In this episode of THE SAMPLE, Leita Hart-Fanta, CPA answers the question, “If I’m following Yellow Book standards, can I both create and audit the financial statements?”
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
In this episode, we answer the question, “If I’m following Yellow Book standards, can I both create and audit the financial statements?” Well, I can’t give you a 100% sure answer because, yes, technically you can. But man, the GAO in the Yellow Book makes it as hard as possible. They put up as many hurdles as they can muster to prevent you from doing that. They stop short of just saying “no” and they, instead, leave it up to your judgment in some ways.
I was teaching this topic, which gets most of the heat when I’m teaching a live class on Yellow Book standards. This is the one where people get upset when I talk about independence and creating financial statements. I had a CPA come up to me on break and he said, “You know, I hate the GAO. They make me lie all the time.” I’m like, “Oh yeah? Tell me about that.”
He was telling me that his clients are small governments and not-for-profits. They don’t have the ability, the capacity, the knowledge to create the financials, and they expect him to do it and him to audit it too. He has to lie about their skills, knowledge, and experience (there’s an acronym for that called SKE, which we’ll talk about in a little bit) in order to justify that that’s okay for him to do that. He said, “I don’t like the GAO because they make me lie.”
I reminded him, “Yes,” I said, “I know, but what if the public knew that you were both creating and auditing your own work? What we sell is our objective, independent opinion about the subject matter, and you’re not objective anymore because you created it.” He didn’t like that very much. He’s still going to do what he wants to do. He’s still going to work through these hurdles that the GAO puts up and still do what he wants to do. But he’s going to have to write it all down, and then wrestle with his own conscience about that one.
Here’s what he has to do. Well, what we all have to do, if we decide to both create and audit the financials. We’ve got to apply the conceptual framework, document the conceptual framework. We’ve got to make sure the client has SKE, and document their SKE. We’ve got to come to an understanding of the client’s responsibilities regarding the financials, that they’re responsible for the financials, and document our understanding with the client. Document, document, document, hurdle, hurdle, hurdle. What the GAO is hoping is by the time you get to the second hurdle, you’re like, “Yeah, okay. Maybe I shouldn’t do this.” But that’s not where everybody gets to.
Let’s talk about the conceptual framework first. It’s like a little sub-routine, a three-step process where you think through the threats to your independence. First you identify them, then you decide if they’re significant, and then you apply safeguards. You do procedures and take actions to safeguard your independence. The threats, the entire list is here, one through seven, that’s presented in the Yellow Book. Creating the financial statements triggers two alarm bells for independency, two threats. The self review threat, where you’re creating the work that you’re turning around and reviewing. And the management participation threat because management is supposed to create the financials.
I could argue, too, that there’s a familiarity threat, this number four but I’m just going to stick with number two and number six. Definitely, that’s a threat. Now the GAO, usually for most threats to independence, lets auditors think through the next step themselves. That was identifying threats. The GAO usually lets auditors decide this number two: are the threat significant? However, in the 2018 revision, the GAO, again, trying to prohibit auditors from creating and auditing financial statements, added a new paragraph. It says here that the threat is significant, so they made the decision for you and you must apply safeguards.
Remember, you can pause the video at any point and read these longer paragraphs if you would like to. They decided for you; it is significant. It is a threat; it is significant. Now, you apply safeguards. Now the GAO doesn’t give us exactly the most robust list of safeguards in the Yellow Book, but one that could be relevant here is having an auditor who is not a member of the engagement team review the work performed. That could help us. That’s the conceptual framework. Identify threats, decide if they’re significant, apply safeguards. That’s hurdle number one with these little substeps, and document your application of the conceptual framework.
Second hurdle: determine if the client has SKE. SKE stands for skills, knowledge, and experience. Essentially, we’re asking whether the client can tell if you made a mistake. If you create the financials and present them to them and they could not tell if you made a material error, then they don’t have SKE.
This is a lengthy paragraph that describes that for the client to have SKE doesn’t mean that they actually have to be able to create the financials, but that they can tell that you made a booboo. Then you get to document their SKE. This is where I believe that CPA was lying because he knew the client was completely reliant on him and had no idea how to read financials, but he had to make something up and act like they did.
Then the last thing is to come to an understanding. So far you’re still okay. “I’m still doing it!” You get to the last one, which is come to an understanding of the client’s responsibilities regarding the non-audit service. You must have them agree to the objectives of your service, the non-audit service (that’s what the GAO calls consulting and creating financial statements is a non-audit/consulting engagement, where you’re helping to make the subject matter).
Services to be performed, the auditee’s acceptance of its responsibilities, your responsibilities, and any limitations on the non-audit service. Personally, I would recommend that you have them sign something when it comes to their responsibilities, but the standards don’t actually go that far and say they have to sign.
Just as a review, yes, you can both create and then audit the financial statements. However, you’re going to have to write a memo that applies the conceptual framework. You’re going to have to apply safeguards. You’re going to have to document the client’s SKE and document that the client has taken ownership of the financial statements. Lots of writing, lots of thinking. It’s almost like, are you sure? Are you sure? Are you sure? That’s what the GAO is doing. You sure you want to do that? You sure? You sure? It’s like your conscience speaking to you.
Bottom line: three major hurdles. Bottom line: I’m sure that CPA is going to do whatever he wants to do, but he’s going to have to fib to get him there.
That wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me firstname.lastname@example.org and I’ll do my best to fill in the blanks. Thanks for playing.
For More Info: