity does not take appropriate steps.  Auditors should perform procedures sufficient to reissue or update the auditor's report on the restated financial statements regardless of whether restated financial statements are separately issued or presented on a comparative basis.

Chapter 7 Performance Audits

Revisions to GAGAS Performance Audit standards include the following:

Describes the framework for evaluating evidence in terms of significance and audit risk and requires auditors to plan the audit to reduce audit risk.

Expands required communication related to the audit (overview of the objectives, scope and methodology, and timing) to those charged with governance as well as management of the audited entity.

Requires auditors to document their overall assessment that evidence taken as a whole is sufficient and appropriate to support findings and conclusions before issuing the report.

Requires audit organizations to establish policies and procedures for the safe custody, retention and sharing of audit documentation, including access and change controls over electronic working papers.

Adds a section on audit risk and specifically adding risk as a factor to be used in planning and evaluating evidence.

Added a section on information system controls for the purpose of assessing audit risk and audit planning.  

Requires auditors in the planning phase, to assess risks of fraud occurring that are significant within the context of the audit objectives.

Chapter 8 Reporting

Revisions to GAGAS Reporting Standards include the following:

Clarified and streamlined auditors' responsibility for reporting the views of responsible officials, reporting confidential and sensitive information, and issuing and distributing reports

Revised the GAGAS statement in the auditor's report:

When auditors comply with all applicable GAGAS requirements, they should use the following language in the report:

"We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives."

The GAO believes that the revised GAGAS statement contains three important dimensions.  First, the revised statement defines an audit.  Second, it explains what the auditor did in conducting the audit.  Finally, that the audit was done in accordance with Generally Accepted Government Auditing Standards.  

Revisions include a new appendix to provide supplemental guidance to assist auditors in the implementation of GAGAS. The supplemental guidance does not establish additional GAGAS requirements.  Overall, supplemental guidance includes examples of deficiencies in internal control, abuse, fraud risk, and guidance on determining whether laws, regulations, or provisions of contracts are significant.

ALGA members should be sure to go to www.gao.gov to review the latest GAGAS revisions.  

Feel free to contact me or any member of the ALGA Peer Review Committee with your questions and comments.