Yellow Book Update

Yellow Book, 2018 Revision

Intergovernmental Biennial Conference

July 2020

Session Objective

This presentation covers the 2018 Yellow Book and highlights key areas that will impact 2020 audits.

2

CPE Alert Issued

Grace Period due to Covid

3

GAGAS CPE Requirements

• GAGAS CPE requirements are located in 2018 GAGAS paragraphs 4.16 through 4.18, with application guidance provided in paragraphs 4.19 through 4.53. Under GAGAS, auditors are required to complete at least 80 hours of CPE in every 2-year period as follows.

• Auditors should complete at least 20 hours of CPE in each year of the 2-year periods.

4

CPE Exceptions and Exemptions

• Effective as of February 29, 2020

• Six-month grace period for completing CPE

• Waiver of 20-hour annual CPE requirement

• Carry over of CPE

• Existing exemption for extended absences

5

Important CPE Considerations

• The exceptions do not remove the requirement for auditors to complete 80 hours of CPE as noted earlier, and an audit organization may not change its 2-year CPE period because of circumstances related to the COVID-19 pandemic.

• The exceptions apply to GAGAS CPE requirements only. The exemptions and exceptions do not apply to CPE requirements of other professional organizations or other licensing bodies, such as those that license certified public accountants.

6

CPE Exception: Six-Month Grace Period

• For 2-year CPE periods that end February 29, 2020, through December 31, 2020

• Auditors may have up to 6 months immediately following the 2-year period to complete:• 80-hour CPE requirement and• 24-hour CPE requirement

• CPE hours may not be counted toward the next period

7

CPE Exception: Waiver of 20-Hour Annual Requirement

• For 1-year CPE periods that end February 29, 2020, through December 31, 2020

• Not required to complete 20 hours of CPE in 1-year

8

CPE Exception: Carry Over of CPE

• For CPE period in effect on February 29, 2020• May carry over up to 40 hours of CPE to the next CPE period• Cannot use hours carried over to satisfy:

• 24-hour government CPE requirement• 20-hour annual CPE requirement

9

Existing CPE Exemption

• Audit organizations may grant exemptions for portions the CPE requirement if auditor is not working on GAGAS engagements

• Provided in 2018 GAGAS paragraph 4.29• If the auditor is working, including teleworking, audit

organizations and auditors may not use this exemption.

10

Independence Considerations

Reminders for Independence

11

Consideration of Independence in the Yellow Book• GAGAS’s practical consideration of independence consists of

four interrelated sections:• General requirements and application guidance• Conceptual framework for making independence

determinations• Independence and nonaudit services• Documentation (para. 3.17)

12

Independence General Requirements

• Independence of Mind• Independence in Appearance (para. 3.21)

• Statutory instances where independence is impaired (para. 3.25)• Example: requirement for auditors to

serve in official roles that conflict with indepence requirements (e.g., voting member of management committee with no safeguards).

• Modified GAGAS compliance statement.

13

Conceptual Framework for Independence

14

Categories of Threats to Independence

• Self-interest threat• Self-review threat• Bias threat• Familiarity threat• Undue influence threat• Management participation threat• Structural threat (para. 3.30)

15

Safeguards to Independence Threats

• Safeguards are actions or other measures, individually or in combination, that auditors and audit organizations take that effectively eliminate threats to independence or reduce them to an acceptable level.

• Safeguards vary depending on the facts and circumstances (para. 3.49)

• Examples of safeguards are listed in paragraphs 3.50 and 3.69. These provide a starting point and is not an exhaustive list.

16

Safeguards Related to Nonaudit Services

Examples of safeguards for addressing threats to independence related to nonaudit services (para. 3.69):

a. not including individuals who provided the nonaudit service as engagement team members;

b. having another auditor, not associated with the engagement, review the engagement and nonaudit work as appropriate;

c. engaging another audit organization to evaluate the results of the nonaudit service; or

d. having another audit organization re-perform the nonauditservice to the extent necessary to enable that other audit organization to take responsibility for the service.

17

Independence and Nonaudit Services

• Consider: does the nonaudit service create a threat to independence?

• If the nonaudit services could create a threat to independence, auditor’s should (among others):• Ensure management has the skills,

knowledge and experience to oversee and understand the services provided.

• Obtain agreement with management about management responsibility for oversight, evaluation and responsibility for the services (para. 3.76)

18

Nonaudit Services vs. Routine Activities

• Routine activities are not considered nonaudit services (para. 3.70).

