How Are Our Yellow Book Engagements Changing?

Jun 4, 2019

The 2018 Revision to Government Auditing Standards (GAGAS) was released in July 2018 and is effective for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019. Because the Revision addresses requirements for the entire period under audit, we will want to understand what these changes are before July 1, 2019.

Keep in mind that GAGAS applies to more than just audits as defined under Statements on Auditing Standards (SASs). GAGAS also applies to engagements performed under Statements on Standards for Attestation Engagements (SSAEs) and for the first time GAGAS incorporated reviews performed under Statements on Standards for Accounting and Review Services (SSARs). GAGAS refers to engagements performed under the Yellow Book as “audits” with an “auditor’s” report, which can include engagements such as agreed-upon procedure engagements and review engagements which do not include an opinion.

The Revision is organized as follows:

  • Chapter 2: General Requirements for Complying with GAGAS
  • Chapter 3: Ethics, Independence & Professional Judgement
  • Chapter 4: Competence & CPE Requirements
  • Chapter 5: Quality Control & Peer Review
  • Chapter 6: Financial Audits
  • Chapter 7: Attestation Engagements & Reviews of Financial Statements
  • Chapter 8–9: Fieldwork & Reporting Standards for Performance Audits

Throughout the Revision, the GAO made it easy for practitioners to identify the requirements by clearly highlighting them in boxes.

CPE requirements did not change from the current requirement (80 hours every two years, with at least 24 hours each year), though there is expanded discussion regarding acceptable programs and activities that count towards the hour requirement, acceptable subject matter, exception to the 56-hour requirement (every auditor subject to the 24-hour requirement), and guidance on documenting and monitoring compliance with the CPE requirement.

There is expanded discussion and additional requirements for audit organizations and firms that do not participate in recognized peer review programs.

Note: The AICPA’s peer review program, as administered by Peer Review Alliance at the Illinois CPA Society for Indiana CPA firms, is a recognized peer review program.


The GAO kept the five ethical principles: the public interest; integrity; objectivity; proper use of government information, resources, and positions; and professional behavior. Given the concept of accountability for use of public resources and government authority, evaluating internal control in a government environment may also include considering internal control deficiencies that result in waste or abuse.

Waste is the act of using or expending resources carelessly, extravagantly or with no purpose. Waste can include activities that do not include abuse and does not necessarily involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions and inadequate oversight.

Abuse is behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. This excludes fraud and noncompliance with provisions of laws, regulations, contracts and grant agreements. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate.

Because the determination of waste and abuse is subjective, auditors are not required to perform specific procedures to detect waste or abuse in financial audits. However, auditors should consider whether and how to communicate such matters if they become aware of them. Auditors who discover that waste or abuse is indicative of fraud or noncompliance with provisions of laws, regulations, contracts and grant agreements are then required to report a finding.


Independence includes both the auditor’s state of mind and the appearance of independence. While an auditor may believe they have an objective state of mind, there may be circumstances that would cause an outside party to conclude that integrity, objectivity or professional skepticism had been compromised. Both individual auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditor and/or audit organization is not capable of exercising objective and impartial judgment on all issues associated with conducting and reporting on the engagement.

Auditors and audit organizations should be independent from an audited entity during any period of time that falls within the period covered by the financial statements or subject matter of the engagement and the period of the professional engagement. For example, if an auditor is reporting on financial statements for the calendar year 2020, the auditor and their firm (the audit organization) would need to be independent from the audited entity from January 1, 2020 through the report issuance date, most likely sometime in 2021.

GAO’s Conceptual Framework approach to independence remains, but with tweaks. There is more specific guidance regarding the significance of threats, particularly when providing non-audit services, the Yellow Book’s term for non-attest services. Remember, even “reviews” and AUPs are called audits in the Yellow Book.

The Conceptual Framework is a three-step process that needs to be continually revisited throughout the engagement. Audit documentation should clearly show that the auditor considered independence throughout the engagement, including:

  1. Identifying threats to independence.
  2. Evaluating the significance of the threats identified, both individually and in the aggregate.
  3. Applying safeguards to eliminate the threats or reduce them to an acceptable level.

Identifying Threats

When identifying threats, auditors should not skip over documenting threats just because those threats are mitigated. The GAO’s seven categories of threats remain unchanged. While peer review has focused largely on the provision of non-audit services, the auditor should document their consideration of threats to independence considering each of the seven categories.

Before auditors agree to provide a nonaudit service to an audited entity, they should determine whether providing such a service would create a threat to independence, either by itself or in aggregate with other non-audit services provided, with respect to any GAGAS engagement they conduct. Before auditors agree to provide a nonaudit service, auditors should also determine that there is a designated individual who possesses suitable skill, knowledge or experience, and that individual understands the services to be provided sufficiently to oversee them.

Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, including:

  • Recording transactions for which management has determined or approved the appropriate account classification, or posting coded transactions to the general ledger.
  • Preparing certain line items or sections of the financial statements based on information in the trial balance.
  • Posting entries to the trial balance that management has approved.
  • Preparing account reconciliations that identify reconciling items for management’s evaluation.

Evaluating Threats

Auditors must be sure to document their evaluation of threats both individually and in the aggregate. It may be that the threat to management participation posed by each of the various services provided to management is appropriately mitigated when taken individually. However, when taken in aggregate, the appearance to an outside party may be that objectivity or professional skepticism has been compromised.

A critical factor in evaluating threats posed by non-audit services is the extent to which the outcome of the non-audit service could have a material effect on the financial statements. The Revision requires auditors to conclude that preparing financial statements from a client-provided trial balance or underlying accounting records creates significant threats to the auditor’s independence.

The key to determining whether the significant threat to independence can be reduced to an acceptable level is the auditor’s consideration of management’s ability to effectively oversee the nonaudit service to be provided. Although the designated individual is required to have sufficient expertise to oversee the non-audit services, they are not required to possess the expertise to perform or re-perform them. Indicators of management’s ability to effectively oversee the nonaudit service include the ability to determine the reasonableness of the results of the non-audit services provided and the ability to recognize a material error, omission or misstatement in the results of the non-audit services provided.

Applying Safeguards

Safeguards are actions or other measures, individually or in combination, that auditors and audit organizations take to effectively eliminate threats to independence or reduce them to an acceptable level. Safeguards vary depending on the facts and circumstances.

Examples of safeguards are:

  • Consulting an independent third party, such as a professional organization, a professional regulatory body or another auditor to discuss engagement issues or assess issues that are highly technical or require significant judgment.
  • Involving another audit organization to perform or re-perform part of the engagement.
  • Having an auditor who was not a member of the engagement team review the work performed.
  • Removing an auditor from an engagement team when that auditor’s financial or other interests or relationships pose a threat to independence.

Examples of safeguards when addressing threats related to non-audit services are:

  • Not including individuals who provided the non-audit service as engagement team members.
  • Having another auditor, unassociated with the engagement, review the engagement and non-audit work as appropriate.
  • Engaging another audit organization to evaluate the results of the non-audit service.
  • Having another audit organization re-perform the non-audit service to the extent necessary to enable the other audit organization to take responsibility for the service.

Audit documentation should make clear that the auditor determined independence before the non-audit service was provided, which indicators the auditor considered when concluding that the designated individual has the ability to effectively oversee the non-audit service, and that threats were considered individually and in the aggregate.


The Revision incorporates internal control frameworks such as the Green Book and the COSO format. These provide example criteria for internal control that can help auditors determine whether control deficiencies exist and help to develop meaningful recommendations for corrective actions.

The Revision clarified and expanded discussion regarding requirements related to internal control over the subject matter of performance audits.

The information contained herein is intended to be a summary of some of the changes contained in the 2018 Revision to Government Auditing Standards. Auditors should obtain a thorough understanding of all of the changes before accepting or performing a Yellow Book engagement.

Laura Lindal, CPA, is a sole practitioner with more than 25 years of experience in auditing. Reprinted from the Winter 2018 issue of The WashingtonCPA magazine. Reprinted with permission of the Washington Society of CPAs.

