
CPE for Government Auditors

Blending the Green Book with the Yellow Book

Objectives:

  • Identify the purpose of the GAO’s Green Book.
  • Distinguish between components of internal control.
  • Distinguish between management objectives.
  • Choose a finite subject matter on which to apply controls.
  • Identify the auditor’s responsibilities regarding application of the Green Book.

Most of the changes between the 2011 Yellow Book and the 2018 Yellow Book that we have discussed so far probably have not shocked you. But the change triggered by the Green Book may. The Green Book is the GAO’s version of the COSO model, and its formal title is “Standards for Internal Control in the Federal Government.”

As I travel and teach the 2018 Yellow Book, I have noticed that quite a few auditors are not familiar with the Green Book, which was published by the GAO in 2014. This is not good because the Green Book is by far the biggest change to the Yellow Book.

The Green Book Describes an Ideal Control Structure

The GAO’s Green Book lays out an ideal control structure – a nirvana for internal controls, if you will. And I have never encountered any entity that has achieved this ideal. Yes, I’ve seen some entities achieve control nirvana in some part or aspect of their business. But I have never seen an entire entity under complete control, and I doubt I ever will. I think the lack of perfect internal controls in an organization is a reasonable state of affairs because controls cost money to implement.

However, what I am discussing in this chapter is not the auditee’s responsibility regarding internal controls (which is the focus of the Green Book), but the auditor’s responsibility regarding internal controls. You and I know that the entity you audit has not achieved control nirvana. But instead of just knowing that in your head, the Yellow Book is asking you to document your assessment of the auditee’s internal control status in grand and glorious detail.

Here are some quotes from one of the performance audit chapters in the 2018 Yellow Book that give performance auditors pause. I’ll address financial auditors conducting the Single Audit at the end of the chapter. I added bolding to draw your eye to some new terms that I’d like you to notice.

8.41     Consideration of internal control in a performance audit begins with determining the significance of internal control to the audit objectives and documenting that determination. Some factors that may be considered when determining the significance of internal control to the audit objectives include

  1. the subject matter under audit, such as the program or program component under audit, including the audited entity’s objectives for the program and associated inherent risks;
  2. the nature of findings and conclusions expected to be reported, based on the needs and interests of audit report users;
  3. the three categories of entity objectives (operations, reporting, and compliance); and
  4. the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and the integration of the components.

8.42     If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify whether specific controls are significant to the audit objectives. Determining which internal control components and principles and/or specific controls are significant to the audit objectives is a matter of professional judgment. 

8.47     Approaches for obtaining an understanding of internal control may vary and may include consideration of entity-level controls, transaction-level controls, or both. However, even when assessing only transaction-level controls, it may be beneficial to gain an understanding of entity-level controls that may affect transaction-level controls by obtaining a broad understanding of the five components of internal control at the entity level. This involves considering the relationships between the components, which work together in an integrated manner in an effective internal control system, and the principles of internal control that support each component. In addition to obtaining a broad understanding of internal control at the entity level, auditors may also obtain an understanding of internal control at the transaction level for the specific programs and processes under audit.

Here is an infographic from the Green Book that starts to explain the highlighted terms:

The terms “three categories of entity objectives” appear at the top of the cube and the terms “five components of internal control” appear on the face of the cube. The seventeen “principles of internal control that support each component” are presented in a stack on the bottom left side of the infographic.

Nice Infographic, Now What?

Yes, the cube is cute, and the stack is pretty – but so what? What does all this new language mean to performance auditors, practically? What the cube and the stack are illustrating is the most up-to-date structure for approaching internal controls. This means that performance auditors are going to have to change the way they document internal controls! The GAO is working on a tool right now to help you with this task, but it won’t be published until the spring of 2019.

So, if you want to implement these changes in your internal control documentation right now, you will need to create a tool on your own. HUD has developed a tool that might get your creative juices flowing. Google “HUD IC Questionnaire 17 principles” to find it.

How are COSO and the Green Book Related?

But before we get too far along, let’s look at how the Green Book is related to the COSO (Committee of Sponsoring Organizations of the Treadway Commission) model and what our profession is trying to accomplish with both. As we will see, the Government Accountability Office (GAO) bases the Green Book on the COSO model.

The GAO Pushed for Better Controls in 1983.

In addition to auditing federal agencies and reporting the results back to Congress, the GAO also advises executive agencies on how to make government more efficient and effective. The Federal Managers Financial Integrity Act of 1982 requires the GAO to establish standards for internal controls. The GAO made its first efforts toward creating a standard for internal controls in 1983.

In the opening letter to this first version of the Green Book, the Comptroller General of the GAO said:

In the past decade, numerous situations came to light that dramatically demonstrated the need for controls as the Government experienced a rash of illegal, unauthorized, and questionable acts which were characterized as fraud, waste, and abuse. It is generally recognized that good internal controls would have made the commission of such wrongful acts more difficult. Consequently, increased attention is being directed toward strengthening internal controls to help restore confidence in Government and to improve its operations.

I wonder what the Comptroller General would think of the hijinks in the government realm since that initial Green Book was issued 30 years ago!

Congress Pushed for Better Controls in 1977, and the Treadway Commission Was Formed

Six years before the Federal Managers Financial Integrity Act, corporate fraud was getting the attention of Congress. In 1977, Congress enacted the Foreign Corrupt Practices Act (FCPA) as a result of 400 US corporations admitting that they had made questionable or illegal payments to foreign officials as part of conducting business in other countries. In response, the Treadway Commission, a private-sector initiative, was formed in 1985 to inspect, analyze, and make recommendations on fraudulent corporate financial reporting.

The COSO Report Was Issued in 1992

As a result of the Treadway Commission’s initial report, the Committee of Sponsoring Organizations (COSO) was formed. COSO retained Coopers & Lybrand, a major CPA firm, to study the issues and create a report on controls. This report was titled Internal Control – Integrated Framework and was issued in 1992.

And for the first time, we were introduced to the COSO cube that many of us use in our work today.

Over time, the COSO model, as it came to be called, was integrated into various auditing standards, including the American Institute of CPAs auditing standards, the GAO’s Generally Accepted Government Auditing Standards (the aforementioned Yellow Book), and the Institute of Internal Auditors’ professional literature.

SOX Renewed Interest in the COSO Model in 2002.

After a spate of corporate financial scandals (Enron, WorldCom, etc.) at the turn of the century, Congress passed the Sarbanes-Oxley Act (SOX) in 2002. The Sarbanes-Oxley Act requires that publicly traded companies in the United States certify that their internal controls over financial reporting are effective. Most corporations used the COSO model as the framework to guide this assessment.

The COSO Model and Report Were Revised in 2013

The COSO model was revised in 2013, more than 20 years after its initial creation. The 2013 revision didn’t alter the cube very much; the side of the cube now uses the term “division” instead of “unit,” and a few titles were changed on the face of the cube: “financial reporting” on the top of the original cube was changed to the more broad “reporting,” and “monitoring” was changed to “monitoring activities.”

These changes are minor compared to what COSO did to the text of the report. The original 1992 COSO report was presented in narrative form using lengthy, complex paragraphs. The 2013 version breaks each of the five elements on the face of the cube into 17 principles, and then these principles are further broken into 81 points of focus. Breaking down the narrative into smaller, more digestible concepts makes the document much easier to scan and, thus, to use.

The 2013 version of the COSO model is available online for $99-270, depending on whether you want a piece of the document or the entire set of literature.

The GAO Published the Green Book in 2014

In September 2014, the GAO revised the Green Book. The 2014 version replicates the 2013 version of the COSO model but changes some terminology to customize the model for the government environment. The Green Book is free online. Get it by Googling “GAO Green Book.”

The COSO Model Has Three Main Dimensions.

The COSO model and the Green Book both represent controls using the three dimensions of a cube. The top of the cube describes WHY you need controls. The side of the cube describes WHAT you will control, and the face of the cube tells you HOW to implement controls.
Let’s talk first about the dimension of the cube that is the most difficult to grasp – the face of the cube which lists the five components of internal control. We will discuss the side and the top next.

The Five Components of Internal Control

The five components of internal control listed on the face of the cube are:

  1. control environment
  2. risk assessment
  3. control activities
  4. information and communication
  5. monitoring

I need to admit, right up front, that I have never ‘clicked’ with the face of the cube. You know how some business models just make you say to yourself, “Yes, of course, that is how it is!” For instance, the “Plan, do, check, act!” model. Those four steps – plan, do, check, act – are intuitive and sensible. The five components of internal control? Not so much.

Here is how I make sense of the five components (Warning: this appears nowhere in COSO literature!):

First, the organization needs to ask what risks it is facing. Once they have done this risk assessment, they can apply control activities to keep those risks from occurring. Then valid reports need to be generated that provide information and communicate with the stakeholders of the organization who need to know how well the controls are working. The organization should not just assume, but monitor to ensure, that the control activities and reports they put in place to tamp down risk are working. And all of this effort needs to take place within an encouraging, nurturing environment that appreciates and supports controls.

Does it still sound like Greek? Let’s dig a tiny bit deeper. Let’s begin with an overview of the five components starting where the cube starts, with the control environment.

Do You Care about the Environment?

The control environment component directly addresses the attitudes of the leaders of an organization toward controls. You will also hear this component described as ‘tone at the top.’ If the leaders of an organization are uninterested in excellence in operations, strict compliance with laws and regulations, and accurate and transparent reporting, efforts toward those objectives by the employees will fail.

I have seen a wide variety of control environments, as I am sure you have. Some control environments are strong and reassuring. Others vary from strong to weak depending on who is in the leadership position, and others are crazy disasters that eventually implode. And no matter the size of your entity, the leadership’s attitude permeates the whole organization. One of my jumbo clients sells groceries in 28 countries. Since I am also a customer of this grocery retailer, I was very pleased to hear an executive in charge of food safety initiatives talk openly and emotionally about his responsibilities to keep customers safe.

He began his presentation by sharing the pictures of children in his briefcase that he looks at every day. These were not pictures of his children, but children who had died of foodborne illness from all food sellers – groceries and restaurants – in the United States. Then he began to share statistics about how vulnerable children are to foodborne illnesses. It was clear from talking to his grocery managers that his serious attitude toward a serious risk had also affected their attitudes and, therefore, controls.

If his powerful message permeated such a large organization, imagine how much more the viewpoint of a leader in a small organization affects controls. Smaller organizations are particularly vulnerable to the attitudes of the leadership.

Regrettably, I agreed to be the treasurer for a small organization, the local chapter of the National Speakers Association, and served for three years. We had about thirty members and six of them were on the board. The tone at the top dramatically altered the control environment every time we elected a new president.

Most of the members of the local chapter were motivational speakers, and some of them thought that if you just believed something with all your heart and mind, you could wish anything into existence. So, when I informed them at our first board meeting that I had carefully looked over the books and that we were close to bankruptcy, the response from the president was, “Well, if we just think positive thoughts, everything will work out.” A few meetings later, my less-than-positive prognosis came true. We were broke and couldn’t pay the hotel after our monthly Saturday meeting.

The chapter’s president conveniently disappeared after I informed her of this fact. Luckily, one of our successful and moneyed members named Jim stepped in and paid the bill.

Our new savior, Jim, was immediately appointed president. Jim was a six-and-a-half-foot tall ex-Marine who knew how to lead. At our first board meeting, he told the group that we were going to set a strict budget, and that we were going to talk about it at every meeting. All expenditures had to be approved by me before they were incurred. I silently clapped and cheered in my little accounting heart!

Everyone on the board was paying attention to my financial presentation at meetings (or at least they looked like they were paying attention), and I felt great about my role as treasurer. By the end of Jim’s term, we had built our bank account balance up to a healthy $14,000.

But, when Jim’s term was up, the group elected sweet John to be our leader. John preferred to spend the board meeting hugging and vision casting rather than worrying about tacky old money. At our first meeting under John’s leadership, we all discussed relaxation techniques – which just happened to be the focus of John’s signature speech. The group again began to ignore the budget, and by the end of John’s term, we were again near bankruptcy.

I realized that I would only be successful as a treasurer with the chapter if I had the strong support of the president. It didn’t matter how wonderful and clear and compelling my budget presentations were (and I tried everything I could to wake them up to the reality of the situation – emoticons, colors, graphics, dancing, singing). I was ignored. Only when Jim created an environment of compliance and fiscal restraint did the controls over our finances work.

My situation as a powerless treasurer plays out on larger, more important scales all the time. Do you remember the financial executive at Enron, Sherron Watkins, who wrote a memo to the chief executive about Enron’s fraudulent financial statements? The leadership didn’t want to hear it and published the erroneous financial results for public consumption. No matter how well she did her job, without the support of the organization’s leadership, her efforts were thwarted.

Controls Mitigate Risks

The second component – risk assessment – is all about making sure we put our resources toward things that matter. We don’t need controls over things we aren’t worried about. Controls are created to mitigate or reduce risk.

Here is a personal example: My family has two cars. One represents more risk to us than the other because it is worth more money. Let me begin by saying that my husband and I only buy used cars and pay cash for them. I was raised in new or nearly new cars. My father bought a new car every few years and still does. But now that I am paying the bills, I appreciate my husband’s view that new cars waste money.

My husband has been driving the same Toyota Sienna minivan (that we, of course, bought used) for the past 10 years or so. It has over 200,000 miles on it and doesn’t show any sign of stopping. It looks like a hideous, rolling pile of retro junk. It is worth about $1000 per the Kelley Blue Book.

Recently, I bought a beautiful, jumbo Lexus sedan with 100,000 miles on it. The sedan cost us around $18,000. We park my Lexus in the garage and repair every little ding. The mini-van is always exposed to the weather, and if it gets a ding, my husband reasons that it only adds to its character. Because more of our money is at risk in the Lexus (and more of my ego is on the line with the Lexus!), we treat it better and we endeavor to control what happens to it. When a hailstorm hits – as they do at least once a year here in Austin – my husband’s first question is, “Is the Lexus in the garage?”

What do you care about in your organization? Is it that your assets are safeguarded? Is it that your customers and employees are safe? Maybe you care the most about making a difference to the disadvantaged? While it would be nice to have the time and the resources to worry and control everything, no individual or organization in the history of the world has been able to pull that off.

What a risk assessment does is lay out all of the possible things you might care about on the table (or in an Excel table!). It gives you a way of ranking them and deciding where you will focus your efforts. Controls cost time and money, and you want to be intentional about applying them.

I have seen a wide variety of risk assessment models and risk assessment documentation. You can really go nuts refining the risk assessment and contemplating every eventuality, but at a very basic level, all you have to do is decide if you care. Simply ask yourself what could go wrong. And if you don’t care about the resulting answer, you don’t need any controls over it. So, if I ask myself if I will care if my Lexus suffers hail damage, I would say that I care – the mini-van, not so much.

What Most People Think of When They Think of Controls

The third component – control activities – is what most auditors think of when they think of applying controls. Control activities include such things as segregation of critical duties, transaction approvals, timely reviews of transactions, and documentation.

Figure 6 of the Green Book contains a fabulous list of control activities:

Figure 6: Examples of Common Categories of Control Activities

  1. Top level reviews of actual performance
  2. Reviews by management at the functional or activity level
  3. Management of human capital
  4. Controls over information processing
  5. Physical control over vulnerable assets
  6. Establishment and review of performance measures and indicators
  7. Segregation of duties
  8. Proper execution of transactions
  9. Accurate and timely recording of transactions
  10. Access restrictions to and accountability for resources and records
  11. Appropriate documentation of transactions and internal controls

You Aren’t in This Alone!

Information and communication, the fourth component, acknowledges that you aren’t in this all by yourself. Various stakeholders need to keep informed about what is going on.

Any endeavor will generate critical information and this information will allow stakeholders to evaluate the success of the organization’s efforts. The information and communication component asks the manager who they need to communicate with, what they need to share, and whether the data the manager is sharing is valid.

Hopefully, You Are Being Carefully Watched, But Not in a Creepy Way

Just performing a risk assessment, applying control activities, and communicating with stakeholders is not enough. Unfortunately, we aren’t done. We need the final component – monitoring.

We can’t just set things up and hope that they run on their own forever and ever. Over time, controls slip away and atrophy. Somehow, we need to monitor to make sure that controls are working as intended and make corrections when they aren’t working as intended. And, let’s be honest here, things never work exactly as we intend.

What this means is, that if you are following the COSO model, someone will be watching! It is best if this someone can be honest about what they see without suffering any consequences, and they might watch continually or just occasionally.

We auditors apply the monitoring component and the information and communication component to our audit quality control system by creating an annual monitoring report each year.

Summarizing Five Components of Control

Let’s recap. First you have to decide what you care about and what risks you are unwilling to tolerate. You then apply control activities to the risks you aren’t interested in experiencing. You need to share the data your activities generate (information and communication) with stakeholders and set up a monitoring function to make sure that everything you have put in place to mitigate the risks is operating as intended. All of this needs to take place within an environment that values and supports controls.

The Top and Side of the Cube: A Little Whine with That Cheese?

In order to make the top and the side of the cube come alive here, I am going to talk about my tiny little operation. And I am probably going to come off as a little whiney in places.

You see, I suffered an embarrassing failure in my business that I am still smarting over. Have you ever seen that poster on Despair, Inc.’s website of a shipwreck? Underneath, it says, “It could be that the purpose of your life is only to serve as a warning to others.” Sometimes I feel like that. See? Whiney.

My Little Idea That Became a Big Set of Processes

Since I like to write, I decided that I should start writing self-study books and selling them through other continuing professional education providers and on my own website. If anyone had told me how involved this idea was going to be before I started, I would have probably stopped right there. But luckily, I was innocent, unaware, and hopeful.

I knew before I started that writing a book is pretty involved. Writing the text is just the beginning; the text has to be edited, revised, and formatted. Lots of processes for that.

My idea to sell to other vendors involved maintaining relationships with those vendors, creating and managing contracts, and lots and lots of communication. Process, process, process.

And since I wanted to sell the books on my website, I needed a website that would allow folks to buy things – so I needed an online store. Process. Since I wanted students to be able to buy and take an online quiz and get credit for the courses online, I had to work with programmers for years and years and years to create the quiz and automatic grading software. Process.

Do I need to go on? Because I can . . . I so can. But I’ll stop there and point out that everything I have described so far would be categorized as ‘operating’ on the top of the cube.

Let’s talk about the top of the cube for a minute…

The Top of the Cube

The top of the cube represents management’s objectives. In less fancy terms, it answers the question, “Why bother having controls?” Yes, as we said in an earlier chapter, controls are there to mitigate risk. But we wouldn’t even have a risk unless we decided to do something, to act in the world. I wouldn’t need controls and processes over my self-studies if I hadn’t decided to write and sell self-study books.

