1. Going “GAGAS” for the GAO Yellow Book
FGFOA Annual Conference
Boca Raton, FL
June 24, 2013
Kristen A. Kociolek 1

2. Session Objectives Provide a general overview of the Yellow Book
Highlight areas revised in the 2011 Yellow Book, especially focusing on independence
Use of conceptual framework
Documentation requirements

3. Introduction: Yellow Book = “GAGAS”
GAGAS—Generally Accepted Government Auditing Standards
Broad statements of auditors’ responsibilities
An overall framework for ensuring that auditors have the competence, integrity, objectivity, and independence in planning, conducting, and reporting on their work
For financial audits and attestation engagements, incorporates and builds on the AICPA standards (SASs and SSAEs) 3

4. Primary Yellow Book Changes
Updated independence
Included a conceptual framework
Added documentation requirements
Additional documentation in independence
Focus on non-audit services
Focused on converging where practical
Incorporated clarified SASs
Fewer differences
Made several revisions to details of the performance audit chapters 4 4

5. The 2011 Yellow Book Applicability
Chapters 1, 2, and 3 apply to all GAGAS engagements
Chapter 1: Government Auditing: Foundation and Ethical Principles
Chapter 2: Standards for Use and Application of GAGAS
Chapter 3: General Standards
Chapter 4: Standards for Financial Audits – applies only to financial audits
Chapter 5: Standards for Attestation Engagements - applies only to attestation engagements 5 5

6. The 2011 Yellow Book Applicability (continued)
Chapters 6 and 7 apply only to performance audits
Chapter 6: Field Work Standards for Performance Audits
Chapter 7: Reporting Standards for Performance Audits
Appendix: Provides additional guidance (not requirements) for all GAGAS engagements
Interpretations: Available on the Yellow Book web page. Provide additional guidance (not requirements) for areas of particular interest or sensitivity. 6 6

7. 2011 Yellow Book Effective Dates
Effective for financial audit periods ending on or after December 15, 2012
Effective for attestation periods ending on or after December 15, 2012
Effective for performance audits starting on or after December 15, 2011
Independence may be impacted before the beginning of an engagement
Likely periods ending after December 15, 2012 (Chapter 4)

8. Chapter 1: Foundation and Ethical Principles
Provide a framework for conducting high quality audits with competence, integrity, objectivity, and independence
For use by auditors of government entities and entities that receive government awards 8 8 8

9. Chapter 2: Types of GAGAS Engagements
All audits begin with objectives, and those objectives determine the type of audit to be performed and the applicable standards to be followed.
The types of audits that are covered by GAGAS, as defined by their objectives, are classified in the Yellow Book as
financial audits,
attestation engagements, and
performance audits. 9 9 9

10. Chapter 2: Financial Audits
Financial audits provide an independent assessment of and reasonable assurance about whether an entity’s reported financial condition, results, and use of resources are presented fairly in accordance with recognized criteria
Financial audits performed under GAGAS include
Financial statement audits
Other types of financial audits 10

11. Chapter 2: Attestation Engagements
In addition to financial audits
Attestation engagements can cover a broad range of financial or non-financial objectives and may provide different levels of assurance about the subject matter or assertion depending on the users’ needs.
The three types of attestation engagements are:
Examination
Review
Agreed-Upon Procedures 11

12. Chapter 2: Performance Audits
Performance audits are defined as audits that provide findings or conclusions based on an evaluation of sufficient, appropriate evidence against criteria
Performance audits provide objective analysis to assist management and those charged with governance and oversight in using the information to
Improve program performance and operations
Reduce costs
Facilitate decision making, and
Contribute to public accountability

13. Chapter 2: Use of Terminology
Standardized language to define the auditor requirements
Consistent with SAS No. 102:
Must indicates an unconditional requirement
Should indicates a presumptively mandatory requirement
Text not using the above conventions is considered explanatory material
Interpretive publications are recommendations on the application of GAGAS specific circumstances

14. Chapter 2: Standards for the Use and Application of GAGAS
Clarified citing compliance with GAGAS
Determining appropriate GAGAS compliance statement is a matter of professional judgment
Departures from presumptively mandatory requirements
Using GAGAS with other standards 14

15. Chapter 3: General Standards
Independence
Conceptual framework
Provision of nonaudit services to auditees
Professional judgment
Competence
Technical knowledge
Continuing Professional Education
Quality Assurance
System of quality assurance
Peer review 15 15 15

