Upload
justina-sanders
View
216
Download
0
Tags:
Embed Size (px)
Citation preview
1
2011 Yellow Book: What You Need to Know
Joint meeting Baltimore Chapter
of AGA and American Society
of Military Comptrollers
Baltimore, MDJanuary 17, 2013
Marcia B. Buchanan
2
Session Objectives
• Highlight areas that GAO revised in the 2011 Yellow Book, especially focusing on independenceUse of conceptual frameworkNew documentation requirements
• Walk through a common case study on independence
• Highlight revisions made for financial audits and attestation engagements
• Highlight revisions made for performance audits
33
Primary Yellow Book Changes
• Updated independenceIncluded a conceptual framework
• Added documentation requirementsAdditional documentation in independenceFocus on non-audit services
• Focused on converging where practicalIncorporated clarified SASsFewer differences
• Made several revisions to details of the performance audit chapters
444
The 2011 Yellow BookApplicability
• Chapters 1, 2, and 3 apply to all GAGAS engagements Chapter 1: Government Auditing: Foundation and
Ethical Principles Chapter 2: Standards for Use and Application of
GAGAS Chapter 3: General Standards
• Chapter 4: Standards for Financial Audits – applies only to financial audits
• Chapter 5: Standards for Attestation Engagements - applies only to attestation engagements
555
The 2011 Yellow BookApplicability (Continued)
• Chapters 6 and 7 apply only to performance audits Chapter 6: Field Work Standards for Performance
Audits Chapter 7: Reporting Standards for Performance
Audits• Appendix: Provides additional guidance (not
requirements) for all GAGAS engagements• Interpretations: Available on the Yellow Book web
page. Provide additional guidance (not requirements) for areas of particular interest or sensitivity.
2011 Yellow BookEffective Dates
• Effective for financial audit periods ending on or after December 15, 2012
• Effective for attestation periods ending on or after December 15, 2012
• Effective for performance audits starting on or after December 15, 2011
• Independence may be impacted before the beginning of an engagement
6
777
Chapter 1: Government Auditing: Foundation and Ethical Principles
• Provide a framework for conducting high quality audits with competence, integrity, objectivity, and independence
• For use by auditors of government entities and entities that receive government awards
888
Chapter 2: Types of GAGAS Engagements
• All audits begin with objectives, and those objectives determine the type of audit to be performed and the applicable standards to be followed.
• The types of audits that are covered by GAGAS, as defined by their objectives, are classified in the Yellow Book as
financial audits, attestation engagements, and performance audits.
99
Chapter 2: Financial Audits
• Financial audits provide an independent assessment of and reasonable assurance about whether an entity’s reported financial condition, results, and use of resources are presented fairly in accordance with recognized criteria
• Financial audits performed under GAGAS include Financial statement auditsOther types of financial audits
1010
Chapter 2: Attestation Engagements
• In addition to financial audits• Attestation engagements can cover a broad
range of financial or non-financial objectives and may provide different levels of assurance about the subject matter or assertion depending on the users’ needs.
• The three types of attestation engagements are:ExaminationReviewAgreed-Upon Procedures
11
Chapter 2: Performance Audits
• Performance audits are defined as audits that provide findings or conclusions based on an evaluation of sufficient, appropriate evidence against criteria
• Performance audits provide objective analysis to assist management and those charged with governance and oversight in using the information to Improve program performance and operations Reduce costs Facilitate decision making, and Contribute to public accountability
12
Chapter 2: Use of Terminology
Standardized language to define the auditor requirements• Consistent with SAS No. 102:
Must indicates an unconditional requirement Should indicates a presumptively mandatory
requirement Text not using the above conventions is
considered explanatory material• Interpretive publications are recommendations
on the application of GAGAS specific circumstances
1313
Chapter 2: Standards for the Use and Application of GAGAS
Clarified citing compliance with GAGAS• Determining appropriate GAGAS compliance
statement is a matter of professional judgment• Departures from presumptively mandatory
requirements• Using GAGAS with other standards
141414
Chapter 3: General Standards
• IndependenceConceptual frameworkProvision of nonaudit services to auditees
• Professional judgment• Competence
Technical knowledgeContinuing Professional Education
• Quality AssuranceSystem of quality assurancePeer review
15
Chapter 3:General Standards – Independence
• The following from the 2007 Yellow Book has been removed from the 2011 revision: • definition of independence in terms of personal,
external, and organizational independence, and • the overarching principles that applied to assessing
nonaudit services.• The 2011 revision
• requires “independence of mind” and “independence in appearance” (para 3.03)
• and establishes a risk-based conceptual framework within which to evaluate seven broad categories of “threats to independence.”
