Internal auditors who follow the Yellow Book and the Institute of Internal Auditor’s Red Book (the International Professional Practices Framework) simultaneously are rightly confronted by the GAO’s take on auditor independence.
The GAO – a legislative auditor, not an internal auditor – didn’t initially set out to have any influence over internal auditors. They wrote the Yellow Book for themselves to please themselves. But over the decades, through a series of laws and regulations, they became responsible for groups of folks they seem to have little empathy for. And I would say that internal auditors are one of those groups.
In writing their standards, the GAO borrows heavily from the AICPA standards. And AICPA standards are designed for external auditors. From my understanding, the Institute of Internal Auditors doesn’t work very closely with the GAO and it shows in the resulting Yellow Book standards.
The GAO has been working for the last decade trying to clarify and strengthen the auditor independence standards to mixed success. They finally decided that rather than go their own way – apart from the AICPA – regarding independence, they would just go ahead and use the AICPA’s own structure with some modifications.
The AICPA uses a decision process for evaluating independence they call the "conceptual framework." Typical of the AICPA, they are making something very straightforward sound complex and involved – something only a well-paid, CPA-type, professional can implement. As auditors, we can smell bull a mile away. And the conceptual framework is pretty smelly. I am not impressed or wowed by their conceptual framework, and you shouldn’t be either. But since you have to use it now, it would be good to know what it is. Here it is:
GAGAS Conceptual Framework Approach to Independence
3.07 Many different circumstances, or combinations of circumstances, are relevant in evaluating threats to independence. Therefore, GAGAS establishes a conceptual framework that auditors use to identify, evaluate, and apply safeguards to address threats to independence. The conceptual framework assists auditors in maintaining both independence of mind and independence in appearance. It can be applied to many variations in circumstances that create threats to independence and allows auditors to address threats to independence that result from activities that are not specifically prohibited by GAGAS.
3.08 Auditors should apply the conceptual framework at the audit organization, audit, and individual auditor levels to:
a. identify threats to independence;
b. evaluate the significance of the threats identified, both individually and in the aggregate; and
c. apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level.
It is what anyone does to solve problems and decide on their next move. You do the same things when you are dating, right?
a. identify threats; in dating terms this means spending time with your intended to find out more about them and identify potential relationship killers or aspects of their personality, habits, or baggage that could cause you future misery. Maybe he is way too close to his mother, or his ex-wife is extremely hard to deal with, or his football/golf/hunting/fishing hobby is likely to leave you on your own most weekends
b. evaluate the significance of the threats identified, both individually and in the aggregate; In dating terms you now need to figure out whether you can actually tolerate being left alone most weekends. Maybe you like to be alone so you can shop, spend time with girlfriends, or volunteer. But if you add it to his mother’s constant visits and calls…. (that is what the AICPA calls threats in the ‘aggregate’)
c. apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level. In dating terms, this might mean breaking up, finding a new supportive social structure, agreeing to limits on his hobby, or moving to another country without phone or internet service to escape his mother.
Not exactly rocket science, huh? Conceptual framework… PLEASE!
The GAO just adds to the aura of complexity by coming up with a diagram in the appendix.
I can tell when people have gotten a bit too granular when I see two things – a key and/or a flowchart. When auditors feel the need to add a key that explains acronyms and technical terms to the back cover of their report they mistakenly assume their readers care enough to actually use it to read their complex report. And when they have to draw a flowchart…
Application of the conceptual framework to internal auditors
Let’s start by looking at the list of threats - conceptual framework step #1. This information is from the Appendix to the Yellow Book where it explains the threats to independence in more detail than in Chapter 3:
Threats to Independence
A3.02 This list is intended to illustrate by example the types of circumstances that create threats to independence that an auditor might identify when applying the conceptual framework. It does not include all circumstances that create threats to independence; these circumstances will be unique to the conditions under which each evaluation takes place.
A3.03 Examples of circumstances that create self-interest threatsfor an auditor include:
b. An audit organization having undue dependence on income from a particular audited entity.
c. A member of the audit team entering into employment negotiations with an audited entity.
d. An auditor discovering a significant error when evaluating the results of a previous professional service performed by a member of the auditor’s audit organization.
A3.04 Examples of circumstances that create self-review threats for an auditor include:
a. An audit organization issuing a report on the effectiveness of the operation of financial or performance management systems after designing or implementing the systems.
b. An audit organization having prepared the original data used to generate records that are the subject matter of the audit.
c. An audit organization performing a service for an audited entity that directly affects the subject matter information of the audit.
d. A member of the audit team being, or having recently been, employed by the audited entity in a position to exert significant influence over the subject matter of the audit.
A3.05 Examples of circumstances that create bias threats for an auditor include:
a. An auditor’s having preconceptions about the objectives of a program under audit that are sufficiently strong to impact the auditor’s objectivity.
b. An auditor’s having biases associated with political, ideological, or social convictions that result from membership or employment in, or loyalty to, a particular type of policy, group, organization, or level of government that could impact the auditor’s objectivity.
