Yellow Book Independence: When Should You Apply Safeguards?

Safeguards are to be applied when significant independence threats are present

When I was a kid living in Donalsonville, Georgia, my mother would drive into our open garage, leave the keys in the ignition (where they remained for the evening), and then would walk into our home (which had not been locked all day).

Over time, I noticed that she left the keys in the car less and less, and we began to lock the doors of our home. At one point we even bought deadlocks.

Why?

It seems our neighbors were, from time to time, having small thefts, and one even had a burglar in the home as they returned one afternoon.

My parents were responding to risks. The greater the thefts and burglaries, the greater the safeguards.

Safeguards Required by Yellow Book

Whenever an external auditor performs nonattest services (e.g., preparation of financial statements), then the auditor should consider whether the nonattest service adversely affects his independence.

The Government Auditing Standards (known as the Yellow Book) requires that safeguards be applied whenever independence threats are significant – but only if they are significant – in order to eliminate or reduce such threats to an acceptable level.

Yellow Book Independence Safeguards

Examples of safeguards that may eliminate or reduce significant threats to an acceptable level include the following:

  • Discussing independence issues with those charged with governance of the entity
  • Assigning separate engagement personnel for the audit and nonaudit service
  • Obtaining secondary reviews of the nonaudit services by professional personnel who were not members of the audit engagement team (e.g., second partner review of financial statements prepared by the external audit firm)
  • Discussing the significance of the threats to management participation or self-review with the engagement team and emphasizing the risks associated with such threats
  • Educating management on the nonaudit services performed by reviewing and explaining the reason and basis for all significant transactions, as well as authoritative standards, so that management is in a position to determine or approve all assumptions and judgments and take responsibility for the nonaudit services
  • When financial statement preparation is the nonaudit service being performed, determining that there has been review of the financial statements and successful completion of a disclosure checklist by the audited entity

Not all safeguards listed would be appropriate for all significant threats identified and, often, may require combinations of more than one safeguard. When determining the type and number of safeguards to be applied, the auditor should consider the significance of the threats, both individually and in the aggregate.

Some safeguards mitigate threats more than others. Also, safeguards that involve personnel who are independent of the audit process are generally more effective than those that do not.

Determining which safeguards to apply involves professional judgment and is dependent on the facts and circumstances of each specific situation.

Prohibited Services

Finally, remember that safeguards cannot be used to ameliorate risk related to prohibited services (e.g., the external audit firm signs checks for the client); if the external auditor performs prohibited services, then safeguards cannot remedy the lack of independence. Examples of prohibited services follow:

  • Setting policies and the strategic direction for the audited entity
  • Directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities
  • Having custody of an audited entity’s assets
  • Accepting responsibility for designing, implementing, or maintaining internal control

Preparing Financial Statements

If you are an external auditor that also prepares the client’s financial statements (a nonattest service), see my post concerning Yellow Book independence.

Yellow Book CPE Requirements – A Summary

What are the requirements for Yellow Book continuing professional education (CPE)?

Below we will address (1) who is subject to the Yellow Book CPE requirements and (2) what CPE classes satisfy those requirements.

Yellow Book CPE Overview

First realize there are two rules:

  1. The 80-hour rule (every two years)
  2. The 24-hour rule (every two years)

Then you must answer:

  1. Who is subject to each rule?
  2. What classes qualify for each rule?

The 24-Hour Rule – Who is Subject?

The answer: each auditor performing work on a Yellow Book audit; if as an auditor you work on the engagement, you are subject to this rule. If your audit report contains a Yellow Book report (usually located just after the notes to the financial statements), then that engagement is subject to generally accepted government auditing standards (GAGAS).

The 80-Hour Rule – Who is Subject?

The answer: Auditors who are involved in any amount of:

1. Planning,
2. Directing, or
3. Reporting on GAGAS assignments
and
4. Those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments.

I interpret 1., 2. and 3. as mainly partners, managers, and in-charges. 4. relates to staff who support the audit.

So a staff person that does not meet the criteria in 4., but still works on a Yellow Book engagement must still satisfy the 24-hour rule (but not the 80-hour rule).

What Classes Qualify?

The Yellow Book states, “Determining what subjects are appropriate for individual auditors to satisfy both the 80-hour and the 24-hour requirements is a matter of professional judgment to be exercised by auditors in consultation with appropriate officials in their audit organizations.”

First, we see that there is judgment in what qualifies (no bright yellow lines). But there are differences between the 80-hour rule and the 24-hour rule; otherwise, there would be only one category.

