In this episode of THE SAMPLE, Leita Hart-Fanta, CPA answers the question, “Should I adopt the IIA Red Book, or the GAO Yellow Book for my audit shop?”
Welcome to The Sample, a quick discussion of auditing concepts and terms that will help you do your work. Conducting an audit in accordance with auditing standards is no small feat and I want to support you. We’ll be referring to the GAO, IIA and AICPA literature to bolster our conversations. Let’s get started.
In this episode, we answer the question, “Should I adopt the IIA Red Book, or the GAO Yellow Book for my audit shop?” So what are we talking about here? We’re talking about audit standards, and some audit teams have a choice whether to follow the Red Book or the Yellow Book.
Some teams have to follow both simultaneously due to a law. That is a law here in the state of Texas, that all state agencies and universities follow the Red Book and the Yellow Book simultaneously. Generally, the rule is when you have to follow both, you go with the more stringent rule in application.
Now, what do I mean by Red and Yellow? What is that? Well, both of them are slangs, shortened versions of a much longer title. The Red Book’s much longer title is the International Professional Practices Framework. Wow, that’s a mouthful, and it’s issued by the Institute of Internal Auditors. And the Yellow Book is a slang for a much longer title, Generally Accepted Government Auditing Standards, issued by the Government Accountability Office, who is the legislative auditor for the federal government. Wow. Lots of lingo here. And so, we just shortcut it and call it Red and Yellow.
So what I’m going to do, is I’m going to very briefly, obviously, cover what I think are the main sticking points that make people go one way or the other, if they’ve got a choice between the Red and Yellow Book. There are a lot of nuances here that I’m not going to delve into, but these are the big concerns, I’m going to say.
One is peer review. The Red Book asks that you have a peer, someone that knows something about auditing, come in and evaluate whether your shop is complying with standards every five years. The Yellow Book asks that every three years. So right there, it’d be much easier to follow the Red Book.
But when that peer reviewer comes in, speaking of peer review, which standard are you most likely to pass the peer review under? And I’m again going to give this to the Red Book, because as you know, we auditors like to have, and you’re going to be evaluated by an auditor, we like have firm criteria, and we like to have clear black and white rules to follow. And one of the things you might find beneficial about the Red Book is that it’s not as black and white as the Yellow Book.
The Red Book standards are in multiple documents, and a huge volume of documents, as you can tell by this diagram right here. They’ve got their standards, then they’ve got implementation guidance and supplemental guidance, and definitions and codes of ethics. And these are all located in separate documents, which is a little difficult to work with, but as an auditor, you know that in there somewhere, there will probably be some way for you to make a stand against a peer reviewer if they’ve got a comment. They say, “Well, you should do this,” and you say, “Well, in this other document, it says this.”
And then in the Yellow Book, it’s not as easy to do that, because it’s all combined into one master document. And the GAO has been working for the past couple of decades in making it clear which standards are mandatory by labeling them with a “must,” or presentably mandatory is labeled “should,” and then which ones are guidance. So they’ve been a lot more firm, therefore, less wiggle room. A little bit more wiggle room, I’m going to say with the Red Book, which can be a really good thing.
Another place where these two standards differ is with consulting services, when it comes to auditor independence. So let’s just consider this picture here on the left is an audit where the auditor evaluates an auditee and then reports back to a governing body. All right, on the right is a consulting engagement where the auditor is now called a consultant and then works with the client to create a subject matter. All right. The GAO calls consulting services, “non-audit services”. The IIA calls them consulting services.
Now, the big difference here in that the IIA actually encourages consulting and has a separate set of standards just for consulting. Because they believe that consulting adds value to the organization that you’re serving. All right? The GAO does not like consulting and has no standards for that and wants nothing to do with that, and puts as many barriers up to consulting as they can muster. So they try to prevent you from doing this.
Why? Okay, I’m going to get a little crude here. This will help you remember, though. On the right hand side with consulting, the auditor is helping to make the baby (is making the subject matter), and on the left hand side is being asked to say whether the baby is ugly or not. And the GAO does not think that you can both make the baby and then turn around and call the baby ugly. They wish you would just stick with the calling-your-baby-ugly part of the job and not be that helpful. So that is a big sticking point for internal auditors.
Both of them have strengths, different angles that they come at the standards from, that help them be stronger than the other one in a certain area. The Red Book does a great job telling us how to run an audit shop. And the Yellow Book does, in my opinion, a better job telling you how to run an individual audit engagement. So two different things, one is more global. The Red Book is, “This is how you run an entire audit shop.” And the Yellow Book is, “This is how you run each project.”
Now, how does this show up as a difference in the standards? There’s multiple places where it shows up, but here’s one. The IIA (the Red Book) demands that you follow up on prior audit comments, and you actually track them and keep a record so that you make sure that your recommendations are valid and that they’re being implemented. And again, that you’re adding value to the organization that you’re working for. And if you’re not getting a good response on those findings, it could be that you’re not hitting the nail on the head as an auditor or the client is not valuing your work. So that’s a how-to-run-your-audit-shop, how-to-add-value kind of perspective.
The Yellow Book doesn’t really care if you followup on those findings at all, ever. You finished the audit; you’re done. Now, they do ask you to consider prior audits that are relevant to your audit objective when planning your current engagement, and that’s as far as they go. See the difference in focus there?
So why the different perspective of each of these standards? We auditors love to talk about root cause, so let’s talk about that. And I believe the root cause of the differences between the Red Book and the Yellow Book have to do with who creates them.
Okay. So just look at these major differences here. The Red Book is created by their own members, and their members are all over the world. I think of the Red Book more as a collection of best practices that are agreed to by France, and Zimbabwe, and Japan, and cover all industries, right?
So they are not as specific and as (excuse the pun again) black and white as the Yellow Book is, because the Yellow Book is written by a legislative auditor who is truly independent. They have their own budget and they can tell the truth without suffering any consequence. They are the preeminent government audit organization in the known universe (I feel pretty good about saying that). And they wrote the standards initially for their own use.
So instead of getting everybody in the world to agree to the standards, they just have to agree internally. Yes, they go out for comment, but in the end they’re still writing it for their own use. And they’ve got to align with the AICPA, which is another conversation completely. Okay.
So one, the Yellow Book has a government perspective; Red Book has a multiple-industry perspective. One document’s written by a member organization, the other by a government entity, which tends to be a little bit more rule-based. And that’s why you’re going to see a difference with the top things we talked about: the peer review, the firmness of the standards, whether they appreciate consulting or not, and their perspective in general.
That wraps it up for another episode of The Sample. True to the nature of a sample, we didn’t talk about everything, so you’ve probably got questions. Write to me firstname.lastname@example.org and I’ll do my best to fill in the blanks. Thanks for playing.
For More Info: