The GAO’s 2010 proposed revision to the Yellow Book isn’t saying much that is new. Instead it is saying the same stuff – just in a different way.
For instance, the section on independence regarding non-audit services caused plenty of heartburn in the 2007 revision. The GAO asked auditors to evaluate whether they were 1. Auditing their own work in performing the non-audit service or 2. Making management decisions when performing the non-audit services. Obviously, auditing your own work and making management decisions compromise an auditor’s independence because the auditor will not be motivated to admit that they messed up either the work or the decision if and when they do the audit.
One state audit organization I worked with said that they had, many years ago, become frustrated with the state agency responsible for calculating pension obligations. It seems that the auditor was constantly writing the agency up for not calculating it correctly, so the agency finally just said, “You know what? We don’t really know how to do it. Will you do it for us?” And unfortunately, the auditor decided that was a good idea.
So, one assistant state auditor made the calculation for a decade or so until he retired. When a new auditor took over the job, she quickly realized that the calculation had been wrong the whole time and that the state owed the pension plan major dinero. How embarrassing is that for the state auditor to admit!?!
And the state auditor didn’t want to admit it and was trying desperately to figure out a way to avoid admitting their mistake. The only thing I can think of for the auditor to do to avoid accountability is to write the state a check for a few million out of their personal state-salaried accounts. I am sure they can spare it.
This is the sort of dilemma that independence standards allow us to avoid. But at the same time, independence causes internal auditors a special brand of heartburn.
Let’s look at what the proposed new standards say:
Some 2010 Clauses Significant to Internal Auditors
The revision to the Yellow Book takes a different path, but ends up at the same place. It talks about ‘threats’ to independence – and the following sound like they were written with internal auditors in mind:
GAGAS 2010 3.10
b. Self-review threat - the threat that an auditor will not appropriately evaluate the results of a previous judgment made or service performed by the auditor, or the audit organization, on which the auditor will rely when forming a judgment significant to an audit;
d. Familiarity threat - the threat that due to a long or close relationship with management or personnel of an audited entity or employer, an auditor will be too sympathetic to their interests or too accepting of their work;
f. Management participation threat - the threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit or attestation engagement;
And then it goes on to expressly prohibit one common internal audit activity:
3.49 Accepting responsibility for designing, implementing or maintaining internal control includes accepting responsibility for designing, implementing or maintaining monitoring procedures. Monitoring involves the use of ongoing monitoring procedures or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of the internal control system. Ongoing monitoring procedures are built into the routine, recurring operating activities of an organization. Therefore, the management participation threat created by an auditor performing ongoing monitoring procedures is so significant that no safeguards could reduce the threat to an acceptable level. On the other hand, nonaudit services providing separate evaluations often are performed by individuals who are not directly involved in the operation of the controls being monitored. As such, it is possible for an auditor to provide an objective analysis of control effectiveness by performing separate evaluations without creating a significant threat of management participation that would impair independence. However, in all such cases, the significance of the threat created by performing separate evaluations should be evaluated and safeguards applied when necessary to eliminate the threat or reduce it to an acceptable level. Auditors should assess the frequency of the separate evaluations as well as the scope or extent of the controls (in relation to the scope of the audit performed) being tested in evaluating the significance of the threat.
This excerpt points out a significant thematic difference between the IIA’s Professional Practices Framework (the red book) and the yellow book. Members of the IIA like to be helpful to their employers; the GAO does not. The GAO standards are written as if the auditor is an “external” auditor – not an internal auditor. A gentleman at the GAO once told me that internal auditor is a troublesome term. How can you be internal and be an auditor? The Yellow Book discourages auditors from performing ‘consulting’ engagements and instead prefers that internal auditors concentrate on the “assurance” aspect of their work.
One of the ‘hot’ topics – if you can go as far as to call anything in auditing “HOT” – at the HOTlanta IIA International Conference last summer was continuous monitoring. Internal auditors are working themselves into a frenzy figuring out how to do it.
BUT – when working in Yellow Book land, continuous monitoring – unless used by the internal audit shop to do their audit risk assessments – compromises auditor independence.
In one of my recent courses, we were discussing the COSO model and were talking about controls that the auditee should have in place over a federal grant. An internal auditor in the audience said that one of the best controls over a federal grant possible would be a strong internal audit shop monitoring the grant. And I immediately went, “No, I am not writing that up on the board!” A sharp reaction to a simple idea.
I immediately regretted shutting him down so hard and wrote it up on the board because I didn’t want to dwell on auditor independence that particular afternoon because it was off topic. But in Yellow Book land, the internal auditor is not to perform management functions. An auditor is an objective third party that can give an unbiased assessment of what is really going on. This participant was looking at things from the IIA perspective – where it is OK to help management.
If the auditor took on monitoring the federal grant and then later criticized compliance or operations for the same federal grant… they’d be in a bind, wouldn’t they? Because they were responsible for monitoring and thus for helping the client out. And unless the client is superhuman – they will usually come to depend on the auditor and assume (wrongly) that everything is OK and they have nothing to worry about. And then the auditor will have to write them a big fat check from his personal account for the questioned cost that they were complicit in generating. (I do realize that auditors won’t be writing any checks, by the way.)
If this discussion has made you a little hot under the collar – go to the 2010 Proposed Revision at http://www.gao.gov/new.items/d10853g.pdf and carefully read Sections 3.02-3.50. Yes, it is a lot to look over. But it is new and worth the time.
This is the time to let the GAO know what you think. Write to email@example.com by November 22 to have an impact on the next revision.
If you want to discuss the major differences between the Yellow Book and the Red Book – attend the 2010 Single Audit and Government Conference in Austin and catch Helen Young and me arguing over which standard is best. We had a huge laugh fest last week talking about our opposing views on the red book and yellow book. For more info, see: http://www.tscpa.org/Public/Catalog/CourseDetails.aspx?courseID=11CGC01