When I was a kid living in Donalsonville, Georgia, my mother would drive into our open garage, leave the keys in the ignition (where they remained for the evening), and then would walk into our home (which had not been locked all day).
Over time, I noticed that she left the keys in the car less and less, and we began to lock the doors of our home. At one point we even bought deadlocks.
It seems our neighbors were, from time to time, having small thefts, and one even had a burglar in the home as they returned one afternoon.
My parents were responding to risks. The greater the thefts and burglaries, the greater the safeguards.
Safeguards Required by Yellow Book
Whenever an external auditor performs nonattest services (e.g., preparation of financial statements), then the auditor should consider whether the nonattest service adversely affects his independence.
The Government Auditing Standards (known as the Yellow Book) requires that safeguards be applied whenever independence threats are significant – but only if they are significant – in order to eliminate or reduce such threats to an acceptable level.
Yellow Book Independence Safeguards
Examples of safeguards that may eliminate or reduce significant threats to an acceptable level include the following:
- Discussing independence issues with those charged with governance of the entity
- Assigning separate engagement personnel for the audit and nonaudit service
- Obtaining secondary reviews of the nonaudit services by professional personnel who were not members of the audit engagement team (e.g., second partner review of financial statements prepared by the external audit firm)
- Discussing the significance of the threats to management participation or self-review with the engagement team and emphasizing the risks associated with such threats
- Educating management on the nonaudit services performed by reviewing and explaining the reason and basis for all significant transactions, as well as authoritative standards, so that management is in a position to determine or approve all assumptions and judgments and take responsibility for the nonaudit services
- When financial statement preparation is the nonaudit service being performed, determining that there has been review of the financial statements and successful completion of a disclosure checklist by the audited entity
Not all safeguards listed would be appropriate for all significant threats identified and, often, may require combinations of more than one safeguard. When determining the type and number of safeguards to be applied, the auditor should consider the significance of the threats, both individually and in the aggregate.
Some safeguards have a higher level of mitigation of threats than others. Also safeguards that involve personnel who are independent of the audit process are generally more effective than those who are not independent.
Determining which safeguards to apply involves professional judgment and is dependent on the facts and circumstances of each specific situation.
Finally remember that safeguards cannot be used to ameliorate risk related to prohibited services (e.g., the external audit firm signs checks for the client); if the external auditor performs prohibited services, then safeguards cannot remedy the lack of independence. Examples of prohibited services follow:
- Setting policies and the strategic direction for the audited entity
- Directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities
- Having custody of an audited entity’s assets
- Accepting responsibility for designing, implementing, or maintaining internal control