CPE for Government Auditors

Chapter 2: Types of Yellow Book Audits

As I revise my self-study book, “The Yellow Book Interpreted,” I will be sharing chapters with you.


  • Conclude which standards should and must be applied to each type of audit 
  • Distinguish among the three types of Yellow Book engagements

Relationship to Other Standards

GAGAS is just one of the standards that exist to guide you as an auditor. You may also use or be subject to the IIA’s Professional Practices Framework, the AICPA’s Statements on Auditing Standards, the AICPA’s Statements on Standards for Attestation Engagements, the Public Company Accounting Oversight Board (PCAOB) standards, or even one of many international auditing standards. What can make compliance so difficult is that these standards sometimes conflict or even try to outdo each other.

The Yellow Book is considered the toughest standard of them all. In 2006, I had the chance to meet David Walker, the Federal Comptroller General and leader of the GAO at the time, and I asked him whether he thought the standard-setting boards would ever come to agreement on terminology and standards. He said he was working on it. Then I put my foot in my mouth and said that the PCAOB standards were the preeminent standard and that everyone was scrambling to be like them. He quickly corrected me and said that the Yellow Book was the toughest standard out there, and his goal was that the Yellow Book would remain the preeminent standard that all other standard-setting bodies would emulate.

For most of my audit career, the Yellow Book has been a superior document to the AICPA standards. But in the last ten years, the AICPA has been working to tighten up their standards. The AICPA audit standards regarding risk assessment significantly changed the way that audit planning is conducted. All revisions of the Yellow Book, all chapters, including the financial, attestation, and performance chapters, sync up with the language contained in these and all subsequent AICPA audit standards. It is important to note that the performance standards – which do not have to follow the AICPA standards – borrow heavily from and use the same language as the AICPA.

If you conduct a financial or attestation engagement under the Yellow Book standards, you also must follow the AICPA standards for audits and attestation engagements. The performance auditing standards do not adopt the AICPA standards, although they do use similar language and have similar requirements to the AICPA standards.

The Yellow Book goes on to mention other standards and says that these other standards are not incorporated into GAGAS but can be used in conjunction with GAGAS. In case of conflict, GAGAS should prevail.

2.12     Auditors may use GAGAS in conjunction with professional standards issued by other authoritative bodies.

2.13     The relationship between GAGAS and other professional standards for financial audits, attestation engagements, and reviews of financial statements is as follows:

a. The American Institute of Certified Public Accountants (AICPA) has established professional standards that apply to financial audits, attestation engagements, and reviews of financial statements for nonissuers (entities other than issuers under the Sarbanes-Oxley Act of 2002 such as privately held companies, nonprofit entities, and government entities) conducted by certified public accountants (CPA). For financial audits and attestation engagements, GAGAS incorporates by reference AICPA Statements on Auditing Standards and Statements on Standards for Attestation Engagements. For reviews of financial statements, GAGAS incorporates by reference AR-C, section 90, Review of Financial Statements.

b. The International Auditing and Assurance Standards Board (IAASB) has established professional standards that apply to financial audits and assurance engagements. Auditors may elect to use the IAASB standards and the related International Standards on Auditing and International Standards on Assurance Engagements in conjunction with GAGAS.

c. The Public Company Accounting Oversight Board (PCAOB) has established professional standards that apply to financial audits and attestation engagements for issuers. Auditors may elect to use the PCAOB standards in conjunction with GAGAS.

2.15     For performance audits, GAGAS does not incorporate other standards by reference, but recognizes that auditors may use or may be required to use other professional standards in conjunction with GAGAS, such as the following:

1. International Standards for the Professional Practice of Internal Auditing, Institute of Internal Auditors, Inc.;

2. International Standards of Supreme Audit Institutions, International Organization of Supreme Audit Institutions;

3. Guiding Principles for Evaluators, American Evaluation Association;

4. The Program Evaluation Standards, Joint Committee on Standards for Education Evaluation;

5. Standards for Educational and Psychological Testing, American Psychological Association; and

6. IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals, Information Systems Audit and Control Association.

Defining Government Audits and Attestation Engagements

Defining the type of audit engagement is sometimes a matter of professional judgment. In other words, it isn’t a black-and-white decision. Understanding your options and choosing well is an important step in a Yellow Book audit.

Determining which type of audit you are conducting has confused more than one auditor and the requesting client. For example, if you are tasked with ensuring compliance with state regulations regarding a state grant for a school lunch program, you could, as we will see in the audit type definitions below, do that audit as a performance audit or as an attestation engagement.