16
17
Independence Timeframes
• Impairment exists during The period of the audit – usually the fiscal year The professional engagement
• usually starts with earlier of start of planning or engagement agreement.
• usually ends on the last report date.
• Depending on the circumstances, independence may be impacted beyond this timeframe.
• Recurring engagement may mean that some activities or circumstances will always impair.
1818
Applying the Framework
• New approach combines a conceptual framework with certain rules (prohibitions) Balances principle and rules based standards Serves as a hybrid framework
• Certain prohibitions remain Generally consistent with Rule 101 AICPA
• Beyond a prohibitionApply the conceptual frameworkWill be used more often than AICPA
18
19
Chapter 3 – General Standards: Independence
Threats could impair independence• Do not necessarily result in an independence
impairment
Safeguards could mitigate threats • Eliminate or reduce to an acceptable level
20
Applying the Framework
Conceptual Framework:
1. Identify threats to independence
2. Evaluate the significance of the threats identified, both individually and in the aggregate
3. Apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level
4. Evaluate whether the safeguard is effective
Documentation Requirement:
Para 3.24: When threats are not at an acceptable level and require application of safeguards, auditors should document the safeguards applied.
20
21
GAGAS Conceptual Framework for Independence
Assess condition or activity for threats to independence
Assess safeguard(s) effectiveness
Identify and apply safeguard(s)
Assess threat for significance
Is threat significant?
Threat identified?
Is threat eliminated or reduced to an acceptable level?
Yes
Yes
Document nature of threat and any safeguards applied
Yes
No
Independence impairment; do
not proceed
No
Is threat related to a nonaudit service?
Is the nonaudit service specifically prohibited in GAGAS paragraphs
3.36 or 3.49 through 3.58?No
No
Yes
Yes
Proceed
Proceed
Proceed
No
2222
Applying the Framework: Categories of Threats
1. Management participation threat2. Self-review threat3. Bias threat4. Familiarity threat5. Undue influence threat 6. Self interest threat7. Structural threat
2323
Routine Audit Services and Nonaudit Services
Routine audit services pertain directly to the audit and include:
• Providing advice related to an accounting matter
• Researching and responding to an audited entity’s technical questions
• Providing advice on routine business matters• Educating the audited entity on technical
matters
Other services not directly related to the audit are considered nonaudit services
2424
Routine Audit Services and Nonaudit Services
Services that are considered nonaudit services include:• Financial statement preparation• Bookkeeping services• Cash to accrual conversions (a form of
bookkeeping)• Other services not directly related to the audit
Unless specifically prohibited, nonaudit services MAY be permissible but should be documented
• In relation to the conceptual framework• In relation to the auditor’s assessment of
managements’ skill, knowledge or experience
25
Nonaudit Services
• Certain services may be permitted• First, determine if there is a specific prohibition• If not, the auditor should assess the nonaudit
service’s impact on independence using the conceptual framework
26
Independence:Prohibited Nonaudit Services
Management Responsibilities:• setting policies and strategic direction for the audited entity;• directing and accepting responsibility for the actions of the
audited entity’s employees in the performance of their routine, recurring activities;
• having custody of an audited entity’s assets;• reporting to those charged with governance on behalf of
management;• deciding which of the auditor’s or outside third party’s
recommendations to implement;• accepting responsibility for the management of an audited
entity’s project;
27
Independence:Prohibited Nonaudit Services (cont.)
Management Responsibilities (cont):• accepting responsibility for designing, implementing, or
maintaining internal control;• providing services that are intended to be used as
management’s primary basis for making decisions that are significant to the subject matter of the audit;
• developing an audited entity’s performance measurement system when that system is material or significant to the subject matter of the audit; and
• serving as a voting member of an audited entity’s management committee or board of directors.
28
Independence:Prohibited Nonaudit Services (cont.)
IT Services:• Design or develop an IT system that would be subject to or
part of an audit.• Make significant modifications to an IT system’s source code. • Operate or supervise an IT system.
Internal Controls• May not provide ongoing monitoring services.• May not design the system of internal controls and then
assess its effectiveness.
