CPE for Government Auditors

Does your team meet the 2018 Yellow Book Independence Standards?

Chapter 3: Independence

As I revise my self-study book, “The Yellow Book Interpreted,” I will be sharing chapters with you.


  • Classify your ethical responsibilities in the government environment 
  • Apply the conceptual framework in evaluating threats to your independence as an auditor 
  • Identify the attributes of professional judgment per GAO standards

All Three Together

In prior versions of the Yellow Book, the ethics, independence, and professional judgment standards were presented in different chapters. Now they are joined in one long chapter.

These are some of the least specific standards in the Yellow Book as all require the application of professionalism, maturity, and judgment. And how do you regulate professionalism, maturity, and judgment? You can’t. You can only talk about them in generalities.

We will cover the three standards in the order presented in Chapter 3 of the Yellow Book. First ethics, then independence, and lastly professional judgment.


In order to understand the GAO’s perspective on ethics and independence, we need to talk about three themes of the Yellow Book that kick off the standards in the first few pages of the Yellow Book. These three themes – accountability, transparency, and service –  put us in the right frame of mind when auditing in the government environment.


What is accountability? I had heard the term tossed around the government so frequently that I never even thought about its meaning. Now I know that accountability does notmean that you got it right. It just means that you take ownership of it.

I met a cowboy auditor in West Texas who said, “You might be right, or you might be wrong, but you’d better the hell document it.” That sums up accountability quite nicely. When things go bad, you are there to say, “Yes, that was me. I’m sorry.” When things go well, you can keep your job.

Recently on TV news, I saw a high school coach who was responsible for the death of one of his teenage football players. And instead of being contrite, he said something like, “Everyone is forgetting that I suffered a loss, too, and that I will hold on to this for the rest of my life.” That is not exactly what the parents of that boy wanted to hear. He deflected accountability and tried to engender empathy for himself. I doubt that will serve him well in his community.

The GAO repeatedly reminds us that we are accountable to the taxpaying public for our actions and that we, as auditors, have a role in holding government leaders accountable.

1.02     The concept of accountability for use of public resources and government authority is key to our nation’s governing processes.

1.05     Government auditing is essential in providing accountability to legislators, oversight bodies, those charged with governance, and the public. Auditsprovide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the engagement.

One of the tough things about the GAO standards is they are not written for government officials (although government officials are mentioned a few times); they are written as standards for auditors. So, while we hold public officials and employees accountable for their actions, we are accountable for our actions, too.


Actions and information that are transparent and open for everyone’s inspection and review.

1.07     Audits performed in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations. GAGAS contains requirements and guidance to assist auditors in objectively acquiring and evaluating sufficient, appropriate evidence and reporting the results. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, better decision making and oversight, effective and efficient operations, and accountability and transparency for resources and results.

The State of Texas government has put every single transaction online in real time. I can, with a few clicks of the mouse, see that the Texas Department of Transportation bought a van, how much the van was, who they bought it from, why they need it, and what color of funds (general revenue, special revenue, enterprise revenues) paid for it. They occasionally consider putting all state employee payroll data online – yes, names, pay grade, title, the whole bit. Why? Because citizens own the government, and we citizens have a right to know how our money is being used!

Theoretically, if you do as President Obama frequently advised in his speeches and shine light in the dark places, those in hiding will be exposed and held accountable.


If you audit Hurst Construction, your ultimate audience for the audit report is Mr. Hurst, his board of directors, and the bank. But, if you audit a public housing project, your ultimate clients are not the managers of the project, the boards of directors, or the banks. Your ultimate beneficiaries of the report are not even the grantors. The ultimate beneficiaries of your work are the low-income children who live in the housing project.

We have to remember, as governmental auditors, that we are checking to see whether tax dollars are being used for their intended purpose and whether the public is being served by our auditee’s efforts.

3.08     A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of accountability for public resources, which is fundamental to serving the public interest.

We hold our clients to a higher standard of behavior than we do in the commercial sector. While it was OK for AIG to go on a lavish $500,000 spa junket before the US taxpayers bailed them out in 2008, it certainly was not OK after the bailout.