16. Chapter 3: Independence
The following from the 2007 Yellow Book has been removed from the 2011 revision:
definition of independence in terms of personal, external, and organizational independence, and
the overarching principles that applied to assessing nonaudit services.
The 2011 revision
requires “independence of mind” and “independence in appearance” (para 3.03)
and establishes a risk-based conceptual framework within which to evaluate seven broad categories of “threats to independence.”
Independence of mind
The state of mind that permits the performance of an audit without being affected by influences that compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.
Independence in appearance
The absence of circumstances that would cause a reasonable and informed third party, having knowledge of the relevant information, to reasonably conclude that integrity, objectivity, or professional skepticism had been compromised. (audit organization or audit team, or an individual)

18. Chapter 3: Independence Timeframes
Impairment exists during
The period of the audit – usually the fiscal year
The professional engagement
usually starts with earlier of start of planning or engagement agreement.
usually ends on the last report date.
Depending on the circumstances, independence may be impacted beyond this timeframe.
Recurring engagement may mean that some activities or circumstances will always impair.

19. Chapter 3: Applying the Framework
New approach combines a conceptual framework with certain rules (prohibitions)
Balances principle and rules based standards
Serves as a hybrid framework
Certain prohibitions remain
Generally consistent with Rule 101 AICPA
Beyond a prohibition
Apply the conceptual framework
Will be used more often than AICPA 19 19

20. Chapter 3: Applying the Framework (continued)
Threats could impair independence
Do not necessarily result in an independence impairment
Safeguards could mitigate threats
Eliminate or reduce to an acceptable level

21. Chapter 3: Applying the Framework (continued)
Conceptual Framework:
Identify threats to independence
Evaluate the significance of the threats identified, both individually and in the aggregate
Apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level
Evaluate whether the safeguard is effective
Documentation Requirement:
Para 3.24: When threats are not at an acceptable level and require application of safeguards, auditors should document the safeguards applied.
The framework requires the auditor to assess the significance of threats
Threats related to nonaudit services often include
Management participation threat
Self review threat
Indicators of a significant threat include:
Level of services provided (aggregation assessment)
Significance to the audit objective
Basic understanding of the service enough to recognize material errors
Facts and circumstances that increase the perception that the auditor is working as part of management 21

22. GAGAS Conceptual Framework for Independence

23. Chapter 3: Categories of Threats
Management participation threat
Self-review threat
Bias threat
Familiarity threat
Undue influence threat
Self interest threat
Structural threat 23 23

24. Chapter 3: Examples of Safeguards
Reassign individual staff members who may have a threat to independence.
Have separate staff perform the non-audit and audit services.
Have professional staff from outside of the team review the work.
Use or consult with an independent third party.
Involve another audit organization.
Decline to do the requested scope of the non-audit service.

25. Chapter 3: Routine Audit Services and Nonaudit Services
Routine audit services pertain directly to the audit and include:
Providing advice related to an accounting matter
Researching and responding to an audited entity’s technical questions
Providing advice on routine business matters
Educating the audited entity on technical matters
Other services not directly related to the audit are considered nonaudit services 25

26. Chapter 3: Routine Audit Services and Nonaudit Services (continued)
Services that are considered nonaudit services include:
Financial statement preparation
Bookkeeping services
Cash to accrual conversions (a form of bookkeeping)
Other services not directly related to the audit
Unless specifically prohibited, nonaudit services MAY be permissible but should be documented
In relation to the conceptual framework
In relation to the auditor’s assessment of managements’ skill, knowledge or experience 26

27. Chapter 3: Prohibited Nonaudit Services
Management Responsibilities:
setting policies and strategic direction for the audited entity;
directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities;
having custody of an audited entity’s assets;
reporting to those charged with governance on behalf of management;
deciding which of the auditor’s or outside third party’s recommendations to implement;
accepting responsibility for the management of an audited entity’s project;
Sometime during the discussion of prohibited nonaudit services, discuss mandates that government organizations may have that would also be considered an independence impairment – how should they handle those

28. Chapter 3:Prohibited Nonaudit Services (continued)
Management Responsibilities (cont):
accepting responsibility for designing, implementing, or maintaining internal control;
providing services that are intended to be used as management’s primary basis for making decisions that are significant to the subject matter of the audit;
developing an audited entity’s performance measurement system when that system is material or significant to the subject matter of the audit; and
serving as a voting member of an audited entity’s management committee or board of directors.
In addition to explaining what auditors cannot do, give examples of what they can do. For example, auditors are often requested to design or “approve” an agency’s internal controls. Although auditors cannot do exactly that, they can provide advice on what constitutes a good internal control, leaving it up to the agency to actually design and implement it.
Explain the term, “subject matter of the audit.” This phrase confuses some auditors if they are not conducting an audit of that specific function and do not have plans to audit it in the immediate future. The confusion is more likely to be among performance auditors in local governments who have broad audit authority – is there a “cooling off” period, or should they always say no if there is a future possibility of auditing that subject matter even if there are no immediate plans to do so.
Mention that auditors cannot sit on interview panels that make recommendations for hiring decisions in departments they audit and that staff in departments they audit should not sit on the auditors’ interview panels. Provide other examples of management committees or boards that auditors should not participate in, or if they do, what the limits of their roles should be (e.g., retirement board, ethics committee).

29. Chapter 3: Prohibited Nonaudit Services (continued)
Design or develop an IT system that would be subject to or part of an audit.
Make significant modifications to an IT system’s source code.
Operate or supervise an IT system.
Internal Controls
May not provide ongoing monitoring services.
May not design the system of internal controls and then assess its effectiveness.
Full list of prohibited services: para 3.36 and para – 3.58
Since auditors are often asked to help during the design and implementation phases of IT systems, explain the type of services they can provide (e.g., advice on the types of controls the system should have; testing to make sure the implemented controls are working)
Explain that the auditor may, however, perform monitoring services that are part of audit work (e.g., continuous auditing)

30. Chapter 3: Nonaudit Services Commonly Requested of Government Auditors
Signing off on an agency’s policies and procedures
Establishing a strategic plan for an agency
Determining the priority for implementing audit recommendations
Participating in human capital decisions for key government staff
Participating in committees as a voting member
But these are not allowed
Again, reiterate that auditors may not be members of interview panels of agencies they audit when that role would involve scoring, ranking, and/or making recommendations in any manner about a candidate

31. Chapter 3: Nonaudit Services
1. Determine if there is a specific prohibition. Unless specifically prohibited, nonaudit services MAY be permitted but should be documented. 2. If not prohibited, assess the nonaudit service’s impact on independence using the conceptual framework. 3. If the auditor assesses any identified threat to independence as higher than insignificant, assess the sufficiency of audited entity management’s skill, knowledge, and experience to oversee the nonaudit service. And…

32. Chapter 3: Nonaudit Services (continued)
4. If the auditor concludes that performance of the nonaudit service will not impair independence, document assessments in relation to both:
safeguards applied in accordance with the conceptual framework and
the auditor’s assessment of sufficiency of audited entity managements’ skill, knowledge or experience to oversee the nonaudit service (paragraph 3.34).

33. Chapter 3: Preconditions to Performing Nonaudit Services
Management should take responsibility for nonaudit services performed by the auditors
Auditors should document (GAGAS and AICPA) their understanding with management regarding the nonaudit service
Auditors should assess (AICPA) and document (GAGAS) whether management possesses suitable skill, knowledge, or experience to oversee the nonaudit service 33

34. Chapter 3: Assessing Management’s Skill, Knowledge, or Experience
Factors to document include management’s:
Understanding of the nature of the service
Knowledge of the audited entity’s mission and operations
General business knowledge
Education
Position at the audited entity
Some factors may be given more weight than others
GAGAS does not require that management have the ability to perform or reperform the service 34

35. Chapter 3: Sufficiency of Skills, Knowledge and Experience
Sufficient skills, knowledge and experience may be judged in part based on:
Ability of the identified client personnel to identify material errors or misstatements in a non audit service work product
Ability of the client to sufficient background to understand the nature and results of the audit service
Ability of management to take responsibility and understand the work
Client prepared material in poor condition may indicate the client is not capable of taking responsibility for the service. Significant audit findings and adjustments may also be indicative of this issue.