The management objectives at the top of the cube help us categorize why we do things. The top of the cube has three management objectives: operations, reporting, and compliance.

If management is concerned with operations, they are concerned that they deliver their goods and services while efficiently using their entity’s resources. If management is concerned about reporting, they are focused on making sure that reports generated for stakeholders are reliable. For instance, the entity needs to ensure that the financial statements it publishes and sends in to regulators are accurate. And if the entity is concerned about compliance, they are making sure that they stay in line with laws and regulations.

I was mistaken that my business was mostly about writing (process or operations). It ended up being mostly about compliance.

Compliance Ate My Lunch

I recognized that no one would read my books for grins. I mean, who wants to read a 300-page book entitled, “The Yellow Book Interpreted” for fun and information only? I knew that I had to offer my books for continuing professional education credit or they wouldn’t sell at all. To qualify for continuing professional education credits for CPAs, I had to register with NASBA (the National Association of State Boards of Public Accountancy).

Years ago, the thought of working with NASBA was slightly intimidating but not prohibitively intimidating. But it seems that I chose a very bad moment to enter the market. As I was authoring my first books, NASBA was busy tightening up its requirements. This meant that I had to add all sorts of components to my books, including quiz questions that are hard to answer. By hard to answer, I mean I have to write the questions in such a way that the answer isn’t obvious – sort of like the obscure questions on the CPA exam. Oh joy! I never imagined myself as a question writer, but I embraced my new task and sent my first book into NASBA for testing. I passed and started selling my books.

All was well until my testing software started failing here and there, and I decided to create a new software program. The next time NASBA ran their test using my new software, they were able to find a flaw in the software that allowed students to jimmy the system and earn credit without taking the quiz. NASBA yanked my license. Huge, embarrassing ouch!

All the clients I had cultivated dropped me like a hot potato. I had to start the lengthy process of fixing the bugs in the software and applying for the license again. NASBA put the review of my courses on the back burner, and it took an entire year for them to review my courses and reinstate my license.

Compliance had eaten my lunch, and my dinner, and my midnight snack.

I won’t go into details about the remaining management objective, reporting, but as you can imagine, I must report to several regulatory bodies every year so that they can ensure I am staying in compliance. One regulatory body requires that I write out every course I offer on a teeny-tiny spreadsheet by hand! Electronic submissions are not allowed. Every course and every student must be tracked and maintained in reports that fit each regulator’s demands. Another process and another set of controls.

All organizations take on the same three areas – operations, compliance, and reporting when they decide to act.

Now for the Right-Hand Side of the Cube

If I told you that you needed to develop controls over the entire planet and keep everyone in line, you wouldn’t be too happy.

How about if I asked you to control the United States? Still too big a task? How about Texas? Yes, too big. How about Austin, Texas? No. How about the state capitol complex in Austin, Texas? Getting closer.

What if I asked you to control the north door of the state capitol to ensure that all people entering the state capitol building are screened by the Capitol Police? Now, I can work on controls for that! But anything larger, and I get overwhelmed.

And being overwhelmed probably means that I am going to approach the subject in a disorganized way. And being disorganized usually leads to leaving something important undone.

The whole point of the COSO cube is to help us organize our thoughts. The top organizes our purpose in creating controls, the front organizes the types of controls, and the right hand side simply helps us pick a subject — an area to work on. The side of the cube organizes the subject of our controls. This model lists the subject matter of controls as:

  • Entity
  • Division
  • Operating Unit
  • Function

Here is an example from a fictional university:

  • Entity: University of Universal Understanding (UUU)
  • Division: Philosophy Department
  • Operating Unit: Dean Supreme’s Office
  • Function: Curriculum development and divination

To me, the cube doesn’t go far enough in breaking the subject down into manageable, controllable pieces. I imagine that the function “curriculum development and divination” involves a process and each step of the process should be controlled. I advise you to break the subject matter into small enough pieces so that it is obvious what the controls should be.

For instance, the process of revising and re-publishing my books is a discrete subject matter. In order to tackle it, I had to break the process into a dozen major steps. And then for a good number of those steps, I had to layer on controls. The result is a two-page checklist with over 20 items that involves five people to complete!

If I had imagined creating controls at a higher level – say for my whole self-study business – I would have gotten hopelessly lost. And my self-study business is just one of five ways I make a living. If I had just started the layering on of controls at that high level, the result would have definitely ended up as a hodge-podge of controls and processes that didn’t get the job done.

So, to summarize: the top of the cube tells us why we develop controls and the right-hand side helps us decide exactly what we are going to control.

Another Layer of Detail

Because the face of the cube is a little too summarized for COSO and the GAO, both have broken the components on the face into 17 principles as follows:

CONTROL ENVIRONMENT

  1. The oversight body and management should demonstrate a commitment to integrity and ethical values.
  2. The oversight body should oversee the entity’s internal control system.
  3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives.
  4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals.
  5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities.

RISK ASSESSMENT

  1. Management should define objectives clearly to enable the identification of risks and define risk tolerances.
  2. Management should identify, analyze and respond to risks related to achieving the defined objectives.
  3. Management should consider the potential for fraud when identifying, analyzing, and responding to risks.
  4. Management should identify, analyze, and respond to significant changes that could impact the internal control system.

CONTROL ACTIVITIES

  1. Management should design control activities to achieve objectives and respond to risks.
  2. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks.
  3. Management should implement control activities through policies.

INFORMATION AND COMMUNICATION

  1. Management should use quality information to achieve the entity’s objectives.
  2. Management should internally communicate the necessary quality information to achieve the entity’s objectives.
  3. Management should externally communicate the necessary quality information to achieve the entity’s objectives.

MONITORING

  1. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results.
  2. Management should remediate identified internal control deficiencies on a timely basis.

What Does All This Mean for the Auditor?

The purpose of the Green Book is to encourage governments to implement strong, well thought out controls. The purpose of the Yellow Book is to encourage auditors to perform convincing and thorough audits. By integrating the Green Book into the Yellow Book, the GAO is requiring performance auditors to evaluate controls using all of the dimensions of the cube plus the 17 principles. This means that auditors’ internal control documentation must change to include the 17 principles.

Theoretically, as auditors use the new model to evaluate governments, the governments will be encouraged to adopt the model in their own organization and thus strengthen their controls.

In the intro to the chapter, we looked at these requirements from the performance audit chapter of the Yellow Book:

8.41     Consideration of internal control in a performance audit begins with determining the significance of internal control to the audit objectives and documenting that determination. Some factors that may be considered when determining the significance of internal control to the audit objectives include

  1. the subject matter under audit, such as the program or program component under audit, including the audited entity’s objectives for the program and associated inherent risks;
  2. the nature of findings and conclusions expected to be reported, based on the needs and interests of audit report users;
  3. the three categories of entity objectives (operations, reporting, and compliance); and
  4. the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and the integration of the components.

8.42     If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify whether specific controls are significant to the audit objectives. Determining which internal control components and principles and/or specific controls are significant to the audit objectives is a matter of professional judgment.

8.47     Approaches for obtaining an understanding of internal control may vary and may include consideration of entity-level controls, transaction-level controls, or both. However, even when assessing only transaction-level controls, it may be beneficial to gain an understanding of entity-level controls that may affect transaction-level controls by obtaining a broad understanding of the five components of internal control at the entity level. This involves considering the relationships between the components, which work together in an integrated manner in an effective internal control system, and the principles of internal control that support each component. In addition to obtaining a broad understanding of internal control at the entity level, auditors may also obtain an understanding of internal control at the transaction level for the specific programs and processes under audit.

Hopefully now, after we have covered those terms, those paragraphs hold more meaning. But it also may scare you a little bit because it is new and it is detailed!

To Save Time

As you can tell, documenting internal controls is going to be a lot of work! But before you start looking for another job, there is something you can do to minimize the documentation. You can refine your objective early in the audit process!

The Yellow Book says auditors are only responsible for documenting internal controls that are relevant to the audit objective. Thank you, GAO! So, the more specific you are about your audit objectives, the fewer controls you will end up having to document!

Here is the paragraph that allows you to focus on only documenting controls that are relevant to your audit objective:

8.49     If internal control is determined to be significant to the audit objectives, auditors should assess and document their assessment of the design, implementation, and/or operating effectiveness of such internal control to the extent necessary to address the audit objectives. 

If you dig into controls AFTER you have performed your inherent risk assessment and refined your audit objectives, you will conserve precious audit resources and, maybe, be able to tolerate your job for another year or two.

How the Green Book Affects Financial Auditors

Currently, the financial audit chapter of the Yellow Book does not emphasize the Green Book. This is because the AICPA has not adopted the 2013 version of the COSO model with the 17 principles. The AICPA is still working with the original version of the COSO model without the principles. So, if you are performing a straight up financial audit, you don’t have to worry about documenting the 17 principles.

If you are performing the Single Audit, you do need to apply the new model including the 17 principles because the Uniform Administrative Rules, Cost Principles and Audit Requirements for Federal Awards (the Uniform Guidance) mentions the Green Book. And as we just read, the Green Book structure includes the 17 principles. Check out this quote from the Uniform Guidance directed at the auditee:

200.303 Internal Controls
The non-Federal entity must:
(a) establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-Federal entity is managing the Federal Award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. These internal controls should be in compliance with guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States and the “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

And check out this requirement directed at the auditor regarding internal controls over compliance. I added bolding to emphasize the reference to the Green Book.

200.514 (c) Internal control. (1) The compliance supplement provides guidance on internal controls over Federal programs based upon the guidance in Standards for Internal Control in the Federal Government issued by the Comptroller General of the United States and the Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). (2) In addition to the requirements of GAGAS, the auditor must perform procedures to obtain an understanding of internal control over Federal programs sufficient to plan the audit to support a low assessed level of control risk of noncompliance for major programs.

This lands auditors working on the compliance portion of the Single Audit in the same position as performance auditors; they will have to evaluate and document the auditee’s application of all 17 principles. Fun-ness!

Do you know what you are doing? Chapter 4: Yellow Book competence standards

As I revise my self-study book, “The Yellow Book Interpreted,” I will be sharing chapters with you.

Objectives: 

  • Assess whether an audit team has met competency standards

The competence standard has raised more than a few eyebrows over the years. The competence standard is where the GAO introduces a very stringent continuing education requirement.

Let’s begin by understanding the GAO’s overarching objective – to make sure that audit teams are competent – and then dig into the continuing education requirement.

What Does the Team Have to Know?

The following list of basic competencies for an audit team can help your team select relevant training:

4.07     The knowledge, skills, and abilities needed when conducting an engagement in accordance with GAGAS include the understanding necessary to proficiently apply 

1. GAGAS;
2. standards, statutory requirements, regulations, criteria, and guidance applicable to auditing or the objectives for the engagement(s) being conducted; and
3. techniques, tools, and guidance related to professional expertise applicable to the work being performed.

Competence Is Collective

Thankfully, each team member does not have to carry the burden of competence individually; competence is a team effort.

4.02     The audit organization’s management must assign auditors to conduct the engagement who before beginning work on the engagement collectively possess the competence needed to address the engagement objectives and perform their work in accordance with GAGAS. 

Notice the term, “collectively possess.” I call this the Larry, Darrell, and Darrell standard. In the 1980s TV sitcom, Newhart, three bumpkin brothers (Larry, Darrell, and his other brother Darrell) would emerge out of the Vermont woods. Larry was the only brother who could speak, but collectively, as a team, they were functional. Just like Larry, Darrell, and Darrell, one smart guy can carry the whole audit team.

The Definition of Competence

What is competence? It is earned through education and experience.

4.05     Competence is the knowledge, skills, and abilities, obtained from education and experience, necessary to conduct the GAGAS engagement. Competence enables auditors to make sound professional judgments. Competence includes possessing the technical knowledge and skills necessary for the assigned role and the type of work being done. This includes possessing specific knowledge about GAGAS. 

4.06     Competence is derived from a combination of education and experience. Education is a structured and systematic process aimed at developing knowledge, skills, and other abilities; it is a process that is typically but not exclusively conducted in academic or learning environments. Experience refers to workplace activities that are relevant to developing professional proficiency. Competence is not necessarily measured by years of auditing experience because such a quantitative measurement may not accurately reflect the kinds of experiences gained by auditors in any given time period. Maintaining competence through a commitment to learning and development throughout auditors’ professional lives is an important element for auditors. 

I am sure you have encountered auditors with only a few years of experience who have earned half-a-dozen certifications and degrees who don’t have a clue what they are doing. And you have also met auditors who have been auditing for 25 years who have never cracked open an auditing standard. Competence is a BLEND of both education and experience.

Who is responsible?

First off, the Yellow Book places responsibility for assuring that the staff is competent on the audit organization and says that they are responsible for the hiring and development of Larry and the Darrells.

4.03     The audit organization’s management must assign auditors who before beginning work on the engagement possess the competence needed for their assigned roles.

4.04     The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement.

Education Keeps You Up-To-Date

One way you can make sure the audit team is competent is by keeping them up-to-date through continuing education. I don’t know what the rule is in other states, but hair stylists in Texas go to school once and that is that; no more training necessary. My hair was long, permed, and fluffy like Stevie Nicks’s hair for a good seven years longer than was prudent because I was loyal to a hair stylist who earned her license in the 1970s!

The GAO realizes that auditors need to grow and change in order to remain relevant. So, they require government auditors to earn 80 hours of CPE every two years. No permed hair for us!

The GAO has reformatted the way they present the core CPE requirements by putting the requirements in a table, but the requirements themselves have not changed in over a decade.

4.16     Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of CPE in every 2-year period as follows.

CPE Guidance Document Is Now Integrated into the Standards

The GAO issued a guidance document regarding CPE in April of 2005. The official title is “Guidance on GAGAS Requirements for Continuing Professional Education.” In the 2018 version of the Yellow Book, the GAO added the contents of this supplemental document to the text of the competence chapter.

The following are the topics addressed in the rest of the competence chapter that may be relevant to you.

  • Subject matter categories of CPE
    • Subject matter directly related to the 24-hour requirement
    • Subject matter related to the 56-hour requirement
  • Exemptions and exceptions
  • Specialists
  • Programs and activities that qualify for CPE
  • Measurement of CPE
  • Monitoring CPE

Let’s hit the highlights of these requirements together:

Who’s Subject to the Requirements?

Under “Who is subject to CPE requirements?” the guidance document describes what the GAO means by planning, directing, performing, and reporting.

4.11      Definitions of key terms follow: 

a.   Planning: Determining engagement objectives, scope, and methodology; establishing criteria to evaluate matters subject to audit; or coordinating the work of the other audit organizations. This definition excludes auditors whose role is limited to gathering information used in planning the engagement. 

b.   Directing: Supervising the efforts of others who are involved in accomplishing the objectives of the engagement or reviewing engagement work to determine whether those objectives have been accomplished. 

c.   Performing engagement procedures: Performing tests and procedures necessary to accomplish the engagement objectives in accordance with GAGAS. 

d.   Reporting: Determining the report content and substance or reviewing reports to determine whether the engagement objectives have been accomplished and the evidence supports the report’s technical content and substance prior to issuance. This includes signing the report. 

Why do these definitions of planning, directing, performing, and reporting matter?  Because if your work centers around “performing engagement procedures,” you may be exempt from some or all of the CPE requirements. But if you are involved in any of the other three functions, you are required to earn all 80 hours.

4.25 Auditors may be exempted from the 56-hour CPE requirement by the audit organization, but not the 24-hour requirement, if they 

1. charge less than 20 percent of their time annually to engagements conducted in accordance with GAGAS and

2. are only involved in performing engagement procedures, but not involved in planning, directing, or reporting on the engagement.

The 20 percent may be based on historical or estimated charges in a year, provided that the audit organization has a basis for this determination and monitors actual time. For auditors who change status such that they are charging more than 20 percent of their time annually to engagements under GAGAS, the audit organization may prorate the required CPE hours similar to when auditors are assigned to GAGAS engagements after the beginning of a 2-year CPE measurement period, as discussed in paragraph 4.42. 

4.26     Nonsupervisory auditors who charge less than 40 hours of their time annually to engagements conducted in accordance with GAGAS may be exempted by the organization from all CPE requirements in paragraph 4.16. 

The way I interpret this – and mind you, this is my interpretation – is that even if you touch a governmental audit or are involved with the audit team at all, beyond doing simple test procedures, you must comply with the whole 24- and 56-hour CPE requirement. This means that, if you are a tax partner in an accounting firm and your audit partner goes on holiday for two weeks during the middle of a government audit leaving you to make decisions and supervise the staff on that audit, then you must get all 80 hours! This is the GAO’s way to keep folks who aren’t serious about government audits away from government audits.

If you are a staff person performing only fieldwork, then you must get the 24 hours, and you may be exempt from the remaining 56 depending on how much of your year you spend on government audits. If you spend less than 20% of your time on a GAGAS audit and you aren’t involved in conducting, directing, or reporting, then you still need 24 hours of CPE, but you don’t have to get the additional 56 hours.

Notice that if you spend less than 40 hours a year “performing engagement procedures,” you are exempt from all requirements. This exemption is new as of the 2018 revision.

CPE Subjects That Qualify for the 24 Hours

The Yellow Book lists topics that qualify for the 24-hour requirement:

Subject Matter Directly Related to the Government Environment, Government Auditing, or the Specific or Unique Environment in Which the Audited Entity Operates (24-Hour Requirement) 

4.23     Subject matter directly related to the government environment, government auditing, or the specific or unique environment in which the audited entity operates may include, but is not limited to, the following: 

  • generally accepted government auditing standards (GAGAS) and related topics, such as internal control as addressed in GAGAS; 
  • the applicable American Institute of Certified Public Accountants’ (AICPA) Statements on Auditing Standards; 
  • the applicable AICPA Statements on Standards for Attestation Engagements and Statements on Standards for Accounting and Review Services; 
  • the applicable auditing standards issued by the Institute of Internal Auditors, the Public Company Accounting and Oversight Board, the International Auditing and Assurance Standards Board, or other auditing standard-setting body;
  • U.S. generally accepted accounting principles, or the applicable financial reporting framework being used, such as those issued by the Federal Accounting Standards Advisory Board, the Governmental Accounting Standards Board, or the Financial Accounting Standards Board;
  • Standards for Internal Control in the Federal Government;
  • Internal Control—Integrated Framework, as applicable;
  • requirements for recipients of federal contracts or grants, such as Single Audits under the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards; 
  • requirements for federal, state, or local program audits; 
  • relevant or applicable audit standards or guides, including those for information technology auditing and forensic auditing;
  • information technology auditing topics applicable to the government environment; 
  • fraud topics applicable to a government environment; 
  • statutory requirements, regulations, criteria, guidance, trends, risks, or topics relevant to the specific and unique environment in which the audited entity operates; 
  • statutory requirements, regulations, criteria, guidance, trends, risks, or topics relevant to the subject matter of the engagement, such as scientific, medical, environmental, educational, or any other specialized subject matter; 
  • topics directly related to the government environment, such as the nature of government (structures, financing, and operations), economic or other conditions and pressures facing governments, common government financial management issues, appropriations, measurement or evaluation of government financial or program performance, and application of general audit methodologies or techniques to a government environment or program; 
  • specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial estimates, statistical analysis tests, or statistical or nonstatistical sampling; 
  • performance auditing topics, such as obtaining evidence, professional skepticism, and other applicable audit skills;
  • government ethics and independence; 
  • partnerships between governments, businesses, and citizens; 
  • legislative policies and procedures; 
  • topics related to fraud, waste, abuse, or improper payments affecting government entities; and 
  • compliance with laws and regulations. 

