The new yellow book: focus on internal controls.

Auditors who do their work in accordance with Government Auditing Standards, also known as the yellow book, will face increased responsibility for testing internal controls under new auditing standards proposed by the U.S. General Accounting Office (GAO). The new standards will focus auditors' judgment on two areas: the control environment and controls for safeguarding assets.

The GAO is seeking comments on an exposure draft containing these and other proposed changes to the yellow book. This article explains why the new yellow book will require additional internal control work in financial statement audits and what that additional work will be. The exhibit on page 85 highlights other proposed changes to the yellow book.


The current yellow book standards for internal controls mirror the American Institute of CPAs generally accepted auditing standards. If auditors follow Statement on Auditing Standards no. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, they effectively follow the yellow book. But after reviewing research done by the GAO staff and reflecting on their own experience, members of the Government Auditing Standards Advisory Council found mounting evidence SAS no. 55's minimum requirements were no longer enough:

* Accounting professionals were calling for increased auditor involvement in internal controls to provide both "early warning" of potential problems and, among other things, assurance an entity is well controlled.

* Bank audit committees were asking auditors for more information about the state of internal controls.

* Congress and the Office of Management and Budget were enacting new laws and regulations calling for auditor assurance that internal controls in large banks and in federal agencies are effective.

The council recognized that financial statement audits provided only so much information about internal controls. To meet the growing demand for the information, it realized auditors would have to examine controls (or perform agreed-upon procedures) separately from the financial statement audit. Still, the council believed the financial statement audit could partially satisfy this demand if it included work on internal controls beyond the minimum required by SAS no. 55 that would

* Be within the boundaries of what auditors choose to do under SAS no. 55, which gives them considerable discretion over the extent of their consideration of internal controls.

* Help auditors assess audit risk more precisely.

* Focus auditors' attention on potential control weaknesses users of auditors' reports might want to know about.

Using these criteria, the council recommended expanding the auditor's responsibilities in two areas: the control environment and controls for safeguarding assets. The GAO included these recommendations in its ED. (See the sidebar on page 86 for a discussion of the council's work.)



The new yellow book will require auditors to assess the control environment in all financial statement audits.

SAS no. 55 requires auditors to answer the questions: How important are internal controls to the board of directors and top management? What are their attitudes, awareness and actions regarding controls as reflected in

* Management's philosophy and operating style?

* Methods of assigning authority and responsibility?

* Methods of monitoring and following up on performance, including internal auditing?

The collective impact of these and other factors on the effectiveness of specific control policies and procedures makes up the control environment.

The AICPA audit guide Consideration of the Internal Control Structure in a Financial Statement Audit, which provides guidance on implementing SAS no. 55, says auditors do not have to assess the control environment separately. Instead, they may consider all elements of the internal control structure together - the control environment, accounting system and control procedures - in assessing control risk for a given financial statement assertion.

The new yellow book will change that. It will require auditors to specifically assess whether the control environment enhances or undermines control procedures' effectiveness. Auditors will base this assessment on the results of the following procedures, most of which the current yellow book requires.

* Ask management how it assures itself the entity achieves control objectives.

* Perform any other procedures auditors ordinarily would perform to satisfy SAS no. 55 requirements. (The new yellow book will refer to the AICPA audit guide's discussion of procedures auditors may perform to obtain an understanding of the control environment.)

* Perform procedures auditors ordinarily would perform to satisfy the requirements of SAS no. 65, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements.

* Determine whether management remedied material internal control weaknesses the auditors had identified in earlier audits or that the internal auditor had identified.

The increased emphasis on the control environment will benefit both auditors and the public. It should help auditors point out a weak control environment; often that is a red flag to auditors to be alert for fraud in the financial statements. Auditors are more likely to detect weakness if they assess the control environment separately. It also should help auditors report cases when management failed to set an appropriate "tone at the top." Financial statement users generally want to know about such failures.


The ED gives auditors responsibility for considering how management safeguards assets. Auditors must first answer the question: How could loss or misappropriation of assets cause the financial statements to be materially misstated? Identifying potentially vulnerable assets is one part of the answer. The other is finding a link between those assets and possible material misstatements of financial statement assertions. If a link could exist, the new yellow book will require auditors to determine whether management has controls in place to safeguard assets.

Here are two situations in which the vulnerability of assets and possible misstatement of financial statement assertions are linked.

* A not-for-profit organization gets a material amount of its revenues from door-to-door cash collections. If volunteers steal some of the cash before turning it in, the completeness assertion about revenues could be materially misstated.

* An industrial development agency makes loans that are material to its parent government's financial statements. Agency employees could have processed the loans without following established procedures. For example, they might have failed to get adequate information about borrowers' financial condition. If so, the agency could incur credit losses that exceed what management had anticipated when it established the procedures. The resulting discrepancy between actual credit losses incurred and management's expectations could lead to bias or outright misstatement in the allowance for credit losses. Thus, the valuation assertion about the agency's loans could be materially misstated.

In both cases, the ED requires auditors to determine what control procedures management has in place to safeguard assets. But even after doing so, auditors may conclude the most effective approach to limiting audit risk is to go further and determine whether the control procedures were effective throughout the period the audit covers. The ED emphasizes that if auditors plan to assess control risk below the maximum, they must have sufficient evidence of controls' effectiveness.


What will these new standards mean for auditors, auditees and the public?