36. Chapter 3: Bookkeeping Services
May be performed provided the auditor does not
Determine or change journal entries, account codings or classifications for transactions, or other accounting records without obtaining client approval
Authorize or approve transactions
Prepare source documents
Make changes to source documents without client approval
Consistent with AICPA ET 101-3

37. Chapter 3: Financial Statement Preparation
Auditors may prepare financial statements
Considered by GAGAS a nonaudit service
Must apply the conceptual framework
Two additional documentation requirements
Document application of safeguards
Document assessment of management’s skill, knowledge or expertise 37

38. Chapter 3: Assessing Significance for Bookkeeping and Financial Statement Preparation
Relative significance is a continuum
Indicators of significant threats for bookkeeping and financial statement preparation may include:
Financial statement preparation with other non-audit services such bookkeeping or cash to accrual conversions
Condition of client prepared books and records
Level of anticipated “correction” or adjustments to client prepared schedules and documents
Condition of the general ledger/trial balance
Less significant may be:
Purely mechanical calculations

39. Chapter 3: Independence Documentation Requirements
Para 3.59 summarizes documentation requirements for independence:
Threats that require the application of safeguards along with the safeguards applied (3.24)
Safeguards in place if an audit organization is structurally located within a government entity (3.30)
Consideration of sufficiency of audited entity management’s skill, knowledge, and experience to take responsibility for and effectively oversee the nonaudit services (3.34)
The auditor’s understanding with an audited entity regarding nonaudit services to be provided (3.39)
3.30 – e.g., Auditor-Controller functions, which are mandated in certain jurisdictions

40. Case Study #1
Can ABC Audit Firm prepare the financial statements of We Help People (WHP), a not-for-profit organization, and remain independent under the AICPA and Yellow Book Standards?
Yes No
Maybe

41. Case Study #1 (continued)
ABC has proposed in excess of 50 adjusting entries to correct WHP financial statements. Is ABC independent with respect to WHP?
Yes No
Maybe

42. Case Study #1 (continued)
ABC has also identified the following issues:
WHP’s trial balance is not in balance
The balance sheet has account balances that appear to be materially wrong—assets with credit balances and liabilities with debit balances
Bank reconciliations are materially different thafrom the trial balance
ABC has been asked by WHP to do whatever necessary to get the books in order to complete the audit. ABC can take on this role:
Yes No

43. Chapter 3: Continuing Professional Education (CPE)
No revision to overall requirements:
Minimum of 24 hours of CPE every 2 years
Government
Specific or unique environment
Auditing standards and applicable accounting principles
Additional 56 hours of CPE for auditors involved in
Planning, directing, or reporting on GAGAS assignments; or
Charge 20 percent or more of time annually to GAGAS assignments
Minimum of 20 hours of CPE each year 43 43 43

44. Chapter 3: Competence CPE requirements for external specialists:
External specialists are not required to meet GAGAS CPE requirements, but should be qualified and maintain professional competence 44

45. Chapter 3: Competence (continued)
CPE requirements for internal specialists:
Internal specialists serving as auditors are subject to all CPE requirements
Specialized CPE count towards the required 24 hours
Internal consulting specialists are not required to meet GAGAS CPE requirements, but should be qualified and maintain professional competence 45

46. Chapter 3: Quality Control and Assurance
Each audit organization performing audits or attestation engagements in accordance with GAGAS must:
establish a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and
have an external peer review at least once every 3 years.

47. Chapter 3: System of Quality Control
Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel.
Added a requirement that the quality control policies and procedures collectively address:
Leadership responsibilities for quality within the audit organization
Independence, legal, and ethical requirements
Initiation, acceptance, and continuance of audit and attestation engagements
Human resources
Audit and attestation engagement performance, documentation, and reporting
Monitoring of quality

48. Chapter 3: Changes to Quality Control Monitoring Procedures
Audit organizations should analyze and summarize, in writing, the results of monitoring procedures at least annually:
Include identification of any systemic issues needing improvement
Include recommendations for corrective action
Communicate deficiencies noted to appropriate personnel and make recommendations for remedial action

49. Chapter 3: Changes Related to Peer Reviews
The peer review team uses professional judgment in deciding the type of peer review report. The following are the types of peer review reports:
Peer review rating of pass
Peer review rating of pass with deficiencies
Peer review rating of fail 49 49

