The Internal Auditing Act in Texas requires that all internal audit shops in state agencies and universities follow both the Yellow Book and the Red Book. Yellow and red make orange. Get it?
Last month, for the Institute of Internal Auditors chapter in Albuquerque, I compared the GAO’s 2011 version of Government Auditing Standards (the Yellow Book) to the IIA’s 2013 edition of the International Professional Practices Framework (the Red Book). It took two days to journey through both standards, and even at that, we only hit the highlights. The GAO’s 2011 version of the Yellow Book is 215 pages including the ridiculous independence flowchart in the back, while the IIA’s 2013 Red Book is 222 pages.
Before all of the knowledge I gleaned from studying and teaching the seminar went to the secret place where the second sock and esoteric knowledge abide, I jotted down a summary of what we discovered as we contrasted the two sets of standards.
Please excuse a few generalities so that I can keep this list as succinct as possible.
- The GAO and the IIA start from different definitions of who auditors are and what auditors do. The GAO believes that auditors are better described as ‘accountability professionals’ who keep the greater good of the citizenry at heart as they perform their work. The GAO, then, naturally values transparency and holding government officials accountable for their decisions. And, the GAO’s standards have a decidedly project-by-project focus. On the other hand, the IIA seeks to assess governance, risk, and controls to add value to the entities for and in which auditors work. The IIA does not encourage transparency and takes a wider, holistic, organization-wide view of auditors’ work and role.
- The IIA’s Red Book asks audit shops to develop an internal audit charter that sets forth their agreement regarding the purpose and power of the internal audit shop. The GAO has no such requirement.
- The GAO puts up many barriers to auditors being helpful to their audit clients. The GAO feels that performing non-audit (consulting) services compromises the auditor’s ability to objectively and independently provide assurance against their audit objectives. You cannot help make the baby (consult) and then later call that same baby (audit) ugly. In other words, the GAO does not allow you to help create the internal controls that you will later audit because you will lack the objectivity toward the controls you helped establish. But, the IIA actually encourages internal auditors to consult and be helpful and establishes ‘consulting’ standards to assist in that effort.
- The GAO wants you to document your consideration of auditor and audit team independence using the ‘conceptual framework’ borrowed from the AICPA’s literature. The IIA is nowhere near as formal when it comes to assessing auditor independence and does not require project-by-project documentation.
- The GAO requires that every three years the auditor’s quality control system, which includes six components, undergo an external peer review. The IIA requires an external peer review every five years and leaves the structure of the quality control system largely up to the auditor’s judgment.
- The IIA is much tougher than the GAO when it comes to bragging rights. Under GAO standards, following every ‘must’ requirement allows you to claim your adherence to the standards once you kick off your first audit. In contrast, the IIA requires an audit shop to undergo a peer review before claiming in their audit report that they are following Red Book standards. Under both standards, you must disclose when you do not follow a ‘should’ requirement. The GAO requires that you disclose the noncompliance in your audit report, but the IIA is not clear on how or to whom the noncompliance is disclosed.
- The GAO talks about three types of assurance engagements: financial audits, attestation engagements, and performance audits. For financial audits and attestation engagements, the GAO incorporates AICPA guidance. The IIA simply discusses “assurance services” and does not group them into types or levels of assurance. The IIA also does not formally acknowledge or encourage the use of any other standard. Instead, the IIA talks about the nature of the auditor’s work: internal auditors are expected to focus their efforts on their entity’s governance, risk assessment, and controls.
- The GAO asks that auditors use the results of prior audits that are relevant to their audit objective in planning the audit. Under Yellow Book standards, a formal follow-up process or statement is not required. Yet, the IIA requires you to follow up on prior audits.
- The GAO focuses on one single engagement at a time and requires no development of an audit universe or an annual plan. But, the IIA asks chief audit executives to document all of their potential audit subjects and select the riskiest subjects for their annual audit plan.
- The GAO wants you to design your audit to detect fraud and non-compliance. The IIA asks that you simply be aware of fraud and does not require auditors to perform procedures to uncover it.
- The GAO asks that auditors write findings when they find fraud, internal control weaknesses, noncompliance, and abuse. The IIA calls reportable conditions ‘observations’ and does not formally recognize noncompliance or abuse as triggers of an observation.
- When you answer the audit objective on a financial audit or an examination under Yellow Book standards, you opine. When you answer the objective on a performance audit under Yellow Book standards, you conclude. The IIA will let you use either word – you can opine or conclude when answering the objective.
- The GAO requires auditors to get 80 hours of CPE every two years. The IIA encourages auditors to get CPE, but does not require a specific number of hours.
Is that everything? No. But isn’t that enough for anyone?
I suggest that you also look at the IIA’s guidance regarding the comparison of the GAO vs. IIA standards.
Good luck, my orange fellows. You have plenty to live up to!
If you have any comments, please write to me at [email protected]. I’d love to hear from you regarding whether you agree or disagree with my summary. I’d also like to know if you found it helpful.