A3.06 Examples of circumstances that create familiarity threats for an auditor include:
a. A member of the audit team having a close or immediate family member who is a principal or senior manager of the audited entity.
b. A member of the audit team having a close or immediate family member who is an employee of the audited entity and is in a position to exert significant influence over the subject matter of the audit.
c. A principal or employee of the audited entity in a position to exert significant influence over the subject matter of the audit having recently served on the audit team.
d. An auditor accepting gifts or preferential treatment from an audited entity, unless the value is trivial or inconsequential.
e. Senior audit personnel having a long association with the audited entity.
A3.07 Examples of circumstances that create undue influence threats for an auditor or audit organization include existence of:
a. External interference or influence that could improperly limit or modify the scope of an audit or threaten to do so, including exerting pressure to inappropriately reduce the extent of work performed in order to reduce costs or fees.
b. External interference with the selection or application of audit procedures or in the selection of transactions to be examined.
c. Unreasonable restrictions on the time allowed to complete an audit or issue the report.
d. External interference over the assignment, appointment, compensation, and promotion of audit personnel.
e. Restrictions on funds or other resources provided to the audit organization that adversely affect the audit organization’s ability to carry out its responsibilities.
f. Authority to overrule or to inappropriately influence the auditors’ judgment as to the appropriate content of the report.
g. Threat of replacing the auditors over a disagreement with the contents of an auditors’ report, the auditors’ conclusions, or the application of an accounting principle or other criteria.
h. Influences that jeopardize the auditors’ continued employment for reasons other than incompetence, misconduct, or the need for audits or attestation engagements.
A3.08 Examples of circumstances that create management participation threats for an auditor include:
a. A member of the audit team being, or having recently been, a principal or senior manager of the audited entity.
b. An audit organization principal or employee serving as a voting member of an entity’s management committee or board of directors, making policy decisions that affect future direction and operation of an entity’s programs, supervising entity employees, developing or approving programmatic policy, authorizing an entity’s transactions, or maintaining custody of an entity’s assets.
c. An audit organization principal or employee recommending a single individual for a specific position that is key to the entity or program under audit, or otherwise ranking or influencing management’s selection of the candidate.
d. An auditor preparing management’s corrective action plan to deal with deficiencies detected in the audit.
A3.09 Examples of circumstances that create structural threats for an auditor include:
a. For both external and internal audit organizations, structural placement of the audit function within the reporting line of the areas under audit.
b. For internal audit organizations, administrative direction from the audited entity’s management.
Did you see yourself in there? If so, proceed to the conceptual framework step #2: evaluating the significance of the threat. Whether a threat is a big deal or not is entirely up to auditor judgment, although it includes the classic auditing standard reference to the “objective third party with knowledge of relevant facts.” Who is this person? I have no idea! I don’t think I’ve ever met one. :)
3.22 Auditors should determine whether identified threats to independence are at an acceptable level or have been eliminated or reduced to an acceptable level. A threat to independence is not acceptable if it either (a) could impact the auditor’s ability to perform an audit without being affected by influences that compromise professional judgment or (b) could expose the auditor or audit organization to circumstances that would cause a reasonable and informed third party to conclude that the integrity, objectivity, or professional skepticism of the audit organization, or a member of the audit team, had been compromised.
If you decide that you or the imaginary third party believes these threats to be significant, you move on to conceptual framework step #3: apply safeguards.
3.16 Safeguards are controls designed to eliminate or reduce to an acceptable level threats to independence. Under the conceptual framework, the auditor applies safeguards that address the specific facts and circumstances under which threats to independence exist. In some cases, multiple safeguards may be necessary to address a threat. The list of safeguards in this section provides examples that may be effective under certain circumstances. The list cannot provide safeguards for all circumstances. It may, however, provide a starting point for auditors who have identified threats to independence and are considering what safeguards could eliminate those threats or reduce them to an acceptable level.
3.17 Examples of safeguards include:
a. consulting an independent third party, such as a professional organization, a professional regulatory body, or another auditor;
b. discussing independence issues with those charged with governance of the entity;
c. disclosing to those charged with governance of the entity the nature of the audit and nonaudit services provided;
d. involving another audit organization to perform or reperform part of the audit; and
e. having a professional staff member who was not a member of the audit team review the work performed.
3.18 Depending on the nature of the audit, an auditor may also be able to place limited reliance on safeguards that the entity has implemented. It is not possible to rely solely on such safeguards to eliminate threats or reduce them to an acceptable level.
3.19 Examples of safeguards within the entity’s systems and procedures include:
a. an entity requirement that persons other than management ratify or approve the appointment of an audit organization to perform an audit;
b. internal procedures at the entity that ensure objective choices in commissioning nonaudit services; and
c. a governance structure at the entity that provides appropriate oversight and communications regarding the audit organization’s services.