The 80-Hour Rule – Classes that Qualify

The 80-hour rule is broad (encompassing any CPE that enhances the auditor’s professional proficiency); so, for example, CPE classes about writing skills or using Excel would qualify. (Taxation CPE usually does not qualify unless the class addresses audit-related issues. For example, a 1040 tax class does not qualify.)

For those subject to the 80-hour rule, at least 20 hours of CPE should be taken in each year of the two-year period; a total of 80 hours is to be taken in the two-year period.

The 24-Hour Rule – Classes that Qualify

Each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.

The 24-hour rule is specific to:
(1) Government auditing,
(2) The government environment, or
(3) The specific or unique environment in which the audited entity operates.

Government Auditing

Classes directly related to standards used in governmental auditing qualify; since GAGAS incorporates the AICPA statements on auditing standards (SASs) for field work and reporting, then audit classes that include a study of the SASs as they relate to the audit of your governmental entity would qualify. The same is true of pronouncements issued by the FASB. Single Audit classes also obviously qualify.

Government Environment

CPE dealing with Governmental Accounting Standards (GASB pronouncements) will qualify for the 24-hour rule since the class focuses on accounting standards in the government environment.

If you audit a county or a city, then most any CPE dealing with GASB pronouncements or governmental issues (e.g., sales taxes) will satisfy the 24-hour rule; also classes dealing with compliance with laws and regulations qualify.

Classes addressing economic conditions, fiscal trends, and pressures facing the governmental entity qualify.

Specific or Unique Environment in Which the Audited Entity Operates

Suppose you audit electric membership corporations (EMCs) subject to the Yellow Book; a CPE class about electrical supply grids qualifies. Or if you audit banks subject to Yellow Book requirements (e.g., FHA loans), then a CPE class dealing with lending qualifies. These classes address issues in the unique environment in which the audited entity operates.

Two-Year Cycle

An audit organization can adopt a standard 2-year period for all of its auditors to simplify administration of the CPE requirements.

Carryover Credit

Auditors are not allowed to carry over hours taken in excess of the 24-hour or 80-hour rule to the next reporting period.

Proration of Hours for New-Hires (or Those Newly Assigned to a Yellow Book Audit)

You will prorate the hourly requirements based on the remaining 6-month intervals in your two-year reporting period. For example, you hire someone on May 1, 2013 and your two-year cycle ends December 31, 2013. There is only one remaining 6-month period. If you are subject to the 24-hour rule, then you will multiply 25% (one six-month period divided by the four six-month periods in the two-year cycle) times 24 to compute the hours required: 6 hours.

GAO Guidance

See the April 2005 GAO publication: Government Auditing Standards, Guidance on GAGAS Requirements for Continuing Professional Education.

The Three-Day Audit

My old friend Rhett Harrell used to say, “if you had only three days to perform an audit, what would you do?” His rhetorical question was designed to make me think about efficiency. We all know an audit cannot be done in three days, but with that thought in mind, here’s an idea that may help.


Prior Year Audit Entries as a Risk Map

If you audit smaller entities where you ordinarily make 10, 20 – and sometimes even more – journal entries, consider the following. (This bit of thinking will not work for companies that customarily have one or two audit entries each year, as is the case with companies that have highly trained accounting personnel.)

I have noticed that for smaller entities, I usually make the same journal entries year after year – often with little variation (provided the entity has the same accountants). This seems particularly true of small governments and nonprofits.

If our goal is to determine that the financial statements are materially correct (and it is), then using the summary of prior year audit entries as a map will often – in audits of smaller entities – lead you to areas that need the most attention.

Here’s a sample work paper.

Summary of Prior Year Audit Entries For Last Five Years

Summarize the largest audit journal entries for the last five years.

Current year materiality = $225,000
| Type of Adjustment | Number of Times Entry Made During Last Five Years | Average Audit Adjustment |
| --- | --- | --- |
| Accounts Payable | 2 | $45,252 |
| Allowance for Uncollectible Accounts | 4 | $175,122 |
| Inventory Obsolescence | 2 | $55,000 |
| Interest Rate Swap Adjustment to Fair Value | 5 | $185,777 |

This work paper points out higher risk areas, at least historically. As I previously stated, when you have the same accountants, history often repeats itself. I find that once I address these areas, the financial statements are often materially correct.

Your Efficiency Idea

What idea helps you be most efficient?

One Additional Thought

If your audit firm makes numerous audit journal entries and you prepare the financial statements, consider your independence – especially for Yellow Book engagements. A large number of journal entries may indicate that management does not have the requisite skill, knowledge, and experience for the audit firm to be independent.