50. Chapter 3: External Peer Reviews
Transparency of peer review
Audit organization should make the most recent peer review report publicly available
Audit organizations seeking to enter into a contract to perform an audit in accordance with GAGAS should provide a a copy of the most recent peer review report and any subsequent peer review reports received during the period of the contract
Auditors who are using another audit organization’s’work should request a copy of the audit organization’s latest peer review report. 50

51. Chapter 4: Financial Audits- Overall Changes
Considered Clarity Project conventions
Streamlined language to harmonize with AICPA
Clarified additive requirements
Combined 2007 GAGAS chapters 4 and 5 into one chapter (2011 GAGAS chapter 4)
No new requirements were added for financial audits and attestation engagements
Additional requirements relate to
Reporting auditors’ compliance with GAGAS
Reporting on internal control, compliance with provisions of laws, regulations, contracts, and grant agreements
Communicating deficiencies in internal control, fraud, noncompliance with provisions of laws, regulations, contracts, and grant agreements, and abuse
Reporting views of responsible officials
Reporting confidential or sensitive information
Distributing reports 51 51

52. Chapter 4: Special Considerations for Government Engagements
Applying certain AICPA standards
Materiality
Early communication of deficiencies (SAS No. 115)
Highlighted considerations for applying certain AICPA standards in a GAGAS financial audit
Materiality
Auditors may find it appropriate to use a lower materiality level in a governmental environment
Early communication of control deficiencies in a GAGAS financial audit
For some matters, early communication is important because of significance and the urgency of corrective action
May communicate orally to management, and when appropriate those charged with governance, so timely remedial action can be taken to minimize risk of material misstatement 52 52

53. Describe the purpose of the communication, and
Chapter 4: Financial Audits: SAS 125 Alert That Restricts the Use of the Auditor’s Written Communication
SAS 125 makes a special provision for the GAGAS report on internal control over financial reporting and compliance.
Don’t use the communication required for other audits. Instead, the alert should:
Describe the purpose of the communication, and
State that the communication is not suitable for any other purpose. 53

54. Chapter 4: SAS 125: Sample Language for GAGAS Report on ICFR and Compliance
“The purpose of this report is solely to describe the scope of our testing of internal control over financial reporting and compliance, and the results of that testing, and not to provide an opinion on the effectiveness of the entity’s internal control over financial reporting or on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the entity’s internal control over financial reporting and compliance. Accordingly, this report is not suitable for any other purpose.” 54

55. Chapter 5: Attestation Engagements
Separated attest requirements
Examination
Review
Agreed-Upon Procedures
Update considerations
Identified practice issue
Clarified distinctions between engagement types
Emphasized AICPA reporting requirements
The additional requirements for government auditing relate to:
a. auditor communication;
b. previous audits and attestation engagements
c. fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that could have a material effect on the subject matter or an assertion about the subject matter
d. developing elements of a finding; and
e. attest documentation.[1]
[1] See paragraphs 5.06 through 5.23 for additional discussion of 5.05 a-e.

56. Chapter 5: Attestation Engagements (continued)
Within each section, emphasized
Citing compliance with GAGAS
Required elements of AICPA reporting
Communicating the services to be performed
The additional requirements for government auditing relate to:
a. auditor communication;
b. previous audits and attestation engagements
c. fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that could have a material effect on the subject matter or an assertion about the subject matter
d. developing elements of a finding; and
e. attest documentation.[1]
[1] See paragraphs 5.06 through 5.23 for additional discussion of 5.05 a-e. 56 56

57. Chapter 6: Field Work Standards for Performance Audits
Guidance for conducting performance audits, including
Planning the audit
Supervising staff
Obtaining sufficient, appropriate evidence
Preparing audit documentation
Criteria:
Represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated.
Examples of criteria:
purpose or goals prescribed by law or regulation or set by officials of the audited entity,
policies and procedures established by officials of the audited entity,
technically developed standards or norms,
expert opinions
More examples of criteria:
prior periods’ performance,
defined business practices,
contract or grant terms, and
performance of other entities or sectors used as defined benchmarks.

58. Chapter 6: Overall Framework for Performance Audits
Level of assurance associated with a performance audit
Provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions
Concept of significance
Defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors
Audit risk
Defined as the possibility that the auditor’s findings, conclusions, recommendations, or assurance may be improper or incomplete
Significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. Such factors include the magnitude of the matter in relation to the subject matter of the audit, the nature and effect of the matter, the relevance of the matter, the needs and interests of an objective third party with knowledge of relevant information, and the impact of the matter to the audited program or activity.
Audit risk is the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete, as a result of factors such as
evidence that is not sufficient and/or appropriate,
an inadequate audit process, or
intentional omissions or misleading information due to misrepresentation or fraud.

