Yellow Book Independence: When Should You Apply Safeguards?

Safeguards are to be applied when significant independence threats are present

When I was a kid living in Donalsonville, Georgia, my mother would drive into our open garage, leave the keys in the ignition (where they remained for the evening), and then would walk into our home (which had not been locked all day).

Over time, I noticed that she left the keys in the car less and less, and we began to lock the doors of our home. At one point we even bought deadlocks.

Why?

It seems our neighbors were, from time to time, having small thefts, and one even had a burglar in the home as they returned one afternoon.

My parents were responding to risks. The greater the thefts and burglaries, the greater the safeguards.

Safeguards Required by Yellow Book

Whenever an external auditor performs nonattest services (e.g., preparation of financial statements), then the auditor should consider whether the nonattest service adversely affects his independence.

The Government Auditing Standards (known as the Yellow Book) requires that safeguards be applied whenever independence threats are significant – but only if they are significant – in order to eliminate or reduce such threats to an acceptable level.

Yellow Book Independence Safeguards


Examples of safeguards that may eliminate or reduce significant threats to an acceptable level include the following:

  • Discussing independence issues with those charged with governance of the entity
  • Assigning separate engagement personnel for the audit and nonaudit service
  • Obtaining secondary reviews of the nonaudit services by professional personnel who were not members of the audit engagement team (e.g., second partner review of financial statements prepared by the external audit firm)
  • Discussing the significance of the threats to management participation or self-review with the engagement team and emphasizing the risks associated with such threats
  • Educating management on the nonaudit services performed by reviewing and explaining the reason and basis for all significant transactions, as well as authoritative standards, so that management is in a position to determine or approve all assumptions and judgments and take responsibility for the nonaudit services
  • When financial statement preparation is the nonaudit service being performed, determining that there has been review of the financial statements and successful completion of a disclosure checklist by the audited entity

Not all safeguards listed would be appropriate for all significant threats identified, and a threat may often require a combination of more than one safeguard. When determining the type and number of safeguards to be applied, the auditor should consider the significance of the threats, both individually and in the aggregate.

Some safeguards have a higher level of mitigation of threats than others. Also, safeguards that involve personnel who are independent of the audit process are generally more effective than those that do not.

Determining which safeguards to apply involves professional judgment and is dependent on the facts and circumstances of each specific situation.

Prohibited Services

Finally, remember that safeguards cannot be used to ameliorate risk related to prohibited services (e.g., the external audit firm signs checks for the client); if the external auditor performs prohibited services, then safeguards cannot remedy the lack of independence. Examples of prohibited services follow:

  • Setting policies and the strategic direction for the audited entity
  • Directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities
  • Having custody of an audited entity’s assets
  • Accepting responsibility for designing, implementing, or maintaining internal control

Preparing Financial Statements 

 If you are an external auditor that also prepares the client’s financial statements (a nonattest service), see my post concerning Yellow Book independence.

Yellow Book Independence Documentation is Important

Failure to document Yellow Book independence results in a nonconforming engagement (during peer review)

I just received the June 2016 AICPA Reviewer Alert (a monthly newsletter for peer reviewers). It provides the following Yellow Book independence documentation guidance:

Yellow Book contains specific requirements for documentation related to independence which may be in addition to the documentation that auditors have previously maintained. The 2011 Yellow Book Chapter 3 emphasizes that documentation is required for the evaluation of each of the elements of independence, which consists of:

  1. Management’s ability to oversee the nonaudit services, including whether management has skills, knowledge, and experience
  2. Significant threats that require the application of safeguards along with the safeguards applied
  3. Understanding established with the audited entity regarding the nonaudit services to be performed

Failure to document one or more of these elements is considered a departure from professional standards that causes the engagement to be deemed nonconforming. The reviewed firm and reviewer should be aware that verbal explanation and vague completion of a checklist does not provide for a thoughtful evaluation and documentation of management’s abilities related to each nonaudit service and will be unlikely sufficient to comply with the standards.