One internal audit shop I work for on a regular basis operates inside a large state agency. They are responsible for a multitude of auditing and monitoring functions. Sergio, their audit director, is not a CPA. He is a certified internal auditor (CIA), a designation awarded by the IIA. Besides being an audit director, Sergio is on the international planning committee for the IIA. And he knows nothing about AICPA standards, and he doesn’t want to know about AICPA standards!

Since he works for a Texas state agency, state law dictates that he must simultaneously use the Yellow Book and the Red Book (the IIA’s standards). He jokingly calls himself an “orange” shop (Get it? Red and yellow make orange.). He does not even factor the AICPA into his work or his thinking and, thus, calls everything he does a performance audit.

Is that okay? Yes, because the GAO says in 1.15 that some engagements may have objectives that could be met using more than one approach.

1.14      All GAGAS engagements begin with objectives, and those objectives determine the type of engagement to be conducted and the applicable standards to be followed. This document classifies financial audits, attestation engagements, reviews of financial statements, and performance audits, as defined by their objectives, as the types of engagements that are covered by GAGAS.

1.15      In some GAGAS engagements, the standards applicable to the specific objective will be apparent. For example, if the objective is to express an opinion on financial statements, the standards for financial audits apply. However, some engagements may have objectives that could be met using more than one approach. For example, if the objective is to determine the reliability of performance measures, auditors can perform this work in accordance with either the standards for attestation engagements or performance audits.

CPAs Also Have to Choose

And Sergio isn’t the only one faced with this decision. CPAs in public practice are regularly asked to help governmental entities with more than financial statement audits and single audits.

I had a long phone call with a partner from a national CPA firm who wanted to take on a project for one of her steady clients, but her technical advisors were prohibiting her from taking on the project. It seems that the client, a state agency, was unclear in their request for proposal. The request for proposal called for a performance audit of funds spent by their sub-recipients. But, to her, what she read in the request for proposal did not sound like a performance audit.

The state agency passed federal funds and state funds to not-for-profits. These not-for-profits reported their expenditures back to the state and asked for reimbursement. The state agency wanted to make sure the costs were valid but didn’t have the manpower to check for themselves. Instead, they sent out a request for proposal asking her firm and other firms to conduct a performance audit of these payments.

This simple project did not sound like a full-blown performance audit. It sounded more like a review or agreed-upon procedure to the partner, and I agreed. The Yellow Book devotes two lengthy chapters to describing requirements for conducting a performance audit. A performance audit involves a lot of planning, including understanding internal controls and conducting a risk assessment.

A performance audit doesn’t simply stop at saying what is so; a good performance audit will also tell you why something is as it is. For instance, if the sub-recipient was not reporting the proper costs, the auditor would find out how this happened and then recommend something be done to keep it from happening in the future. It sounded from the request for proposal that the state agency only wanted to know if the amounts were correct, not why the amounts were not correct. What this project is called will make a huge difference in how much money is spent to get it done.

And it is not normal for a CPA firm to take on a performance audit. Not impossible, but not normal, either. Generally, legislative auditors or internal auditors, rather than CPA firms, perform performance audits because performance audit standards do not integrate or refer to AICPA requirements.

CPAs can choose among several engagement types and still apply AICPA standards. The AICPA rules the behavior of a CPA. But CPAs have a good amount of flexibility under the AICPA standards; they can perform their work under AICPA rules for financial audits, attestation engagements, or consulting engagements. It is very important for CPAs to call it the right type of engagement because the rules are different for each type of engagement. The CPAs’ choice will also impact their ability to perform other work for the government in the future.

The CPA firm partner was leaning toward calling this engagement an attestation engagement. On an attestation engagement, a CPA would attest to the truth of a simple statement such as, “Costs reported by the sub-recipients are accurate and properly classified.” This will be a relatively inexpensive engagement. The CPA will not ask why the reports were inaccurate but will simply verify that they are or aren’t. If the reports are inaccurate, the state agency will have the responsibility to follow up to find out what happened.

How Much Is This Going to Cost?

I’m just ball-parking here (and I am sure I will get some emails on this!), but say that a performance audit costs $45,000, an attestation engagement costs $20,000, and it costs $6,000 for some dude to simply check the numbers.

Who is this dude? He is so cheap! This dude is not a CPA and doesn’t follow any standards for his work. He will simply go out and verify that the numbers are OK and report back. And maybe in this case, that would be an appropriate thing for the state agency to pay for.

My CPA friend complained that these dudes are undercutting her and taking plenty of business. One dude even goes as far as to name his company using CPA-like words (like Assurance, Inc.) to imply that he does work similar to a CPA.