59. Chapter 6: Planning for Performance Audits
Auditors must adequately plan and document the planning of the work necessary to address the audit objectives
Auditors should assess audit risk and significance by gaining an understanding of:
Nature and profile of the program and user needs
Internal control
Information systems controls
Legal and regulatory requirements, contract provisions or grant agreements, fraud, or abuse
Previous audits
Auditors should prepare a written audit plan
Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions
Information systems controls for the purpose of assessing audit risk and planning the audit
Consist of those internal controls that are dependent on information systems processing
Include general controls and application controls
Are significant to the audit objectives if auditors determine that it is necessary to evaluate the effectiveness of information system controls in order to obtain sufficient, appropriate evidence
If significant, auditors should evaluate the design and operating effectiveness of such controls by performing audit procedures
Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements
Auditors should determine which laws, regulations, and provisions of contracts or grant agreements are significant within the context of the audit objectives and assess the risk that violations of those laws, regulations, and provisions of contracts or grant agreements could occur
Auditors should design and perform procedures to provide reasonable assurance of detecting instances of violations of legal and regulatory requirements or violations of provisions of contracts or grant agreements that are significant within the context of the audit objectives
Auditors should obtain an understanding of internal control that is significant within the context of the audit objectives.
For those internal controls that are significant within the context of the audit objectives, auditors should:
assess whether the internal controls have been properly designed and implemented.
plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls.

60. Chapters 6: Audit Risk Considerations for Performance Audits
Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions

61. Chapters 6: Fraud Considerations for Performance Audits
In planning the audit, auditors should assess risks of fraud occurring that is significant within the context of the audit objectives
Auditors should
Discuss fraud risks among the audit team
Gather and assess information to identify risk of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions
When auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud

62. Chapters 6: Abuse Considerations for Performance Audits
If auditors become aware of indications of abuse that could be quantitatively or qualitatively significant to the program under audit, auditors should apply audit procedures specifically directed to ascertain
The potential effect on the program under audit within the context of the audit objectives
However, because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse
After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts

63. Chapter 6: Sufficient, Appropriate Evidence
Appropriateness is defined as a measure of quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions.
Sufficiency is defined as a measure of quantity of evidence used for addressing the audit objectives and supporting findings and conclusions.

64. Chapter 6: Technical Changes
The definition of validity as an aspect of the quality of evidence has been revised:
the extent to which evidence is a meaningful or reasonable basis for measuring what is being evaluated. In other words, validity refers to the extent to which evidence represents what it is purported to represent. (6.60b)
The assessment the sufficiency and appropriateness of computer-processed information includes considerations regarding the completeness and accuracy of the data for the intended purposes. (6.66) (For additional guidance, see GAO publication, Assessing the Reliability of Computer-Processed Data)
Old definition of validity: the extent to which evidence is based on sound reasoning or accurate information

65. Chapter 6: Overall Assessment
Overall assessment of the collective evidence to support the findings and conclusions
Assessment of evidence depends on the nature of the evidence, how it is used, and the audit objectives
Evidence is sufficient and appropriate when it provides a reasonable basis for supporting the findings or conclusions within the context of the audit objectives
Evidence is not sufficient and appropriate when it
Carries an unacceptably high risk that it could lead to an incorrect or improper conclusion
Has significant limitations
Does not provide an adequate basis for addressing the audit objectives or supporting the findings and conclusions
Elements needed depend on audit objectives.
Findings are complete to the extent the audit objectives are addressed.
Auditors should plan and perform procedures to develop the elements of a finding necessary to address the audit objectives:
Criteria
Condition
Cause
Effect or potential effect

66. Chapter 6: Documentation for Performance Audits
Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit.
Auditors should document the following:
the objectives, scope, and methodology of the audit
the work performed to support significant judgments and conclusions
evidence of supervisory review, before the audit report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the audit report

