Today, I enjoyed working with internal auditors with the county, school district, transportation district, and community college in San Antonio. We were covering the Yellow Book standards.
Most internal auditors have a designation from the IIA - like a CIA or CGAP - and would prefer to follow the Red Book if given a chance. But sometimes, the choice is made for them. A rule, regulation, contract, or law calls the Yellow Book into play, and there is nothing they can do about it.
One of my previous managers at the Texas State Auditor's Office was instrumental in drafting the Internal Auditing Act in Texas that requires all internal audit directors of state agencies to be orange shops - in other words, cover both the IIA and GAO standards. But when I did a training for his group last year (he now works for a large university) he complained about his decision. He feels like the Yellow Book goes too far in a variety of areas. My audience today felt the same.
What are they annoyed with in the Yellow Book?
Independence. In general, the IIA encourages auditors to be helpful - to consult as well as provide assurance services. The GAO discourages 'consulting' work and calls this sort of work 'non-audit services.' The GAO strongly warns auditors that engaging in non-audit services could ruin their independence on audits.
The GAO also far exceeds the IIA's requirements on quality control and peer review. The GAO mimics the intense requirements of the AICPA. One onerous quality control requirement asks that auditors perform an annual monitoring inspection to ensure that the quality system is working. A peer review must be conducted every three years under GAO standards and every five years under IIA standards.
The GAO also goes into a lot more detail than the IIA regarding how to plan an audit. The IIA's Red Book is mostly focused on how to run an audit shop - not in how to conduct an audit. The GAO says very little about how to run an audit shop but goes into great detail regarding how to run an audit project - asking that auditors design their audit to detect fraud and noncompliance, describing the qualities of strong evidence, and laying out general principles for working paper documentation.
My participants today - like my old manager at the University - wish they hadn't gotten themselves into the strict land of GAO standards.