But my CPA friend wouldn’t touch a project without following standards with a ten-foot pole! Being a CPA, neither would I. The standards protect our clients and us by requiring that:

  • we remain independent of our subject matter,
  • we ensure professional competence regarding the subject matter,
  • we design methodologies that will yield sufficient and appropriate evidence,
  • our conclusions are based on documented fact,
  • our reports are thorough and free of exaggeration and error, and
  • our reports undergo quality review.

The dude doesn’t have to worry about standards or independence.

The dude doesn’t have to follow any of those standards. No wonder he is so cheap. And he doesn’t have to worry, as my CPA friend does, about compromising auditor and firm independence when it comes to future work.

It boils down to the question the client wants answered and whether they care about audit standards and cost.

Here is what the state agency hiring this help needs to consider:

  • Which is more important, cost or standards?
  • Is it important to the state agency that the auditor tell them that the numbers are accurate or why numbers are inaccurate or both?
  • Do they want to be sure that rigorous and thorough work was done to uncover the inaccuracies and reasons for the inaccuracies?

If the client answers yes to the second and third questions, they are right to call it a performance audit.

Is the state agency primarily interested in having a few simple questions answered about the numbers, such as accuracy or categorization of expenditures? If so, then they should choose to call this project an attestation engagement.

If the state agency doesn’t want any standards followed, then it can simply ask someone to verify the numbers for them, and in this case the dude can perform the work.

See how much more involved this decision is? I doubt the state agency really wants a performance audit, but they don’t want to take the time to think about and define what they really want. The term “performance audit” specifies what type of work is involved and selecting this term to describe a project in an RFP has its consequences. It means something specific and costly to the professionals responding to the RFP. And, in this case, it means that the state agency would spend more of the taxpayers’ money than necessary.

Four Types of Engagements

The GAO names four types of assurance engagements:

  1. financial audits
  2. attestation engagements
  3. reviews of financial statements
  4. performance audits.

The third type of engagement on this list, reviews of financial statements, is new to the Yellow Book as of 2018.

1.  Financial Audit

The first type of audit is the financial audit. Financial audits are the most clearly defined type of audit.

1.17      Financial audits provide independent assessments of whether entities’ reported financial information (e.g., financial condition, results, and use of resources) is presented fairly, in all material respects, in accordance with recognized criteria. Financial audits conducted in accordance with GAGAS include financial statement audits and other related financial audits.

a.   Financial statement audits: The primary purpose of a financial statement audit is to provide financial statement users with an opinion by an auditor on whether an entity’s financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework. Reporting on financial statement audits conducted in accordance with GAGAS also includes reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements.

b.   Other types of financial audits: Other types of financial audits conducted in accordance with GAGAS entail various scopes of work, including

1. obtaining sufficient, appropriate evidence to form an opinion on a single financial statement or specified elements, accounts, or line items of a financial statement;

2. issuing letters (commonly referred to as comfort letters) for underwriters and certain other requesting parties

3. auditing applicable compliance and internal control requirements relating to one or more government programs; and

4. conducting an audit of internal control over financial reporting that is integrated with an audit of financial statements (integrated audit)

An audit concludes or opines on whether a subject matter meets criteria. In the case of a financial audit, the subject matter is either the financial statements or some component of the financial statements. And the criteria are generally accepted accounting principles (GAAP) or some other set of rules about what the financial statements should look like.

When finishing a financial audit, you conclude whether the financial statements met the criteria. This conclusion is called an opinion, and the financial auditor will say something like the following in their report: “In our opinion, the financial statements present fairly the results of operations … in accordance with generally accepted accounting principles (or GAAP).”

In order to express an opinion, a financial auditor has to do plenty of work to gather evidence that the information presented in the financial statements is valid. Opinions aren’t thrown around lightly, and these engagements take a lot of time and, therefore, cost the client a lot of money.

Why knowingly choose to have a financial audit performed when they are so costly? Because the users of financial statements cannot trust the creators of the financial statements to tell the full truth and follow rules on their own. Yes, it is a sad state of affairs that some people and organizations lie to make themselves look good. But you only have to remember the litany of corporate scandals our global economy has suffered due to those who have lied on their financial statements to see the need.

Some organizations are required to undergo financial audits by regulators or grantors. If the entity trades stock on the US stock market, it must undergo a financial audit per SEC (Securities and Exchange Commission) regulations. Or, if the entity receives federal grant funds and triggers a Single Audit, the federal government requires your auditor to express an opinion on the financial statements and verify compliance with the grant terms and conditions.

