Response to the 2023 Exposure Draft of GAGAS by Leita Hart-Fanta, CPA CGFM CGAP
Hello, Mr. Dalkin.
Thank you for keeping GAGAS up-to-date and for allowing us to comment on the 2023 exposure draft of GAGAS. I frequently refer to GAGAS for answers to sticky questions and to set expectations for participants in my Yellowbook-CPE.com courses.
Although the majority of my courses are designed for performance auditors inside government, I also work with external auditors conducting the Single Audit. Additionally, I conduct peer reviews and quality control reviews against GAGAS and IIA standards.
I know you’re requesting feedback regarding changes to Chapters 5 and 6, but I included a few other notes below to consider for the next revision.
The definition of a performance audit
The 2018 Yellow Book version removed the definition of a performance audit. It was previously included in 2.10 of the 2011 version stating: Performance audits are defined as audits that provide findings or conclusions based on evaluation of sufficient appropriate evidence against criteria.
The key part of that definition that’s missing from the current definition of a performance audit in 1.21 of the 2018/2021 version is the term ‘criteria.’ Even though criteria is mentioned as a necessary component of planning in chapter 8.07, as a component of an audit objective in 8.08 and an element of an audit finding in 8.116, the 2011 sentence is more direct and clear.
I had the pleasure of attending the GAO Center for Audit Excellence class entitled Planning a Performance Audit. I asked the instructor about the change to the performance audit definition after encountering this proposed performance audit objective in the course materials: What steps did program managers take to ensure that the competitive bid process resulted in the most cost-effective contracts?
This objective does not have criteria and sounds more like a ‘consulting’ – or ‘non-audit’ – project than an audit project. The instructor stated the GAO does conduct these more ‘informational’ or descriptive engagements under performance audit standards. This was juxtaposed against ‘evaluative’ audits requiring criteria under the performance audit standards. The instructor continued that ‘descriptive’ audits would not reach a conclusion and the findings would only contain conditions and effects.
This raises a few questions:
- Should these ‘descriptive’ engagements be classified as a ‘non-audit service’ and then evaluated for their impact on auditor independence?
- If performing a ‘descriptive’ engagement, how would the auditor then comply with section 8.07 requiring auditors to develop criteria?
- When conducting a ‘descriptive’ engagement, should the GAGAS compliance statement in 9.03 be modified since the auditor won’t have a conclusion against the objective? 9.03 states in part: Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
- How will a quality control reviewer comply with requirements in section 5.143c.(3) of the exposure draft about evaluating whether the auditor can support their audit conclusions?
Approved peer review programs
5.61 lists five well-known peer review programs, but leaves out a number of other high quality ones. One example is the Association of College and University Auditors’ peer review program.
What process do you use to screen these programs? In an effort to be more transparent, will you share in the standards about what you look for and the process for being included in the list at 5.61?
Independence
While teaching a class on Yellow Book standards to CPAs, one of the participants mentioned he hated the GAO. Ha! When asked why, he responded that the GAO made him lie all the time! What was he lying about? His clients had the skills, knowledge and experience necessary to oversee his creation of the financial statements that he subsequently audited. In the CPA’s opinion, it was more efficient to both create and audit the financials. This was also the client’s expectation. To keep the client happy, he met their expectations.
Please take your independence standards one step further and expressly prohibit auditors from both creating and auditing financial statements. This is equivalent to prohibiting auditors from being involved in continuous monitoring on behalf of management in 3.97.
Auditors will most likely find a way around the prohibition. At least it will be a clearer and more direct method of preventing auditors from creating and auditing financial statements than requiring the client to have skills, knowledge and experience. Skills, knowledge and experience are all subjective, and thus manipulatable, concepts.
Professional judgment
The standard in Chapter 3 of GAGAS 2021 contains paragraphs 3.113-3.116 mentioning some, but not all, areas where professional judgment should be applied. The new 2023 exposure draft of GAGAS also includes multiple paragraphs relating to the application of professional judgment, including 5.06, 5.33, 5.52 and 5.110.