That list covers a lot of ground and means that you don’t have to sit in a Yellow Book class every two years to earn your 24 hours!

Remember because of the last clause of the requirement, “Subject Matter Directly Related to the Government Environment, Government Auditing, or the Specific or Unique Environment in Which the Audited Entity Operates,” you are allowed to earn CPE hours for learning about the unique environment or subject matter that you are auditing. For example, if you are performing an audit of investments for a retirement system, you can earn your 24 hours in a three-day class on how large institutions trade investments. Or, you might be auditing a housing and urban development program. In this case, you can take a seminar that would teach you more about the program.

In other words, you don’t need to feel locked into courses that have “government” in the title to earn these 24 hours. The “unique environment” clause opens up a lot of possibilities.

CPE Subjects That Qualify for the 56 Hours

The guidance document has this to say about the 56-hour requirement:

Subject Matter That Directly Enhances Auditors’ Professional Expertise to Conduct Engagements (56-Hour Requirement) 

4.24     Subject matter that directly enhances auditors’ professional expertise to conduct engagements may include, but is not limited to, the following: 

1. subject matter categories for the 24-hour requirement listed in paragraph 4.23;
2. general ethics and independence;
3. topics related to accounting, acquisitions management, asset management, budgeting, cash management, contracting, data analysis, program performance, or procurement;
4. communicating clearly and effectively, both orally and in writing;
5. managing time and resources;
6. leadership;
7. software applications used in conducting engagements;
8. information technology; and
9. economics, human capital management, social and political sciences, and other academic disciplines that may be applied in engagements, as applicable.

Similar to the 24-hour requirement, the 56-hour requirement is fairly flexible.

Classes on estate planning or a personal taxation update don’t qualify for either the 24- or the 56-hour requirement. Although those classes might help a CPA in public practice keep their business going, they have nothing to do with governmental auditing.

Be careful that you do not confuse the Yellow Book requirements with other professional requirements

The State of California has some very specific CPE requirements for CPAs. The Certified Fraud Examiners have specific training requirements, too. The GAO warns us that satisfying another organization’s requirements might not satisfy Yellow Book requirements and vice versa.

4.34     Individual auditors who are members of professional organizations or who are licensed professionals, such as certified public accountants, are cautioned that the GAGAS CPE requirements, while similar in many respects to those of professional organizations and of licensing bodies, may not be identical. Some subjects and topics may be acceptable to state licensing bodies or professional organizations, but may not qualify as CPE under GAGAS. Conversely, some CPE that qualifies for GAGAS may not qualify for state licensing bodies or professional organizations. Careful consideration of auditors’ relevant professional organizations or licensing body requirements is encouraged to meet other relevant CPE requirements. 

4.35     Examples of training topics that may qualify as CPE for state licensing bodies or professional organizations but would not generally qualify as CPE for purposes of satisfying requirements under GAGAS include certain training in taxation, personal financial planning and investment, taxation strategies, estate planning, retirement planning, and practice management, unless such training directly enhances the auditors’ professional proficiency to perform engagements or relate to the subject matter of an engagement. However, if certain taxation or other topics relate to an objective or the subject matter of an engagement, training in those related topics could qualify as CPE under GAGAS.

That was a lot of information about CPE! If you have any more questions, please review Chapter 4 in the Yellow Book, as it will likely answer your questions. If that doesn’t help, the GAO is very helpful and willing to answer your questions. Write to yellowbook@gao.gov

Does your team meet the 2018 Yellow Book Independence Standards?

Chapter 3: Independence

As I revise my self-study book, “The Yellow Book Interpreted,” I will be sharing chapters with you.

Objectives: 

  • Classify your ethical responsibilities in the government environment 
  • Apply the conceptual framework in evaluating threats to your independence as an auditor 
  • Identify the attributes of professional judgment per GAO standards

All Three Together

In prior versions of the Yellow Book, the ethics, independence, and professional judgment standards were presented in different chapters. Now they are joined in one long chapter.

These are some of the least specific standards in the Yellow Book as all require the application of professionalism, maturity, and judgment. And how do you regulate professionalism, maturity, and judgment? You can’t. You can only talk about them in generalities.

We will cover the three standards in the order presented in Chapter 3 of the Yellow Book. First ethics, then independence, and lastly professional judgment.

Ethics

In order to understand the GAO’s perspective on ethics and independence, we need to talk about three themes of the Yellow Book that kick off the standards in the first few pages of the Yellow Book. These three themes – accountability, transparency, and service –  put us in the right frame of mind when auditing in the government environment.

Accountability

What is accountability? I had heard the term tossed around the government so frequently that I never even thought about its meaning. Now I know that accountability does not mean that you got it right. It just means that you take ownership of it.

I met a cowboy auditor in West Texas who said, “You might be right, or you might be wrong, but you’d better the hell document it.” That sums up accountability quite nicely. When things go bad, you are there to say, “Yes, that was me. I’m sorry.” When things go well, you can keep your job.

Recently on TV news, I saw a high school coach who was responsible for the death of one of his teenage football players. And instead of being contrite, he said something like, “Everyone is forgetting that I suffered a loss, too, and that I will hold on to this for the rest of my life.” That is not exactly what the parents of that boy wanted to hear. He deflected accountability and tried to engender empathy for himself. I doubt that will serve him well in his community.

The GAO repeatedly reminds us that we are accountable to the taxpaying public for our actions and that we, as auditors, have a role in holding government leaders accountable.

1.02     The concept of accountability for use of public resources and government authority is key to our nation’s governing processes.

1.05     Government auditing is essential in providing accountability to legislators, oversight bodies, those charged with governance, and the public. Audits provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the engagement.

One of the tough things about the GAO standards is they are not written for government officials (although government officials are mentioned a few times); they are written as standards for auditors. So, while we hold public officials and employees accountable for their actions, we are accountable for our actions, too.

Transparency

Transparency means that actions and information are open for everyone’s inspection and review.

1.07     Audits performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations. GAGAS contains requirements and guidance to assist auditors in objectively acquiring and evaluating sufficient, appropriate evidence and reporting the results. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, better decision making and oversight, effective and efficient operations, and accountability and transparency for resources and results.

The State of Texas government has put every single transaction online in real time. I can, with a few clicks of the mouse, see that the Texas Department of Transportation bought a van, how much the van was, who they bought it from, why they need it, and what color of funds (general revenue, special revenue, enterprise revenues) paid for it. They occasionally consider putting all state employee payroll data online – yes, names, pay grade, title, the whole bit. Why? Because citizens own the government, and we citizens have a right to know how our money is being used!

Theoretically, if you do as President Obama frequently advised in his speeches and shine light in the dark places, those in hiding will be exposed and held accountable.

Service

If you audit Hurst Construction, your ultimate audience for the audit report is Mr. Hurst, his board of directors, and the bank. But, if you audit a public housing project, your ultimate clients are not the managers of the project, the boards of directors, or the banks. Your ultimate beneficiaries of the report are not even the grantors. The ultimate beneficiaries of your work are the low-income children who live in the housing project.

We have to remember, as governmental auditors, that we are checking to see whether tax dollars are being used for their intended purpose and whether the public is being served by our auditee’s efforts.

3.08     A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamental to serving the public interest.

We hold our clients to a higher standard of behavior than we do in the commercial sector. While it was OK for AIG to go on a lavish $500,000 spa junket before the US taxpayers bailed them out in 2008, it certainly was not OK after the bailout.

Later, we will see that the GAO asks you to report even more bad behaviors than the AICPA does. If Mr. Hurst wants to put his jet-setting, never-worked-a-day-in-their-life kids on the payroll, more power to him. Auditors in the commercial sector do not have a responsibility to say anything about that. But in the government realm, we call that abuse, and we do have a professional, and I have to add, moral, responsibility to do something with that knowledge. We’ll discuss more about abuse later.

Five Main Sections of the Ethics Section

The ethics discussion is divided into five main principles:

a.   The public interest
b.   Integrity
c.   Objectivity
d.   Proper use of government information, resources, and position
e.   Professional behavior

Let’s discuss each one in turn.

The Public Interest

When Johnson and Johnson found out that someone had tampered with one of their products, Tylenol, and that people were dying as a result, they immediately recalled the product. This cost Johnson and Johnson an estimated $100 million. They could have made a lot of other, less responsible and possibly less expensive choices. But because they had a mission statement that put the customer first and the shareholders second, it was obvious what they should do.

In government, our first responsibility is to the public. Not to the person who hired us and is writing our checks. Not to the federal grantor. We are responsible for bringing anything to light that harms the kid in the housing development.  Sometimes this will cost us.

A city auditor told me that he sees a higher purpose in his work. It is his job to make sure that the monies collected by the city are turned back to support those who need services and who may not have a voice in the government. He works on the citizens’ behalf, and because of this higher purpose, doesn’t care whether he makes his auditees upset when he publishes his reports.

3.07     The public interest is defined as the collective well-being of the community of people and entities the auditors serve. Observing integrity, objectivity, and independence in discharging their professional responsibilities assists auditors in meeting the principle of serving the public interest and honoring the public trust. The principle of the public interest is fundamental to the responsibilities of auditors and critical in the government environment.

In my business, I transfer in and out of two worlds – the government world and the commercial world – and indeed they are different. In the commercial world fortunes are made by doing what is not expressly prohibited. In the government world, action won’t be taken unless it is expressly permitted.

Commercial entities are not interested in transparency. A friend of mine, an engineer, says that Apple is one of the most secretive organizations for which he has ever worked. At the corporate headquarters store, they sell a T-Shirt that says, “I visited the Apple Corporate Offices in Cupertino…and that is all I can say about it.” Apple doesn’t want their auditor shining light in their dark places.

But government auditors must shine light in dark places to serve the children, the elderly, and the disabled.

And taxpayers get very, very upset if even a tiny bit of their hard-earned tax dollars are squandered. Not long ago, I helped develop a training event for a government employee retirement system. Afterwards, to celebrate our success, the retirement system managers insisted that we dine at a first-rate steakhouse in Dallas – you know the type, where you pay $45 for an à la carte steak. We had wine and appetizers, and one guy ordered a $35 brandy. I was very uncomfortable. I thought that if any of their members walked in and recognized them as the folks in charge of their retirement funds, they would have a lot of explaining to do. The retirees don’t want their money going for high living! If you work for a corporation, go ahead and enjoy. Live it up! But in a conscientious government environment, I can’t even get a cup of coffee for free.

Integrity

Both the integrity and objectivity sections of the Yellow Book mention independence and freedom from political or ideological bias.

When I started in public accounting, the managing partner made it very clear to me that I should not put any bumper stickers on my car indicating affiliation with any political party, university, or even a radio station! When talking to the client, I was not to express opinions on the events of the day or engage the clients in religious, social, or political discussions. I was to be personality-less! In this way, the client could never question whether I had a bias as I made my audit conclusions.

He was, not so subtly, pointing out that what the firm sold was auditor integrity and objectivity. And if the client doubted either of those, our product – our conclusions and opinions – was useless.

Integrity
3.09     Public confidence in government is maintained and strengthened by auditors performing their professional responsibilities with integrity. Integrity includes auditors conducting their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities and users of the auditors’ reports. Within the constraints of applicable confidentiality laws, rules, or policies, communications with the audited entity, those charged with governance, and the individuals contracting for or requesting the audit are expected to be honest, candid, and constructive.

3.10     Making decisions consistent with the public interest of the program or activity under audit is an important part of the principle of integrity. In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and other likely users. Auditors may also encounter pressures to inappropriately achieve personal or organizational gain. In resolving those conflicts and pressures, acting with integrity means that auditors place priority on their responsibilities to the public interest.

Objectivity

3.11      The credibility of auditing in the government sector is based on auditors’ objectivity in discharging their professional responsibilities. Objectivity includes independence of mind and appearance when providing audits, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest. Maintaining objectivity includes a continuing assessment of relationships with audited entities and other stakeholders in the context of the auditors’ responsibility to the public. The concepts of objectivity and independence are closely related. Independence impairments impact objectivity.

Proper Use of Government Information, Resources, and Position

A professor at University of Texas at Arlington teaches ethics and leadership to government leaders in communist bloc countries. He developed several case studies for the leaders-in-training to discuss. One case study described how a mayor used city employees to landscape his backyard– clearly an improper usage of government resources. But unlike previous case studies, the professor didn’t hear anything back from them the next week. Instead the leaders stalled for a month before they admitted that they just didn’t understand the ethical dilemma in the scenario. Using the labor of government employees for personal benefit is one of the perks of being a government leader in a communist bloc country! Not so under Yellow Book standards:

3.12     Government information, resources, and positions are to be used for official purposes and not inappropriately for the auditor’s personal gain or in a manner contrary to law or detrimental to the legitimate interests of the audited entity or the audit organization. This concept includes the proper handling of sensitive or classified information or resources.

3.13     In the government environment, the public’s right to the transparency of government information has to be balanced with the proper use of that information. In addition, many government programs are subject to laws and regulations dealing with the disclosure of information. To accomplish this balance, exercising discretion in the use of information acquired in the course of auditors’ duties is an important part in achieving this goal. Improperly disclosing any such information to third parties is not an acceptable practice.

3.14     Accountability to the public for the proper use and prudent management of government resources is an essential part of auditors’ responsibilities. Protecting and conserving government resources and using them appropriately for authorized activities is an important element in the public’s expectations for auditors.

3.15     Misusing the position of an auditor for financial gain or other benefits violates an auditor’s fundamental responsibilities. An auditor’s credibility can be damaged by actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an auditor’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the auditor serves as an officer, director, trustee, or employee; or an organization with which the auditor is negotiating concerning future employment.

Professional Behavior

Any behavior that could cause someone to question your professionalism can detract from your credibility. And, credibility helps sell audit recommendations.

3.16     High expectations for the auditing profession include compliance with all relevant legal, regulatory, and professional obligations and avoidance of any conduct that might bring discredit to auditors’ work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors’ work was professionally deficient. Professional behavior includes auditors putting forth an honest effort in performance of their duties and professional services in accordance with the relevant technical and professional standards.

Consider the following true scenario (with a few small changes to protect identities): You are the internal audit director of a large city. You recently hired a new auditor fresh out of college and have been grooming him for a career conducting governmental audits. Recently, you assigned him to conduct a performance audit of your city’s police department.

Everything has been going well until last week when you saw a picture of him in the local newspaper at the city’s Mardi Gras celebration. He was pictured on the very top of a street light without his shirt wearing dozens of bead necklaces. The police stood below and appeared to be yelling at him to come down. You show him the picture and ask him what he thought he was doing. He becomes immediately defensive and tells you that what he does on his own time is none of your business. He had some college buddies in town and they were celebrating an upcoming wedding.

The professional behavior standard says nothing about distinguishing your behavior between your work life and your personal life. But does this new auditor’s personal behavior compromise his credibility with the police force? Yes, indeed! If he doesn’t respect the law on his personal time, he can’t expect the police department to respect his audit during his professional time.

To maintain your shop’s professional image, you will probably have to remove this auditor from the engagement and replace him with another auditor.

As auditors, we sell our credible, objective, high integrity opinions and conclusions about an audit subject.

Borrowing from the later discussion on independence in chapter 3:

3.22     Auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. 

3.19     Auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditors and audit organizations are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the engagement and reporting on the work. 

Independence

Did you notice how many times the words independence and objectivity showed up in the ethics requirements? Independence is one of the most complicated and granular standards in the Yellow Book, clocking in at almost 30 pages of text!

I am going to summarize the major requirements of the Yellow Book regarding independence. But as you know, summaries leave out details that might be important to you. So please at least scan Chapter 3 to make sure you have applied the independence standards to your specific situation.

The GAO Isn’t Empathetic When It Comes to Independence

The GAO, a legislative auditor, is in a rare situation; they are truly independent. They can say whatever needs to be said and not suffer any consequences because they are funded by and report directly to Congress, not the federal agencies that they audit.

The GAO did not set out to have anything to do with internal or external auditors. They wrote the Yellow Book for themselves. But over the decades, through a series of laws and regulations, they became responsible for groups of folks for whom they seem to have little empathy because both internal auditors and external auditors have inherent independence challenges. Internal auditors are employees of the entity they audit and attend the same holiday parties as their auditees. External auditors are contractors who are paid by the auditee, and if they don’t make the auditee happy, they don’t get to keep the gig during the next audit cycle.

For the last few decades, the GAO has been working with mixed success to clarify and strengthen the auditor independence standards so that all government auditors are working with the highest level of objectivity and integrity. Along the way, they decided that going their own way with the standards confused CPAs in public practice. So, they adopted the AICPA rules for independence and added a few significant modifications. The AICPA invented something called the “conceptual framework” for evaluating auditor independence, which I will explain shortly.

The Bottom Line of Auditor Independence

The essential steps the GAO wants you to go through if you encounter an independence threat are:

  1. apply the conceptual framework when you encounter a threat
  2. document your application of the conceptual framework
  3. if the threat involves you performing a non-audit service, make sure the client has SKE
  4. document the client’s SKE
  5. have the client agree they are responsible for the results of the non-audit service
  6. document this understanding with the client in writing

Let’s go through each step.

Apply the Conceptual Framework

The AICPA uses a decision process for evaluating independence that they call the “conceptual framework.” Typical of the AICPA, they make something very straightforward sound complex and involved. You know, something only a well-paid, CPA-type professional can implement!

I am not intimidated or wowed by their conceptual framework, and you shouldn’t be either. It is simply putting fancy terminology around the way all humans make decisions. First, we understand our options, then we decide what is important to us, and then we choose. But since you have to use the conceptual framework, it would be good for you to use the exact language the AICPA and GAO use:

3.27     Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to 

1. identify threats to independence;

2. evaluate the significance of the threats identified, both individually and in the aggregate; and

3. apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level.

Let’s think through the conceptual framework in more personal terms before we take on an audit example. Let’s talk about the decision process you go through when dating!

Step 1 of the Conceptual Framework: Identify Threats

In dating terms, identifying threats means spending time with your intended to find out more about them and identify potential relationship killers or aspects of their personality, habits, or baggage that could cause you future misery. Maybe he is way too close to his mother, or his ex-wife is extremely hard to handle, or his football/golf/hunting/fishing hobby is likely to leave you on your own most weekends.

Step 2 of the Conceptual Framework: Evaluate the Significance of the Threats Identified, Both Individually and in the Aggregate

In dating terms, this means you now need to figure out whether you can actually tolerate being left alone most weekends. Maybe you like to be alone, so you can shop, spend time with friends, or volunteer. But if his mother’s constant visits and calls are unwanted, his ex-wife’s picture is still on his mantel, and he spent the last three weekends getting sunburned and drunk at the golf course, this is what the AICPA calls “threats in the aggregate.”

Step 3 of the Conceptual Framework: Apply Safeguards as Necessary to Eliminate the Threats or Reduce Them to an Acceptable Level

In dating terms, this might mean breaking up, finding a new supportive social structure, agreeing to limits on his hobby, or moving to another country without phone or internet service to escape his mother.

Not exactly rocket science, huh? Conceptual framework… PLEASE!

The GAO just adds to the aura of complexity by coming up with a diagram in the appendix. I can tell when people have gotten a bit too granular when I see two things: a key that explains acronyms and terminology and/or a flowchart. When auditors feel the need to add a key that explains acronyms and technical terms to the back cover of their report, they mistakenly assume their readers care enough to actually use it to read their complex report! The same is true when they have to draw a flowchart similar to the following:

GAGAS chart

Trifecta Step #1 – Identify Threats

Let’s start by looking at the list of threats: conceptual framework step #1.

3.30     Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: 

1. Self-interest threat: The threat that a financial or other interest will inappropriately influence an auditor’s judgment or behavior.
2. Self-review threat: The threat that an auditor or audit organization that has provided nonaudit services will not appropriately evaluate the results of previous judgments made or services provided as part of the nonaudit services when forming a judgment significant to a GAGAS engagement.
3. Bias threat: The threat that an auditor will, as a result of political, ideological, social, or other convictions, take a position that is not objective.
4. Familiarity threat: The threat that aspects of a relationship with management or personnel of an audited entity, such as a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective.
5. Undue influence threat: The threat that influences or pressures from sources external to the audit organization will affect an auditor’s ability to make objective judgments.
6. Management participation threat: The threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the audited entity, which will lead an auditor to take a position that is not objective.
7. Structural threat: The threat that an audit organization’s placement within a government entity, in combination with the structure of the government entity being audited, will affect the audit organization’s ability to perform work and report results with integrity.

3.38     Examples of circumstances that create self-interest threats for an auditor follow: 

a.   An audit organization having undue dependence on income from a particular audited entity. 
b.   A member of the audit team entering into employment negotiations with an audited entity.
c.   An audit organization discovering a significant error when evaluating the results of a previous professional service provided by the audit organization. 
d.   A member of the audit team having a direct financial interest in the audited entity. However, this would not preclude auditors from auditing pension plans that they participate in if (1) the auditors have no control over the investment strategy, benefits, or other management issues associated with the pension plan and (2) the auditors belong to such pension plan as part of their employment with the audit organization or prior employment with the audited entity, provided that the plan is normally offered to all employees in equivalent employment positions. 

3.39     Examples of circumstances that create self-review threats for an auditor follow: 

1. An audit organization issuing a report on the effectiveness of the operation of financial or performance management systems after designing or implementing the systems.
2. An audit organization having prepared the original data used to generate records that are the subject matter of the engagement.
3. An audit organization providing a service for an audited entity that directly affects the subject matter information of the engagement.
4. A member of the engagement team being, or having recently been, employed by the audited entity in a position to exert significant influence over the subject matter of the engagement.

3.40     Examples of circumstances that create bias threats for an auditor follow: 

1. A member of the engagement team having preconceptions about the objectives of a program under audit that are strong enough to affect the auditor’s objectivity.
2. A member of the engagement team having biases associated with political, ideological, or social convictions that result from membership or employment in, or loyalty to, a particular type of policy, group, entity, or level of government that could affect the auditor’s objectivity.

3.41     Examples of circumstances that create familiarity threats for an auditor follow: 

a.   A member of the engagement team having a close or immediate family member who is a principal or senior manager of the audited entity. 
b.   A member of the engagement team having a close or immediate family member who is an employee of the audited entity and is in a position to exert significant influence over the subject matter of the engagement. 
c.   A principal or employee of the audited entity having recently served on the engagement team in a position to exert significant influence over the subject matter of the engagement. 
d.   An auditor accepting gifts or preferential treatment from an audited entity, unless the value is trivial or inconsequential.
e.   Senior engagement personnel having a long association with the audited entity.

3.42     Examples of circumstances that create undue influence threats for an auditor or audit organization include existence of the following: 

a.   External interference or influence that could improperly limit or modify the scope of an engagement or threaten to do so, including exerting pressure to inappropriately reduce the extent of work performed in order to reduce costs or fees. 
b.   External interference with the selection or application of engagement procedures or in the selection of transactions to be examined. 
c.   Unreasonable restrictions on the time allowed to complete an engagement or issue the report.
d.   External interference over assignment, appointment, compensation, and promotion. 
e.   Restrictions on funds or other resources provided to the audit organization that adversely affect the audit organization’s ability to carry out its responsibilities.
f.   Authority to overrule or to inappropriately influence the auditors’ judgment as to the appropriate content of the report.
g.   Threat of replacing the auditor or the audit organization based on a disagreement with the contents of an audit report, the auditors’ conclusions, or the application of an accounting principle or other criteria. 
h.   Influences that jeopardize the auditors’ continued employment for reasons other than incompetence, misconduct, or the audited entity’s need for GAGAS engagements. 

3.43     Examples of circumstances that create management participation threats for an auditor follow: 

1. A member of the engagement team being, or having recently been, a principal or senior manager of the audited entity.
2. An auditor serving as a voting member of an entity’s management committee or board of directors, making policy decisions that affect future direction and operation of an entity’s programs, supervising entity employees, developing or approving programmatic policy, authorizing an entity’s transactions, or maintaining custody of an entity’s assets.
3. An auditor or audit organization recommending a single individual for a specific position that is key to the audited entity or program under audit, or otherwise ranking or influencing management’s selection of the candidate.
4. An auditor preparing management’s corrective action plan to deal with deficiencies detected in the engagement.

3.44     Examples of circumstances that create structural threats for an auditor follow: 

1. For both external and internal audit organizations, structural placement of the audit function within the reporting line of the areas under audit.
2. For internal audit organizations, administrative direction from the audited entity’s management.

By the way, performing a non-audit service in addition to your audit is automatically a threat.

Conceptual Framework Step #2 – Evaluate the Significance of the Threat

Did you see yourself in Step 1? If so, proceed to conceptual framework/trifecta step #2: evaluating the significance of the threat. Whether a threat is a big deal or not is entirely up to your judgment, even though the standard does ask you to imagine a hypothetical judge – the classic “objective third party with knowledge of relevant facts.”

3.46     When evaluating threats to independence, an acceptable level is a level at which a reasonable and informed third party would likely conclude that the audit organization or auditor is independent. The concept of a reasonable and informed third party is a test that involves an evaluation by a hypothetical person. Such a person possesses skills, knowledge, and experience to objectively evaluate the appropriateness of the auditor’s judgments and conclusions. This evaluation entails weighing all the relevant facts and circumstances, including any safeguards applied, that the auditor knows, or could reasonably be expected to know, at the time that the evaluation is made. 

Conceptual Framework Step #3 – Apply Safeguards

If you decide that you or the imaginary third party believes these threats to be significant, you move on to conceptual framework/trifecta step #3: apply safeguards:

3.49     Safeguards are actions or other measures, individually or in combination, that auditors and audit organizations take that effectively eliminate threats to independence or reduce them to an acceptable level. Safeguards vary depending on the facts and circumstances. 

3.50     Examples of safeguards include 

a.   consulting an independent third party, such as a professional organization, a professional regulatory body, or another auditor to discuss engagement issues or assess issues that are highly technical or that require significant judgment; 
b.   involving another audit organization to perform or re-perform part of the engagement; 
c.   having an auditor who was not a member of the engagement team review the work performed; and 
d.   removing an auditor from an engagement team when that auditor’s financial or other interests or relationships pose a threat to independence. 

3.69     The following are examples of actions that in certain circumstances could be safeguards in addressing threats to independence related to nonaudit services:

a.   not including individuals who provided the nonaudit service as engagement team members;
b.   having another auditor, not associated with the engagement, review the engagement and nonaudit work as appropriate;
c.   engaging another audit organization to evaluate the results of the nonaudit service; or
d.   having another audit organization re-perform the nonaudit service to the extent necessary to enable that other audit organization to take responsibility for the service.

And, typical of a Yellow Book audit standard, you don’t get to just go through the process in your head. You get to document your reasoning process, too. Yes, you will need another memo!

After applying the conceptual framework, you might be just fine. If you have a threat, you put a safeguard in place and go on your merry way. But if the nature of your threat is caused because you are taking on a non-audit service, a handful of additional requirements apply.

What Is a Nonaudit Service?

A non-audit service is almost anything that you do for the auditee that isn’t an audit. Examples include helping them document internal controls, monitoring transactions on their behalf, or creating financial statements.

Non-audit services are called “consulting services” by other standards. For instance, the IIA divides their standards up into two main pieces, assurance standards and consulting standards. And the IIA encourages internal auditors to perform consulting engagements in order to add value to their organization.

The GAO wishes you would just stick with auditing and let someone else provide consulting services because they believe that consulting services have an impact on your auditor independence. To make auditors think twice about taking on consulting services (non-audit services), the GAO requires that the client has skills, knowledge, and experience (SKE) and that the client takes responsibility for the product of the non-audit service in writing.

SKE

The GAO wants to make sure that the client is sophisticated enough to tell if the auditor made a mistake with the product of their consulting service. Pay close attention to a new sentence at the bottom of 3.79 (bolding added).

3.73     Before auditors agree to provide nonaudit services to an audited entity that the audited entity’s management requested and that could create a threat to independence, either by themselves or in aggregate with other nonaudit services provided, with respect to any GAGAS engagement they conduct, auditors should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience and that the individual understands the services to be provided sufficiently to oversee them.

3.74     Auditors should document consideration of management’s ability to effectively oversee nonaudit services to be provided.

3.75     In cases where the audited entity is unable or unwilling to assume these responsibilities (for example, the audited entity does not have an individual with suitable skill, knowledge, or experience to oversee the nonaudit services provided, or is unwilling to perform such functions because of lack of time or desire), auditors should conclude that the provision of these services is an impairment to independence.

3.79     A critical component of determining whether a threat to independence exists is consideration of management’s ability to effectively oversee the nonaudit service to be provided. Although the responsible individual in management is required to have sufficient expertise to oversee the nonaudit services, management is not required to possess the expertise to perform or re-perform the services. However, indicators of management’s ability to effectively oversee the nonaudit service include management’s ability to determine the reasonableness of the results of the nonaudit services provided and to recognize a material error, omission, or misstatement in the results of the nonaudit services provided.

Client Must Take Responsibility in Writing

Once you have documented your application of the conceptual framework, applied safeguards, and decided and documented that the client has SKE, you now create a letter of agreement with the client stating that the client is responsible for the results of the non-audit service.

3.76     Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services:

1. assumes all management responsibilities;
2. oversees the services, by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, or experience;
3. evaluates the adequacy and results of the services provided; and
4. accepts responsibility for the results of the services.

The Bottom Line of Auditor Independence: A Review

Again, I recommend that you read the independence section of the Yellow Book yourself because as I summarize and simplify the standard, I naturally have to leave some detail out that might be pertinent to you! Here again is the bottom line:

  1. apply the conceptual framework when you encounter a threat
  2. document your application of the conceptual framework
  3. if the threat involves a non-audit service, make sure the client has SKE
  4. document the client’s SKE
  5. have the client agree they are responsible for the results of the non-audit service
  6. document this understanding with the client in writing

Notice three levels of documentation: the application of the conceptual framework, the proof of SKE, and the letter assigning responsibility for the subject matter to the client.

Specifically Addressed Non-Audit Services

The GAO knows that auditors are still performing non-audit services, regardless of the GAO’s disdain for them and their repeated warnings. And they also know of a handful of non-audit services that are performed pretty regularly. I want to mention two of them because I see these non-audit services being performed quite often myself. One is continuous monitoring and the other is financial statement preparation.

Continuous Monitoring as a Non-Audit Service

Continuous monitoring is always a hot topic at IIA conferences. Continuous monitoring technology allows managers to watch transactions and controls in real time to identify outliers and correct errors or even fraud promptly. But, in a list of non-audit services that impair auditor independence, the GAO specifically prohibits the auditor from performing internal control monitoring on behalf of the client.

3.97     Auditors should conclude that providing or supervising ongoing monitoring procedures over an entity’s system of internal control impairs independence because the management participation threat created is so significant that no safeguards could reduce the threat to an acceptable level. 

Creating the Financial Statements

The GAO also specifically addresses this non-audit service, and although it does not firmly prohibit auditors from both creating the subject matter of the audit (the financial statements) and opining on the same subject matter, they do make the auditor think and rethink his or her decision to proceed.

Relevant clauses regarding preparing the financial statements include the following:

3.87     Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: 

1. determining or changing journal entries, account codes or classifications for transactions, or other accounting records for the entity without obtaining management’s approval;
2. authorizing or approving the entity’s transactions; and
3. preparing or making changes to source documents without management approval.

3.88     Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors’ independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 

3.89     Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include 

1. recording transactions for which management has determined or approved the appropriate account classification, or posting coded transactions to an audited entity’s general ledger;
2. preparing certain line items or sections of the financial statements based on information in the trial balance;
3. posting entries that an audited entity’s management has approved to the entity’s trial balance; and
4. preparing account reconciliations that identify reconciling items for the audited entity management’s evaluation. 

3.90     Auditors should evaluate the significance of threats to independence created by providing any services discussed in paragraph 3.89 and should document the evaluation of the significance of such threats.

So, although the GAO does not expressly prevent auditors from both preparing and auditing the financial statements, the GAO puts up as many barriers as they can:

Barrier #1: The auditor must identify the preparation of the financials as a threat and apply appropriate safeguards.

Barrier #2: The auditor must document their rationale that the threat has been mitigated through safeguards or decline the engagement.

Barrier #3: The auditor must determine that the client has the skills, knowledge, and experience to be able to tell if the auditor made a mistake in the financials and document that rationale.

Barrier #4: The client must take responsibility for the financials in writing.

That’s enough to keep me away from preparing and auditing the financial statements. How about you?

Professional Judgment

Professional judgment is one of the least specific Yellow Book standards. It is similar to the warning that your mother would give you when you were going out to play, “Be careful!”

Now if mom had given me specific instructions, like “Don’t play in the street,” I would know what she expected of me. But, “Be careful!”? How does a five-year-old know what “careful” looks like? That is similar to what we read in the professional judgment standard. The GAO cautions us to apply professional judgment but then never defines the term. Instead, they offer this explanation:

3.110    Professional judgment includes exercising reasonable care and professional skepticism. 

Yep, sounds like your mama, “Be reasonable, girl! Take care, girl! And don’t let anyone pull the wool over your eyes! It is a wicked world out there.”

Maybe I will show my kids this explanation of professional skepticism some day:

3.110    Attributes of professional skepticism include a questioning mind, awareness of conditions that may indicate possible misstatement owing to error or fraud, and a critical assessment of evidence. Professional skepticism includes being alert to, for example, evidence that contradicts other evidence obtained or information that brings into question the reliability of documents or responses to inquiries to be used as evidence. Further, it includes a mindset in which auditors assume that management is neither dishonest nor of unquestioned honesty. Auditors may accept records and documents as genuine unless they have reason to believe the contrary. Auditors may consider documenting procedures undertaken to support their application of professional skepticism in highly judgmental or subjective areas under audit. 

Maybe that explanation will keep both my kids and us auditors out of trouble.

In the next chapter, we introduce the competency standard. And thoughtfully, the GAO has provided a nice segue to the topic of competence at the end of Chapter 3:

3.111    Using the auditor’s professional knowledge, skills, and abilities, in good faith and with integrity, to diligently gather information and objectively evaluate the sufficiency and appropriateness of evidence is a critical component of GAGAS engagements. Professional judgment and competence are interrelated because judgments made depend upon the auditor’s competence, as discussed in chapter 4.

Introduction to the Yellow Book Interpreted

Objectives: 

  • Differentiate between the Yellow Book and other auditing standards
  • Assess whether an engagement requires the use of the Yellow Book
  • Identify the way the Yellow Book is organized

Why do they call it the “Yellow Book”?

The Yellow Book goes by many names:

  • Government Auditing Standards,
  • Generally Accepted Government Audit Standards (GAGAS – I love that one… pronounced “gag us”), and, of course,
  • The Yellow Book.

Legend has it that the original title of the Yellow Book was the “Golden Rule of Government Auditing,” and the cover was supposed to be gold. But when it came back from the printer, the cover was yellow. Whoops! Bye-bye catchy title, hello kitschy title – the Yellow Book. If you ever run across a hard copy, the cover is indeed a sunny yellow. Whether the inside is full of sun will be yours to judge as you read this text!

Why Does the Yellow Book Exist?

The Government Accountability Office (GAO) is the legislative auditor for the federal government. They first published the Yellow Book back in the 1970s as a guide for their own auditors. This is why the Yellow Book exists: the GAO wanted to set an audit standard for itself.

But in 1984, Congress passed a law called the Single Audit Act that made the Yellow Book relevant to a different set of auditors, CPAs in public practice. The Single Audit Act addresses audits of federal grants and requires that the audit be conducted in accordance with Government Auditing Standards. I don’t think the GAO intended to be involved in setting standards for CPAs in public practice. But through the passage of the Act, they were burdened with that responsibility. Subsequent to the Act, several state legislatures passed laws requiring the use of the Yellow Book for audits of governmental entities.

Who might use the Yellow Book on an Audit?

For the first time in 2018, the GAO lists users of the Yellow Book. This list is not comprehensive as it leaves out some of my clients including internal auditors working inside of state agencies and universities, but it is still interesting to see who the GAO thinks it is writing for:

1.12      GAGAS provides standards that are used by a wide range of auditors and audit organizations that audit government entities, entities that receive government awards, and other entities. These auditors and audit organizations may also be subject to additional requirements unique to their environments. Examples of the various types of users who may be required or may elect to use GAGAS include the following: 

Contract auditors: audit organizations that specialize in conducting engagements pertaining to government acquisitions and contract administration 

Certified public accounting firms: public accounting organizations in the private sector that provide audit, attestation, or review services under contract to government entities or recipients of government funds 

Federal inspectors general: government audit organizations within federal agencies that conduct engagements and investigations relating to the programs and operations of their agencies and issue reports both to agency management and to third parties external to the audited entity 

Federal agency internal auditors: internal government audit organizations associated with federal agencies that conduct engagements and investigations relating to the programs and operations of their agencies 

Municipal auditors: elected or appointed officials in government audit organizations in the United States at the city, county, and other local government levels 

State auditors: elected or appointed officials in audit organizations in the governments of the 50 states, the District of Columbia, and the U.S. territories 

Supreme audit institutions: national government audit organizations, in the United States or elsewhere, typically headed by a comptroller general or auditor general 

The Yellow Book has to be called into play by someone else.

Just because the Yellow Book exists does not mean you have to follow it in conducting a governmental audit. The Yellow Book has to be called forth by something or someone external to it:

1.08     Laws, regulations, contracts, grant agreements, and policies frequently require that engagements be conducted in accordance with GAGAS. In addition, many auditors and audit organizations voluntarily choose to conduct their work in accordance with GAGAS. The requirements and guidance in GAGAS in totality apply to engagements pertaining to government entities, programs, activities, and functions, and to government assistance administered by contractors, nonprofit entities, and other nongovernmental entities when the use of GAGAS is required or voluntarily adopted. 

The Yellow Book may be called forth by law or policy. The Single Audit Act is just one of many laws that call the Yellow Book into play. For instance, the State of Texas passed a law that all audits conducted by internal audit shops in the state will be conducted using government auditing standards.

If you conduct an audit of a city, the city may have a policy requiring that all audits be conducted in accordance with government auditing standards. Or, the request for proposal for the audit may request that the audit be conducted in accordance with government auditing standards. But it wouldn’t be surprising if the city does not have a policy or a law that mentions the Yellow Book. In this case, the internal auditor for the city would likely follow Institute of Internal Auditors (IIA) Standards and the external auditor would follow American Institute of Certified Public Accountants (AICPA) auditing standards.

The bottom line is that just because you audit a government does not mean you have to use the Yellow Book. If you cannot find any law or policy requiring it, you do not have to follow it. The Yellow Book is not like the AICPA’s audit standards, which, just because they exist, must be followed when expressing an opinion on the financial statements.

For instance, let’s say you are engaged to express an opinion on the financial statements of a small town in Georgia that does not receive any federal funds. Are you required to follow the Yellow Book on this engagement? To figure this out, you need to do more research. You need to determine whether the state of Georgia has a law or regulation requiring the use of GAGAS on audits of towns and cities in the state. You must also find out whether the town has a rule or regulation in its city charter that requires the use of GAGAS. The request for proposal may include a request that the audit be conducted in accordance with Yellow Book. You need to look at all these rules, regulations, and policies to find the answer.

You don’t necessarily have to use the Yellow Book when working as an internal auditor of a government or as a monitor of governmental funds. Obviously, if you work for the federal government and conduct an audit of federal funds, you probably use the Yellow Book in your work because the Inspector General Act or the CFO Act requires it. But if you are a county auditor, you probably are not required to use it to guide your work.

Here is an example. Many state agencies have set up monitoring teams to ensure that federal and state pass-through funds are being spent properly, and they usually look at a finite set of compliance requirements. Nowhere do state regulations or laws require that the state agencies follow the Yellow Book. And, the agencies do not conduct or contribute to the Single Audit of the sub-recipients. Therefore, these monitoring teams do not conduct their work to comply with the Yellow Book, even though they audit governmental funds of governmental entities.

The GAO lists several laws or regulations that may require the use of the Yellow Book:

1.09     The following are some of the laws, regulations, and or other authoritative sources that require the use of GAGAS:

  1. The Inspector General Act of 1978, as amended, 5 U.S.C. App. requires that the statutorily appointed federal inspectors general comply with GAGAS for audits of federal establishments, organizations, programs, activities, and functions. The act further states that the inspectors general shall take appropriate steps to assure that any work performed by nonfederal auditors complies with GAGAS.
  2. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the Government Management Reform Act of 1994 (Public Law 103-356), requires that GAGAS be followed in audits of executive branch departments’ and agencies’ financial statements. The Accountability of Tax Dollars Act of 2002 (Public Law 107-289) generally extends this requirement to most executive agencies not subject to the Chief Financial Officers Act unless they are exempted for a given year by the Office of Management and Budget (OMB).
  3. The Single Audit Act Amendments of 1996 (Public Law 104-156) require that GAGAS be followed in audits of state and local governments and nonprofit entities that receive federal awards. OMB Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations, which provides the government wide guidelines and policies on performing audits to comply with the Single Audit Act, also requires the use of GAGAS.

1.10      Other laws, regulations, or authoritative sources may require the use of GAGAS. For example, auditors at the state and local levels of government may be required by state and local laws and regulations to follow GAGAS. Also, auditors may be required by the terms of an agreement or contract to follow GAGAS. Auditors may also be required to follow GAGAS by federal audit guidelines pertaining to program requirements, such as those issued for Housing and Urban Development programs and Student Financial Aid programs. Being alert to such other laws, regulations, or authoritative sources may assist auditors in performing their work in accordance with the required standards.

1.11      Even if not required to do so, auditors may find it useful to follow GAGAS in performing audits of federal, state, and local government programs as well as audits of government awards administered by contractors, nonprofit entities, and other nongovernment entities. Many audit organizations not formally required to do so, both in the United States of America and in other countries, voluntarily follow GAGAS.

When the AICPA gets involved

The Yellow Book covers several different categories of engagements: financial audits, attestation engagements, reviews of financial statements, and performance audits. If you conduct a financial audit, you must also follow the AICPA audit standards. If you conduct an attestation engagement, you must also follow the AICPA attestation standards. If you conduct a review of the financial statements, you must follow the AICPA’s review standards. However, if you conduct a performance audit, you don’t have to follow the AICPA standards or any other standards for that matter!

The Yellow Book states, in the sections dealing with financial audits and attestation engagements, that the AICPA standards are to be applied. Then the Yellow Book adds a few additional requirements of its own. For example, the AICPA does not require that the findings contain the five distinct elements of a persuasive argument, but the Yellow Book does.

Periodically, the GAO revises the Yellow Book. When the GAO revises, they seek to match the language in the Yellow Book to the language in the AICPA standards. This is true even in the performance standards because the GAO wants the Yellow Book to use consistent terms and concepts throughout. Why do I mention this? If you are a performance auditor, you can’t entirely ignore the AICPA because when the AICPA moves and updates, the GAO matches their move and updates the financial AND performance audit chapters accordingly.

The Single Audit Layers

If you are one of the lucky souls who conduct Single Audits, you must pay attention to several layers of standards.

In addition to requiring that its instruction be followed, Single Audit requirements demand that the audit be conducted in accordance with government auditing standards. Upon opening the Yellow Book, you discover that a Single Audit qualifies as a financial audit. The financial audit chapters inside the Yellow Book then say that you must also follow the AICPA audit standards.

So, the layering looks like this:

Single Audit requirements
Yellow Book
AICPA audit standards (AU-C)

More often than not, if you audit a federal program, you must look at other requirements generated by the federal grantors that exceed the Single Audit requirements in the Uniform Guidance. For instance, in auditing HUD programs, you must follow the HUD audit guide as well as the Single Audit requirements (and hence the Yellow Book and the AICPA standards). Instead of three layers, you must apply four layers of audit requirements. Does anybody want out of governmental auditing yet?

The Focus of This Manual

The focus of this manual is to cover only the government auditing standards, the Yellow Book. The manual will not delve into the AICPA standards, the IIA standards, or the Single Audit requirements in detail, although I may refer to them from time to time. The Yellow Book provides plenty of fodder for discussion on its own.

How the Yellow Book Is Organized

One key to understanding the Yellow Book standards is to get comfortable with the way they are organized. The standards are conveniently organized by introductory material and general standards as well as financial, attestation, and performance standards.

CHAPTER 1: Foundation and Principles for the Use and Application of Government Auditing Standards: This chapter introduces the types of audits and meaning of must, should, and may
CHAPTER 2: General Requirements for Complying with Government Auditing Standards
CHAPTER 3: Ethics, Independence, and Professional Judgment
CHAPTER 4: Competence and Continuing Professional Education
CHAPTER 5: Quality Control and Peer Review
CHAPTER 6: Standards for Financial Audits: This chapter is applicable to financial audits only and discusses fieldwork standards, including documentation and client communications during planning. This chapter also discusses reporting standards, including the need to garner client responses to findings. This chapter builds on top of AICPA audit standards.
CHAPTER 7: Standards for Attestation Engagements and Reviews of Financial Statements. This chapter is applicable to attestation engagements and reviews of financial statements only and is very redundant of financial auditing standards. This chapter builds on the AICPA’s Statements on Standards for Attestation Engagements (SSAEs) and the Statement on Standards for Accounting and Review Services (SSARS).
CHAPTER 8: Fieldwork Standards for Performance Audits. This chapter is applicable to performance audits only and does not layer on top of any other standards.
CHAPTER 9: Reporting Standards for Performance Audits. This chapter is applicable to performance audits only and does not layer on top of any other standards.

The Most Important Change to the Yellow Book is the Green Book

I’ve had a few months to digest the changes to the 2018 Yellow Book (Government Auditing Standards), and I’ve taught a few seminars and webinars about the changes. Most of the changes do not shock my audiences. But I am noticing that quite a few auditors are not familiar with the Green Book which was published by the GAO in 2014. This is not good because the Green Book is by far the biggest change to the Yellow Book.

The Green Book is the GAO’s version of the COSO model, and its formal title is “Standards for Internal Control in the Federal Government.”

Here are some quotes from one of the performance audit chapters in the 2018 Yellow Book that give performance auditors pause. (Financial auditors please read the section below titled ‘Financial auditors should be pleased.’) I added bolding to draw your eye to some new terms that I’d like you to notice.

8.41 Consideration of internal control in a performance audit begins with determining the significance of internal control to the audit objectives and documenting that determination. Some factors that may be considered when determining the significance of internal control to the audit objectives include

a. the subject matter under audit, such as the program or program component under audit, including the audited entity’s objectives for the program and associated inherent risks;

b. the nature of findings and conclusions expected to be reported, based on the needs and interests of audit report users;

c. the three categories of entity objectives (operations, reporting, and compliance); and

d. the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and the integration of the components.

8.42 If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify whether specific controls are significant to the audit objectives. Determining which internal control components and principles and/or specific controls are significant to the audit objectives is a matter of professional judgment.

8.47 Approaches for obtaining an understanding of internal control may vary and may include consideration of entity-level controls, transaction-level controls, or both. However, even when assessing only transaction-level controls, it may be beneficial to gain an understanding of entity-level controls that may affect transaction-level controls by obtaining a broad understanding of the five components of internal control at the entity level. This involves considering the relationships between the components, which work together in an integrated manner in an effective internal control system, and the principles of internal control that support each component. In addition to obtaining a broad understanding of internal control at the entity level, auditors may also obtain an understanding of internal control at the transaction level for the specific programs and processes under audit.

Here is an infographic from the Green Book that explains the highlighted terms:
[Image: Green Book infographic]

The terms “three categories of entity objectives” appear at the top of the cube and the terms “five components of internal control” appear on the face of the cube. The seventeen “principles of internal control that support each component” are presented in a stack on the bottom left side of the infographic.

Nice infographic, now what?

Yes, the cube is cute and the stack is pretty… but so what?  What does all this new language mean to performance auditors, practically?  What the cube and the stack are illustrating is the most up-to-date structure for approaching internal controls.  This means that performance auditors are going to have to change the way they document internal controls. The GAO is working on a tool right now to help you with this task, but it won’t be published until the spring of 2019.

So if you want to implement these changes in your internal control documentation now, you will need to create something yourself. Here are a few tools developed by forward-thinking audit shops that might get your creative juices flowing:

The Florida Department of Economic Opportunity: http://www.floridajobs.org/docs/default-source/division-of-finance-and-administration/financial-monitoring-and-accountability/tools-and-templates/fy-2017-18-internal-control-questionnaire-and-assessment.pdf?sfvrsn=2

HUD: https://www.hud.gov/sites/documents/IC_QUESTIONNAIRE_ATOOL.PDF

To save time…

As you can tell, this is going to be a lot of work! But before you start looking for another job, there is something you can do to minimize the documentation. You can refine your objective early in the audit process! The Yellow Book says auditors are only responsible for documenting internal controls that are relevant to the audit objective. Thank you, GAO! So, the more specific you are about your audit objectives, the fewer controls you will end up having to document! If you dig into controls AFTER you have performed your inherent risk assessment and refined your audit objectives, you will conserve precious audit resources and, maybe, be able to tolerate your job for another year or two.

If you want to know more about the Green Book and how to narrow your audit objectives, please check out these resources:

Newsletter explaining the Green Book: http://yellowbook-cpe.com/internal-controls-a-la-gaos-green-book.html

A webinar or book on internal controls:  http://yellowbook-cpe.com/topics/internal-controls

A newsletter explaining how to narrow objectives: http://yellowbook-cpe.com/163-times.html

Or an on-demand video on audit objectives: http://yellowbook-cpe.com/product/audit-objective-video

Financial auditors should be pleased

Financial auditors should be celebrating a rare moment when not much in the Yellow Book is new to them. Right now, the AICPA is driving the changes to the GAO standards, and financial auditors have been adjusting to the AICPA standards as they come out.

But performance auditors are not going to be able to join in on the celebration because the changes to the Yellow Book are new to them. Although, technically, performance auditors do not have to follow AICPA standards, performance auditors indirectly get dragged into the changes prompted by the AICPA anyway because the GAO seeks to keep the Yellow Book consistent throughout.  So when the GAO plays along with the AICPA in the financial audit standards, they also have to play along with the AICPA in the performance audit standards.

Next time

In my next newsletter, I will discuss how internal control weaknesses can serve as the cause of a well-built finding.

Thanks for everything you do to keep the government running!

Little frauds are a big deal in government.

Please enjoy Chapter 1 of An Auditor’s Responsibilities for Fraud in the Government Environment, available at Yellowbook-CPE.com.

Objectives: 

  • Differentiate between auditing for fraud in the government environment and auditing for fraud in the commercial environment

Fraud – it’s a costly thing! Whether it is committed in the government environment or the commercial environment, those who practice it leave victims in their wake and rob taxpayers and businesses of their money.

You’ve heard the stories about the small town sheriff who used prisoners to landscape his backyard. Or the court clerk who takes bribes to dismiss traffic tickets. Or the school lunch lady who takes home a portion of the kids’ lunch money every day.  Cities are going bankrupt because their leaders rewarded themselves with huge salaries, perks, and pension benefits.  These stories of fraud crop up every day in the press and make us think badly of our government leaders.

But we also see similar stories in business.  Let’s not fool ourselves into believing that corporations are any better than the government at running things. I have had the privilege of working at a dozen or so Fortune 500 companies and they all have their quirks, and all have suffered from employee fraud.

Maybe it is just the people with whom I hang out, but most dinner conversations eventually include a few criticisms of our government.  And the tacit agreement among most of my friends and family is that corporations operate more effectively and efficiently than government.  But I think they are wrong.  I think both corporations and governments are flawed.  I have never encountered a perfect organization.  Have you?

My husband recently treated me to an Apple laptop – which I love, by the way. And I was curious about how Apple had created such great products, so I watched an MSNBC business documentary about Apple. It turns out that Apple folks argue, and fail, and torment each other while creating products. Time is wasted, people get their feelings hurt, and the company loses massive amounts of money. But, they create a great product in the end, don’t they?

Governments, with all of their faults, create great products and services for us, too.  They pick up our trash, fix our roads, educate our children, and respond to emergencies.  Even the tiniest cities are responsible for a wide range of services, from police and fire protection to courts, water and sewer, garbage disposal, inter‑government relations, health programs, parks and recreation, bus systems, and airports. No wonder things get out of hand every so often.  The more stuff there is to manage, the more opportunities for fraud to be committed.

Fraud Defined

Unfortunately, leaders and managers of government programs and of businesses engage in bad behaviors such as fraud, illegal acts, violations of contracts, abuse, and unethical behavior. This text focuses on fraud that occurs in government: more specifically, what you should do when you detect fraud in government.

In this text, I hope to give you the ability to discern between fraud and other bad behaviors in government.  I also hope that you will be able to recognize fraud when you see it and know what your professional responsibilities are regarding fraud.

So, first you need to know what fraud is.

According to the dictionary[1], fraud is: “deceit, trickery; specifically: intentional perversion of truth in order to induce another to part with something of value from someone else or to surrender a legal right.”

This is how the Government Accountability Office (GAO) defines fraud in the Yellow Book:

8.73     …Fraud involves obtaining something of value through willful misrepresentation. …

Basically, fraud is a willful act in order to gain something for personal use. In super simple terms, fraud is lying, cheating, and stealing. When it happens in business it is bad. When you have fraud in government it is often much, much worse.

Victims of Fraud in Government

When a bookkeeper steals money from a businessman, it is ugly and wrong.  But how much nastier is it when a bookkeeper takes monies destined to feed impoverished children? The elderly? War veterans?  Take your pick of disadvantaged or deserving groups, and the government probably helps them in some way.  When fraud occurs in the government, there are many helpless victims, and it is a crying shame.  It is one thing for business owners or corporations to lose their resources but another when fraud consumes the resources that are destined to become school lunches, infant formula, military armor, or low-income housing.

When I was in public accounting, auditing a car parts manufacturer in Eagle Pass, Texas, my ultimate customer was the owner of the business or the banker who used the audit report. But when I audit a HUD project, a low-income apartment complex, who is my ultimate customer?

Yes, HUD, the feds, the state, the city, the management of the housing project all are involved and concerned about the project.  But my ultimate customer is a 3 year-old toddler living in the complex with her single mother who works two jobs to keep the family together.

I have had the opportunity to work for a variety of governmental audit organizations including federal, state, and local government audit organizations. The stories I hear about and witness regarding governmental waste, fraud, and abuse are numerous and sad.

A Higher Purpose

When government works well, it is a wonderful thing.  And our job, as government auditors, is to make the government work better.

The 2018 version of the Yellow Book contains an introductory statement letter from Gene Dodaro, the Comptroller General of the GAO. He said, in part:

Given the current challenges facing governments and their programs, the oversight provided by auditing is more critical than ever. Government auditing provides the objective analysis and information needed to make the decisions necessary to help create a better future.

The Yellow Book itself states:

1.07     Engagements performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations.

One city auditor has a personal mission that transcends the day-to-day work of auditing.  He believes his ultimate goal is to make sure that the city’s resources are directed to those who don’t have a voice, to those who are disenfranchised and in need of help.  Bravo! I am glad to know he is on the job.