Later, we will see that the GAO asks you to report even more bad behaviors than the AICPA does. If Mr. Hurst wants to put his jet-setting, never-worked-a-day-in–their-life kids on the payroll, more power to him. Auditors in the commercial sector do not have a responsibility to say anything about that. But in the government realm, we call that abuse, and we do have a professional, and I have to add, moral, responsibility to do something with that knowledge. We’ll discuss more about abuse later.

Five Main Sections of the Ethics Section

The ethics discussion is divided into five main principles:

a.   The public interest 
            b.   Integrity 
            c.   Objectivity 
            d.   Proper use of government information, resources, and position 
            e.   Professional behavior 

Let’s discuss each one in turn.

The Public Interest

When Johnson and Johnson found out that someone had tampered with one of their products, Tylenol, and that people were dying as a result, they immediately recalled the product. This cost Johnson and Johnson an estimated $100 million. They could have made a lot of other, less responsible and possibly less expensive choices. But because they had a mission statement that put the customer first and the shareholders second, it was obvious what they should do.

In government, our first responsibility is to the public. Not to the person who hired us and is writing our checks. Not to the federal grantor. We are responsible for bringing anything to light that harms the kid in the housing development.  Sometimes this will cost us.

A city auditor told me that he sees a higher purpose in his work. It is his job to make sure that the monies collected by the city are turned back to support those who need services and who may not have a voice in the government. He works on the citizens’ behalf, and because of this higher purpose, doesn’t care whether he makes his auditees upset when he publishes his reports.

3.07     The public interest is defined as the collective well-being of the community of people and entities the auditors serve. Observing integrity, objectivity, and independence in discharging their professional responsibilities assists auditors in meeting the principle of serving the public interest and honoring the public trust. The principle of the public interest is fundamental to the responsibilities of auditors and critical in the government environment.

In my business, I transfer in and out of two worlds – the government world and the commercial world – and indeed they are different. In the commercial world fortunes are made by doing what is not expressly prohibited. In the government world, action won’t be taken unless it is expressly permitted.

Commercial entities are not interested in transparency. A friend of mine, an engineer, says that Apple is one of the most secretive organizations for which he has ever worked. At the corporate headquarters store, they sell a T-Shirt that says, “I visited the Apple Corporate Offices in Cupertino…and that is all I can say about it.” Apple doesn’t want their auditor shining light in their dark places.

But government auditors must shine light in dark places to serve the children, the elderly, and the disabled.

And taxpayers get very, very upset if even a tiny bit of their hard-earned tax dollars are squandered. Not long ago, I helped develop a training event for a government employee retirement system. Afterwards, to celebrate our success, the retirement system managers insisted that we dine at a first-rate steakhouse in Dallas – you know the type, where you pay $45 for an à la carte steak. We had wine and appetizers, and one guy ordered a $35 brandy. I was very uncomfortable. I thought that if any of their members walked in and recognized them as the folks in charge of their retirement funds, they would have a lot of explaining to do. The retirees don’t want their money going for high living! If you work for a corporation, go ahead and enjoy. Live it up! But in a conscientious government environment, I can’t even get a cup of coffee for free.


Both the integrity and objectivity sections of the Yellow Book mention independence and freedom from political or ideological bias.

When I started in public accounting, the managing partner made it very clear to me that I should not put any bumper stickers on my car indicating affiliation with any political party, university, or even a radio station! When talking to the client, I was not to express opinions on the events of the day or engage the clients in religious, social, or political discussions. I was to be personality-less! In this way, the client could never question whether I had a bias as I made my audit conclusions.

He was, not so subtly, pointing out that what the firm sold was auditor integrity and objectivity. And if the client doubted either or those, our product – our conclusions and opinions – was useless.

3.09     Public confidence in government is maintained and strengthened by auditors performing their professional responsibilities with integrity. Integrity includes auditors conducting their work with an attitude that is objective, fact-based, nonpartisan, and nonideological with regard to audited entities and users of the auditors’ reports. Within the constraints of applicable confidentiality laws, rules, or policies, communications with the audited entity, those charged with governance, and the individuals contracting for or requesting the audit are expected to be honest, candid, and constructive.

3.10     Making decisions consistent with the public interest of the program or activity under audit is an important part of the principle of integrity. In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and other likely users. Auditors may also encounter pressures to inappropriately achieve personal or organizational gain. In resolving those conflicts and pressures, acting with integrity means that auditors place priority on their responsibilities to the public interest.



3.11      The credibility of auditing in the government sector is based on auditors’ objectivity in discharging their professional responsibilities. Objectivity includes independence of mind and appearance when providing audits, maintaining an attitude of impartiality, having intellectual honesty, and being free of conflicts of interest. Maintaining objectivity includes a continuing assessment of relationships with audited entities and other stakeholders in the context of the auditors’ responsibility to the public. The concepts of objectivity and independence are closely related. Independence impairments impact objectivity.

Proper Use of Government Information, Resources, and Position

A professor at University of Texas at Arlington teaches ethics and leadership to government leaders in communist bloc countries. He developed several case studies for the leaders-in-training to discuss. One case study described how a mayor used city employees to landscape his backyard– clearly an improper usage of government resources. But unlike previous case studies, the professor didn’t hear anything back from them the next week. Instead the leaders stalled for a month before they admitted that they just didn’t understand the ethical dilemma in the scenario. Using the labor of government employees for personal benefit is one of the perks of being a government leader in a communist bloc country! Not so under Yellow Book standards:

3.12     Government information, resources, and positions are to be used for official purposes and not inappropriately for the auditor’s personal gain or in a manner contrary to law or detrimental to the legitimate interests of the audited entity or the audit organization. This concept includes the proper handling of sensitive or classified information or resources.

3.13     In the government environment, the public’s right to the transparency of government information has to be balanced with the proper use of that information. In addition, many government programs are subject to laws and regulations dealing with the disclosure of information. To accomplish this balance, exercising discretion in the use of information acquired in the course of auditors’ duties is an important part in achieving this goal. Improperly disclosing any such information to third parties is not an acceptable practice.

3.14     Accountability to the public for the proper use and prudent management of government resources is an essential part of auditors’ responsibilities. Protecting and conserving government resources and using them appropriately for authorized activities is an important element in the public’s expectations for auditors.

3.15     Misusing the position of an auditor for financial gain or other benefits violates an auditor’s fundamental responsibilities. An auditor’s credibility can be damaged by actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an auditor’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the auditor serves as an officer, director, trustee, or employee; or an organization with which the auditor is negotiating concerning future employment.

Professional Behavior

Any behavior that could cause someone to question your professionalism can detract from your credibility. And, credibility helps sell audit recommendations.

3.16     High expectations for the auditing profession include compliance with all relevant legal, regulatory, and professional obligations and avoidance of any conduct that might bring discredit to auditors’ work, including actions that would cause an objective third party with knowledge of the relevant information to conclude that the auditors’ work was professionally deficient. Professional behavior includes auditors putting forth an honest effort in performanceof their duties and professional services in accordance with the relevant technical and professional standards.

Consider the following true scenario (with a few small changes to protect identities): You are the internal audit director of a large city. You recently hired a new auditor fresh out of college and have been grooming him for a career conducting governmental audits. Recently, you assigned him to conduct a performance audit of your city’s police department.

Everything has been going well until last week when you saw a picture of him in the local newspaper at the city’s Mardi Gras celebration. He was pictured on the very top of a street light without his shirt wearing dozens of bead necklaces. The police stood below and appeared to be yelling at him to come down. You show him the picture and ask him what he thought he was doing. He becomes immediately defensive and tells you that what he does on his own time is none of your business. He had some college buddies in town and they were celebrating an upcoming wedding.

The professional behavior standard says nothing about distinguishing your behavior between your work life and your personal life. But does this new auditor’s personal behavior compromise his credibility with the police force? Yes, indeed! If he doesn’t respect the law on his personal time, he can’t expect the police department to respect his audit during his professional time.

To maintain your shop’s professional image, you will probably have to remove this auditor from the engagement and replace him with another auditor.

As auditors, we sell our credible, objective, high integrity opinions  andconclusions about an audit subject.

Borrowing from the later discussion on independence in chapter 3:

3.22     Auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties. 

3.19     Auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditors and audit organizations are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the engagement and reporting on the work. 