67. Chapter 7: Reporting Standards for Performance Audits
Guidance for reporting on performance audits, including
Reporting Form
Report Contents
Distributing Reports
Distribution of reports depends on
The relationship of the auditors to the audited organization
The nature of the information contained in the report
GAGAS establishes different requirements for
Government audit organizations (external)
Internal audit organizations in government
Public accounting firms

68. Chapter 7: Report Contents
Auditors should prepare audit reports that contain
Objectives, scope, and methodology of the audit
Audit results, including findings, conclusions, and recommendations, as appropriate
Statement about the auditors’ compliance with GAGAS
Summary of the views of responsible officials
Nature of any confidential or sensitive information omitted
Auditors should
obtain and report views of responsible officials concerning findings, conclusions, recommendations, and planned corrective actions
include in report an evaluation of the comments, as appropriate
If the audited entity does not provide comments, auditors may issue the report and indicate that the audited entity did not provide comments.
This requirement applies to all performance audit reports and to financial audit reports that disclose deficiencies in internal control, fraud, illegal acts, violations of provisions of contacts or grant agreements, or abuse.
If certain information is excluded from the auditors’ report, auditors
should disclose that certain information has been omitted and the reason for the omission
may issue a separate report and distribute it to only persons authorized to receive it
When audit organizations are subject to public records laws, auditors should determine
impact of such laws on the availability of the separate report
whether other means of communicating would be more appropriate

69. Chapter 7: Technical Changes
The fraud reporting requirement is now limited to occurrences that are significant within the context of the audit objectives (7.21), with a requirement to communicate in writing other instances of fraud that warrant the attention of those charged with governance. (7.22)
Early communication of deficiencies has been added as a consideration auditors may follow in the course of the performance audit. (6.78)
Previous fraud reporting requirement
--when auditors conclude, based on sufficient, appropriate evidence, that fraud either has occurred or is likely to have occurred, they should report the matter as a finding.
Detection responsibility still the same - must still design the audit to provide reasonable assurance of detecting fraud within the context of the audit objectives.

70. Chapter 7: Citing Compliance in the Audit Report
GAGAS statement in audit report
When auditors comply with all applicable GAGAS requirements, they should use the following language in the report:
“We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.”

71. Appendix: Supplemental Guidance
Added an appendix to provide supplemental guidance to assist auditors in the implementation of GAGAS
Does not establish additional GAGAS requirements
Overall supplemental guidance includes examples of
Deficiencies in internal control
Abuse
Fraud Risk
Overall guidance includes guidance on determining whether laws, regulations, or provisions of contracts are significant

72. Where to Find the Yellow Book
The Yellow Book is available on GAO’s website at:
For technical assistance, contact us at
(202) 72

73. Standards for Internal Control in the Government
Standards for Internal Control in the Federal Government
Standards for Internal Control in the Government
Going Green

74. Reasons for Green Book Revision
Last issued in November 1999
Adapt to a more global, complex, and technological landscape
Maintain relevancy to changing standards
Harmonize federal standards with the updated Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework

75. What’s in Green Book for State and Local Governments?
May be an acceptable framework for internal control on the state and local government level under proposed OMB Uniform Guidance for Federal Awards
Written for government
Leverages the COSO Framework
Uses government terms

76. What’s in Green Book for Management and Auditors?
Provides a framework for management
Provides criteria for auditors
Can be used in conjunction with other standards, e.g. Yellow Book

77. The Yellow Book: Framework for Audits
Findings are composed of
Condition (What is)
Criteria (What should be)
Cause
Effect (Result)
Recommendation (as applicable)

78. Linkage Between Criteria (Yellow Book) and Internal Control (Green Book)
Green Book provides criteria for the design, implementation, and operating effectiveness of an effective internal control system

79. The Yellow Book: Framework for Audits
Findings are composed of
Condition (What is)
Criteria (What should be)
Cause
Effect (Result)
Recommendation (as applicable)

80. Linkage Between Findings (Yellow Book) and Internal Control (Green Book)
Findings may have causes that relate to internal control deficiencies

81. Green Book and Yellow Book
Can be used by management to understand requirements
Can be used by auditors to understand criteria
Management: Requirements of internal control compliance and the standards to which they are being held when being audited.
Auditors: What to use to evaluate management and how to evaluate management.

82. Where to Find the Green Book
Once exposed, the Green Book will be on GAO’s website at:
For technical assistance, contact us at: 82

83. Questions?