• Examples include (para. 3.71):

• providing advice to the audited entity on an accounting matter as an ancillary part of the overall financial audit;

• providing advice to the audited entity on routine business matters;• educating the audited entity on matters within the technical expertise of the

auditors; and• providing information to the audited entity that is readily available to the

auditors, such as best practices and benchmarking studies

19

Additional Independence Guidance

• Application guidance to define management's “Skills, Knowledge and Experience” (SKE) an indicator is management’s ability to recognize a material error in services provided (para. 3.79 – 3.81)

• Application guidance to clarify that certain services provided by government audit organizations would generally not create threats to independence allowability of certain functions such as investigations (para. 3.72)

20

Independence Threats related to Preparing Financial Statements & Accounting Records

Nonaudit services performed by auditors related to financial statements and accounting records either:

21

Impair Independence

Are Significant Threats

The auditor prepares financial statements in their entirety (para. 3.88).OR The auditor determines that a service related to preparing financial statements or accounting records is a significant threat (para. 3.93).

Are Threats • Evaluate threat and document evaluation (para. 3.90).• Typing, formatting, printing, binding: not likely significant (para.

3.95)

Determining or changing journal entries and other accounting entries without obtaining management’s approval (para. 3.87)

Document the threats and safeguards applied to eliminate and reduce threats to an acceptable level (para. 3.33).ORDecline to perform the service (para. 3.88).

Additional Threats to Independence

• Other services not identified earlier include (but are not limited to):• Recording/posting transactions which

management has approved to the general ledger or trial balance;

• Preparing certain line items or sections of the financial statements based on the trial balance;

• Preparing account reconciliations that identify reconciling items for the audited entity management’s evaluation (para. 3.89).

• Auditors should evaluate and document the significance of these threats (para 3.90).

22

Evaluating and Documenting Threats

• Auditors should evaluate and document independence considerations:• The extent of the audited entity’s involvement in determining

significant matters of judgment.• Documentation of safeguards and their effectiveness

23

General Audit Considerations

Important Considerations for both Financial and Performance Audits

24

Peer Review Requirements

Peer review section differentiates requirements for those audit organizations affiliated with a recognized organization.

25

Audit organization affiliated with a

recognized organization?

Yes

No

Peer Review Requirements

All audit organizations comply with GAGAS peer review requirements for:

Assessment of peer review risk (paras. 5.66 & 5.67),

Peer review report ratings (paras. 5.72 – 5.74), and

Availability of peer review report to the public (paras. 5.77 –5.80).

26

Peer Review Requirements: Not Affiliated

Audit organizations not affiliated with a recognized organization also comply with additional GAGAS peer review requirements in areas including:

Peer review scope (para. 5.82),

Peer review intervals (para. 5.84),

Written agreement for peer review (para. 5.86),

Peer review team (para. 5.89),

Report content (para. 5.91), and

Audit organization’s response to the peer review report (paras. 5.93 – 5.94).

27

Peer Review Report Ratings

28

Pass

Pass with deficiencies

Fail

Communicate deficiencies in the peer review report

Communicate deficiencies and significant deficiencies in the

peer review report

Quality Control

New specific requirements for quality control related to:

Annual independence affirmation (para. 5.09),

Undertaking engagements only if the audit organization has the capabilities, including time and resources, to do so (para. 5.12),

Consultation on difficult or contentious issues (para. 5.24),

Supervision and review of work (para. 5.36), and

Assigning an engagement partner or director to each engagement (para. 5.37).

29

Monitoring of Quality

New specific requirements for monitoring of quality related to:

Communication of monitoring sufficient to enable corrective actions (para. 5.44), and

Evaluation of deficiencies noted during monitoring (para. 5.45).

30

Fraud, Waste, and Abuse

31

FRAUD ABUSEWASTE

New Considerations for Addressing Waste

• Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose.

• Waste can include activities that do not include fraud and abuse and does not necessarily involve a violation of law.

• Waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight.

(paras. 6.21, 7.23, & 8.120)

32

Waste and Abuse

Auditor considerations related to waste and abuse are intended to be consistent.

Auditors are not required to perform procedures to detect waste or abuse.

Evaluating internal control in a government environment may include consideration of internal control deficienciesthat result in waste or abuse.

(paras. 6.20, 7.22, & 8.119)

33

Audit Risk and Considerations

Important Risk Considerations for both Financial and Performance Audits

34

Professional Skepticism

• Circumstances related to the COVID-19 pandemic amplify the need for professional skepticism

• Audited entities may have new and changing risks• Auditors may need to revisit their understanding of the entity and

its environment throughout the engagement to ensure understanding remains current

35

Inherent Risk

• Risk that exists before considering internal control• Conditions that may indicate an increased level of inherent risk:

• New programs and rapid program growth• New laws, regulations, and responsibilities• Programs with a large number of payments sent to external

recipients• Additional pressures on audited entity management• Changes in economic conditions

36

Risk of Fraud

37

Risk of Fraud

• If engagement began before the pandemic, revisit the fraud risk assessment

• Consider changes due to pandemic in fraud risk factors• Incentive/pressure• Opportunity • Attitude/rationalization

• Gather and assess information to identify fraud risks within the scope of audit objectives or with potential effects on findings and conclusions