Yellow Book Independence Forms

All firms that perform Yellow Book engagements need to make sure their system of quality control provides guidance for documentation of the three items listed above. Consider using the AICPA’s 2011 Yellow Book Independence form. The electronically fillable version is $28 for AICPA members and can be found here. The free PDF version can be found here.

For information about determining if your client’s skill, knowledge, and experience are sufficient, click here.

Findings from Peer Reviews of Governmental Engagements

Governmental audit problem areas

The AICPA has identified governmental engagements as a high-risk area. While governmental accounting is complex, the addition of Yellow Book and Single Audit standards (when applicable) makes these engagements even more challenging.

I recall in the pre-GASB 34 days reviewing physical ledger sheets that contained all of the transactions for a local government. There were no Yellow Book or Single Audit requirements. Those idyllic days of simplicity are gone, and the complexity of governmental audits has increased a hundred-fold.

Governmental regulators have complained that CPAs are not performing these audits in conformity with professional standards. In addition, these regulators are saying that the present peer review process is not identifying non-conforming engagements.

Picture is courtesy of DollarPhotoClub.com


AICPA’s Testing of Peer Review Process

In response to these concerns–and those related to other high-risk areas such as benefit plans–the AICPA performed enhanced oversights to gauge how well peer reviewers are performing.

Here are some of the key takeaways from the oversights performed on that initial sample of engagements:

  • Approximately 40 percent of the engagements selected as part of this pilot program were identified as non-conforming with the applicable professional standards by the industry experts.
  • The peer reviewers on these engagements had identified only around one out of ten as non-conforming.
  • Over the 2012 to 2014 peer review cycle, 8 percent of the must-select engagements reviewed were identified as non-conforming by their reviewers.

Peer review statistics related to governmental engagements reflect similar dynamics:

  • Significantly more GAGAS/single audit engagements were determined to be non-conforming by the oversighters and were not recognized as being non-conforming by the peer reviewers. There was an approximate 40 percent nonconforming rate for oversights of governmental engagements while none of these engagements were identified as nonconforming by the peer reviewers.

Governmental Engagement Deficiencies

The enhanced oversights identified the following governmental engagement deficiencies (many of these are related to Yellow Book and Single Audit):

  • Compliance requirements documented as applicable, but no testing performed for the compliance requirement
  • A lack of testing of internal controls over direct and material compliance requirements
  • A lack of documentation of management’s skills, knowledge, and experience to effectively oversee nonaudit services performed by the auditor
  • A lack of documentation or incomplete documentation related to the risk assessment of type A or type B programs
  • A lack of documentation supporting the assessment that compliance requirements were not applicable for the identified major programs
  • A lack of documentation showing the consideration of fraud risk regarding noncompliance for major programs
  • A lack of documentation of the internal control assessment over the preparation of the Schedule of Federal Awards (SEFA)
  • The Schedule of Findings and Questioned Costs missing required elements
  • Financial statements presented under GAAP instead of GASB
  • No materiality calculation on opinion units
  • A lack of documentation detailing the risk of management override of controls
  • A lack of documentation to support the client’s designation as a low-risk auditee
  • Type A programs that were designated as low risk when they did not meet all of the requirements
  • An auditor’s report on internal control that did not include all required elements
  • The report on compliance with requirements applicable to each major program and internal controls over compliance that did not contain all of the required elements
  • A data collection form that did not properly summarize the auditor’s results
  • A calculation of amounts tested as major programs that was incorrect
  • The omission of a federal program from a cluster that should have been included when testing major programs

Increased Scrutiny

Expect increased scrutiny of governmental engagements in peer reviews.

The CPA community must take these concerns seriously. If we don’t, we may end up with a complete change of the present peer review process. Without positive improvement, CPA firms could, one day, be reviewed by governmental regulators — think IRS audits. It is imperative that we self-regulate in an effective manner.

Yellow Book Independence and Preparing Financial Statements – Sufficient SKE

Does your client have sufficient skill, knowledge and experience?

Are you a CPA that prepares city or county financial statements for an audit client? If yes, are you independent under the Yellow Book independence standards?


