CPE for Government Auditors

Meticulous, Fastidious & Thorough: Minor Themes of the Yellow Book


•    Identify communication requirements for all types of Yellow Book engagements
•    Identify planning requirements for all types of Yellow Book engagements


We will cover nine minor themes in this chapter that apply to all three types of engagements. The minor themes are:

1.    Licensing and certification
2.    Auditor communication
3.    Results of previous engagements
4.    Investigations and legal proceedings
5.    Reporting findings to outside parties
6.    Obtaining views of responsible officials
7.    Reporting confidential and sensitive information
8.    Distributing reports
9.    Discovery of insufficient evidence after the report is issued

Remember that attestation engagements are a little tricky; as you decrease your assurance level, you also decrease the applicable number of Yellow Book must and should statements! So if you are performing the most intense type of attestation engagement (an examination), you must follow over a dozen Yellow Book requirements. If you are conducting the less intense types of attestation engagements (reviews and agreed-upon procedures), you apply fewer than half a dozen additional Yellow Book requirements.


Minor Theme #1: Licensing and Certification

Auditors performing a financial audit should be CPAs – unless they work for a government audit organization. This is also known as the CPA continued employment clause.

6.04    Auditors engaged to conduct financial audits in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 


Minor Theme #2: Auditor Communication

Imagine that an advocate for the homeless convinces the state legislature to create a program to tutor homeless high school students to increase the probability that they will graduate. The legislature, through annual appropriations, allocates resources to the state department of education. But the department of education isn’t close enough to the students to administer the program, so they pass on the money to school districts. The school districts can then partner with local governments or not-for-profits who also work with high-risk kids.

In this scenario, who is in charge of governance for the program? Lots of cooks in that kitchen!  Who should the auditor inform about the audit results? At a minimum, in 6.06 the GAO asks that the auditor communicate with groups who contract for the audit and the relevant legislative committee. But you might decide to communicate with others involved in the program based on your own judgment or at the request of the auditee.

6.06    If the law or regulation requiring an audit specifically identifies the entities to be audited, auditors should communicate pertinent information that in the auditors’ professional judgment needs to be communicated both to individuals contracting for or requesting the audit and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity.

6.10    Because the governance structures of government entities and organizations can vary widely, it may not always be clearly evident who is charged with key governance functions. The process for identifying those charged with governance includes evaluating the organizational structure for directing and controlling operations to achieve the audited entity’s objectives and how the audited entity delegates authority and establishes accountability for management.

6.07    If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications.


Minor Theme #3: Results of Previous Engagements

This standard asks that you take the results of previous audits into consideration when planning and conducting your work.

6.11    When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 

In order to know what audits have been conducted since your last audit, the GAO advises you to ask the client.

Notice that your assessment should include related studies, not just former audits or attestation engagements.

The standard also mentions that the report needs to relate to your audit subject matter. If the report is entirely unrelated to your subject matter or audit objective, you don’t have to read it, find out whether the client has taken action, or integrate it into your audit planning. For instance, if you are performing an audit of the school lunch program, you don’t have to worry about the study completed last month by the internal auditor regarding the safety of the gym equipment!


Minor Theme #4: Investigations and Legal Proceedings

I once heard a fraud investigator beg an audience of 100 auditors to keep their hands off of a suspected fraudster’s computer! The investigator shared that several well-meaning auditors had tampered with important electronic evidence he wanted to use to prove that a fraud had occurred. Once the computer files are opened, they are automatically re-dated and become less convincing to the court. So before you begin your work, make sure you ask around about whether an investigation is underway!

6.12    Auditors should inquire of management of the audited entity whether any investigations or legal proceedings have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit.

6.14    Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. In some cases, it may be appropriate for the auditors to work with investigators or legal authorities or to withdraw from or defer further work on the engagement or a portion of the engagement to avoid interfering with an ongoing investigation or legal proceeding.


Minor Theme #5: Reporting Findings to Outside Parties

Imagine you are an auditee and an auditor has just told you that you have suffered a significant fraud and/or are out of compliance with significant rules and regulations. Would you immediately call your oversight entity – let’s say your federal grantor – to let them know? Probably not, because your funding, your job, and your reputation are on the line.

Now put your auditor hat back on. Knowing that auditees aren’t excited about telling on themselves, the GAO requires auditors to make sure relevant parties are informed of fraud, illegal acts, or violations of contract or grant agreements.

You must report to parties outside of the audited entity when the audited entity:

•    doesn’t report to other interested parties themselves, or
•    doesn’t take timely corrective action

6.53    Auditors should report identified or suspected noncompliance with provisions of laws, regulations, contracts, and grant agreements and instances of fraud directly to parties outside the audited entity in the following two circumstances.

1.    When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the information directly to the specified external parties.
2.    When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management’s failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the audited entity’s failure to take timely and appropriate steps directly to the funding agency.

6.55    Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraphs 6.53 and 6.54.

This is a practical way for the GAO to ensure that auditees are held accountable for their actions.

Even if the auditor has been fired from the audit, the auditor’s responsibility to report still holds. This makes a lot of sense from a grantee’s perspective; GAO doesn’t want the auditee to be able to fire the auditor if they find something in hopes of finding a more lenient auditor.

6.54    Auditors should comply with the requirements in paragraph 6.53 even if they have resigned or been dismissed from the audit prior to its completion. 


Minor Theme #6: Obtaining Views of Responsible Officials

The Yellow Book requires that you put the auditee’s response to your audit findings in the audit report. This lends a balanced tone to the report and also gives the report user a feel for whether anything is going to be done about the problems raised.

