The New 2018 Yellow Book: A Summary of What You Need to Know
The U.S. Government Accountability Office (GAO) issued an update to Generally Accepted Government Auditing Standards (GAGAS) (http://www.gao.gov/yellowbook). GAGAS, commonly known as the “Yellow Book,” was created to provide a foundation for efficient and high-quality government audits. The requirements apply to some governmental organizations and other organizations that receive grants from the federal government, including higher education institutions and not-for-profit organizations. The revised version has been streamlined and rationalized to simplify the professionals’ process of finding relevant rules when performing research. The redesigned Yellow book also contains clarifying details that CPAs will find helpful and some significant new regulations that auditors undertaking audits under GAS should be aware of.
Watch our video below or read the article underneath to understand more!
The 2018 Yellow Book goes into effect for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits starting on or after July 1, 2019. Auditors should, however, take into account the independence provisions of the 2018 Yellow Book before the effective date because, when performing audits for periods before the new rules are in effect, auditors performing non-audit services for a financial statement audit will need to comply to the new independence requirements at the start of the audit period and be independent for the entire period to which the financial statements relate. Although it is not authorized to adopt the new requirements early, auditors may want to consider the new regulations when making decisions about the impact that non-audit services have on independence.
CPAs familiar with the Yellow Book’s format from 2011 will immediately recognize a significant difference in the 2018 edition. The chapters have been rearranged and realigned, and the 2018 Yellow Book’s chapters now include extra advice from the appendices of the 2011 Yellow Book or omitted if no longer relevant. The biggest and most significant improvement is that requirements are now presented in a box, followed by the proper application instructions.
The terms “must” and “should” are used in the new standards to distinguish between presumptively mandatory requirements and those that are unconditional. While “must” is self-explanatory, caution should be followed if an auditor decides not to perform a procedure described as something that “should” be done. According to the requirements, if an auditor sees the need to vary from a presumptively mandatory requirement, the auditor must document his explanation for the deviation and explain how the alternative audit processes carried out were sufficient to meet the requirement’s intent.
Non-audit Services and Independence
The most significant change to the standards relates to how auditors evaluate the nonaudit services they perform and whether the performance of those services creates significant threats that require safeguards to reduce those threats to an acceptable level. When nonaudit services are performed, an evaluation should be made to determine if the service creates a threat to independence. This evaluation should be documented and follow the existing GAS independence framework, which continues to be a part of the 2018 revised Yellow Book. To summarize the requirements of the independence framew ork, the first step is to identify any threats, including the performance of nonaudit services. The next step is for the auditor to evaluate the significance of the threat and consider the skills, knowledge, and experience of the persons at the entity charged with overseeing the service. If the threat is considered significant, then a safeguard must be implemented.
The new standards also make it clear that preparing financial statements in their entirety from a client-provided trial balance or underlying records is considered a significant threat to the auditors’ independence. While the AICPA’s 2011 Yellow Book Independence—Nonaudit Services Documentation Practice Aid provides several examples to help auditors use their judgment on whether the preparation of financial statements creates a significant threat to independence, the 2018 Yellow Book clearly takes that judgment away from the auditor by stating this type of service automatically creates a significant threat. Because of this, the author recommends that auditors who are still performing audits under the 2011 Yellow Book take into account the rules in the 2018 Yellow Book when determining whether the nonaudit service of preparing substantially all of the financial statements is a significant threat or not.
The standards clarify other nonaudit services frequently performed by auditors that automatically impair independence such that no safeguard could possibly be applied to eliminate this threat. In these cases, auditors must either refuse to perform the nonaudit service or resign from the audit. The following is a list of those services that automatically impair independence:
Other frequently performed nonaudit services that do not automatically impair independence should be evaluated to determine if they create significant threats. These services include the following:
Under the new standards, the most important factors in determining whether the nonaudit service should be considered a significant threat to independence are the extent to which the outcome of the service could have a material effect on the financial statements, the degree of subjectivity in determining amounts, and the extent of the audited entity’s involvement in determining significant matters of judgment.