Should this professional judgment section in Chapter 3 of GAGAS 2021 be expanded to include all applications of professional judgment? Or should this section be shortened to only include the concepts of reasonable care and professional skepticism?
Audit risk and project risk assessment
The guidance on project risk assessment for performance auditors hasn’t changed for a long time. There’s also redundancy and vagueness in the text. 8.15 and 8.16 seem to refer to the classic risk formula involving audit risk, inherent risk, control risk and detection risk as follows:
For the first time in 2018, the term ‘inherent risk’ was used in section 8.41.
Several of my clients struggle with how to best accomplish a risk assessment on their performance audits, partially due to unclear GAGAS guidance.
In the 2023 draft, is it possible to apply the same granularity and specificity to audit project risk assessment that’s applied to risk assessment for quality control?
Performance aspects
Section 8.08 mentions the term ‘performance aspect,’ but it is not defined in the standards. However, it is defined in the International Standards of Supreme Audit Institutions. A glossary definition would be helpful to the audit community using the Yellow Book.
Documentation standards
Documentation standards haven’t been revised in many years and contain redundancy. Paragraphs 8.32 and 8.135 of GAGAS 2021 mention ‘evidence obtained’ and ‘evidence that supports.’
Role of the supervisor
GAGAS 2021 Section 8.135c mentions the need for ‘supervisory review’ before issuing the report. The exposure draft separates the functions of supervision and review in sections 5.55 and 5.56. Please clarify your intention regarding 8.135.
Objectives as elements of a finding
Section 6.08 of the 2011 Yellow Book mentioned objectives could be developed as elements of a finding or reporting elements auditors expect to develop.
I often used this in my teaching to encourage a more thorough risk assessment and to create an outline of the audit finding and report before moving into fieldwork. This outline is a thesis that can be disproven by testing.
Please add this jewel of audit wisdom back to the discussion of objectives or somewhere else in the planning section of the performance audit standards.
Understanding of the program
Section 8.36 in 2018 GAGAS, understanding the nature and profile of the program and user needs, was moved from the planning section into the ‘conducting’ an audit section.
This is one of the first steps an auditor must perform to plan the engagement. It was also mentioned during the GAO’s Center for Audit Excellence course I mentioned earlier as a step of the planning process – not the fieldwork process – and was referred to as the ‘logic model.’
The AICPA standard AU-C 315.03 states gaining an understanding of the audit subject precedes assessing risk and planning responses: The objective of the auditor is to identify and assess the risks of material misstatement… through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.
As a result, this will affect the auditor’s understanding of significance and audit risk mentioned in 8.15 and 8.16, so moving it earlier in the chapter would better align with auditor practice and other standards.
Responses to Quality Management Risk
The 2023 exposure draft of GAGAS asks auditors to design and implement responses to quality management risk in section 5.22. The only response discussed in the exposure draft is a quality control review in sections 5.137-5.150. Please share other possible responses.
Consultations
Sections 5.58-5.63 of the 2023 exposure draft of GAGAS address ‘consultations.’ My assumption is that a consultation needs to occur when the audit team is in disagreement. If so, 5.62 and 5.61 should introduce this set of paragraphs to help create a definition for the term ‘consultation.’
Inspections
It took several reads of the standards to distinguish between an inspection, a monitoring activity, a quality control review, a review and a supervisory review. Could you define each of these terms more clearly, perhaps in one area and with a handy-dandy graphic?
Other petty issues in the 2023 exposure draft of GAGAS
5.85 lists three significant items which should be converted to a bulleted list to match the format of other sections.
5.95 and 5.106 seem unnecessary.
5.122 (recognizing an audit is flawed) should refer readers to section 9.66 (about reissuing a report).
Thank you for your consideration
Thank you for considering these comments!
In appreciation,
Leita Hart-Fanta, CPA CGFM CGAP