3.08     A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamental to serving the public interest.

 

Little Misbehaviors can be a Big Deal in Government

If you have not worked in government before, I need to warn you that little things can easily become a big deal.

One of my buddies got a job as a city manager of an east Texas town.  Early in his tenure, a scandal rocked his office.  His executive assistant used the city’s stamp machine to mail her Christmas cards.  The local press went wild over the whopping $60 in postage and painted his office as wasteful and out of control.  He had to let her go to save his job and the jobs of others in his department.

This boils down to for whom we work when we work for the government: the citizens.  Citizens own the government.  They work hard, pay their taxes, and choose lawmakers to create programs to do very specific things – such as build a library, feed low-income children, or clean up the beach.  It really upsets and angers them when their money is misspent or flat out stolen.

Materiality in Government

And that brings us to the topic of materiality.  Materiality is a term used in auditing to indicate the importance of a matter in relationship to other matters.  Risk-based auditing requires auditors to delineate between important or risky matters and insignificant matters. The auditor cannot and should not look under every rock for problems, examine every transaction, or consider every risk because they will never finish the audit project!

You may hear an auditor saying something like, “That is not material.”  And what he is really saying is, “I am not going to look at that because I don’t care as much about that as I do something else.”  For instance, an auditor may not examine a petty cash account of $200 but will examine equipment worth $70,000.

One wise auditor in a class I held in California pointed out that many of his corporate clients are high-flying, incredibly busy executives who could not care less about a small fraud. Small frauds could be managed by front line managers and do not warrant inclusion in the audit report.

In a corporation, access to the stamp machine, the copy machine, goodies, cake, and spa retreats are all perks of the job.  Remember when AIG spent $500K on a spa retreat for executives one week after the feds bailed them out?  The public was outraged, and AIG simply said, “Oh, we always do that. What’s the big deal?”

But in government, expectations for what is acceptable behavior are different. One federal inspector general for whom I work forbids his employees from holding birthday celebrations or eating in the office on government time. He does not want to be perceived as wasting taxpayer dollars.  When I work for a government, I have a hard time finding a cup of coffee, much less a pastry or a massage!

Once I attended the annual picnic at a state audit organization where they gave out awards for the most stupid finding of the year.  A guy named Jesse won the award for writing up a finding for a questioned cost of 52 cents.  Yep.  The federal grantor had told the state auditor they wanted to know about everything they had found. Jesse was just doing his job, literally!

While the AICPA (American Institute of Certified Public Accountants) standards are primarily written for audits of financial statements of commercial entities, the GAO (Government Accountability Office) standards are written for audits of governments.  The GAO counsels us – but doesn’t require us – to set a lower materiality level on government engagements than on engagements following AICPA standards. Here is their reasoning:

6.03     …Additional considerations may apply to GAGAS financial audits of government entities or entities that receive government awards. For example, in audits performed in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels as compared with the materiality levels used in non-GAGAS audits because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.

Over and over, the GAO’s Government Auditing Standards distinguish between the purpose of their standards and the AICPA’s purpose for their standards.  And here the GAO says that government programs are more visible and sensitive.  In other words, little things matter in government! And what do we know about government? They care about it all!  Little, big, all of it!  So, a broader range of bad behaviors is reportable in this realm.

Do you think the federal grantor who doesn’t want employees eating cake on government time would care about the stamp machine incident? Probably. So while you might not report a small fraud for a business owner, you probably should in government.

The 2018 version of the Yellow Book identifies several methods by which you can report fraud depending on its significance or materiality.

If the fraud is material, then the auditor must write a finding and include it in the audit report. This language is excerpted from the financial audit standard, but the performance audit standards say something similar:

6.41 Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect … 2 fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives. 

And if the fraud is not material, but still warrants the attention of management, the auditor should communicate with management in writing:

6.44 Auditors should communicate in writing to audited entity officials when …b. the auditor has obtained evidence of identified or suspected instances of fraud that have an effect on the financial statements or other financial data significant to the audit objectives that are less than material but warrant the attention of those charged with governance. 

Accountability is an Ideal for Which We Strive

The GAO likes the concept of accountability so much that they changed their name from the General Accounting Office to the Government Accountability Office.  They even refer to auditors in their literature as “accountability professionals.”

Because we citizens are the owners of our government, we have a right to see where our money goes. Good governments seek transparency in their actions and their financial information. And if we know what the government does because they are transparent, we can hold those working for the government accountable for their actions.  That is the theory, anyway.

1.02     The concept of accountability for use of public resources and government authority is key to our nation’s governing processes.

1.03     As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. Legislators, oversight bodies, those charged with governance, and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, ethically, and equitably.

But accountability can be hard to attribute to any one person in government. Because of the complexity of government and the vast array of services the government offers to its citizens, losses due to fraud, waste, and abuse in government are often absorbed into the complex bureaucracy, and no one is held accountable.

When my children were small, we visited my aunt in Jefferson County, Alabama. My aunt lives just outside of Birmingham, and she warned my children not to get in or touch the pretty lake on which she lives because it was contaminated. In 1993, Jefferson County, Alabama was prosecuted for contaminating local creeks with raw sewage.

To fix the contamination problem, the county issued bonds to finance water treatment facilities.  The project has been plagued with corruption and the county commissioner was jailed in 2010 for accepting bribes.

And to add insult to injury, an unscrupulous Florida investment banker talked the county into defeasing the bonds using a complicated swap.  Then the county suffered from low tax collections in 2008, and had to lay off 1400 workers.  For a time, it appeared that the county would go bankrupt and default on the bonds.

No one, including the state of Alabama, wants the county to go bankrupt! Birmingham is the state’s most vibrant city. A failure there would make Alabama look less appealing to investors and industry. So the initial $3 billion in bond debt was renegotiated and reduced to less than $1.4 billion.

Is anyone in government in jail for these poor decisions regarding the bonds? Did anyone responsible lose his or her job? And who ate the other $1.6 billion? These mysteries may never be solved because so many were involved in the decisions.[2] But the citizens of Jefferson County deserve better.

Summary

Fraud occurs in both corporations and governments. Government auditors have a higher purpose, and that is to protect the recipients of government programs and citizens from fraud, waste, and abuse of their resources.

When auditing for fraud in the government, you need to be aware that:

  • Victims of fraud in government are ultimately the individuals that government intends to help.
  • You should reduce your materiality level when auditing governments.
  • Citizens want and deserve government leaders to be held accountable (and for every penny) for fraudulent activities.


[1]“Fraud.” Online Merriam-Webster Dictionary. April 10, 2012.
[2]Matthew Bigg. “Alabama’s Jefferson county sees hope for debt deal.” Reuters[London]. April 9, 2010.

163 Times!

The 2018 version of the Yellow Book mentions audit objectives 163 times in one chapter: Chapter 8, the Performance Audit Fieldwork chapter. That tells me that objectives run the show!

A few years ago, I created a white paper on objectives.  The concepts covered in the white paper are even more important today.  Please find a copy of it here.

And if you want to experience creating and refining objectives along with me, please join me in Austin on September 6 & 7.

Audit on!

Leita

The 2018 Yellow Book is OUT!

The GAO issued the 2018 version of Generally Accepted Government Auditing Standards Tuesday.

Find the online version here: https://www.gao.gov/assets/700/693136.pdf.

Find an audio summary of the changes to the standards here: https://www.gao.gov/multimedia/podcast/692926

I suggest you scan chapter 4 and specifically section 4.16 to make sure you are compliant with the CPE requirements.

Also notice that the GAO has defined the roles of a supervisor and a reviewer inside the quality control chapter in sections 5.36-5.40.

And that the Green Book (Standards for Internal Control in the Federal Government) is mentioned several times in the document: 4.23, 6.30, 7.32, 8.41 & 8.130.

I’ll get back to you soon with a more thorough analysis of the changes and what they mean for you.

Stay cool!

What is an auditor?

Please enjoy this first chapter of the self-study book Essential Skills for Government Auditor, available on YellowBook-CPE.com.

So here you are, an auditor. No other job title is more likely to be a conversation stopper at a dinner party.  No one likes to be audited.

But auditors do have an important role to play because, unfortunately, government leaders can’t trust program managers when they say, “Everything here is fine.  Don’t worry about us!” Government leaders and citizens do worry and want assurance from someone they can trust that everything is going well.  The auditor is that professional whom the leaders and the citizens can trust.

One definition of auditor is:  An independent professional who evaluates a subject matter against agreed-upon criteria.

This definition has several important components: independence, subject matter, and criteria.  Let’s look at each of those components in turn.

Independence

Auditors must be independent of their clients and the subject matter they are auditing.  But who are these clients?

The Government Accountability Office (GAO), the federal audit organization that writes the governmental auditing standards (a.k.a. the Yellow Book) has a very broad definition of client.  The GAO says, “A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest.” And they define public interest as “the collective well-being of the community and entities the auditors serve.”  Did you know you had such a noble job?

CPAs are held to the same standard. They are certified “public” accountants after all. They have a primary responsibility to the public and a secondary responsibility to their audit client.

Clients in the government realm include management of the auditee, governing bodies, oversight bodies, special interest groups, other citizens, and the people who actually benefit from the government’s services.

If you think about it, auditors are often the only professionals involved in an organization or in a program who can comfortably speak the truth because they are, hopefully, shielded from backlash because they are independent.

GAGAS (Yellow Book) 2011

3.04     Auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. Auditors should avoid situations that could lead reasonable and informed third parties to conclude that the auditors are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.

The recipients of governmental funds aren’t likely to uncover their own risks or highlight their own weaknesses because they could lose their funding. And the oversight bodies might be so far removed from the program that they don’t have a sense of what is really happening.

You can make quite a difference in an organization. The GAO’s Yellow Book says that you are “essential to the nation’s governing process!” Wow, that is quite a responsibility!

Consulting vs. Auditing

Some professionals who call themselves auditors are actually consultants. They help the client implement systems or spend months working to help the client with a technical issue. Consultants are allowed to get involved in the day-to-day operations of a department.

The Institute of Internal Auditors (one of the standard setting bodies that I will explain further in the next chapter) encourages consulting and has created consulting standards for their members.

The Government Accountability Office (GAO) calls consulting by another name, “non-audit services,” and puts up numerous barriers to prevent auditors from also serving as consultants. The GAO believes that you cannot both consult regarding an audit subject matter and later serve as an objective, independent evaluator of the same subject matter.

In this text, our focus will be on auditing and auditing standards.

Subject matter and criteria

Auditors opine or conclude on whether a subject matter meets certain criteria.

All auditors struggle to keep their audits limited in size and scope. It is extremely easy to create monstrous projects that are hard to rein in and report on.

In response to this struggle, most audit standards require that you develop a finite objective and scope for each engagement.   Imbedded in the audit objective are the audit subject and the criteria the auditor will use to evaluate the audit subject.

The GAO has this to say about the audit objective and scope in the Yellow Book:

GAGAS 6.08     The objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included, and may also include the potential findings and reporting elements that the auditors expect to develop. Audit objectives can be thought of as questions about the program that the auditors seek to answer based on evidence obtained and assessed against criteria. The term “program” is used in GAGAS to include government entities, organizations, programs, activities, and functions.

GAGAS 6.09     Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.

The objective and scope define what the project is, as well as what it is not. Objectives are assessed against agreed upon criteria, which are benchmarks established by law, governing organizations, or company policies and procedures. (For more on criteria, read Chapter 6.)

To satisfy the audit objective, you will gather and document audit evidence.  The techniques that you use to gather evidence are called audit methodologies.

6.10     The methodology describes the nature and extent of audit procedures for gathering and analyzing evidence to address the audit objectives. Audit procedures are the specific steps and tests auditors perform to address the audit objectives. Auditors should design the methodology to obtain reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions in relation to the audit objectives and to reduce audit risk to an acceptable level.

All three of these elements – the objective, scope, and methodology – are essential to describe what you seek to accomplish on the audit. (For more on methodology, see Chapter 15.)   The GAO requires that auditors both document these three defining elements in the working papers and disclose them in the audit report.

Audit deliverables

As Stephen Covey says, you should begin with the end in mind.  So before we dig in to the steps of conducting an audit, let’s look at what you will have when you are all done.  Auditors create three deliverables from an audit project:

  • The answer to the audit objective – called either an audit conclusion or an audit opinion
  • Findings – issues that the auditor would like to see addressed or corrected by the client
  • Working papers – documentation of the evidence the auditor gathered to support the conclusions and the findings.

If you are following GAO’s audit standards (The Yellow Book) for performance audits, you must put this promise – word for word – in your audit report:

7.30     We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

As you seek to satisfy your audit objectives, you will gather evidence using audit methodologies.  Some auditors call audit methodologies audit tests or audit program steps.  The results of applying these methodologies must be documented.

6.79     Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed, the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions. An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to conduct the performance audit. These competencies and skills include an understanding of (1) the performance audit processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter associated with achieving the audit objectives, and (4) issues related to the audited entity’s environment.

6.80     Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report.

Questions auditors answer

In order to give the client assurance regarding an audit subject, you must answer questions that naturally arise as you seek the answer to your audit objective.

Notice that these questions assume that something is wrong.  Auditors tend to think that way!  Because of time constraints, auditors focus on risks, negative events, and the issues that need fixing instead of proving the good that occurs in an organization.  In that way, auditors are like journalists.

  1. What is the current state of affairs? (condition)
  2. What should be the current state of affairs? (criteria)
  3. What has caused the current state of affairs? (cause)
  4. Why is the current state of affairs undesirable? (effect)
  5. What should be done to correct the current state of affairs? (recommendation)

You will see these questions used in later chapters and referred to as the “elements of a finding.” Auditors following IIA & GAO standards use them to write audit findings when they find something that needs to be corrected, such as an internal control weakness, non-compliance, fraud, and/or abuse.

What I hope to do in this text is show you the steps auditors follow to create their three main deliverables (the conclusion/opinion, the findings, and the audit documentation) as well as give you the tools to answer these questions for your clients.

Let’s tweak that definition of an auditor

Now that we have discussed independence, audit subject matter, audit criteria, and audit deliverables, we should tweak our definition of an auditor. We began the chapter with this definition: An independent professional who evaluates a subject matter against agreed-upon criteria.

Please allow me to enhance it a bit based on what we just read: An auditor is an independent professional who concludes whether a subject matter meets agreed-upon criteria by gathering evidence through performing custom-designed audit methodologies. Aren’t you glad I didn’t start with that?

Yellow Book Ethics

Enjoy this excerpt from the self-study text The Yellow Book Interpreted, which qualifies for 15 hours of CPE.

 

The GAO has a few things to say about a government auditor’s ethical responsibilities and, thus, added a large section on ethics to the 2007 revision of the Yellow Book.  The same ethical principles appear in the 2017 exposure draft.

Themes of GAGAS
GAGAS is a very high-minded document.  And, in order to understand the GAO’s perspective on ethics, we need to talk about three themes of the Yellow Book that kick off the first chapter of the standards.

These three themes – accountability, transparency, and service – put us in the right frame of mind when auditing in the government environment.

Accountability
What is accountability? I had heard the term tossed around the government so frequently that I never even thought about its meaning.  Now I know that accountability does not mean that you got it right. It just means that you take ownership of it.

I met a cowboy auditor in West Texas who said, “You might be right or you might be wrong, but you’d better the hell document it.”  That sums up accountability quite nicely.  When things go bad, you are there to say, “Yes, that was me.  I’m sorry.”  When things go well, you can keep your job.

Recently on CNN, I saw a high school coach who was responsible for the death of one of his teenage football players.  And instead of being contrite, he said something like, “Everyone is forgetting that I suffered a loss, too, and that I will hold on to this for the rest of my life.”  That is not exactly what the parents of that boy wanted to hear. He deflected accountability and tried to engender empathy for himself.  I doubt that will serve him well in his community.

The GAO repeatedly reminds us that we are accountable to the taxpaying public for our actions and that we, as auditors, have a role in holding government leaders accountable.

1.01      The concept of accountability for use of public resources and government authority is key to our nation’s governing processes.

1.03     Government auditing is essential in providing accountability to legislators, oversight bodies, those charged with governance, and the public. Audits provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the audit.

One of the tough things about the GAO standards is they are not written for government officials (although government officials are mentioned a few times); they are written as standards for auditors.  So, while we hold public officials and employees accountable for their actions, we are accountable for our actions, too.

Transparency
Actions and information that are transparent are open to everyone’s inspection and review.

1.05     Audits performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations. GAGAS contains requirements and guidance to assist auditors in objectively acquiring and evaluating sufficient, appropriate evidence and reporting the results. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, better decision making and oversight, effective and efficient operations, and accountability and transparency for resources and results.

The state of Texas has put every single transaction online – LIVE— and rates the transparency of local government as well.  I can, with a few clicks of the mouse, see that the Texas Department of Transportation bought a van, how much the van was, who they bought it from, why they need it, and what color of funds (general revenue, special revenue, enterprise revenues) paid for it.

Why?  Because citizens own the government, and we have a right to know.  Google “windows on Texas state government” to start your own exploration.

Service
If you audit Hurst Construction, your ultimate audience for the audit report is Mr. Hurst, his board of directors, and the bank.  But, if you audit a public housing project, your ultimate clients are not the managers of the project, the boards of directors, or the banks.  Your ultimate beneficiaries of the report are not even the grantors.  The ultimate beneficiaries of your work are the low-income children who live in the housing project.

We have to remember, as governmental auditors, that we are checking to see whether tax dollars are being used for their intended purpose and whether the public is being served by our auditee’s efforts.

1.16      A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamental to serving the public interest.

We hold our clients to a higher standard of behavior than we do in the commercial sector. While it was OK for AIG to go on a lavish $500,000 spa junket before the US taxpayers bailed them out, it certainly was not OK after the bailout.

Later, we will see that the GAO asks you to report even more bad behaviors than the AICPA does.  If Mr. Hurst wants to put his jet-setting, never-worked-a-day-in-their-life kids on the payroll, more power to him. Auditors in the commercial realm do not have a responsibility to say anything about that. But in the government realm, we call that abuse, and we do have a responsibility to report it.  We’ll discuss more about abuse later.

Five main sections of the ethics section
The ethics discussion is divided into five main principles:

a.   The public interest
b.   Integrity
c.   Objectivity
d.   Proper use of government information, resources, and position
e.    Professional behavior

Let’s discuss each one in turn.

The public interest 
A city auditor once told me that he sees a higher purpose in his work.  It is his job to make sure that the monies collected by the city are turned back to support those who need services and who may not have a voice in the government.  He works on the citizens’ behalf, and because of this higher purpose, he doesn’t care whether he makes his auditees upset with his reports.  Now that is integrity!