38

Internal Control

39

Internal Control

• Obtain an understanding of internal control significant to the audit objectives

• Audited entities may not have made the necessary changes to their systems of internal control amidst the pandemic

• Conditions that may indicate an increased level of control risk include• Audited entity employees working remotely• Changes in staffing at audited entities, such as those caused

by furloughs or layoffs• Changes in audited entity staff responsibilities

40

Evidence

• Consider alternative methods to conduct engagements and obtain sufficient, appropriate evidence

• In this environment, there will likely be more electronic communications and documentation

• In some circumstances, auditors may be unable to obtain sufficient, appropriate evidence

41

Quality Control

• Audit organizations must maintain systems of quality control • Consider how to assure proper supervision of remote

engagement work• Pay careful attention to GAGAS

requirements for consultation ondifficult and contentious issues

42

Financial Audits

Important Considerations and Updates

43

Change in Risks

• Required to identify and assess risk of material misstatement• Consider holding additional brainstorming session if auditors

have already conducted one prior to the COVID-19 pandemic• Evaluate design and implementation of internal controls: if

unable to perform procedures on-site, consider other methods for performing procedures

44

Estimates

• Obtain sufficient, appropriate evidence about whether accounting estimates are reasonable and related disclosures are adequate

• Pay attention to:• Management responses on change in circumstances• Relevant internal controls in estimation process• Whether there should be a change in estimate methods,

assumptions, or data from prior period• Whether management has assessed estimation uncertainty

45

Estimate Uncertainty Example

• An entity owns financial instruments with no direct market activity for which there is increased estimation uncertainty. Auditors should determine whether management’s valuation estimates are still reasonable based on current economic conditions and whether auditors should include an emphasis-of-matter paragraph in the auditor’s report.

46

Subsequent Events

• Certain events that occur after the date of the financial statements may affect the statements

• Reporting dates may be delayed • Audited entities may need to make additional disclosures• Work with management to identify subsequent events• Read meeting minutes and latest subsequent interim financial

statements• Not required to perform any audit procedures after auditor’s

report date• Inconsistent information – modifications to audit procedures may

be necessary47

Reporting

• Emphasis-of-matter paragraph may be necessary• Qualified or disclaimer of opinion if unable to obtain sufficient,

appropriate evidence due to COVID-19 circumstances• AU‐C section 706A provides examples of when auditors may

consider an emphasis-of-matter paragraph• Use professional judgment to determine whether an emphasis-

of-matter paragraph is necessary

48

Performance Audits

Important Considerations and Updates

49

Internal Control: Program or Process Approach

• Internal controls can help auditors identify root cause of findings• Consider limiting the scope of internal control work to the

program or process that is the subject of the audit• Key audit procedures

• Identify specific program objectives significant to the audit• Obtain understanding of internal control for the specific

program or process

50

Internal Control: Performance Audits

Auditors should document the significance of internal control to performance audit objectives (para. 8.39).

51

Internal control significant to

audit objectives?

Yes

No

Document and Proceed

(See next slide)

Document

Determine, as applicable, for new or revised objectives

Internal Control: Performance Audits (cont.)

Internal control significant to audit objectives =

Obtain an understanding of internal control that is significant to the audit objectives (para. 8.40).

Assess and document the assessment of internal control to the extent necessary to address the audit objectives (para. 8.49).

Evaluate and document the significance of identified internal control deficiencies within the context of the audit objectives (para. 8.54).

Consider internal control deficiencies when developing the cause element of findings (para. 8.117).

Identify in the audit report which internal control components and principlesare significant (para. 9.30).

52

Yes

Internal Control: Financial Audits and Examination Engagements

Considering a comprehensive internal control framework such as Standards for Internal Control in the Federal Government or Internal Control –Integrated Framework can help auditors identify the cause of findings and develop recommendations. (paras. 6.18 & 7.20)

53

Elements of a Finding

Condition: the situation that exists.

Criteria: standards for what should be.

Cause: the explanation of why the condition deviates (if it does) from the criteria.

Effect: the actual or potential consequences of allowing the condition to persist.

54

Testimonial Evidence and Documentation

• If using testimonial evidence evaluate: • Objectivity• Credibility• Reliability

• Exercise professional judgment and professional skepticism• Document the assessment of collective evidence

55

Quality Information

• Management uses quality information to achieve objectives• Auditors use information as evidence to provide a reasonable

basis for addressing audit objectives and supporting their findings and conclusions

• Auditors are required to evaluate whether any lack of sufficient, appropriate evidence is caused by internal control deficiencies

• Auditors may consider whether management’s lack of quality information to achieve of objectives is caused by internal control deficiencies

56

Where to Find the Yellow Book and Alerts

• The Yellow Book and Audit Alerts are available on GAO’s website at:www.gao.gov/yellowbook

• For technical assistance, contact us at:yellowbook@gao.govor call (202) 512-9535

57

Thank You

Questions?

58