I have to do what ?*#[email protected] to audit government grants!?!
So you are still hanging in with this idea, eh? Even after I described how granular the audit work can be and who you will be working with in government, you are still game? Good for you. You might be made for this gig.
But before you take on a new client, I want to warn you of a few more things in this last of three articles on the subject. They might not be deal breakers – but I guess that depends on how sensitive you are to regulation.
I regularly teach full day seminars on YellowBook standards (which by the way, you are going to have to follow!) and at about 1 o’clock, the attendees start thinking about getting out of government auditing. At that point, some of them are saturated with bad news. I even had one woman in San Francisco stand up and offer her sole government client to anyone who was interested – she was done. Sort of a live e-bay auction. By the end of the day, she was back to her regular gigs - free of the constraints of government standards.
What is the Yellow Book anyway? It is also known as Generally Accepted Government Auditing Standards or GAGAS. (How is that for an attractive acronym?!?) The Yellow Book is written by the Government Accountability Office, the federal audit agency. And it regularly exceeds the standards set forth by the AICPA in the SASs (Statements on Auditing Standards for Financial Audits). Actually it is an additional governmental specific standard designed to layer on top of the AICPA standards.
Here is how the standards stack up: The Single Audit Act/OMB Circular A-133 requires that Single Audits be conducted in accordance with GAGAS. Inside GAGAS, the Single Audit is classified as a financial audit. Financial auditors must follow the edicts of chapters 1-5 (2007 version) of the Yellow Book plus the AICPA SASs.
So, did you catch that? In order to do the Single Audit, you follow three layers of directions. 1. The Single Audit requirements 2. GAGAS and 3. The AICPA’s SASs. Whew, I am tired just thinking about it!
This wasn’t that big a deal a decade ago. All three standard setting bodies were pretty quiet before the Enron debacle. Since then, the AICPA and GAO standards have been in constant state of flux. It is great for my business, as a teacher. But not so great as a practitioner.
Here are a few things that trigger a “You’ve got to be kidding!?!” response from the participants in my Yellow Book seminars.
1. Specific training. GAGAS requires auditors to get 80 hours of training that enhances their ability to conduct audits every two years. Out of this 80 hours, 24 of it must be in government topics or topics relevant to your audit environment. This means that your tax update classes won’t count! Here is the specific relevant paragraph from GAGAS:
GAGAS 2007 3.46 Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. For auditors who are involved in any amount of planning, directing, or reporting on GAGAS assignments and those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) that enhances the auditor's professional proficiency to perform audits or attestation engagements. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year period.
2. Extra nagging regarding independence: As of this writing, GAGAS is in the middle of revision. The 2011 version of the Yellow Book should be out… well hopefully in 2011. The exposure draft continues on a theme that the GAO has always emphasized; while the GAO doesn’t specifically prohibit auditors from creating financial statements for their audit clients, they definitely don’t like it. Here is an excerpt from the 2010 proposed revision:
GAGAS 2010 Proposed 3.44. Bookkeeping is the systematic recording of an entity's transactions. Auditors performing bookkeeping services for an audited entity they audit should determine that the audited entity's management is providing sufficient oversight of those services. Auditors should determine that the audited entity's management
responsible for oversight possesses suitable skill, knowledge, and/or experience to evaluate the adequacy of the bookkeeping services provided, and accepts responsibility for the results of the services.
3.45. Bookkeeping services that would impair an auditor's independence include:
a. determining or changing journal entries, account codings or classifications for transactions, or other accounting records for an entity without obtaining the entity's approval,
b. authorizing or approving transactions,
c. preparing source documents, and,
d. making changes to source documents without client approval.
Preparing Financial Statements:
GAGAS 2010 Proposed 3.46. Management is responsible for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework. Consequently an auditor's acceptance of responsibility for the preparation and fair presentation of financial statements that the auditor will subsequently audit would impair the auditor's independence. Auditors should determine that audited entity management taking responsibility for the preparation and fair presentation of the financial statements possesses suitable skill, knowledge, and/or experience to evaluate the adequacy of any services in this area provided by the auditor.
When I read that, I am discouraged from coming up with journal entries and preparing the financial statements. But it doesn’t expressly prohibit it, does it? Very much like a nagging - but ultimately powerless - parent.
This causes lots of angst during my seminars because auditors believe three things: 1. Their tiny client can’t create the financials or won’t pay for a third party to prepare them 2. The client expects the auditor to do it and 3. The auditor’s life is easier if they create the financials they end up auditing.
Unfortunately, the GAO isn’t exactly sympathetic to any of those views. But just like a nagging but ineffective parent, they are always talking but never putting their foot down or taking the keys to the car. This is something to keep your eye on when the next revision comes out.
3. The GAO isn’t happy just hearing about symptoms – they want a diagnosis of the root cause. In order to enhance transparency and accountability in government, GAGAS asks that auditors don’t stop at simply pointing out flaws in the client’s operations or in compliance. The GAO wants to know why the flaw occurred, whether it is a big deal, and what should be done about it. The GAO asks auditors to describe the elements of a finding (condition, effect, cause, criteria, recommendation) and this makes the auditor perform extra work, because the effect and root cause don’t necessarily present themselves to the auditor on a silver platter. For more on this topic, please see the newsletter archive athttp://www.yellowbook-cpe.com .
4. Additional reportable conditions – under GAGAS auditors have two additional triggers of a finding in addition to those laid out in the SASs. Under the SASs, internal control weaknesses and fraud are reportable.
The GAO adds non-compliance and abuse to the mix. First, government auditors must design their audits to uncover significant non-compliance with grants and contracts. That isn’t that big a deal to most folks, because that is one of the subject matters for the Single Audit anyway.
But the second additional responsibility, abuse, does cause auditors pause:
4.12 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.
4.13 If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively material to the financial statements, auditors should apply audit procedures specifically directed to ascertain the potential effect on the financial statements or other financial data significant to the audit objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse.
Abuse is a criteria-less complaint about bad behavior in government.
An audit is the evaluation of a subject matter against criteria. For non-compliance, the criteria is the law or regulation the subject matter should meet. For internal controls, the criteria is COSO. For fraud, the criteria is the elements of a crime per statute. But who is to say if everyone in the government agency, including the janitor, needs a i-Pad and i-Phone or not? Is that wasteful and abusive? Some would say yes, others might say no. And because there is no objective criteria to go on, they are both right.
What about a tribal council traveling monthly to the Bellagio in Vegas to do research on how to operate a good casino? What if they took friends and family with them and partied down (presumably to replicate the customer experience)? What if other members of the tribe were living in trailers and the sewer system was in serious need of repair? Is that abuse? The tribal council thought that luxury travel was a perk of their job.
The auditor thought otherwise. Because they weren’t breaking any particular law, the auditor and the tribal council fought. The auditor put the abuse in their audit report and was promptly fired. But did he do the right thing? I think so.
Why does the government want us to report waste and abuse? Because we are on the front lines and see this stuff. The feds may never visit. And if we don’t say anything, who will? 60 Minutes only has so many shows a year; they can’t cover every wasteful scandal!
So to sum it all up – auditing in the government environment is trippy, different, sometimes flat out annoying. Most practitioners find it easiest to either embrace government accounting or walk away from it all together. Playing the middle and just dabbling in this environment can be a dangerous headache because of the intense expectations and scrutiny. Don’t say I didn’t tell you.
Leita Hart-Fanta, CPA, CGFM
Resides in Austin, Texas and can be reached at www.auditskills.com.