2. Attestation Engagements

But what if the client asks you to evaluate another subject matter against other criteria? Or what if the client doesn’t want to pay for an opinion? Instead, they would just like a CPA firm to check something for them because they want the CPA’s objective assessment of a situation.

In these cases, the CPA firm can perform an attestation engagement. The CPA attests to the veracity of a statement made by the client. For example, the client might assert, “We are in compliance with loan covenants.” Or, “We counted and included all inventory in our report to headquarters.” Or, “All expenditures are supported by documentation.”

In order to conduct an attestation engagement, the auditor must also apply the AICPA’s SSAEs, or Statements on Standards for Attestation Engagements.

1.18      Attestation engagements can cover a broad range of financial or nonfinancial objectives about the subject matter or assertion depending on the users’ needs. In an attestation engagement, the subject matter or an assertion by a party other than the auditors is measured or evaluated in accordance with suitable criteria. The work the auditors perform and the level of assurance associated with the report vary based on the type of attestation engagement. 

Attestation engagements are divided into three subcategories depending on how much assurance the auditor provides: examinations, reviews, and agreed-upon procedures. Examinations are the most intense, reviews are less so, and agreed-upon procedures engagements are the least intense of all three. Check out the description from the Yellow Book of these three types of engagements:

1.18a    Examination: An auditor obtains reasonable assurance by obtaining sufficient, appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able to draw reasonable conclusions on which to base the auditor’s opinion about whether the subject matter is in accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects. The auditor obtains the same level of assurance in an examination as in a financial statement audit.

b.         Review: An auditor obtains limited assurance by obtaining sufficient, appropriate review evidence about the measurement or evaluation of subject matter against criteria in order to express a conclusion about whether any material modification should be made to the subject matter in order for it to be in accordance with (or based on) the criteria or to the assertion in order for it to be fairly stated. Review-level work does not include reporting on internal control or compliance with provisions of laws, regulations, contracts, and grant agreements. The auditor obtains the same level of assurance in a review engagement as in a review of financial statements.

c.         Agreed-upon procedures engagement: An auditor performs specific procedures on subject matter or an assertion and reports the findings without providing an opinion or a conclusion on it. The specified parties to the engagement agree upon and are responsible for the sufficiency of the procedures for their purposes. The specified parties are the intended users to whom use of the report is limited.

When would a client ask for an examination? When they have a subject matter on which they want an opinion that doesn’t qualify as a financial audit.

When would a client ask for a review? When they don’t want to pay for a full-blown audit but do want some sort of assurance that the subject matter is OK. Notice that you do not express an opinion on a review. Instead you say, “Nothing came to our attention that leads us to believe the subject matter does not meet the criteria.”

And when would a client ask you to perform an agreed-upon procedure? When they want to hire someone they can trust to be objective and independent to do something for them that they don’t trust themselves or those for whom they are responsible to do themselves. Please realize I am generalizing …

Levels of Assurance

Audit literature frequently uses the term “levels of assurance.” If the client wants a high level of assurance that the subject matter meets the criteria, the auditor has to do an awful lot of work. In other words, in order for the auditor to pinky-swear that the subject matter meets the criteria, the auditor must gather a lot of evidence, and gathering and documenting evidence takes a lot of work. High assurance generally equates to an opinion in CPA-land. In recent audit literature, the term ‘high assurance’ has been replaced with ‘reasonable assurance’ because the AICPA has become uncomfortable promising a high-level assurance!


If the client can tolerate a moderate amount of assurance – if they are OK with the CPA telling them that “nothing came to their attention” that needs adjustment – then they can ask for a review.

If they want no assurance that something is true, the client can ask the auditor to perform an agreed-upon procedure engagement. In that case, a CPA simply says, “I did this and here is what resulted” – no opinion, no consideration of anything outside of the agreed-upon procedure itself.

For example, my church undergoes a financial audit every two years that costs them around $13,000. In the off years, they ask the CPA firm to conduct a review of controls over cash receipts, which costs them only $5,000. While it costs less, the church also receives less assurance over a more limited subject matter.

To recap the difference between a financial audit and an attestation engagement:

  • A financial audit provides the client with a reasonable (high) level of assurance that the financial statements meet GAAP.
  • An attestation engagement can provide the client with a reasonable (high) level of assurance, a moderate level of assurance, or no assurance about a wide variety of subject matters evaluated against a wide variety of criteria.

3. Performance Audits

Performance audits are wide open! The only thing a performance auditor cannot do is opine on whether the financial statements are presented in accordance with GAAP. Every other audit objective is fair game in this category.

Performance audits are generally conducted at a reasonable (high) level of assurance although technically, performance auditors can also offer a moderate level of assurance.