Full list of prohibited services: para 3.36 and para 3.49 – 3.58
29
Independence: Nonaudit Services Commonly Requested of Government Auditors
• Signing off on an agency’s policies and procedures• Establishing a strategic plan for an agency• Determining the priority for implementing audit
recommendations• Participating in human capital decisions for key
government staff• Participating in committees as a voting member
30
Nonaudit Services
1. Determine if there is a specific prohibition. Unless specifically prohibited, nonaudit services MAY be permitted but should be documented.
2. If not prohibited, assess the nonaudit service’s impact on independence using the conceptual framework.
3. If the auditor assesses any identified threat to independence as higher than insignificant, assess the sufficiency of audited entity management’s skill, knowledge, and experience to oversee the nonaudit service.And…
31
Nonaudit Services (Continued)
4. If the auditor concludes that performance of the nonaudit service will not impair independence, document assessments in relation to both:• safeguards applied in accordance with the
conceptual framework and• the auditor’s assessment of sufficiency of
audited entity managements’ skill, knowledge or experience to oversee the nonaudit service (paragraph 3.34).
3232
Assessing Management’s Skill, Knowledge, or Experience
Factors to document include management’s:• Understanding of the nature of the service• Knowledge of the audited entity’s mission and
operations• General business knowledge• Education• Position at the audited entity
Some factors may be given more weight than others
GAGAS does not require that management have the ability to perform or reperform the service
33
Sufficiency of Skills, Knowledge and Experience
Sufficient skills, knowledge and experience may be judged in part based on:• Ability of the identified client personnel to identify material
errors or misstatements in a non audit service work product
• Ability of the client to sufficient background to understand the nature and results of the audit service
• Ability of management to take responsibility and understand the work
Client prepared material in poor condition may indicate the client is not capable of taking responsibility for the service. Significant audit findings and adjustments may also be indicative of this issue.
3434
Financial Statement Preparation
Auditors may prepare financial statements• Considered by GAGAS a nonaudit service• Must apply the conceptual framework• Two additional documentation requirements
• Document application of safeguards• Document assessment of management’s skill,
knowledge or expertise
35
Independence:Documentation Requirements
Para 3.59 summarizes documentation requirements for independence:• Threats that require the application of safeguards along with
the safeguards applied (3.24)• Safeguards in place if an audit organization is structurally
located within a government entity (3.30)• Consideration of sufficiency of audited entity management’s
skill, knowledge, and experience to take responsibility for and effectively oversee the nonaudit services (3.34)
• The auditor’s understanding with an audited entity regarding nonaudit services to be provided (3.39)
36
Case Study #1
• Can ABC Audit Firm prepare the financial statements of We Help People (WHP), a not-for-profit organization, and remain independent under the AICPA and Yellow Book Standards?
a. Yesb. Noc. Maybe
37
Case Study #1 (Continue)
• ABC has proposed in excess of 50 adjusting entries to correct WHP financial statements. Is ABC independent with respect to WHP?
a. Yesb. Noc. Maybe
38
Case Study #1 (Continue)
• ABC has also identified the following issues:• WHP’s trial balance is not in balance• The balance sheet has account balances that appear to
be materially wrong—assets with credit balances and liabilities with debit balances
• Bank reconciliations are materially different thafrom the trial balance
• ABC has been asked by WHP to do whatever necessary to get the books in order to complete the audit. ABC can take on this role:a. Yesb. No
3939
Chapter 3 – General Standards: Continuing Professional
Education (CPE)
No revision to overall requirements:• Minimum of 24 hours of CPE every 2 years
• Government• Specific or unique environment• Auditing standards and applicable accounting
principles• Additional 56 hours of CPE for auditors involved in
• Planning, directing, or reporting on GAGAS assignments; or
• Charge 20 percent or more of time annually to GAGAS assignments
• Minimum of 20 hours of CPE each year
4040
Chapter 3 – General Standards: Competence
CPE requirements for external specialists:• External specialists are not required to meet
GAGAS CPE requirements, but should be qualified and maintain professional competence
4141
Chapter 3 – General Standards: Competence
CPE requirements for internal specialists:• Internal specialists serving as auditors are
subject to all CPE requirements• Specialized CPE count towards the required 24
hours• Internal consulting specialists are not required
to meet GAGAS CPE requirements, but should be qualified and maintain professional competence
42
Chapter 3: General Standards— Quality Control and Assurance
Each audit organization performing audits or attestation engagements in accordance with GAGAS must:
• establish a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and
• have an external peer review at least once every 3 years.