The identification of a significant threat does not prohibit an auditor from performing an audit unless it is one of the prohibited services outlined above. In these circumstances, however, the auditor must implement a safeguard that will eliminate or reduce the treat to an acceptable level. Auditors should use judgment in deciding which safeguard will best eliminate or reduce the threat to an acceptable level. Common safeguards that have been known to be effective include the following:
The new standards include one important clarification: providing clerical assistance, such as typing, formatting, printing, and binding financial statements, is unlikely to be a significant threat. The nature of these services should, however, be evaluated and documented.
Required Competence and CPE
The other major impact of the new standards is the clarification on how continuing professional education (CPE) affects the competence auditors should have regarding skills, ability, and knowledge of specific GAS requirements. Those who were following the Yellow Book exposure draft should be aware that the proposed requirement to take four hours of GAS-specific CPE was not included in the finalized 2018 Yellow Book; instead, the standards state that obtaining CPE on specific GAS topics, particularly during years in which there are revisions to the standards, may assist auditors in maintaining the competence necessary to conduct GAS engagements. The standards also state that auditors assigned to an engagement must collectively possess competence for the engagement’s objectives and GAS before beginning work on the engagement.
The rules state that auditors who plan, direct, perform, and report on an engagement in accordance with GAS should develop their competency by completing 80 hours of CPE during every two-year period, with a minimum of 20 hours of CPE in each year of that period. Of those 80 hours, at least 24 hours of subject matter need to be directly related to the government environment, government auditing, or the specific environment in which the audited entity operates; the remaining 56 hours of subject matter should directly enhance professional expertise to conduct engagements. The new standards provide examples of topics that qualify under each of those categories. In addition, the audit organization should maintain documentation of each auditor’s CPE.
There are several exceptions and exemptions to these rules. If an auditor charges less than 20% of her time annually to engagements conducted in accordance with GAS and only performs procedures (i.e., does not plan, direct, or report), she is only required to meet the 24-hour requirement over the two-year period and is exempt from the 56-hour requirement. In addition, nonsupervisory auditors who charge less than 40 hours to GAS auditors are exempted from all CPE requirements.
The 2018 Yellow Book introduces a new concept referred to as “waste,” defined as “the act of using or expending resources carelessly, extravagantly, or for no purpose. Importantly, waste can include activities that do not include abuse and does not necessarily involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight.”
Waste is an expansion of the concept referred to as “abuse” in the 2011 Yellow Book. While auditors are not responsible for designing testing procedures to detect waste or abuse, they should understand that the discovery of either of these items may indicate that fraud or noncompliance could exist.
The 2018 Yellow Book adds standards for review engagements for the first time. It reflects the issuance of Statement on Standards for Attestation Engagements (SSAE) 18, Attestation Standards: Clarification and Recodification, and Statement on Standards for Accounting and Review Services (SSARS) 21, Statements on Standards for Accounting and Review Services: Clarification and Recodification.
Increased Scrutiny of GAS Audits
The 2018 Yellow Book offers professionals a new format with which to read and understand the rules. As audits under GAS continue to be highly scrutinized and receive increased attention during peer review, CPAs who perform these audits need to be familiar with the detailed rules or risk having problems in peer review or with licensing regulators. This article should provide a good start in guiding CPAs to the essential information they need to know.
How can firms prepare for these changes?
Firms must assess independence in terms of providing non-audit services during the period covered by the financial statements (or another subject of the engagement) as well as the duration of professional engagement, which includes the period covered by the financial statements. As a result, firms should consider whether they can implement safeguards to eliminate or minimize substantial threats to an appropriate level under the new guidelines. In some instances, non-audit services provided by the auditor to the audited entity before June 30, 2020, may have an influence on the auditor’s independence in the subsequent financial audit conducted in accordance with the 2018 standards. In these circumstances, auditors must abide by the relevant version by exercising professional judgment.
Auditors go to great lengths to record the measures in place to reduce the significant threat to a manageable level to continue offering the nonaudit service of aiding with financial statement preparation. To do your part as an auditee, it is your responsibility to identify the best and most appropriate individual within your organization with the skills, knowledge, and experience to review the financial statements and allocate the proper amount of time once the auditor has supplied the draft copies. Utilize the auditors’ financial statement checklist and the conversion journal entries to thoroughly examine the financial statements to ensure no significant misstatements. Lastly, arrange a time for you and your auditor to review the financial statement draft so that you can provide all of your concerns are addressed before you submit your report.
audits of a wide range of complexity