The GAO defines performance audits as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria, such as specific requirements, measures, or defined business practices.  Performance audits can include any subject that can be assessed against criteria.

1.21      Performance audits provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability. 

The performance auditor and the auditee need to agree on several important matters. The auditor and the client must agree on the criteria, the objective, the level of assurance, and whether the auditor should follow any audit standard other than the Yellow Book.

This level of flexibility makes CPA firms quite nervous. They don’t like to be noncommittal when it comes to the promises they make; they’ve got to worry about that liability, you know. So, AICPA standards require CPAs to get the client to agree to the audit criteria, objective, level of assurance, and audit standards in writing before they begin the engagement. Performance auditors are not held to this requirement.

To summarize, financial audits express an opinion on the financial statements – or some component of the financial statements – and/or add a bit of compliance work (as in the case of the single audit). Any other type of assurance engagement can either be classified as an attestation engagement or a performance audit. Performance audits can be just about anything EXCEPT opinion audits of the financial statements. And performance audits, like financial audits, require a lot of work because they usually involve working at a reasonable (high) level of assurance.

4. Reviews of Financial Statements: A New Type of Engagement

For the first time in the 2018 version of the Yellow Book, the GAO mentions a new type of engagement – a review of financial statements. The level of assurance is similar to a review conducted under the AICPA attestation standards (SSAEs), but the applicable standards are not the SSAEs but instead the SSARS. SSARS stands for Statements on Standards for Accounting and Review Services, and the GAO specifically addresses SSARS No. 21, Section 90, Review of Financial Statements.

SSARS 21: 90.04 The objective of the accountant when performing a review of financial statements is to obtain limited assurance as a basis for reporting whether the accountant is aware of any material modifications that should be made to the financial statements for them to be in accordance with the applicable non-financial reporting framework, primarily through the performance of inquiry and analytical procedures.

The Yellow Book addresses these sorts of engagements in the attestation standards, chapter 7.

Using the Name GAGAS in Vain

The GAO has felt it necessary to spell out which standards are optional and which are mandatory because the GAO doesn’t want you following GAGAS in spirit only.  In chapter 2, the GAO defines the terms “must” and “should.” In general, “must” means mandatory and “should” means mandatory unless you have a compelling reason to deviate.

The GAO emphasizes that not every paragraph of the Yellow Book contains mandatory requirements. Here is how the differences are explained:

2.02     GAGAS uses two categories of requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations:

1. Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. GAGAS uses must to indicate an unconditional requirement.

2. Presumptively mandatory requirements: Auditors and audit organizations must comply with a presumptively mandatory requirement in all cases where such a requirement is relevant except in rare circumstances discussed in paragraphs 2.03, 2.04, and 2.08. GAGAS uses should to indicate a presumptively mandatory requirement.

Unconditional requirements mean that you do not have an option to follow the requirement. You must comply with these requirements. When you see the word “must,” you will have a hard time justifying a departure and will not be able to refer to the GAO in your report. If you see the word “should,” then you have a little more wiggle room. You can choose not to comply with a “should” statement, but you will need to justify the departure in your working papers and disclose your non-compliance in your audit report. Ouch!

2.03     In rare circumstances, auditors and audit organizations may determine it necessary to depart from a relevant presumptively mandatory requirement. In such rare circumstances, auditors should perform alternative procedures to achieve the intent of that requirement.

2.04     If, in rare circumstances, auditors judge it necessary to depart from a relevant presumptively mandatory requirement, they must document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement.

In the 2018 Yellow Book, the must and should statements appear in a box.

The GAO goes on to explain a third category of discussion in the standards – explanatory material. Explanatory material is introduced with the words “may,” “might,” or “could.” In the 2018 Yellow Book, the explanatory material sits outside the box.

2.07     GAGAS contains requirements together with related explanatory material in the form of application guidance. Not every paragraph of GAGAS carries a requirement. Rather, GAGAS identifies the requirements through use of specific language. GAGAS also contains introductory material that provides context relevant to a proper understanding of a GAGAS chapter or section. Having an understanding of the entire text of applicable GAGAS includes an understanding of any financial audit, attestation, and reviews of financial statement standards incorporated by reference. 

Say “GAGAS” only if you mean it!

After explaining that you need to follow every “must” and “should,” the GAO goes on to say that you can’t claim to follow the Yellow Book if you didn’t follow every “must.” If you do not follow a “should” statement, you can claim to have followed the Yellow Book in your report, but you are going to have to disclose which should statement you did not follow. The GAO calls these “modified compliance statements.”

2.17     Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate.

1. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have

(1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means.

2.Modified GAGAS compliance statement: Stating either that (1) the auditors conducted the engagement in accordance with GAGAS, except for specific applicable requirements that were not followed, or (2) because of the significance of the departure(s) from the requirements, the auditors were unable to and did not conduct the engagement in accordance with GAGAS.

 2.18    When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 

One team of monitors who was not required under any statute, law, or policy to follow the Yellow Book decided to brag that they followed Yellow Book standards in their audit reports. It was a point of pride with the team, and the client was duly impressed with their extra professionalism. However, the monitoring team had never undergone a peer review and had no plans to suffer one. Also, the management of the team didn’t want to pay for everyone on the team to be current with the 80-hour CPE requirements. At best, the team members got 20 or so hours of education every two years. The management team reasoned that they were following the Yellow Book in spirit.

In light of the definitions of “must” and “should,” they had a choice to make. They needed to either (1) explain in their audit reports that they were following most governmental standards but were uneducated or unwilling to undergo the scrutiny that they put their clients to, or (2) drop reference to the Yellow Book in their audit reports altogether. They chose the latter.

In a roundabout way, the GAO has emphasized the significance of their standards by requiring us to tell on ourselves when we do not take the standards seriously. The concepts of transparency and accountability are now being applied to us!

I should mention here that performance auditors have a whole paragraph that they must add to their report.

9.03     When auditors comply with all applicable GAGAS requirements, they should use the following language, which represents an unmodified GAGAS compliance statement, in the audit report to indicate that they conducted the audit in accordance with GAGAS:

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Do I need an audit, a review, or a monitoring visit? What is the difference?

If you have doubts that your audit customer understands what you do and how important you are 🙂 , share this article with them: 

Plenty, my friend!  Plenty.

So, you think you need an audit? Or maybe you heard that you could get by with a review instead? Maybe you were asked to find someone to do a performance audit? The folks who perform these tasks all give you some level of “assurance” that something (like financial statements or a performance metric) is true; thus, we refer to them as assurance providers.

Wherever you are coming from, I hope that answering the questions below will do the following for you:

  • help you clarify what type of service and assurance provider you really need;
  • help you understand what your finished project will look like;
  • help you talk the “lingo” with your assurance provider when getting a bid;
  • help you find out how much this assurance service will cost you;
  • and give the appropriate assurance provider clarity on what you need them to do – exactly.

Because, as you can imagine, assurance providers are a pretty exacting bunch and you don’t want to waste your time or money!

Here are the questions to consider:

1. How “sure” do you want the professional to be of the truth?
2. Do you expect the professional to follow a professional standard in doing their work?
3. What exactly do you want verified?
4. Which professional are you going to ask to do the verification?
5. Who is using the report and do they have any expectations?
6. Do you need this professional to be completely objective and independent in order for the verification to hold water?
7. How much do you have to spend?
8. Do you want help making the necessary improvements that the professional identifies?

Let’s take each question in turn:

1. How “sure” do you want the professional to be of the truth?

Auditors, reviewers, and monitors are all offering assurance or verification that something is true. Several audit standards refer to the work that auditors do as “assurance services.”

And the more assurance a client wants that something is true, the more it costs the assurance provider to provide the assurance service.  Anyone can quickly scan a situation and decide if something is true or not or look into someone’s eyes and decide that they trust whatever the person is saying.  But assurance professionals don’t scan or trust!  They verify!  They test, they analyze, and they gather evidence to support everything they say in their final report.

Now, I want to be clear that no assurance provider will promise absolutely that something is true, unequivocally, without a doubt. That would be too scary a promise for them to make. But they will provide “reasonable assurance” that something is true.

The term “audit” is reserved for engagements that offer a high level of assurance, as is the related term “examination.” In other words, a “high level of assurance” means the auditor has gathered convincing, strong evidence that the subject matter meets the criteria. A “review” offers a moderate level of assurance and, therefore, costs less to perform. An “agreed-upon procedure” offers no assurance whatsoever. And a “monitoring visit” is often silent about assurance altogether and instead points out flaws or noncompliance. Monitors also help the entity fix the flaws or noncompliance.

Please notice that I will be using the term “assurance service” instead of the term “audit” as we discuss each of the questions, because not every assurance service is a full-blown audit conducted at a high level of assurance.

2. Do you expect the professional to follow a professional standard in doing their work?

I am sure you are aware by watching the news and reading the newspaper that journalists do not promise to follow any standard of evidence in their reporting. Oftentimes hearsay, rumor, and personal opinion will suffice.  This gives journalists lots of leeway and freedom.

