Association of Local Government Auditors - What Does It Mean To Be Independent?

Independence is one of the defining characteristics of auditing. We agree that independence helps make our work credible. But what does it mean to be independent? At its most basic, independence means that we control our own work and are free from conflicts of interest. In government auditing this means that we must be free from conflicts arising from relationships, other job responsibilities and beliefs (personal impairments); free from others’ interference (external impairments); and free from conflicts or interference arising from reporting relationships (organizational impairments). To remain credible to others, we must also appear to others to be free from conflicts of interest and interference. While auditors frequently use the terms “independent” and “objective” more or less interchangeably, independence is just a piece of what we need to be objective. We need to follow fieldwork and reporting standards, as well, in order to be, and be seen as, objective.

The yellow book independence standard has changed significantly over the years. The 2003 revision incorporates extensive changes regarding provision of nonaudit services, introduced in 2002, which has been confusing for many auditors. However, because the requirements are now more specific and because emphasis has shifted more toward auditors’ actions than attitudes, the standard is easier to apply in some respects. I’ll walk through the standard and talk about what’s required, what peer reviewers will be looking for, and some of the practical ways that audit organizations are meeting the standard.

The standard applies to audit organizations and individual auditors (3.04). The independence standard has also expanded since the yellow book’s inception in 1972 to cover commercial auditors, hired consultants, internal experts and specialists. The standard now specifically places the burden of assessing specialists’ independence, including consultants and internal experts, on the auditors who will use the work. The audit organization is required to provide the specialist with GAGAS independence requirements and obtain the specialist’s representation that he/she is independent from the activity or program under audit (3.06). Peer reviewers will be reviewing your policies and procedures to see whether you address use of specialists. If you used a specialist during the review period, the reviewers will check to see whether you documented the specialist’s independence.

The threshold has changed in two notable ways from the 1994 revision. First, it is a little more stringent because we are specifically required to avoid questionable situations, whereas the previous version said we should consider such situations. On the other hand, it is also more stringent for the questioners. It is no longer necessarily a problem if anyone questions our independence – a reasonable third party with knowledge of the facts would need to conclude that there is a problem. What this change means in terms of our day-to-day work is that we should be prepared to consider carefully the independence implications of new situations rather than assume that any new situation could appear to be a threat to independence. Then document the relevant facts for your peer reviewers, who of course are reasonable third parties.

The standard defines personal impairments to individual auditors and recognizes that providing nonaudit services may create a personal impairment to the independence of the audit organization as a whole.

Individual personal impairments. Personal impairments of staff members result from relationships and beliefs that might cause the auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way (3.07). The standard provides examples of relationships, financial conflicts of interest, and decision-making authority that would impair an auditor’s independence. Changes in the wording of the examples have lessened the implication that any type of relationship with any person in the audited entity impairs independence. For example, the standard no longer refers to “official, personal, or professional” relationships; it refers to immediate or close family members with decision-making authority in the specific area under audit. The standard now also provides a time limit to personal impairment due to previous management or decision-making authority (footnote 21).

A lot of audit organizations require auditors to complete annual disclosure forms and/or independence statements for each audit they work on to ensure that auditors don’t have financial ties, family relationships, prior decision-making authority, or beliefs that would cause them to limit disclosure or slant audit results. Some audit organizations have policies that limit auditors’ contacts with employees of audited entities. Keep in mind, however, that the intent of the standard is not for auditors to isolate themselves from the organization or community issues. Good auditors care about what’s going on. Auditors need to be free from conflicts of interest but not necessarily free of opinions. Use professional judgment and follow fieldwork and reporting standards to ensure objectivity.

The standard now establishes a hierarchy of preferred options for resolving personal impairments: remove the impairment; decline to perform the audit; and as a last resort, disclose the impairment in the scope section of the report. Note that this last option is only open to government auditors.

The standard requires audit organizations to have an internal quality control system to help determine whether auditors have personal impairments to independence (3.07) and lists the required elements of a quality control system (3.08). Our peer review process asks organizations to describe and document how it meets the standards. The peer review team will review the description and documentation to ensure that your system meets all of the required elements and will test a sample of engagements to ensure that auditors followed the procedures while conducting their work. Peer reviewers may also review logs or other internal records for monitoring.

The yellow book recognizes that providing nonaudit services may result in a personal impairment for the audit organization as a whole. The standard defines nonaudit services, establishes two overarching principles for an audit organization to consider before agreeing to do a nonaudit service; and requires the audit organization to implement specific safeguards when providing nonaudit services.