Picture from AdobeStock.com

Yellow Book Independence

The 2011 Yellow Book (effective for periods ending after December 15, 2012; http://www.gao.gov/yellowbook) requires that the external auditor document the CPA firm’s independence when the firm also provides nonaudit services (such as preparation of financial statements).  Many small governments have their external auditors prepare their financial statements.

This independence determination will largely hinge on one factor: whether the city or county has a person with sufficient skill, knowledge or experience (SKE) to qualify as a reviewer.

If the government has no one with sufficient SKE, then the external auditor is not independent and can’t ethically perform the audit.

Examples of SKE

Consider the following potential reviewer scenarios:

1. A 15-year mayor who is a businessman with no accounting education and no formal training in reading governmental financial statements; he understands the fund level statements but can’t grasp the reconciliation between the government-wide financial statements and the fund level financial statements.

2. Second-year finance director with no prior accounting experience who graduated from a two-year college with a degree in general business.

3. Finance director with 25 years’ experience who is a CPA and a member of GFOA and trains others in governmental accounting.

4. Finance director with a high school education who has extensive governmental accounting training from the Carl Vinson Institute and could, if he liked, create the financial statements from scratch.

As you can see, the independence assessment will sometimes be black and white, but sometimes there will be shades of gray.

An Alternative

If the auditor can’t get comfortable with the SKE of the government’s financial statement reviewer, there is one alternative: the local government can hire someone outside the government with sufficient SKE to be the reviewer (for example a CPA not affiliated with the external audit firm).

At the end of the day, the local government must have a designated person (either internally or externally) with sufficient SKE for the audit firm to be independent.

Yellow Book CPE Requirements – A Summary

What are the requirements for Yellow Book continuing professional education (CPE)?

Below we will address (1) who is subject to the Yellow Book CPE requirements and (2) what CPE classes satisfy those requirements.

Yellow Book CPE Overview

First, realize there are two rules:

  1. The 80-hour rule (every two years)
  2. The 24-hour rule (every two years)

Then you must answer:

  1. Who is subject to each rule?
  2. What classes qualify for each rule?

The 24 Hour Rule – Who is Subject?

The answer: each auditor performing work on a Yellow Book audit; if as an auditor you work on the engagement, you are subject to this rule. If your audit report contains a Yellow Book report (usually located just after the notes to the financial statements), then that engagement is subject to generally accepted government auditing standards (GAGAS).

The 80-Hour Rule – Who is Subject?

The answer: Auditors who are involved in any amount of:

1. Planning,
2. Directing, or
3. Reporting on GAGAS assignments
and
4. Those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments.

I interpret 1., 2. and 3. as mainly partners, managers, and in-charges. 4. relates to staff who support the audit.

So a staff person who does not meet the criteria in 4. but still works on a Yellow Book engagement must satisfy the 24-hour rule (but not the 80-hour rule).

What Classes Qualify?

The Yellow Book states, “Determining what subjects are appropriate for individual auditors to satisfy both the 80-hour and the 24-hour requirements is a matter of professional judgment to be exercised by auditors in consultation with appropriate officials in their audit organizations.”

First we see that there is judgment in what qualifies (no bright yellow lines). But there are differences in the 80-hour rule and the 24-hour rule; otherwise, there would be only one category.

The 80-Hour Rule – Classes that Qualify

The 80-hour rule is broad (encompassing any CPE that enhances the auditor’s professional proficiency); so, for example, CPE classes about writing skills or using Excel would qualify. (Taxation CPE usually does not qualify unless the class addresses audit-related issues. For example, a 1040 tax class does not qualify.)

For those subject to the 80-hour rule, at least 20 hours of CPE should be taken in each year of the two-year period; a total of 80 hours is to be taken in the two-year period.

The 24-Hour Rule – Classes that Qualify

Each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.

The 24-hour rule is specific to:
(1) Government auditing,
(2) The government environment, or
(3) The specific or unique environment in which the audited entity operates.

Government Auditing

Classes directly related to standards used in governmental auditing qualify; since GAGAS incorporates the AICPA statements on auditing standards (SASs) for field work and reporting, then audit classes that include a study of the SASs as they relate to the audit of your governmental entity would qualify. The same is true of pronouncements issued by the FASB. Single Audit classes also obviously qualify.

Government Environment

CPE dealing with Governmental Accounting Standards (GASB pronouncements) will qualify for the 24-hour rule since the class focuses on accounting standards in the government environment.

If you audit a county or a city, then most any CPE dealing with GASB pronouncements or governmental issues (e.g., sales taxes) will satisfy the 24-hour rule; also classes dealing with compliance with laws and regulations qualify.

Classes addressing economic conditions, fiscal trends, and pressures facing the governmental entity qualify.

Specific or Unique Environment in Which the Audited Entity Operates

Suppose you audit electric membership corporations (EMCs) subject to the Yellow Book; a CPE class about electrical supply grids qualifies. Or if you audit banks subject to Yellow Book requirements (e.g., FHA loans), then a CPE class dealing with lending qualifies. These classes address issues in the unique environment in which the audited entity operates.

Two-Year Cycle

An audit organization can adopt a standard 2-year period for all of its auditors to simplify administration of the CPE requirements.

Carryover Credit

Auditors are not allowed to carry over hours taken in excess of the 24-hour or 80-hour rule to the next reporting period.

Proration of Hours for New-Hires (or Those Newly Assigned to a Yellow Book Audit)

You will prorate the hourly requirements based on the remaining 6-month intervals in your two-year reporting period. For example, you hire someone on May 1, 2013 and your two-year cycle ends December 31, 2013. There is only one remaining 6-month period. If you are subject to the 24-hour rule, then you will multiply 25% (one six-month period divided by the four six-month periods in the two-year cycle) times 24 to compute the hours required: 6 hours.

GAO Guidance

Click here for the April 2005 GAO publication: Government Auditing Standards, Guidance on GAGAS Requirements for Continuing Professional Education.

Yellow Book Independence and Preparing Financial Statements

Governmental clients must have sufficient SKE when auditors prepare their financial statements

Yellow Book independence is critical for Yellow Book engagements.

Yellow Book Independence

Are you a CPA that prepares city or county financial statements for an audit client?

If yes, are you independent?

The 2011 Yellow Book (effective for periods ending after December 15, 2012; http://www.gao.gov/yellowbook) requires that the external auditor document the CPA firm’s independence when the firm also provides nonaudit services (such as preparation of financial statements).  Many small governments have their external auditors prepare their financial statements.

Having Sufficient Skill, Knowledge, and Experience

When auditors prepare financial statements, the independence determination will largely hinge on one factor: whether the city or county has a person with sufficient skill, knowledge or experience (SKE) to qualify as a reviewer.

If the government has no one with sufficient SKE, then the external auditor is not independent and can’t ethically perform the audit (and prepare the financial statements).

Yellow Book independence

Consider the following potential reviewer scenarios:

1. A 15-year mayor who is a businessman with no accounting education and no formal training in reading governmental financial statements; he understands the fund level statements but can’t grasp the reconciliation between the government-wide financial statements and the fund level financial statements.

2. Second-year finance director with no prior accounting experience who graduated from a two-year college with a degree in general business.

3. Finance director with 25 years’ experience who is a CPA and a member of GFOA and trains others in governmental accounting.

4. Finance director with a high school education who has extensive governmental accounting training from the Carl Vinson Institute and could, if he liked, create the financial statements from scratch.

As you can see, the independence assessment will sometimes be black and white, but sometimes there will be shades of gray.

An Alternative

If the auditor can’t get comfortable with the SKE of the government’s financial statement reviewer, there is one alternative: the local government can hire someone outside the government with sufficient SKE to be the reviewer (for example a CPA not affiliated with the external audit firm).

Bottom Line

At the end of the day, the local government must have a designated person (either internally or externally) with sufficient SKE for the audit firm to be independent.