Clifford, a CPA in public practice, wrote to ask me recently if a not for profit audit he just took on had to be conducted in accordance with Yellow Book auditing standards. He was relieved to hear that in his particular case, the answer was no.
What would have changed my answer?
You see, the Yellow Book has to be called into play by a law, regulation, or policy. So if there were an authoritative body that required the use of the Yellow Book, I would have changed my answer.
These laws, regulations, or policies can be created at the federal, state, or local government level. In addition, the auditee might have its own policies that require the application of the Yellow Book, or the auditor might have an audit charter that calls the Yellow Book into play.
Just because the Yellow Book exists and is called “GOVERNMENT auditing standards” doesn’t mean that you have to apply the Yellow Book to all governments or all government funding. Tricky, right?
Examples of requirements
Here are some examples of requirements that might call the Yellow Book into play:
- In Texas, the Internal Auditing Act requires that internal auditors at state agencies follow the Yellow Book along with IIA standards.
- In California, if a not for profit has gross revenues over $2M, they have to pay for a financial audit performed in accordance with the Yellow Book. For a list of state requirements regarding audits of not for profits, see this site.
- Auditees (no matter the entity type) expending more than $750,000 in federal funds in a year trigger the Single Audit requirements. To perform the Single Audit, the auditor has to follow the requirements in the Uniform Guidance and the Yellow Book.
- One major city had a policy that required all grantees that received city funds to be audited in accordance with Yellow Book standards, regardless of the amount of government funding.
- Some internal audit charters (the document that lays out the role, responsibilities and power of the internal audit shop) expressly require the use of the Yellow Book.
Clifford’s not for profit audit was in California, but didn’t spend enough federal funding to trigger the Single Audit or bring in enough revenues to trigger the state requirement. Clifford was off the hook.
Why the confusion for CPAs?
I think a lot of it has to do with the way the AICPA standards work. If CPAs are conducting a financial audit of a US entity, they must follow the AICPA standards for conducting financial audits just because they exist. So, CPAs naturally assume that that is the way the Yellow Book works, too.
But, that is NOT how the Yellow Book works. Something else official – a law, a regulation, a contract, a grant agreement, a policy – has to require the Yellow Book to be used.
Unfortunately, the CPA has to do some more work to uncover these official documents that require the use of the Yellow Book. One place to start is the laws or regulations of major funding sources who might care about the results of the not for profit audit.
The client may not be any help at all
Clifford logically turned to the audit client and asked if they knew of any authoritative document requiring the Yellow Book. As is often the case, the leadership at this not for profit only knew they needed an audit, but didn’t really understand what audit standards are. So, they weren’t sure if a Yellow Book audit was required, either!
The conundrum doesn’t apply only to financial auditors
Later that same week (and hence this blog post!), Margaret, the leader of an internal audit team at a community college, called to ask me if she had to follow the Yellow Book in her audit shop.
I asked her if she had looked at her internal audit charter and any state or local laws that formed the college. I also suggested that she inquire with members of the audit committee to see if they had any knowledge of the requirement.
What are these auditors trying to avoid?
For Clifford, the CPA, it wasn’t really about what he was trying to avoid… he just wanted to remain in compliance.
The Yellow Book has some additional requirements that can hang financial auditors up in a peer review. For one, a Yellow Book audit report looks different than a plain ol’ AICPA financial audit, as it requires auditors to add a letter addressing internal controls to the set of standard letters. For examples of these letters, go to this AICPA website.
For Margaret, she needed to know whether she was a Yellow Book shop pronto! She was trying to avoid a pending peer review. If she was only following IIA standards in her shop, her peer review would be due every five years. Under Yellow Book standards, she is required to get a peer review every three years, and hers was due! On top of that, as you have read in a previous blog post, the Yellow Book prefers that internal auditors stay away from consulting work and Margaret needs to know if the Yellow Book applies before she takes on any consulting engagement.
So what’s the bottom line?
Auditors don’t have to apply the Yellow Book just because it exists and has a relevant sounding title. Auditors are going to have to do a little digging to find another authoritative document that requires the audit to be conducted according to Yellow Book Standards.
What no one wants – the client, the user, or the auditor – is to find out the audit should have been done according to the Yellow Book standards and wasn’t.
A mistake here won’t kill anyone, of course, but it will be a hassle and possibly cause you to be reprimanded by an oversight body.
If you just can’t get sure and want to feel safe, just go ahead and follow the Yellow Book. It won’t hurt anything. It just means you have to do a little more than you would if you were doing a plain ol’ financial audit or a performance audit using IIA standards. It may hurt your pride later when someone proves you wrong, but I think you can handle that.