For the Orange | AccountingWEB

For the Orange

The Internal Auditing Act in Texas requires that all internal audit shops in state agencies and universities follow both the Yellow Book and the Red Book. Yellow and red make orange. Get it?

Last month, for the Institute of Internal Auditors chapter in Albuquerque, I compared the GAO’s 2011 version of Government Auditing Standards (the Yellow Book) to the IIA’s 2013 edition of the International Professional Practices Framework (the Red Book). It took two days to journey through both standards, and even at that, we only hit the highlights. The GAO’s 2011 version of the Yellow Book is 215 pages including the ridiculous independence flowchart in the back, while the IIA’s 2013 Red Book is 222 pages.

Before all of the knowledge I gleaned from studying and teaching the seminar went to the secret place where the second sock and esoteric knowledge abide, I jotted down a summary of what we discovered as we contrasted the two sets of standards.

Please excuse a few generalities so that I can keep this list as succinct as possible.

  1. The GAO and the IIA start from different definitions of who auditors are and what auditors do. The GAO believes that auditors are better described as ‘accountability professionals’ who keep the greater good of the citizenry at heart as they perform their work. The GAO, then, naturally values transparency and holding government officials accountable for their decisions.  And, the GAO’s standards have a decidedly project-by-project focus. On the other hand, the IIA seeks to assess governance, risk, and controls to add value to the entities for and in which auditors work. The IIA does not encourage transparency and takes a wider, holistic, organization-wide view of auditors’ work and role.
  2. The IIA’s Red Book asks audit shops to develop an internal audit charter that sets forth their agreement regarding the purpose and power of the internal audit shop. The GAO has no such requirement.
  3. The GAO puts up many barriers to auditors being helpful to their audit clients. The GAO feels that performing non-audit (consulting) services compromises the auditor’s ability to objectively and independently provide assurance against their audit objectives. You cannot help make the baby (consult) and then later call that same baby (audit) ugly. In other words, the GAO does not allow you to help create the internal controls that you will later audit because you will lack the objectivity toward the controls you helped establish. But, the IIA actually encourages internal auditors to consult and be helpful and establishes ‘consulting’ standards to assist in that effort.
  4. The GAO wants you to document your consideration of auditor and audit team independence using the ‘conceptual framework’ borrowed from the AICPA’s literature. The IIA is nowhere near as formal when it comes to assessing auditor independence and does not require project-by-project documentation.
  5. The GAO requires that every three years the auditor’s quality control system, which includes six components, undergo an external peer review. The GAO’s description of the quality control system includes six components.  The IIA requires an external peer review every five years and leaves the structure of the quality control system largely up to the auditor’s judgment.
  6. The IIA is much tougher than the GAO when it comes to bragging rights.   Under GAO standards, following every ‘must’ requirement allows you to claim your adherence to the standards once you kick off your first audit.  In contrast, the IIA requires an audit shop to undergo a peer review before claiming in their audit report that they are following Red Book standards. Under both standards, you must disclose when you do not follow a ‘should’ requirement. The GAO requires that you disclose the noncompliance in your audit report, but the IIA is not clear on how or to whom the noncompliance is disclosed.
  7. The GAO talks about three types of assurance engagements: financial audits, attestation engagements, and performance audits. For financial audits and attestation engagements, the GAO incorporates AICPA guidance. The IIA simply discusses “assurance services” and does not group them into types or levels of assurance. The IIA also does not formally acknowledge or encourage the use of any other standard. Instead, the IIA talks about the nature of the auditor’s work: internal auditors are expected to focus their efforts on their entity’s governance, risk assessment, and controls.
  8. The GAO asks that auditors use the results of prior audits that are relevant to their audit objective in planning the audit. Under Yellow Books standards, a formal follow-up process or statement is not required. Yet, the IIA requires you to follow up on prior audits.
  9. The GAO focuses on one single engagement at a time and requires no development of an audit universe or an annual plan. But, the IIA asks chief audit executives to document all of their potential audit subjects and select the riskiest subjects for their annual audit plan.
  10. The GAO wants you to design your audit to detect fraud and non-compliance. The IIA asks that you simply be aware of fraud and does not require auditors to perform procedures to uncover it.
  11. The GAO asks that auditors write findings when they find fraud, internal control weaknesses, noncompliance, and abuse. The IIA calls reportable conditions ‘observations’ and does not formally recognize noncompliance or abuse as triggers of an observation.
  12. When you answer the audit objective on a financial audit or an examination under Yellow Book standards, you opine. When you answer the objective on a performance audit under Yellow Book standards, you conclude. The IIA will let you use either word – you can opine or conclude when answering the objective.
  13. The GAO requires auditors to get 80 hours of CPE every two years. The IIA encourages auditors to get CPE, but does not require a specific number of hours.

Is that everything? No. But isn’t that enough for anyone?

I suggest that you also look at the IIA’s guidance regarding the comparison of the GAO vs. IIA standards.

Good luck, my orange fellows. You have plenty to live up to!

If you have any comments, please write to me at I’d love to hear from you regarding whether you agree or disagree with my summary.  I’d also like to know if you found it helpful.

This blog

Governmental auditors unite! Leita Hart-Fanta, CPA, CGFM, and CGAP is the author of “The Yellow Book Interpreted” and owner of a website devoted to training for governmental auditors. Whether you are an internal auditor or monitor for a government entity or a CPA doing grant audits, you will enjoy Leita’s humorous take on the complexity of auditing in the government environment.

More from this blog

Bloggers crew

Steve Knowles has spent 25 years in business and practice in the UK, but he also worked in the states and the years haven't dulled his way of seeing an alternative view to everyone else, and every day is a new adventure.


Joel M. Ungar, CPA is a lifelong resident of the Detroit area and a graduate of The University of Michigan. He is a principal with Silberstein Ungar, PLLC, a Top 15 auditor of SEC public reporting companies.


Allan Boress, CPA, with over 25 years as a practitioner and consultant to the accounting profession. Mr. Boress is the author of 12 published books in 6 different languages, including a best-seller, The "I-Hate-Selling" Book.


Larry Perry, CPA, CPA Firm Support Services, LLC, is the author of accounting and auditing manuals, author and presenter of live staff training seminars, and author of webcast and self-study CPE programs. He blogs about small audits, reviews, and compilations.

Sandra Wiley, COO and Shareholder, is ranked by Accounting Today as one of the 100 Most Influential People in Accounting as a result of her prominent role as an industry expert on HR and training as well as influence as a management and planning consultant. She is also a founding member of The CPA Consultant's Alliance. Sandra is a certified Kolbe™ trainer who advises firms on building balanced teams, managing employee conflict and hiring staff.

Maria Calabrese, CIR, Human Resources manager for Fazio, Mannuzza, Roche, Tankel, LaPilusa, LLC in Cranford, New Jersey, Maria's topics revolve around the world of: Mentoring, Performance management, and The "Y Generation," a.k.a. "The whY generation".


William Brighenti is a CPA, Certified QuickBooks ProAdvisor, and Certified [Business] Valuation Analyst, operating an accounting, tax, and QuickBooks consulting firm in Hartford, Connecticut, Accountants CPA Hartford.


Ken Garen, CPA, is the co-founder and President of Universal Business Computing Company (, a software development firm of high-volume, high-productivity accounting and payroll technology.


Eva Rosenberg, MBA, EA, is the publisher of, and author of the weekly syndicated Ask TaxMama column. She provides answers to tax questions from taxpayers and tax professionals worldwide.


Amy Vetter, CPA, CITP is the CPA Programs Leader for Intacct Corporation responsible for leading the CPA/BPO Partners nationally.

Brian Strahle is the owner of LEVERAGE SALT, LLC where he provides state and local tax technical services to accounting firms, law firms and tax research organizations across the United States. He also writes a weekly column in Tax Analysts State tax Notes entitled, "The SALT Effect." For more info, visit his website:
Scott H. Cytron, ABC, is president of Cytron and Company, known for helping companies and organizations improve their bottom line through a hybrid of strategic public relations, communications, marketing programs and top-notch client service. An accredited consultant, Scott works with companies, organizations and individuals in professional services (accounting, finance, medical, legal, engineering), high-tech and B2B/B2C product/service sales.

Rita Keller is a nationally known CPA firm management consultant, speaker, author, mentor and blogger. She has over 30 years hands-on experience in CPA firm management, marketing, technology and administrative operations.

Stacy Kildal is the mom of two fantastic kids, an Advanced Certified QuickBooks ProAdvisor, Certified Enterprise Solutions ProAdvisor, Sleeter Group Certified Consultant, a nationally recognized member of the Intuit Trainer and Writer Network, and co-host of RadioFree QuickBooks.
Michael Alter's blog specializes in providing practical advice to those who seek greater profitability and practice management tactics that enhance deeper client relationships.

Sally Glick, CMO, Principal, Marketer of the Year in 2003 and AAM Hall of Famer in 2007, leads a lively discussion of the constantly expanding roles of marketing and the professional marketers that drive this initiative in accounting firms of all sizes.


The IMA Young Professionals Blog features the insights of IMA’s Young Professionals Committee. Committee members share advice and experiences on careers, continuing education, work/life balance, and other issues affecting young accounting and finance professionals.


FEI Financial Reporting Blog provides highlights from SEC, PCAOB, FASB, IASB, and other regulatory news, including reporting under Sarbanes-Oxley Sect 404. It is written by Edith Orenstein, Director of Technical Policy Analysis at FEI.


Sue Anderson has 30 years of experience in continuing education for accountants. Currently she is the program director for online CPE provider CPE Link.


Jim Fahey is COO of Apple Growth Partners, a regional CPA firm in Ohio. His focus is on the effective and efficient use of technology within the firm by all team members.

Caleb Newquist is the Editor-in-Chief of Sift Media US, overseeing content for both AccountingWEB and Going Concern.

Leita Hart-Fanta, CPA, CGFM, and CGAP is the author of "The Yellow Book Interpreted" and owner of a website devoted to training for governmental auditors.


AccountingWEB is more than just a U.S. team of journalists and financial and technology experts - we have an international side, too! Members of our British team who publish share their ideas, insights, and perspectives from across the pond.