Comments on the 2010 Yellow Book - as emailed to Michael Hrapsky at the GAO

Sift Media
Share this content

Hi Michael –

I used the 2010 revision to teach with last week.  So, I am going to take an initial stab at feedback about the new draft.  Thanks for allowing me to do this informally- via email.


1.       Independence: CPAs are still going to take the little bit of wiggle room you gave them and RUN with it.   No one wants to give up drafting the financial statements as part of the audit and they are very busy justifying why their situation is different and they can still do what they have always done.  I believe it would be better to prohibit it completely – with no professional judgment involved.  It is wrong to create the subject matter that you opine on– period.  And we are risking the integrity of the only service CPAs are actually licensed to provide – audits of financial statements.  The AICPA is too lenient on their members on this subject and I would like to see the GAO do the right thing and flat out prohibit it.


2.       Section 1.06.  Auditors are still a bit confused on when the Yellow Book is applicable to their audit.  They assume that if their client is a government – that the Yellow Book is automatically required.  I’d like to see the language of 1.06 clarified and strengthened to says something to the effect of – “The Yellow Book is applicable to an engagement if it is required by law, policy, etc… Some organizations choose to voluntarily follow the yellow book. Just because the audited entity is a government or receives government funds, it does not mean that the government auditing standards are automatically required.”   Yes, it is a bit redundant. 


3.       Section 1.07 – Some auditors erroneously believe that you have to be certified in order to be subject to the CPE requirements.  1.01a could be enhanced by adding “regardless of job title OR PROFESSIONAL CERTIFICATION.”  Caps not necessary! 


4.       3.53 – Professional judgment – This is my least favorite section of the yellow book.  It is vague, redundant, and broad and I really struggle with teaching it.   It is saying “turn your brain on” and then tells you when to turn your brain on.  I wonder if you could merge 3.54 and 3.55 with evidence, 3.56 with competence, 3.57 with quality control, 3.58 with independence, 3.59 and 3.60 with planning, and get rid of 3.61 – which reads like an attorney’s fine print. 


5.       3.84 human resources.  Instead of doing a footnote back to the HR sentence in competence, I think it would be helpful to repeat the second sentence of 3.63 here… “Audit organizations should have a process for recruiting, hiring, developing, assigning, and evaluation staff to maintain a competent workforce.”  Otherwise, I am afraid people are missing that because it is imbedded in another section, in the middle of a paragraph.  Another solution would be to make the second sentence of 3.63 its own paragraph.


6.       The appendix’s format is hard to decipher and it would be easier on the reader if you would  indent the sub-topics.  For instance on page 176 – c is a super topic, 1 is under c, and a is under 1.  It is difficult to tell what is modifying what or what is listed under what.  And this goes on for many pages.


7.       4.23 – why is abuse grouped with noncompliance?  Shouldn’t it have its own number – number 4? 


8.       4.22-4.30 –The 2 additional letters on internal control and compliance are out of date.  So in 4.23 we find the list all of the things that trigger a reportable condition.  And then we write letters on only two of them  - internal controls and compliance.  And the language that is used in these letters – in reality –is obscure and only vaguely related to what this section requires.  I remember asking Michael about the purpose of these letters and he explained that they enhance transparency for the user.  After the AICPA gets a hold of them and creates a stream of legalistic and confusing language to satisfy this requirement – we are being anything but transparent.   Auditors simply go to the AICPA for model reports and plug the name of the entity in the blank.  Users don’t understand them or, I might argue, need them if there is nothing to report.  I would like to see the GAO reconsider the purpose of these letters and ask whether these letters are the best way to serve this purpose.  If the GAO decides to keep these letters – I would suggest updating them to include the requirements for the auditor’s responsibility for fraud and abuse.  Could the GAO propose some standard language for a straight yellow book audit that is clear and straightforward – like the mandatory performance audit paragraph at 7.30 in the 2010 proposed revision?



Thanks for allowing me to say things significant and not-so-significant!  You guys are the best!



About admin


Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.