Auditors. The new standards on the control environment and safeguarding assets should help make auditors aware of increased audit risk they might otherwise overlook. (If you were the auditor of the industrial development agency discussed above, would you want to be in the dark about severe weaknesses in controls over loan origination?) These new standards will likely lead auditors to do more work than they do now. But once auditors have developed a base of knowledge about a client's control environment and its vulnerability to loss or misappropriation of assets, the cost of applying the new standards should go down.

Auditees. Additional audit costs may translate into higher audit fees. However, in paying the higher fees, auditees will buy more accountability for the public. This will help them better meet their responsibility, set forth in the current yellow book, to provide "audit coverage that is broad enough to help fulfill the reasonable needs of potential users of the audit report."

The public. Added audit coverage should result in audit reports that provide more useful information about the control environment and safeguarding assets - two areas fundamental to the responsibilities of managers entrusted with taxpayers' money.


A copy of the ED can be obtained by writing the U.S. General Accounting Office, P.O. Box 6015, Gaithersburg, Maryland 20884-6015. Orders also may be placed by calling (202) 512-6000 or sending a fax to (301) 258-4066. The comment deadline is November 15.


* THE U.S. GENERAL Accounting Office is seeking comments on proposed changes to Government Auditing Standards, also known as the yellow book. Auditors will face increased responsibilities for testing internal controls.

* THE CURRENT YELLOW BOOK standards for internal control mirror the generally accepted auditing standards established by the American Institute of CPAs. If auditors follow Statement on Auditing Standards no. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, they effectively follow the yellow book.

* THE EXPOSURE DRAFT proposes expanding auditors' responsibilities in two areas: the control environment and safeguarding assets.

* CURRENTLY, AUDITORS NEED not specifically assess the control environment. The new yellow book will change that and require auditors to specifically assess whether the control environment enhances or undermines control procedures' effectiveness.

* AUDITORS WILL BE GIVEN responsibility for considering how management safeguards assets. (1) They must identify potentially vulnerable assets and look for a link between those assets and possible material misstatements of financial statement assertions. (2) If a link could exist, they must determine what controls management has in place to safeguard assets.

Proposed GAO changes to yellow book standards

Changes in financial audit standards

The exposure draft of the new yellow book contains several provisions to improve auditors' communication with auditees and the public. The ED

* Requires auditors to communicate their responsibilities to audit committees or others who oversee financial reporting. The ED extends the applicability of Statement on Auditing Standards no. 61, Communications With Audit Committees, to all entities having yellow book audits of their financial statements. Auditors must communicate all matters specified in SAS no. 61 as well as information about additional yellow book responsibilities.

* Reinforces the requirement that auditors refer to government auditing standards in their reports. It no longer will be acceptable for auditors to omit references to the yellow book from their financial statement opinions, even if they include such references in their reports on controls and compliance.

* Simplifies requirements for reporting on internal controls and compliance with laws and regulations. Current yellow book reporting requirements have led to lengthy reports, such as those illustrated in SAS no. 68, Compliance Auditing Applicable to Governmental Entities and Other Recipients of Governmental Financial Assistance. The ED shows how auditors can meet the new reporting requirements by adding one paragraph to their opinions on the financial statements.

* Gives auditors flexibility to depart from the boilerplate report on audited financial statements. The ED presents an alternative to the standard report of SAS no. 58, Report on Audited Financial Statements.

Changes in quality control standards

The ED adds two quality control requirements to put useful information into the hands of those who buy audit services. It requires

* Auditors to disclose to those who authorize or arrange for audits if they have not met the external quality control review requirement.

* Auditors receiving adverse reports on their external quality control reviews to give such reports to those who authorize or arrange for audits.

Changes in performance audit standards

Major changes in the performance audit standards include

* Expanding the planning standard to discuss matters auditors should consider in setting audit objectives. The ED emphasizes the need to understand the program being audited. It includes guidance to help auditors set audit objectives that are more likely to result in reports that meet decision makers' needs. This expanded guidance incorporates concepts from the Governmental Accounting Standards Board's recent work on service efforts and accomplishments.

* Distinguishing controls, laws and regulations relevant to a performance audit from those significant to the audit's objectives. The revised standards for performance audits require auditors to understand management controls and laws and regulations relevant to the audit. Such an understanding generally will be part of the information auditors need to plan a performance audit. Auditors will be required to test controls and compliance only when those issues are significant to the performance audit's objectives. The ED uses examples to illustrate the distinctions between controls and laws that are relevant and those that are significant.




To help ensure the yellow book continues to meet the needs of the audit community and the public it serves, the U.S. comptroller general appointed the Government Auditing Standards Advisory Council to review the standards and recommend changes. The 16-member council includes experts in financial and performance auditing drawn from all levels of government, public accounting, internal auditing and academia.

The council was guided in its work by the introduction to the 1988 revision of the yellow book, which says in part: "[Government] audit standards are more than the codification of current practices. They include concepts and audit areas that are still evolving...." At the outset, the council identified the auditor's responsibility for internal controls as an "evolving area" for which it might recommend new standards.

The council held seven open meetings between April 1991 and February 1993 before achieving a consensus on recommended changes to the standards. The resulting exposure draft reflects the council's recommendations to the comptroller general.
COPYRIGHT 1993 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1993, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:'Government Auditing Standards' revision
Author:McNamee, Patrick
Publication:Journal of Accountancy
Date:Oct 1, 1993