On the flip side, it also can highlight where the auditor has left the realm of reality! Sometimes the auditor makes a recommendation that is so out-of-line that the client, rightly, disagrees.  Since the report belongs to the auditor, they can always change their mind about reporting any finding.


We Don’t Have to Wait Forever Anymore

When I read this section, I am reminded of an audit of a state attorney general’s office. Our audit team reported several significant findings and the client agreed at the exit conference to implement the recommendations. We kindly asked for their response in writing, so we could put it in our report. And then we waited months for them to respond!

The attorney general’s office spent those months explaining their side of the story to every high-ranking decision-maker who would listen. After they had convinced the Governor, the Speaker of the House, and the Comptroller of their position, they sent us an eight-page response to our findings that had nothing to do with our recommendation. They had used fancy legalese to skirt accountability entirely.

We asked the attorneys to cut their response down to 100 words or less so it would fit in our report. I am not sure lawyers can even tell you what they had for lunch in 100 words or less! So they dragged their feet for another month before giving us a three-page, legalistic, B.S. response that still didn’t respond to our findings.

Our patience was now long gone. So we included a direct and pointed follow-up comment in our report describing how weak and silly their response was, using professional language of course! They immediately complained that it was unfair of us to respond to their response in our report. But since it is our audit report, we have the right, and some would say, the responsibility, to point out that, per their response, nothing was going to be done to resolve the issue.

6.59    When the audited entity’s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 

I wish that the Yellow Book included the following standard when we were working with the attorney general, but it appeared in the standards for the first time in 2007.

6.60    If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 

What is a reasonable amount of time for the client to respond? The GAO does not say, so I suggest that you have the client agree, in writing, at the beginning of the audit to return the report in X number of days. That way you don’t end up arguing about how slow they are at the end of the audit!


Minor Theme #7: Reporting Confidential and Sensitive Information

The way this section is worded turns me around and around because the concept is a little elusive. It basically says that if you have secret information, you need to acknowledge that you used the secret information to perform the audit and then go on to tell the reader you can’t disclose the secret information. Wha?

6.63    If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary.

6.64    When circumstances call for omission of certain information from the report, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented.

For example, a state auditor hires hackers every year to hack into the state’s databases and computer systems. When the hackers are done, they send a detailed report of their results to the state auditor and the state auditor immediately begins mitigating the vulnerabilities identified. The auditor sums up the detailed report in a two-page report to the legislature that says something to the effect of, “We have identified 14 vulnerabilities. 9 of these are already resolved and 5 are in the process of being resolved.”

The state legislature appropriates half-a-million dollars each year to pay the hackers but never gets to read about the details! If the detailed report was shared with the legislature, it would become a matter of public record and a crook could use it to access sensitive information.

Or imagine instead that you are auditing a drug rehab clinic. Obviously putting a patient’s name in your report could be harmful to the patient, their family, and the clinic.

Section 6.68 specifically mentions computer security and 6.65 mentions public record laws.

6.66    If the report refers to the omitted information, the reference may be general and not specific. If the omitted information is not necessary to meet the audit objectives, the report need not refer to its omission.

6.67    Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.

6.65    When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports.

6.68    Additional circumstances associated with public safety, privacy, or security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that misuse of this information could cause. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. In some instances, it may be appropriate to issue both a publicly available report with the sensitive information excluded and a limited use report. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate omitting certain information. Considering the broad public interest in the program or activity under audit assists auditors when deciding whether to exclude certain information from publicly available reports.


Minor Theme #8: Distributing Reports

Governmental auditors are responsible for making sure everyone who should have a copy of the audit report actually gets a copy of the report or has access to it. Even if you are terminated, your responsibilities for distribution don’t end.


Requirements: Report Distribution 
9.56    Distribution of reports completed in accordance with GAGAS depends on the auditors’ relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. Auditors should make audit reports available to the public, unless distribution is specifically limited by the terms of the engagement, law, or regulation.


Report Distribution for Internal Auditors 
9.57    If an internal audit organization in a government entity follows the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report.


Report Distribution for External Auditors 
9.58    An audit organization in a government entity should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports.

9.59    A public accounting firm contracted to conduct an audit in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public.


Minor Theme #9: Discovery of Insufficient Evidence after the Report Is Issued

Yes, it is possible that you find out that you were wrong about something in your audit report after the report is issued. I venture to say that anyone who has been auditing for a while (say over 20 years) has experienced the need to withdraw a report due to events that occur or new information that comes to light after the report is issued. This is what the GAO advises when you get in these situations:

9.68    If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors’ publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 



Congratulations, reader! We have covered a lot of ground and we are now at the end!

The Yellow Book gives auditors a framework to maintain their ethical behavior, independence, competence, and audit quality. The Yellow Book also instructs auditors on how to plan and conduct an audit and what the resulting audit report should contain. I am inspired by what the Yellow Book stands for – accountability, transparency, and service – and I hope that after reading “The Yellow Book Interpreted” you appreciate the standards, too.

Let me leave you with one more quote from the Yellow Book, but this time from the letter introducing the 2018 Yellow Book signed by Gene Dodaro, the Comptroller General.

Audits provide essential accountability and transparency over government programs. Given the current challenges facing governments and their programs, the oversight provided through auditing is more critical than ever. …. These standards, commonly referred to as generally accepted government auditing standards (GAGAS), provide the foundation for government auditors to lead by example in the areas of independence, transparency, accountability, and quality through the audit process. 

I am glad you are doing your part to make government work for all of us.