And typical of an audit standard – you don’t get to just go through the process in your head, you get to document your reasoning process, too. Yes, you will need another friggin’ memo.
After applying the conceptual framework, you might be just fine. If you have a threat, you put a safeguard in place and go on your merry way. But the GAO didn’t stop there!
Nonaudit services (a.k.a. consulting)
You probably caught that reference to nonaudit services as you read that last quote from the Yellow Book.
The GAO keeps the discussion going by addressing a variety of non-audit services specifically. Here they are going beyond the AICPA independence standards.
The IIA divides the internal auditor’s world up into assurance and consulting services. The GAO calls consulting services another name, ‘non-audit services.’ And the GAO isn’t that crazy about auditors conducting non-audit services. In the 2011 standards they added a paragraph that might stop internal auditors in their consulting tracks!
3.34 Before an auditor agrees to provide a nonaudit service to an audited entity, the auditor should determine whether providing such a service would create a threat to independence, either by itself or in aggregate with other nonaudit services provided, with respect to any GAGAS audit it performs. A critical component of this determination is consideration of management’s ability to effectively oversee the nonaudit service to be performed. The auditor should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience, and that the individual understands the services to be performed sufficiently to oversee them. The individual is not required to possess the expertise to perform or reperform the services. The auditor should document consideration of management’s ability to effectively oversee nonaudit services to be performed.
Uh oh! The reason internal auditors get involved in nonaudit services/consulting is because they know the subject better than anyone else. Management is relying on the auditors knowledge, skills, experience and judgment to help them with something they can’t or don’t want to do.
And management needs to acknowledge that they are responsible for the non-audit service – in writing!
3.37 Auditors performing nonaudit services for entities for which they perform audits should obtain assurance that audited entity management performs the following functions in connection with the nonaudit services:
a. assumes all management responsibilities;
b. oversees the services, by designating an individual, preferably within senior management, who possess suitable skill, knowledge, or experience;
c. evaluates the adequacy and results of the services performed; and
d. accepts responsibility for the results of the services.
3.38 In cases where the audited entity is unable or unwilling to assume these responsibilities (for example, the audited entity does not have an individual with suitable skill, knowledge, or experience to oversee the nonaudit services provided, or is unwilling to perform such functions due to lack of time or desire), the auditor’s provision of these services would impair independence.
I like that phrase in 3.38 – lack of desire. No kidding, GAO! No one WANTS to worry with internal controls. No one dreams of designing, documenting, or implementing internal controls when they are a child. “Herbie, doll, what do you want to be when you grow up?” “A COSO expert, mommy!” That response has never been, nor will it ever be spoken.
Herbie, now an experienced auditor in his 40s, is well suited to do that sort of work. Now all internal auditors involved in that sort of work need to reassess their situation and decide whether the client should to do this kind of work on their own.
Continuous monitoring was a hot topic at the last IIA conference I attended in Atlanta. But the GAO talks specifically about helping the client with internal control monitoring in a list of non-audit services that impair auditor independence:
Internal Control Monitoring as a Nonaudit Service
3.54 Accepting responsibility for designing, implementing or maintaining internal control includes accepting responsibility for designing, implementing, or maintaining monitoring procedures.34 Monitoring involves the use of either ongoing monitoring procedures or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of the internal control system. Ongoing monitoring procedures performed on behalf of management are built into the routine, recurring operating activities of an organization. Therefore, the management participation threat created if an auditor performs or supervises ongoing monitoring procedures is so significant that no safeguards could reduce the threat to an acceptable level.
3.55 Separate evaluations are sometimes performed as nonaudit services by individuals who are not directly involved in the operation of the controls being monitored. As such, it is possible for an auditor to provide an objective analysis of control effectiveness by performing separate evaluations without creating a management participation threat that would impair independence. However, in all such cases, the significance of the threat created by performing separate evaluations should be evaluated and safeguards applied when necessary to eliminate the threat or reduce it to an acceptable level. Auditors should assess the frequency of the separate evaluations as well as the scope or extent of the controls (in relation to the scope of the audit performed) being tested when evaluating the significance of the threat. An evaluation prepared as a nonaudit service is not a substitute for audit procedures in a GAGAS audit.
I think that is enough analysis (or bad news) for now, don’t you? I recommend you read the Yellow Book yourself because it probably has more to say to your particular situation on this subject. I have just hit the highlights. Please seehttp://www.gao.gov/yellowbook and read sections 3.02-3.59 and the appendix sections A3.02-A3.09
a. A member of the audit team having a direct financial interest in the audited entity. This would not preclude auditors from auditing pension plans that they participate in if (1) the auditor has no control over the investment strategy, benefits, or other management issues associated with the pension plan and (2) the auditor belongs to such pension plan as part of his/her employment with the audit organization, provided that the plan is normally offered to all employees in equivalent