43
Chapter 3: General Standards— System of Quality Control
• Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel.
• Added a requirement that the quality control policies and procedures collectively address: • Leadership responsibilities for quality within the audit
organization• Independence, legal, and ethical requirements• Initiation, acceptance, and continuance of audit and
attestation engagements• Human resources• Audit and attestation engagement performance,
documentation, and reporting• Monitoring of quality
44
Chapter 3: General Standards— External Peer Reviews (continued)
Transparency of peer review
• Audit organization should make the most recent peer review report publicly available
• Audit organizations seeking to enter into a contract to perform an audit in accordance with GAGAS should provide a a copy of the most recent peer review report and any subsequent peer review reports received during the period of the contract
• Auditors who are using another audit organization’s’work should request a copy of the audit organization’s latest peer review report.
45
Chapter 3: Changes to Quality Control Monitoring Procedures
Audit organizations should analyze and summarize, in writing, the results of monitoring procedures at least annually:• Include identification of any systemic issues
needing improvement• Include recommendations for corrective action• Communicate deficiencies noted to appropriate
personnel and make recommendations for remedial action
46
Chapter 3: Changes Related to Peer Reviews
The peer review team uses professional judgment in deciding the type of peer review report. The following are the types of peer review reports:• Peer review rating of pass• Peer review rating of pass with deficiencies• Peer review rating of fail
46
4747
Chapter 4: Financial Audits-Overall Changes
• Considered Clarity Project conventions• Streamlined language to harmonize with AICPA• Clarified additive requirements• Combined 2007 GAGAS chapters 4 and 5 into
one chapter (2011 GAGAS chapter 4)
No new requirements were added for financial audits and attestation engagements
4848
Special Considerations for Government Engagements
Applying certain AICPA standards • Materiality• Early communication of deficiencies (SAS No.
115)
4949
Financial Audits: SAS 125 Alert That Restricts the Use of the Auditor’s Written
Communication
SAS 125 makes a special provision for the GAGAS report on internal control over financial reporting and compliance.• Don’t use the communication required for
other audits. Instead, the alert should:Describe the purpose of the
communication, andState that the communication is not
suitable for any other purpose.
5050
SAS 125: Sample Language for GAGAS Report on ICFR and Compliance
“The purpose of this report is solely to describe the scope of our testing of internal control over financial reporting and compliance, and the results of that testing, and not to provide an opinion on the effectiveness of the entity’s internal control over financial reporting or on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the entity’s internal control over financial reporting and compliance. Accordingly, this report is not suitable for any other purpose.”
51
Chapter 5 - Attestation Engagements
Separated attest requirements • Examination• Review• Agreed-Upon Procedures
Update considerations• Identified practice issue• Clarified distinctions between engagement
types• Emphasized AICPA reporting requirements
5252
Chapter 5 - Attestation Engagements
Within each section, emphasized • Citing compliance with GAGAS• Required elements of AICPA reporting • Communicating the services to be performed
53
Chapter 6: Field Work Standards for Performance Audits
Guidance for conducting performance audits, including• Planning the audit• Supervising staff• Obtaining sufficient, appropriate evidence• Preparing audit documentation
54
Chapter 6: Performance Audits—Overall Framework for Performance Audits
• Level of assurance associated with a performance audit• Provide reasonable assurance that the evidence is
sufficient and appropriate to support the auditors’ findings and conclusions
• Concept of significance• Defined as the relative importance of a matter within the
context in which it is being considered, including quantitative and qualitative factors
• Audit risk• Defined as the possibility that the auditor’s findings,
conclusions, recommendations, or assurance may be improper or incomplete
55
Chapter 6: Performance Audits—Planning
• Auditors must adequately plan and document the planning of the work necessary to address the audit objectives
• Auditors should assess audit risk and significance by gaining an understanding of:• Nature and profile of the program and user needs• Internal control• Information systems controls• Legal and regulatory requirements, contract provisions or
grant agreements, fraud, or abuse • Previous audits
• Auditors should prepare a written audit plan
Chapters 6 & 7Performance Audits
Audit risk
Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions
Chapters 6 & 7Performance Audits
Information systems controls for the purpose of assessing audit risk and planning the audit
• Consist of those internal controls that are dependent on information systems processing
• Include general controls and application controls• Are significant to the audit objectives if auditors
determine that it is necessary to evaluate the effectiveness of information system controls in order to obtain sufficient, appropriate evidence