But professional assurance providers don’t have leeway and freedom. Every statement they make in their reports has to be backed up by convincing evidence. Professional assurance providers make a promise in their reports that something is true, and they have tests and documentation to back them up.

If the assurance provider follows a professional standard, you can have even more comfort that their promise is true because all professional assurance standards require that the assurance provider back up what they say with evidence.  I regularly teach seminars to assurance providers on how to gather and document strong, convincing evidence and the students love it.  It is probably their favorite topic because they are always looking for ways to get better evidence to support their audit reports.

All assurance standards require the auditor to gather evidence, undergo quality control reviews, and experience an audit themselves (called a peer review) that evaluates whether they are following standards and gathering good evidence.  You will have to trust the “word” of the assurance provider who does not follow these standards because there will be no quality standards or quality control system to make sure what they are saying is valid.

How can you tell if your assurance provider is following standards?  Look at their most recent reports.  If you see the following, you are golden:
“We conducted this audit in accordance with generally accepted audit standards…”
“We conducted this audit in accordance with generally accepted government auditing standards…”
“We conducted this audit in accordance with the International Professional Practices Framework….”

The standards do not say what I am about to say… because they have no right to say it… and neither do I, really. But I am going to say it anyway! And it is a very touchy thing to say to those who provide assurance. Here it is: A person should not call themselves an auditor unless they follow a professional standard. They can call themselves a monitor or an evaluator or a reviewer or an assurance specialist, whatever seems most comfortable… but I believe the term auditor is reserved for folks who follow an audit standard.

3. What exactly do you want verified?

An assurance professional can give you assurance about a variety of things. You must provide to the assurance professional an “assurance objective”, which is the question you want answered. The assurance objective needs two components: a subject matter and criteria to evaluate the subject matter against.

The more finite and specific the subject matter is, the easier it is for the assurance professional to evaluate.  For instance, if you asked me to tell you whether the State Government of California was operating in compliance with laws and regulations, I would quickly let you know that I need an army of assurance professionals to do the job and it will take us several years.  Remember, I have to gather and document evidence for everything I end up telling you in the audit report about whether the State of California was in compliance.

But, if instead, you asked me to verify whether the Treasury sold state bonds for infrastructure improvements to Marin County in accordance with federal and state laws, I could do that for you with just a few auditors, and I’d have the audit report to you in a matter of weeks.

Criteria is also really important here.  So, when I am evaluating the bond issuances of the California State Treasury I will need to compare them to state and federal law.  The state and federal law is my criteria.  If a state law is fuzzy and open to interpretation, I am going to struggle using it and I may end up in a fight with the Department of Treasury because my interpretation of the law differs from theirs.  This is a huge waste of time and can damage relationships.  So, the clearer you can pose your question, the better for everyone: those accountable for the subject matter, the assurance professional, and the person paying for the assurance.

For more on this subject, see the archived Yellowbook-CPE whitepaper on audit objectives at https://yellowbook-cpe.com/the-key-to-good-audits.html?doing_wp_cron=1473104237.4875650405883789062500

4. Do you need this professional to be completely objective and independent in order for the verification to hold water?

If you were to ask me if I thought my girls were off the charts beautiful, I would say, “Yes!” without hesitating.  But I am not exactly objective, am I?

Instead, let’s say that I have been asked to evaluate whether a department within the Treasury is complying with rules and regulations.  Where I work and who I report my assurance results to impacts my objectivity and independence and could impact the truthfulness of the final report.  Just like being a mom affects my assessment of my own children.  If the assurance provider is not able to freely tell the truth without suffering any negative consequences, their independence is compromised and the veracity of their promise is questionable.

Here are three common situations to consider:

Situation A: I work for a CPA firm who was hired through a competitive bidding process to audit the department. I will report to the board of directors of the Treasury.
Situation B: I work for the CFO of the organization, I will report my results back to the CFO, and the department being evaluated is also under the control of the CFO.
Situation C: I am an internal auditor for the Treasury and I report directly to the board of directors of the Treasury.  I am a peer, not an underling, of the CFO.

A CPA hired through a competitive bidding process will most likely be able to maintain their independence and objectivity in performing the review.  We can assume a CPA will have other clients and will not be wholly dependent on this one client for all their income.  So, we can trust the results of the assurance provider in situation A.

In situation B, the CFO may not appreciate the assurance provider sharing negative results in their report that would make the CFO look bad.  The independence of the assurance provider, and therefore the veracity of the assurance report, may be compromised.

In situation C, if the internal auditor is shielded from any negative ramifications of telling the truth and reports directly to the board of directors, we can trust the results of the assurance provider.

5. Who is using the report and do they have any expectations?

Who is requiring the assurance report?  Is it a bank?  Is it a grantor?  A regulator?  Or is it someone internal to your organization, like a division head or a board of directors? Each of these users has a different expectation for the content of the report and whether the assurance provider needs to follow specific standards and guidelines.

One way to figure this out is to look at prior assurance reports to see if any particular standard was followed and who performed the engagement.  Looking at old reports is far from foolproof, however, because it assumes that the assurance provider who prepared the prior report knew what they were doing and that is never a good assumption!

Next, ask the user of the report what they expect or if they have any guidelines you need to follow. You should be able to find out who the users are by finding out who got copies of prior reports (again, not foolproof!).

If the users are not sure, your next move is to ask organizations that are in a situation similar to yours what sort of assurance service they obtain. As you perform your due diligence, make sure you ask each person about the applicable laws, policies, contracts, and formation documents that could contain audit requirements. I frequently work with government auditors, and for these auditors, contract terms, grant agreements, federal policy, and local law can all impact the content of the audit report and the distribution list for the report.

6. Do you want help making the necessary improvements that the professional identifies?

A true-blue assurance engagement simply evaluates whether the subject matter meets the criteria. Period, end of story. But often, the assurance provider is expected to help fix problems. If the assurance provider crosses the line and becomes a consultant, their independence on future engagements is compromised.

I am going to get a little crude here… but please hang in with me.  A consultant helps the client they are working with to create or improve on a subject matter.  The consultant is helping to make the pretty baby, if you will.

A pure auditor will not help make the baby pretty. That is not their job. Their job is to say whether the baby is ugly and report the results back to the board of directors.

If the auditor does decide to cross the line and become a consultant and help make the baby pretty, they will not be as objective about the baby next time they come to audit.  In other words, if you help make the baby, you can’t be trusted to say whether the baby is ugly or not… just like I can’t be trusted to be objective about how beautiful my precious girls are.

For more on this line of reasoning, see an archived article on Yellowbook-CPE.com about the difference between auditors and monitors. https://yellowbook-cpe.com/who-are-you-most-like-2.html?doing_wp_cron=1473104037.1631679534912109375000

And the subject matter and the controls over the subject matter are ultimately the responsibility of management, not the assurance provider.

7. How much do you have to spend?

Four things make the price of an assurance service rise – the level of assurance, the breadth of the subject matter, the complexity of the criteria, and whether the assurance provider follows audit standards.

In general, it costs more for an auditor to provide a higher level of assurance, so an audit will cost more than a “review” of the same subject matter. For instance, my church has an audit done every two years of its financial statements by a local CPA firm. This audit costs $15,000. In the off two-year period, the church hires the same CPA firm to do a “review” of its revenues and disbursements and this costs only $6,000.

If the subject matter is large or broad, it will take a small army of assurance providers a long time to reach their conclusions.  And if the audit criteria is vague or complex or highly specialized, the assurance provider will need specific skills and the rarer those skills are, the higher the price.

It will also cost more if the auditor follows audit standards because it costs more for the auditor to earn and maintain the necessary credentials, maintain convincing documentation, ensure audit quality, and undergo external reviews of audit quality.

If you are hiring a CPA, please read this

What you title the assurance service matters an awful lot to the professional you are hiring because it dictates to them which audit standards they need to follow and what level of assurance they must report to you.

For instance, a CPA firm would be very happy to earn your money by providing assurance, but they need to know what type of assurance project you want them to complete. Do you want a:

  • Financial audit – where the subject matter is the financial statements or a component of the financial statements and the assurance level is high.
  • Examination – where the subject matter is not the financial statements and the assurance level is high.
  • Review – where the subject matter is varied and defined by the client and the assurance level is moderate.
  • Agreed-upon procedure – where the CPA firm performs a specific procedure for the client and reports on the results and no assurance is given.
  • Performance audit – where the assurance service provides a high level of assurance and is structured similarly to a financial audit, but the subject matter is not the financial statements. (It is very rare for a CPA firm to conduct a performance audit, because their standard-setting body (the AICPA) has not addressed this sort of engagement. More often than not, they will call this type of assurance service an examination.)

A CPA firm must know which type of assurance engagement you prefer because the standard-setting bodies dictate what procedures they must follow in planning and conducting the audit, and the standards also tell them the language that they must include in their resulting assurance reports. This topic deserves a more detailed description, so please look for more in future posts.

I hope this helped you understand a little more about what audits are and aren’t.  If you have any questions, please write to me at Leita@yellowbook-cpe.com