1.15      The public interest is defined as the collective well-being of the community of people and entities the auditors serve. Observing integrity, objectivity, and independence in discharging their professional responsibilities assists auditors in meeting the principle of serving the public interest and honoring the public trust. The principle of the public interest is fundamental to the responsibilities of auditors and critical in the government environment.

In my business I transfer in and out of two worlds – the government world and the commercial world – and indeed they are different.

An auditor from the GAO made the distinction between the two by saying that in the commercial world fortunes are made by doing what is not expressly prohibited; in the government world action won’t be taken unless it is expressly permitted.

Commercial entities do not seek transparency.  At the Apple corporate headquarters store, they sell a T-Shirt that says, “I visited the Apple Corporate Offices in Cupertino… and that is all I can say about it.”

But government auditors must shine light in dark places in order to serve their customer, the public.  And taxpayers get very, very upset if even a tiny bit of their hard-earned tax dollars are squandered.

Not long ago, I was helping a government employee retirement system develop a training event. Afterwards, to celebrate our success, we all went out to a first-rate steakhouse in Dallas – you know the type, where you pay $45 for an à la carte steak. We had wine and appetizers, and one guy ordered a $35 brandy. I was very uncomfortable. I thought that if any of their members walked in and recognized them as the folks in charge of their retirement funds, the retirement system would have a lot of explaining to do. The retirees don’t want their money squandered on high living for government employees!

If you work for a corporation, go ahead and enjoy the perks and the luxuries. But when you work for government, don’t be surprised if you can’t even get a cup of coffee!

Integrity & Objectivity
Many seasoned professionals have told me that they believe that auditor independence is an unattainable ideal; an external auditor’s independence is compromised when the auditee writes a check to pay the auditor’s fee and an internal auditor takes a salary from the entity they audit. They argue that, at best, an auditor can provide an objective viewpoint and maintain integrity by making sure that external pressures do not force them to cover up the truth.

Later in this text, when we examine the GAO’s guidance for independence, the concepts of integrity and objectivity introduced here in the ethics chapter are raised again.

Both the integrity and objectivity sections of the ethics chapter of the Yellow Book mention auditor independence and freedom from political or ideological bias.

Integrity
1.17      Public confidence in government is maintained and strengthened by auditors performing their professional responsibilities with integrity. Integrity includes auditors conducting their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities and users of the auditors’ reports… 

1.18      … In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and other likely users. Auditors may also encounter pressures to inappropriately achieve personal or organizational gain. In resolving those conflicts and pressures, acting with integrity means that auditors place priority on their responsibilities to the public interest.

Objectivity
1.19      The credibility of auditing in the government sector is based on auditors’ objectivity in discharging their professional responsibilities. Objectivity includes independence of mind and appearance when providing audits, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest…The concepts of objectivity and independence are closely related…

Proper use of government information, resources, and position
A professor at UT Arlington teaches ethics and leadership to government leaders in Romania. He develops case studies for them to ponder each week.

One case study asked the students to discuss the ethical dilemma posed when a mayor used city employees to build a brick barbecue pit in his backyard – clearly an improper use of government resources. The professor didn’t hear back from his students in Romania for a month.

After several Skype conversations, the Romanians finally admitted that they just didn’t understand the ethical issue in the scenario. Using the labor of government employees for personal benefit is one of the perks of being a government leader in Romania! That professor has a lot of work to do!

1.20     Government information, resources, and positions are to be used for official purposes and not inappropriately for the auditor’s personal gain or in a manner contrary to law or detrimental to the legitimate interests of the audited entity or the audit organization. This concept includes the proper handling of sensitive or classified information or resources.

1.23     Misusing the position of an auditor for financial gain or other benefits violates an auditor’s fundamental responsibilities. An auditor’s credibility can be damaged by actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an auditor’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the auditor serves as an officer, director, trustee, or employee; or an organization with which the auditor is negotiating concerning future employment.

Professional behavior
Any behavior that could cause someone to question your professionalism can detract from your credibility. And credibility helps sell audit recommendations.

1.24     High expectations for the auditing profession include compliance with all relevant legal, regulatory, and professional obligations and avoidance of any conduct that might bring discredit to auditors’ work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors’ work was professionally deficient…

Consider the following true scenario (with a few small changes to protect identities): You are the internal audit director of a large city. You recently hired a new auditor fresh out of college and assigned him to conduct a performance audit of your city’s police department.

Everything has been going well until last week when you saw a photo of him in the local newspaper at the city’s Mardi Gras celebration. He was pictured near the top of a street light without his shirt wearing dozens of bead necklaces. The police stood below and appeared to be yelling at him to come down.

You show him the picture and he becomes immediately defensive and tells you that what he does on his own time is none of your business. He reasoned that he had some college buddies in town and it was natural for him to show them a good time.

This standard on professional behavior does not mention that it applies only to an auditor’s work life. But does this auditor’s behavior during his personal time compromise his credibility with the police force? Yes, indeed!  How is he going to face the officers during an exit conference?

To maintain your shop’s professional image, you will probably have to remove this young auditor from the engagement and replace him with another auditor from your shop.

Auditors are paid for our credible, objective, high-integrity opinions and conclusions about an audit subject.  And this young man blew all that away with his antics.

Borrowing from the later discussion on independence in chapter 3:

3.04     Auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. Auditors should avoid situations that could lead reasonable and informed third parties to conclude that the auditors are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.

In our next chapter, we will address the types of audits covered by Yellow Book standards.

Pulling It All Together

What’s the matter with the crowd I’m seeing?
“Don’t you know that they’re out of touch?”
Should I try to be a straight-A student?
“If you are then you think too much.
Don’t you know about the new fashion, honey?
All you need are looks and a whole lot of money?”
It’s the next phase, new wave, dance craze, anyways
It’s still rock and roll to me.
Everybody’s talkin’ ‘bout the new sound
Funny, but it’s still rock and roll to me.
It’s Still Rock and Roll to Me, Billy Joel

Objectives:

  • Sequence the steps of developing an internal control structure

Whew!  You made it. We are in the last chapter! Congrats, you have held on through a long case study and a complicated model.

In this final chapter, we are taking another look at the steps of creating a control structure from scratch, which will also serve as a review of this text. I will quote various excerpts from the Green Book as I go.  Also, we will address what happens when auditors visit to evaluate your controls.

Steps of developing controls

As I see it, the steps of developing controls are as follows:

1. Choose a subject matter

Maybe you have been asked to develop controls for a whole organization or just a segment of an organization.  In either case, you will benefit from breaking your subject matter down into smaller more defined segments because it is easier to imagine controls for something specific than to imagine controls for something broad.

For instance, if I asked you to control the University of Michigan, you would probably walk out the door never to come back!  But if I asked you to control student financial aid at the University of Michigan, you would feel better.  If I asked you to set up controls to make sure that student financial aid at the University of Michigan is distributed on time, you’d feel super because that is very doable!

The side of the COSO cube prompts us to break the subject matter down into segments.  In the COSO and Green Book literature, the side of the cube is dubbed the ‘levels of organizational structure.’  I think of it instead as ‘what’ you are planning to control.

2. Focus on what is risky

Now that you have broken the organization up into segments, you can home in on the segments that are the most likely to cause trouble.

Risk assessment is the second control component on the face of the COSO model, but it is, in practice, the first component you consider when establishing controls.

For each piece, you ask four questions:

  1. What could go wrong?
  2. So what?
  3. How big of a deal is the ‘so what?’
  4. How likely are things to go wrong?

Here are the terms the Green Book uses for all of these questions:

  1. What could go wrong? The Green Book calls the answer to this question ‘identified risks.’
  2. So what?  The Green Book calls this ‘significance.’
  3. How big of a deal is the ‘so what?’  The Green Book calls this ‘magnitude.’
  4. How likely are things to go wrong?  The Green Book calls this ‘likelihood.’

From the Green Book:

7.05 Management analyzes the identified risks to estimate their significance, which provides a basis for responding to the risks. Significance refers to the effect on achieving a defined objective. 

7.06 Management estimates the significance of the identified risks to assess their effect on achieving the defined objectives at both the entity and transaction levels. Management estimates the significance of a risk by considering the magnitude of impact, likelihood of occurrence, and nature of the risk. Magnitude of impact refers to the likely magnitude of deficiency that could result from the risk and is affected by factors such as the size, pace, and duration of the risk’s impact. Likelihood of occurrence refers to the level of possibility that a risk will occur. The nature of the risk involves factors such as the degree of subjectivity involved with the risk and whether the risk arises from fraud or from complex or unusual transactions. The oversight body may oversee management’s estimates of significance so that risk tolerances have been properly defined. 

3. Decide if you want to tolerate the risk

When you are confronted with a risk, you have four choices of how to handle it:  you can accept it and live with the possible consequences, you can avoid it by not doing the activity, you can mitigate it by layering on controls or you can ask someone else to take on responsibility for it.

If you choose to keep on doing or to tolerate the activity that causes the risk, but you’d rather not suffer from this choice, you will proceed through the rest of the steps laid out here to help you create the controls to mitigate the risk.  Mitigate is a fancy word for ‘reduce.’

From the Green Book:

7.08 Management designs responses to the analyzed risks so that risks are within the defined risk tolerance for the defined objective. Management designs overall risk responses for the analyzed risks based on the significance of the risk and defined risk tolerance. These risk responses may include the following: 

  • Acceptance - No action is taken to respond to the risk based on the insignificance of the risk. 
  • Avoidance - Action is taken to stop the operational process or the part of the operational process causing the risk. 
  • Reduction - Action is taken to reduce the likelihood or magnitude of the risk. 
  • Sharing - Action is taken to transfer or share risks across the entity or with external parties, such as insuring against losses. 

8.06 Management analyzes and responds to identified fraud risks so that they are effectively mitigated. Fraud risks are analyzed through the same risk analysis process performed for all identified risks…

4. Come up with a control objective

In order to focus your efforts and make sure that everyone is clear about what you are working toward, the Green Book recommends you come up with a clear control objective.

The Green Book talks about objectives in two layers.  In one layer, they ask you to consider ‘why’ you want to control something.   Is it because you are concerned about operations, compliance or reporting? The GAO calls these ‘categories of objectives’ and they are listed on the top of the cube.

OV1.01 Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved (see fig. 2). These objectives and related risks can be broadly classified into one or more of the following three categories: 

  • Operations - Effectiveness and efficiency of operations 
  • Reporting - Reliability of reporting for internal and external use 
  • Compliance - Compliance with applicable laws and regulations 

OV1.02 These are distinct but overlapping categories. A particular objective can fall under more than one category, can address different needs, and may be the direct responsibility of different individuals. 

Operations Objectives 

OV2.19 Operations objectives relate to program operations that achieve an entity’s mission. An entity’s mission may be defined in a strategic plan. Such plans set the goals and objectives for an entity along with the effective and efficient operations necessary to fulfill those objectives. Effective operations produce the intended results from operational processes, while efficient operations do so in a manner that minimizes the waste of resources. 

OV2.20 Management can set, from the objectives, related subobjectives for units within the organizational structure. By linking objectives throughout the entity to the mission, management improves the effectiveness and efficiency of program operations in achieving the mission. 

Reporting Objectives 

OV2.21 Reporting objectives relate to the preparation of reports for use by the entity, its stakeholders, or other external parties. Reporting objectives may be grouped further into the following subcategories: 

  • External financial reporting objectives - Objectives related to the release of the entity’s financial performance in accordance with professional standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • External nonfinancial reporting objectives - Objectives related to the release of nonfinancial information in accordance with appropriate standards, applicable laws and regulations, as well as expectations of stakeholders. 
  • Internal financial reporting objectives and nonfinancial reporting objectives - Objectives related to gathering and communicating information needed by management to support decision making and evaluation of the entity’s performance. 

Compliance Objectives

OV2.22 In the government sector, objectives related to compliance with applicable laws and regulations are very significant. Laws and regulations often prescribe a government entity’s objectives, structure, methods to achieve objectives, and reporting of performance relative to achieving objectives. Management considers objectives in the category of compliance comprehensively for the entity and determines what controls are necessary to design, implement, and operate for the entity to achieve these objectives effectively. 

OV2.23 Management conducts activities in accordance with applicable laws and regulations. As part of specifying compliance objectives, the entity determines which laws and regulations apply to the entity. Management is expected to set objectives that incorporate these requirements. Some entities may set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. 

But later in the book, the GAO drills down into the categories and describes the need for a specific, customized control objective.

6.02 Management defines objectives in specific and measurable terms to enable the design of internal control for related risks. Specific terms are fully and clearly set forth so they can be easily understood. Measurable terms allow for the assessment of performance toward achieving objectives. Objectives are initially set as part of the objective-setting process and then refined as they are incorporated into the internal control system when management uses them to establish the control environment. 

6.03 Management defines objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement. All objectives can be broadly classified into one or more of three categories: operations, reporting, or compliance. Reporting objectives are further categorized as being either internal or external and financial or nonfinancial. Management defines objectives in alignment with the organization’s mission, strategic plan, and performance goals. 

6.04 Management defines objectives in measurable terms so that performance toward achieving those objectives can be assessed. Measurable objectives are generally free of bias and do not require subjective judgments to dominate their measurement. Measurable objectives are also stated in a quantitative or qualitative form that permits reasonably consistent measurement. 

Our objective was, “Do controls deter the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?”

5. Compare the baseline to the ideal

Now it is time to talk to managers and find out if there are any existing controls in place.  This will be your baseline of controls.

16.02 Management establishes a baseline to monitor the internal control system. The baseline is the current state of the internal control system compared against management’s design of the internal control system. The baseline represents the difference between the criteria of the design of the internal control system and condition of the internal control system at a specific point in time. In other words, the baseline consists of issues and deficiencies identified in an entity’s internal control system. 

16.03 Once established, management can use the baseline as criteria in evaluating the internal control system and make changes to reduce the difference between the criteria and condition. Management reduces this difference in one of two ways. Management either changes the design of the internal control system to better address the objectives and risks of the entity or improves the operating effectiveness of the internal control system. As part of monitoring, management determines when to revise the baseline to reflect changes in the internal control system. 

Next, you will compare the baseline to the ideal:  the list of 17 principles.  When management has not already addressed a principle with a control or two, then you will need to design a control for that principle.  Remember, in order to judge a control system as effective, all five components and the underlying 17 principles should be in place!

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

Appendix I: The 17 principles support the effective design, implementation, and operation of the associated components and represent requirements necessary to establish an effective internal control system. The 17 principle requirements of the Green Book are as follows: 

  1. The oversight body and management should demonstrate a commitment to integrity and ethical values. 
  2. The oversight body should oversee the entity’s internal control system. 
  3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. 
  4. Management should demonstrate a commitment to recruit, develop, and retain competent individuals. 
  5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. 
  6. Management should define objectives clearly to enable the identification of risks and define risk tolerances. 
  7. Management should identify, analyze, and respond to risks related to achieving the defined objectives. 
  8. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. 
  9. Management should identify, analyze, and respond to significant changes that could impact the internal control system. 
  10. Management should design control activities to achieve objectives and respond to risks. 
  11. Management should design the entity’s information system and related control activities to achieve objectives and respond to risks. 
  12. Management should implement control activities through policies. 
  13. Management should use quality information to achieve the entity’s objectives. 
  14. Management should internally communicate the necessary quality information to achieve the entity’s objectives. 
  15. Management should externally communicate the necessary quality information to achieve the entity’s objectives. 
  16. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. 
  17. Management should remediate identified internal control deficiencies on a timely basis. 

6. Consider cost 

Before you run out and implement all of the controls you designed in the last step, stop and think about how much each of the controls is going to cost you.  Do you need to invest in technology to make the control work?  Or do you need to beef up your staff?  Also, consider whether the new controls will slow down processes and frustrate employees, suppliers and customers.  Excessive controls are also known as ‘red tape’ and ‘burdensome bureaucracy!’

OV4.07 Management may decide how an entity evaluates the costs versus benefits of various approaches to implementing an effective internal control system. However, cost alone is not an acceptable reason to avoid implementing internal controls. Management is responsible for meeting internal control objectives. The costs versus benefits considerations support management’s ability to effectively design, implement, and operate an internal control system that balances the allocation of resources in relation to the areas of greatest risk, complexity, or other factors relevant to achieving the entity’s objectives. 

7. Does it prevent, detect or correct?

Again, before you proceed with the hard work of implementing the controls you designed, take some time to evaluate whether each control is preventative, corrective, or detective.  Detective controls are nice, but stopping the risk before it happens would be better than cleaning up the mess after it happens. This is especially true when it comes to unacceptable risks such as death and injury.  Make sure you have a good mix of all three types of controls with a preponderance of preventative controls.

8. Document

At this point, you are working with a large volume of information.  Just in case you get a little overwhelmed and forgetful, you’d better write down everything you have worked on so far.  The GAO is pretty firm about documentation:

OV4.08 Documentation is a necessary part of an effective internal control system. The level and nature of documentation vary based on the size of the entity and the complexity of the operational processes the entity performs. Management uses judgment in determining the extent of documentation that is needed. Documentation is required for the effective design, implementation, and operating effectiveness of an entity’s internal control system. The Green Book includes minimum documentation requirements as follows: 

  • If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively. (paragraph OV2.06) 
  • Management develops and maintains documentation of its internal control system. (paragraph 3.09) 
  • Management documents in policies the internal control responsibilities of the organization. (paragraph 12.02) 
  • Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues. (paragraph 16.09) 
  • Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis. (paragraph 17.05) 
  • Management completes and documents corrective actions to remediate internal control deficiencies on a timely basis. (paragraph 17.06) 

OV4.09 These requirements represent the minimum level of documentation in an entity’s internal control system. Management exercises judgment in determining what additional documentation may be necessary for an effective internal control system. If management identifies deficiencies in achieving these documentation requirements, the effect of the identified deficiencies is considered as part of management’s summary determination as to whether the related principle is designed, implemented, and operating effectively. 

9. Evaluate the design vs. operation

Once you have organized your thoughts and chosen controls for all five components and the 17 principles, someone has to put them into action.  That could take a while.  As usual, it is best to be patient and thorough instead of agitated and spotty.  Ha.  Agitated and spotty is a great title for a teen romance novel!

The GAO takes pains to mention the difference between the design of a control and the implementation of a control in over a dozen places in the Green Book.  Here are a few quotes:

OV2.13 Internal control is a dynamic, iterative, and integrated process in which components impact the design, implementation, and operating effectiveness of each other. No two entities will have an identical internal control system because of differences in factors such as mission, regulatory environment, strategic plan, entity size, risk tolerance, and information technology, and the judgment needed in responding to these differing factors. 