• If significant, auditors should evaluate the design and operating effectiveness of such controls by performing audit procedures
Chapters 6 & 7Performance Audits
Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements
• Auditors should determine which laws, regulations, and provisions of contracts or grant agreements are significant within the context of the audit objectives and assess the risk that violations of those laws, regulations, and provisions of contracts or grant agreements could occur
• Auditors should design and perform procedures to provide reasonable assurance of detecting instances of violations of legal and regulatory requirements or violations of provisions of contracts or grant agreements that are significant within the context of the audit objectives
Chapters 6 & 7 Performance Audits
FraudIn planning the audit, auditors should assess risks of fraud
occurring that is significant within the context of the audit objectives
Auditors should• Discuss fraud risks among the audit team• Gather and assess information to identify risk of fraud that are significant
within the scope of the audit objectives or that could affect the findings and conclusions
When auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud
Chapters 6 & 7 Performance Audits
Abuse• If auditors become aware of indications of abuse that
could be quantitatively or qualitatively significant to the program under audit, auditors should apply audit procedures specifically directed to ascertain • The potential effect on the program under audit within the
context of the audit objectives• However, because the determination of abuse is
subjective, auditors are not required to provide reasonable assurance of detecting abuse
• After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts
61
Chapter 6: Performance Audits— Sufficient, Appropriate Evidence
Appropriateness is defined as a measure of quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions.
Sufficiency is defined as a measure of quantity of evidence used for addressing the audit objectives and supporting findings and conclusions.
62
Performance AuditsTechnical Changes
• The definition of validity as an aspect of the quality of evidence has been revised: • the extent to which evidence is a meaningful or
reasonable basis for measuring what is being evaluated. In other words, validity refers to the extent to which evidence represents what it is purported to represent. (6.60b)
• The assessment the sufficiency and appropriateness of computer-processed information includes considerations regarding the completeness and accuracy of the data for the intended purposes. (6.66) (For additional guidance, see GAO publication, Assessing the Reliability of Computer-Processed Data)
63
Chapter 6: Performance Audits—Overall Assessment
• Overall assessment of the collective evidence to support the findings and conclusions• Assessment of evidence depends on the nature of the
evidence, how it is used, and the audit objectives
• Evidence is sufficient and appropriate when it provides a reasonable basis for supporting the findings or conclusions within the context of the audit objectives
64
Chapter 6: Performance Audits—Documentation
• Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit.
• Auditors should document the following:• the objectives, scope, and methodology of the audit• the work performed to support significant judgments and
conclusions• evidence of supervisory review, before the audit report is
issued, of the work performed that supports findings, conclusions, and recommendations contained in the audit report
65
Chapter 7: Performance Audits— Reporting
Guidance for reporting on performance audits, including
• Reporting Form• Report Contents• Distributing Reports
66
Chapter 7: Performance Audits—Report Contents
• Auditors should prepare audit reports that contain• Objectives, scope, and methodology of the audit• Audit results, including findings, conclusions, and
recommendations, as appropriate• Statement about the auditors’ compliance with
GAGAS• Summary of the views of responsible officials• Nature of any confidential or sensitive information
omitted
67
Performance AuditsTechnical Changes
• The fraud reporting requirement is now limited to occurrences that are significant within the context of the audit objectives (7.21), with a requirement to communicate in writing other instances of fraud that warrant the attention of those charged with governance. (7.22)
• Early communication of deficiencies has been added as a consideration auditors may follow in the course of the performance audit. (6.78)
68
Chapter 7: Performance Audits—Citing Compliance in the Audit Report
GAGAS statement in audit reportWhen auditors comply with all applicable GAGAS requirements, they should use the following language in the report:
“We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.”
69
Appendix:Supplemental Guidance
Added an appendix to provide supplemental guidance to assist auditors in the implementation of GAGAS• Does not establish additional GAGAS requirements• Overall supplemental guidance includes examples of
• Deficiencies in internal control• Abuse• Fraud Risk
• Overall guidance includes guidance on determining whether laws, regulations, or provisions of contracts are significant
70
Questions?
71
Where to Find the Yellow Book
The Yellow Book is available on GAO’s website at:
www.gao.gov/yellowbook
For technical assistance, contact us [email protected]
(202) 512-9535
72
Contact Information
Marcia BuchananAssistant DirectorFinancial Management and Assurance U.S. Government Accountability Office
202-512-9321