Did you notice how many times the words independence and objectivity showed up in the ethics requirements? Independenceis one of the most complicated and granular standards in the Yellow Book clocking, in at almost 30 pages of text!

I am going to summarize the major requirements of the Yellow Book regarding independence. But as you know, summaries leave out details that might be important to you. So please at least scan Chapter 3 to make sure you have applied the independence standards to your specific situation.

The GAO Isn’t Empathetic When It Comes to Independence

The GAO, a legislative auditor, is in a rare situation; they are truly independent. They can say whatever needs to be said and not suffer any consequences because they are funded by and report directly to Congress, not the federal agencies that they audit.

The GAO did not set out to have anythingto do with internal or external auditors. They wrote the Yellow Book for themselves. But over the decades, through a series of laws and regulations, they became responsible for groups of folks for whom they seem to have little empathy because both internal auditors and external auditors have inherent independence challenges. Internal auditors are employees of the entity they audit and attend the same holiday parties as their auditees. External auditors are contractors who are paid by the auditee, and if they don’t make the auditee happy, they don’t get to keep the gig during the next audit cycle.

For the last few decades, the GAO has been working with mixed success to clarify and strengthen the auditor independence standards so that all government auditors are working with the highest level of objectivity and integrity. Along the way, they decided that going their own way with the standards confused CPAs in public practice. So, they adopted the AICPA rules for independence and added a few significant modifications. The AICPA invented something called the “conceptual framework” for evaluating auditor independence, which I will explain shortly.

The Bottom Line of Auditor Independence

The essential steps the GAO wants you to go through if you encounter an independence threat are:

  1. apply the conceptual framework when you encounter a threat
  2. document your application of the conceptual framework
  3. if the threat involves you performing a non-auditservice, make sure the client has SKE
  4. document the client’s SKE
  5. have the client agree they are responsible for the results of the non-audit service
  6. document this understanding with the client in writing

Let’s go through each step.

Apply the Conceptual Framework

The AICPA uses a decision process for evaluating independence that they call the “conceptual framework.” Typical of the AICPA, they make something very straightforward sound complex and involved. You know, something only a well-paid, CPA-typeprofessional can implement!

I am not intimidated or wowed by their conceptual framework, and you shouldn’t be either. It is simply putting fancy terminology around the way all humans make decisions. First, we understand our options, then we decide what is important to us, and then we choose. But since you have to use the conceptual framework, it would be good for you to use the exact language the AICPA and GAO use:

3.27     Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to 

1.identify threats to independence; 

2.evaluate the significance of the threats identified, both individually and in the aggregate; and 

3.apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level. 

Let’s think through the conceptual framework in more personal terms before we take on an audit example. Let’s talk about the decision process you go through when dating!

Step 1 of the Conceptual Framework: Identify Threats

In dating terms, identifying threats means spending time with your intended to find out more about them and identify potential relationship killers or aspects of their personality, habits, or baggage that could cause you future misery. Maybe he is way too close to his mother, or his ex-wife is extremely hard to handle, or his football/golf/hunting/fishing hobby is likely to leave you on your own most weekends.

Step 2 of the Conceptual Framework: Evaluate the Significance of the Threats Identified, Both Individually and in the Aggregate

In dating terms, this means you now need to figure out whether you can actually tolerate being left alone most weekends. Maybe you like to be alone, so you can shop, spend time with friends, or volunteer. But if his mother’s constant visits and calls are unwanted, his ex-wife’s picture is still on his mantle, and he spent the last three weekends getting sunburned and drunk at the golf course, this is what the AICPA calls “threats in the aggregate.”

Step 3 of the Conceptual Framework: Apply Safeguards as Necessary to Eliminate the Threats or Reduce Them to an Acceptable Level

In dating terms, this might mean breaking up, finding a new supportive social structure, agreeing to limits on his hobby, or moving to another country without phone or internet service to escape his mother.

Not exactly rocket science, huh? Conceptual framework… PLEASE!