OV3.05 When evaluating design of internal control, management determines if controls individually and in combination with other controls are capable of achieving an objective and addressing related risks. When evaluating implementation, management determines if the control exists and if the entity has placed the control into operation. A control cannot be effectively implemented if it was not effectively designed. A deficiency in design exists when (1) a control necessary to meet a control objective is missing or (2) an existing control is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a properly designed control is not implemented correctly in the internal control system. 

10. Evaluate whether you can declare your controls effective!

Sorry to say that your work isn’t done when you finish designing, documenting and implementing controls.  True to the monitoring component of the COSO model, you can’t just set things up and forget them.  You need to come back and evaluate whether everything you have set up is working, correct any unintended consequences of your efforts, improve controls and start the cycle all over again.

OV3.03 To determine if an internal control system is effective, management assesses the design, implementation, and operating effectiveness of the five components and 17 principles. If a principle or component is not effective, or the components are not operating together in an integrated manner, then an internal control system cannot be effective. 

This is a great place to introduce auditors back into our conversation because they may be able to help you ensure that the controls you designed are functioning properly.  That is what we will do in our next newsletter.

Fraudulent Disbursements – Billing Schemes and Payroll Schemes

More in the series on getting to know the fraud tree better. To get a better sense of where we are on the fraud tree and which branch we are talking about in this newsletter, please see the entire fraud tree at http://www.acfe.com/fraud-tree.aspx.

Learn to do good;
seek justice, correct oppression;
bring justice to the fatherless,
plead the widow’s cause.
Isaiah 1:17

Misappropriating cash through fraudulent disbursements is a sizable portion of the fraud tree because there is a lot of room for creativity.  See an illustration of the fraud tree here: http://www.acfe.com/fraud-tree.aspx.  In this newsletter, we will cover billing schemes & payroll schemes.  In future newsletters we will cover expense reimbursement schemes, check tampering, and register disbursements.  Five creative categories under fraudulent disbursements in all!

With fraudulent disbursements, the fraudster causes an organization to disburse funds through some trick or device such as submitting false invoices or forging checks.  The disbursement is often disguised as a legitimate business activity so that it can slide through the accounting system undetected by controls.

And with these sorts of schemes, the fraudster is usually caught when they get too bold or too greedy.  If they would just keep it small, they could supplement their income for decades!

Billing Schemes

Here the fraudster creates a valid looking bill and causes the organization to issue payment for the fraudster’s personal benefit. The Association of Certified Fraud Examiners classifies billing schemes into three categories:

  1. Shell companies
  2. Non-accomplice vendors
  3. Personal purchases

Shell Companies 

In this creative scenario, the fraudster creates a fake company that has a valid sounding name and then sends checks from the victim company to their fake, or shell, company.

In my hometown, LouAnne Aponte stole over $800,000 from a large not-for-profit, Family Connections, for which she was the executive director. For six years she forged a well-known local CPA firm’s name on audit reports to avoid questioning by auditors and to satisfy federal grant requirements.

In March 1993, Aponte formed a business named Excite and Challenge, and then paid Excite and Challenge from Family Connections funds.  She used the money to pay her mortgage for a home in a tony Austin neighborhood and bought herself a convertible Mercedes.

For a decade LouAnne Aponte also volunteered as the treasurer for the Texas Association of Child Care Resources and Referral Agencies.  Aponte was accused of stealing over $100,000 from that organization.

Aponte had a history of theft dating back to the 1980s when she stole about $60,000 from two employers. In 1987, she served only four months of a four-year prison sentence for her crimes. Unaware of Aponte’s past, the nonprofit Austin Families hired Aponte in 1990 when she was still on parole.

Having served only two and a half years of her 25-year sentence for the crimes against Family Connections, Aponte was up for parole in May 2013.[1]

Straw students are like shell companies, aren’t they?

Creating fake students has always been a popular scam when it comes to milking money out of student financial aid programs.  When you actually see students in a classroom in college environments, it is hard to keep a scammer from succeeding – but how do you verify online students?

Between 2006 and 2009, Trenda Halton defrauded Rio Salado College in Arizona of over half a million dollars.  Having discovered how to defraud the registration system of Rio Salado College, Halton worked with four accomplices to create 136 “straw” students.

In her scheme, she recruited “straw” students who prepared and filed bogus admissions applications, financial aid applications, and Pell Grant applications in the students’ names. The financial-aid recipients received aid money after Rio Salado deducted tuition.

Halton’s cover was blown when a Rio Salado employee noticed that the applications all had the same handwriting and the students were enrolled in the same classes. In 2009, Halton was indicted with 64 other defendants and charged with offenses such as conspiracy, mail fraud, financial aid fraud, and making false statements in connection with financial aid.

Rio Salado’s small distance learning college was a prime digital target for Halton. Other colleges that have been victimized by online financial-aid fraudsters include the University of Phoenix’s Axia College, Michigan’s Lansing Community College, and Texas’ Dallas County Community College.[2]

Non-Accomplice Vendors

My small business has several names, and I have been married 15 times.  OK, OK, I have wed only twice.  But I have three last names!  And the bank will take any check from me using any of my last names or business names.

A banker in one of my classes told me that the bank doesn’t check endorsements or names on the check if the amount is under $10,000.  The volume of checks is just too high for them to watch.  Banks also put on the back of your bank statement that you have 60 days from the date of the statement to resolve any discrepancy, otherwise the bank is not responsible.

So imagine taking a valid vendor name – say ABC Pest Control – that your organization would spend money on and changing the address on the payment to your own PO Box.  And if you have already succeeded depositing checks under ABC Enterprises, the bank will take it. You will enjoy the money, and your organization probably won’t know the difference.

Personal Purchases

Whether personal purchases are considered fraud by an organization depends on the type of organization.  In the corporate environment, use of the company credit card to buy golf equipment while entertaining clients could be perfectly valid.

In government, we never entertain!  OK, we seldom entertain, but governments would seldom find the purchase of golf equipment valid.  Remember our discussion about what fraud is, what abuse is, and whether something is worthy of the attention of those in charge of governance? That applies to personal purchases, big time.

But HP wasn’t as lenient with their money as some other corporations.  They ousted their CEO, Mark Hurd, in 2010 for expense report irregularities and for hiring a model/actress that he had a personal relationship with to represent HP at trade shows for $5,000 to $10,000 a pop.[3]

Payroll Schemes

Another way employees can extract money from their employers using a false disbursement scheme is to make false claims for compensation.  The fraud tree is divided into four parts under payroll schemes:

  1. Ghost employees
  2. Commission schemes
  3. Workers compensation
  4. Falsified wages

Ghost Employees

In this scheme, the government is charged for employee wages for fake employees or, if you prefer, “phantom” employees.

Do you remember Paul Bremer? He was the administrator of the Coalition Provisional Authority (CPA), the transitional Iraqi government. In 2007, Bremer acknowledged to the House Committee on Oversight and Government Reform that during the 2003 to 2004 rebuilding of Iraq, for which he was responsible, America had paid nonexistent “ghost employees.”

Bremer suggested that the organization feared the consequences of stopping payments to determine who was truly employed. Those who were employed supplied the Iraqi ministries with security, and Bremer did not want to anger these 74,000 armed men.

The problem of the “ghost” employees was just one piece of the puzzle of the missing $8.8 billion that the CPA distributed to Iraqi ministries. Stuart Bowen, the Special Inspector General for Iraq Reconstruction stated that the problem was not a major reason that so much money was unaccounted for. He blamed the lack of transparency for the missing funds.[4]

Commission Schemes

 

The Pyramid

Although I can’t imagine this happening in government, or that a commission/pyramid would be relevant in government, you may have personally been the victim of a pyramid scheme in your past.  In a pyramid scheme, the fraudster promises consumers or investors large profits if they can recruit others to join the program.  Some schemes purport to sell a product, but the product is really just a cover for the pyramid.

Victims of a pyramid scheme are often asked to inventory load – or buy stock inventory of a product in order to sell.  In this way, the company does make profit, and the folks on the top of the pyramid profit, but the front-line salesmen are stuck with a bunch of inventory they can’t sell!

Also beware of claims that the product is selling like hotcakes!  Who is buying the hotcakes: actual customers or just players in the pyramid?[5]

A few cautions about marketing ‘spin’!

I remember my mother buying a horrible car – a Ford Taurus – in the 90s because the dealer told her it was the best selling car in America.  Yes, it was, but only because Ford made incredible deals to get the rental car industry to buy beaucoup of them. Consumers hated the car and for good reason.  Ah, marketing spin wins again!

A well known vitamin company in the US is advertising that they are the first vitamin company to get clearance from an organization they say is an independent evaluator of vitamin quality.  Only problem is that the vitamin company founded, funds, and shares staff with this independent evaluator.

And it isn’t just creative Americans: Customer complaints against four of the United Kingdom’s largest energy firms led to an investigation of nPower, Scottish Power, Scottish and Southern Energy, and EDF Energy by the energy regulator Ofgem.

Many of the complaints were against door-to-door salespeople and telemarketers who were persuading customers to switch suppliers. Customers were given misleading information and quotes, which resulted in the customers being in worse positions than before switching suppliers.

Confirming the customer complaints, Ofgem’s 2008 investigation showed that changing firms at the persuasion of pushy door salespeople left almost half of gas customers and electricity customers worse off.

As of September 2010, energy regulators were considering fining suppliers a portion of their annual revenue if customer complaints proved true.[6]

A bit about the Ponzi

Although a Ponzi scheme is not specifically mentioned on the fraud tree, it is definitely worth talking about!  A Ponzi scheme is similar to a pyramid scheme, except there is no product to sell, and the schemer doesn’t pay a commission to salespeople to find new recruits. A Ponzi schemer uses the money from new recruits to pay existing members.

The most notorious Ponzi schemer of our day is Bernie Madoff who defrauded investors out of $60 billion.  Madoff paid investors significant returns using money he collected from new investors, which he never truly invested.

Enticing new investors by paying his investors more money allowed Madoff to keep the scheme rolling for about two, maybe three, decades. Madoff told investors that their investments were earning high returns and would give them large payouts to keep them onboard.

While he probably believed that his venture could last forever, it couldn’t withstand the decline of the stock market. In 2008, he could no longer keep up his lie. Investors weren’t paid on time because of his inability to yield sufficient cash out of his holdings.

On March 10, 2009, Bernie Madoff was charged with eleven felony charges including securities fraud, investment adviser fraud, mail fraud, wire fraud, three counts of money laundering, false statements, perjury, false filings with the United States Securities and Exchange Commission (“SEC”), and theft from an employee benefit plan.  On June 29, 2009, Madoff was sentenced to 150 years in prison.[7]

Workers Compensation

I like to work, don’t you?  I like to get something done and create new things.  But not everyone is motivated to create – some people think the world owes them a living, and false workers comp claims are an easy route to income without exertion.

It makes me very sad to see a video on 60 Minutes of a guy moving a piano who has been claiming workers comp for three years.  Can you imagine being related to that guy? How could he, and you, stand it?

Here is an executive summary from a report by the GAO on fraudulent benefits:

Social Security Administration: Cases of Federal Employees and Transportation Drivers and Owners Who Fraudulently and/or Improperly Received SSA Benefits[8]

Summary

This testimony discusses the results of our investigation of the disability programs managed by the Social Security Administration (SSA). SSA administers two of the nation’s largest cash benefit programs for people with disabilities: the Disability Insurance (DI) program, which provides benefits to workers with disabilities and their family members, and the Supplemental Security Income (SSI) program, which provides income for aged, blind, or disabled people with limited income and resources.

In 2008, the DI program provided about $104 billion to some 9 million beneficiaries, and the SSI program provided about $38 billion in financial benefits to some 7.5 million recipients. Given the magnitude of these cash benefit payments, it is important for SSA to have effective fraud prevention controls in place to minimize fraudulent and improper payments.

This statement summarizes our most recent report, describing cases of federal workers, commercial drivers, and commercial vehicle company owners who fraudulently or improperly received disability benefits. The objectives of the investigation were to (1) determine whether federal employees and commercial vehicle drivers and company owners may be improperly receiving disability benefits and (2) develop case study examples of individuals who fraudulently and/or improperly received these benefits. In conducting this investigation, we compared DI and SSI benefit data to civilian payroll records of certain federal agencies and carrier/driver records from the Department of Transportation (DOT) and 12 selected states.

We found the following:

1) Thousands of federal employees, commercial drivers, and owners of commercial vehicle companies received Social Security disability benefits during fiscal year 2008, though we could not determine the extent to which beneficiaries improperly or fraudulently received payments. Because further investigation is required to determine whether these individuals are entitled to receive payments, our analysis provides only an indicator of potentially improper or fraudulent activity. Federal salary data from selected agencies for October 2006 through December 2008 show that about 1,500 federal employees may be improperly receiving payments. These employees were (1) DI beneficiaries who received federal salary above the earnings threshold for more than 12 months after the start date of their disabilities or (2) SSI recipients who received more than 2 months of federal salary above the maximum SSA earnings threshold for the SSI program after the start date of their disabilities. Based on their SSA benefit amounts, we estimate that these federal employees received about $1.7 million in benefits a month.

2) Based on our overall analysis above, we selected 20 nonrepresentative examples of federal employees, commercial drivers, and registrants of commercial vehicle companies who received disability payments fraudulently and/or improperly. The 20 cases were primarily selected based on our analysis of SSA electronic and paper files for the higher overpayment amounts, the types of employment, and the locations of employment, and thus they cannot be projected to other federal employees, commercial drivers, or commercial vehicle owners who received SSA disability payments. In each case, SSA’s internal controls did not prevent improper and fraudulent payments, and as a result, tens of thousands of dollars of overpayments were made to individuals for 18 of these 20 cases. For the 20 cases, our investigations found the following: (1) For five cases, we believe that there is sufficient evidence that the beneficiaries committed fraud to obtain or continue receiving Social Security disability payments by withholding employment information. (2) For 10 cases, SSA improperly increased the benefit amounts of the disability payments because the individuals had increases in the reported wages on which the disability benefit payments are based.

(3) Several individuals from our cases were placed in long-term, interest-free repayment plans for improperly accepting disability overpayments, even though SSA can charge interest. One individual’s $33,000 repayment plan was in $20 monthly installments–resulting in a repayment period of 130 years. For 10 cases, the individuals were continuing to receive disability benefits as of October 2009. For 18 of these 20 cases, the individuals also received $250 stimulus checks as part of the American Recovery and Reinvestment Act of 2009 (Recovery Act) while they were improperly receiving SSA disability payments. According to SSA officials, most of these individuals were entitled to and would have received the $250 stimulus checks even if SSA had properly suspended the disability payments to them. Specifically, SSA officials stated that beneficiaries covered under the DI program would have been covered under an extended period of eligibility (EPE), which is a 36-month period in which SSA does not pay any benefit amounts (i.e., payments are suspended) if the beneficiary has earnings above the substantial gainful activity (SGA) threshold. According to SSA officials, all working DI beneficiaries covered by an EPE received the $250 stimulus check.

 

Falsified Wages

Here is a report from the NY Attorney General regarding contractors who falsified employee wages:

Three Contractors Arrested For Underpaying Employees And Falsifying Business Records In Connection With New York City Housing Authority Construction Projects[9]

State Attorney General Spitzer and New York City Department of Investigation Commissioner Rose Gill Hearn today announced that three construction contractors were arraigned on felony and misdemeanor charges arising out of their falsification of records that made it appear that $367,000 in legally required prevailing wages were paid to 19 workers on New York City Housing Authority projects, when, in fact, such wages were not paid.

Mohammed Abdur Rashid, and his company Columbus General Construction Inc., and Tarcisio Ferreira and Harrison Jarvis, whose construction companies are now defunct, were charged with failure to pay wages, falsification of business records, false filings and perjury in connection with Housing Authority contracts at the Edgemere and Arverne Houses (Ocean Bay) located in Far Rockaway.

The defendants entered “not guilty” pleas in Queens County Criminal Court, and were ordered to return to court on October 15, 2003.

“The message is clear: falsifying records and failing to pay the prevailing wages on a public work project are serious violations of the law. Contractors who engage in such tactics can expect criminal sanctions,” Spitzer said.

“These contractors unjustly chose to enrich themselves rather than pay employees their rightful wages. DOI will not tolerate this type of fraud or other acts of dishonesty and will investigate them with vigor. Upon recovering any improprieties, DOI will seek to prevent the company in question from obtaining future contracts with the City,” said Commissioner Gill Hearn.

The joint investigation by the Attorney General’s office and the Department of Investigation’s Office of the Inspector General for the Housing Authority revealed that between July 2, 2001 and December 31, 2002, Rashid, Ferreira, Jarvis, and their respective companies employed nineteen workers at the Edgemere and Arverne Houses. The work was subject to federal and state prevailing wage laws, which dictate the hourly rates that must be paid to employees working on public projects. In each case, the defendants are alleged to have failed to pay workers prevailing wages, and attempted to conceal their wrongdoing by filing false payroll showing that their employees were paid properly. The workers received between $70 to (sic) $110 per day instead of up to $48.53 per hour, which they were entitled to by law.

The Attorney General is also seeking restitution for the underpayment of wages to employees, which totals more than $367,000.

As a result of the continuing cooperation between the OAG and DOI, over one million dollars in wage restitution orders have already been obtained this year. 

Next time… more on fraudulent disbursement schemes including expense reimbursement schemes.



[1] Andrea Ball. “Woman who stole from nonprofit up for parole two years into 25-year sentence.” Austin American Statesman. May 14, 2013.

[2] Marc Parry. “Online Scheme Highlights Fears About Distance-Education Fraud.” The Chronicle of Higher Education. January 13, 2010.

[3] Ben Worthen and Joann S. Lublin. “Mark Hurd Neglected to Follow H-P Code.” Wall Street Journal. August 8, 2010.

[4] Melinda Henneberger. “Bremer paid ‘Ghost Employees’ to avoid ‘Real Trouble.’” Huffington Post. February 6, 2007.

[5] Debra A. Valentine.  Prepared statement. “What is a Pyramid Scheme and What is Legitimate Marketing?” International Monetary Fund’s Seminar On Current Legal Issues Affecting Central Banks. Washington, D.C. May 13, 1998.

[6] Tim Webb. “Ofgem investigates doorstep gas and electricity sales agents.” The Guardian [UK]. Web. September 2, 2010.

[7] New York State. Department of Justice. United States v. Bernard L. Madoff and Related Cases. FBI, August 5, 2009.

[8] United States. Govt. Accountability Office. Social Security Administration: Cases of Federal Employees and Transportation Drivers and Owners Who Fraudulently and/or Improperly Received SSA Benefits.  August 4, 2010.

[9] New York. Office of the Attorney General. Three Contractors Arrested For Underpaying Employees And Falsifying Business Records In Connection With New York City Housing Authority Construction Projects. Media Center. September 2003.