Definition of nonaudit services. First, and perhaps most importantly, nonaudit service does not mean any project that the office hasn’t classified as an audit. The standard defines two types of nonaudit services. In the first, management requests the auditor to perform a service that directly supports the entity’s operations. In this case, management establishes the objectives, scope and type of work performed. The type of work may be similar to audit work – the distinguishing characteristic is the role of the auditor. In an audit, the audit organization determines the nature and scope of work needed to satisfy audit objectives and makes recommendations for improvement to management. In the nonaudit service, management determines the nature and scope of work needed to meet management’s needs and oversees the work.

In the second type of nonaudit work, the auditor provides information to a requesting party without verifying, analyzing, or evaluating the information. In this case, the type of work is different from audit work because the auditor is not following the evidence standard, cannot attest to the reliability of data provided and should not draw conclusions or render opinions based on the information.

Under both of these definitions, the audit organization is responding to a request. Work that the audit organization initiates or for which the audit organization determines the nature and scope of work to satisfy objectives does not meet the definition of nonaudit services. The peer review committee recommends that audit organizations review the different types of work they are conducting and carefully consider whether auditing or attestation standards should apply. Keep in mind that the yellow book defines types of work by the objective – not the amount of evidence collected. Some types of work, such as investigations or some independent monitoring activities, are neither audit nor nonaudit and yellow book standards do not apply.

Routine activities. The standard identifies some types of work that could meet the definition of nonaudit service (e.g. management requested to directly support the organization) but are “routine activities” that do not require the audit organization to apply safeguards. Routine activities include participating on committees in an advisory (non-decision making) capacity; providing routine advice to assist management in establishing internal controls or implementing audit recommendations; providing tools and methodologies, such as best practice guides, benchmarking studies or internal control assessment methodologies; answering technical questions; and providing training (3.15).

Overarching principles. The standard establishes two overarching principles related to nonaudit services and requires audit organizations to consider whether providing nonaudit services creates a personal impairment in fact or appearance for conducting audits before agreeing to provide the service:
• audit organizations should not provide nonaudit services that involve performing management functions or making management decisions; and
• audit organizations should not audit their own work or provide nonaudit services in situations where the nonaudit services are significant/material to the subject matter of audits (3.13).

If the audit organization concludes that the service does not violate the overarching principles, the standard prescribes safeguards that the audit organization must follow. The organization is required to document its consideration that the nonaudit service did not conflict with the overarching principles of the standard and document that all the safeguards were applied (3.17).

Meeting requirements related to nonaudit service is one of the elements required in an audit organization’s internal quality control system (3.08). Audit organizations – including the GAO – have been reviewing the types of work they do, rethinking how they classify projects, and revising their policies and procedures to address nonaudit work.

Our peer review process requires audit organizations to disclose its entire body of work to the peer review team. Peer reviewers will review how the audit organization classifies work and will ensure that organization applied the required safeguards when conducting nonaudit work.

This definition is broader than the 1994 revision because it includes perceived as well as actual pressures. The revised definition also focuses specifically on the audited entity and oversight organizations as the sources of external impairments.

The standard requires audit organizations to have policies for reporting and resolving external impairments as part of its internal quality control system. Most audit organizations have a policy to report scope impairments in the audit report. Peer reviewers will be looking at your policies to see how you handle external impairments. Some statutory protections referred to under organizational impairments can also protect an audit organization from external impairments, particularly pressure from a member of an oversight body. The ALGA advocacy committee plans to redraft model legislation that could assist audit organizations in avoiding external impairments.

The yellow book recognizes that a government audit organization’s independence can be affected by its reporting relationships. Organizational impairments occur when the auditor reports to a lower level manager with line responsibilities for the activity under audit. Many government auditors, for example, still report to a comptroller or finance director.

The standard distinguishes between external government auditors – who are independent to report externally to third parties – and internal government auditors – who are independent to report internally to management. The 2003 revision expanded the criteria by which an audit organization may be presumed organizationally independent when reporting externally (3.23-3.25) and clarified criteria by which an audit organization reporting internally to management may be presumed organizationally independent (3.27). While the reporting structures are different, both are considered organizationally independent under the yellow book. When distributing reports outside the organization, internal government auditors are required to reflect in their reports that they are employees of the audited entity. External government auditors are no longer subject to this requirement.

The standard requires the audit organization to document the conditions that allow it to be organizationally independent and for peer reviewers to review the documentation. Peer review teams will review your charter or statutory authority and reporting structure as part of the peer review.