The GAO just adds to the aura of complexity by coming up with a diagram in the appendix. I can tell when people have gotten a bit too granular when I see two things: a key that explains acronyms and terminology and/or a flowchart. When auditors feel the need to add a key that explains acronyms and technical terms to the back cover of their report, they mistakenly assume their readers care enough to actually use it to read their complex report! The same is true when they have to draw a flowchart similar to the following:

GAGAS chart

Trifecta Step #1 – Identify Threats

Let’s start by looking at the list of threats: conceptual framework step #1.

3.30     Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: 

1.Self-interest threat: The threat that a financial or other interest will inappropriately influence an auditor’s judgment or behavior. 
2.Self-review threat: The threat that an auditor or audit organization that has provided nonauditservices will not appropriately evaluate the results of previous judgments made or services provided as part of the nonauditservices when forming a judgment significant to a GAGAS engagement. 
3.Bias threat: The threat that an auditor will, as a result of political, ideological, social, or other convictions, take a position that is not objective. 
4.Familiarity threat: The threat that aspects of a relationship with management or personnel of an audited entity, such as a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective. 
5.Undue influence threat: The threat that influences or pressures from sources external to the audit organization will affect an auditor’s ability to make objective judgments. 
6.Management participation threat: The threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the audited entity, which will lead an auditor to take a position that is not objective. 
7.Structural threat: The threat that an audit organization’s placement within a government entity, in combination with the structure of the government entity being audited, will affect the audit organization’s ability to perform work and report results with integrity.

3.38     Examples of circumstances that create self-interest threats for an auditor follow: 

a.   An audit organization having undue dependence on income from a particular audited entity. 
b.   A member of the audit team entering into employment negotiations with an audited entity.
c.   An audit organization discovering a significant error when evaluating the results of a previous professional service provided by the audit organization. 
d.   A member of the audit team having a direct financial interest in the audited entity. However, this would not preclude auditors from auditing pension plans that they participate in if (1) the auditors have no control over the investment strategy, benefits, or other management issues associated with the pension plan and (2) the auditors belong to such pension plan as part of their employment with the audit organization or prior employment with the audited entity, provided that the plan is normally offered to all employees in equivalent employment positions. 

3.39     Examples of circumstances that create self-review threats for an auditor follow: 

1.An audit organization issuing a report on the effectiveness of the operation of financial or performance management systems after designing or implementing the systems. 
2.An audit organization having prepared the original data used to generate records that are the subject matter of the engagement. 
3.An audit organization providing a service for an audited entity that directly affects the subject matter information of the engagement. 
4.A member of the engagement team being, or havingrecently been, employed by the audited entity in a position to exert significant influence over the subject matter of the engagement. 

3.40     Examples of circumstances that create bias threats for an auditor follow: 

1.A member of the engagement team having preconceptions about the objectives of a program under audit that arestrong enough to affect the auditor’s objectivity. 
2.A member of the engagement team having biases associated with political, ideological, or social convictions that result from membership or employment in, or loyalty to, a particular type of policy, group, entity, or level of government that could affect the auditor’s objectivity. 

3.41     Examples of circumstances that create familiarity threats for an auditor follow: 

a.   A member of the engagement team having a close or immediate family member who is a principal or senior manager of the audited entity. 
b.   A member of the engagement team having a close or immediate family member who is an employee of the audited entity and is in a position to exert significant influence over the subject matter of the engagement. 
c.   A principal or employee of the audited entity having recently served on the engagement team in a position to exert significant influence over the subject matter of the engagement. 
d. An auditor accepting gifts or preferential treatment from an audited entity, unless the value is trivial or inconsequential. 
e. Senior engagement personnel having a long association with the audited entity. 

3.42     Examples of circumstances that create undue influence threats for an auditor or audit organization include existence of the following: 

a.   External interference or influence that could improperly limit or modify the scope of an engagement or threaten to do so, including exerting pressure to inappropriately reduce the extent of work performed in order to reduce costs or fees. 
b.   External interference with the selection or application of engagement procedures or in the selection of transactions to be examined. 
c.   Unreasonable restrictions on the time allowed to complete an engagement or issue the report.
d.   External interference over assignment, appointment, compensation, and promotion. 
e.    Restrictions on funds or other resources provided to the audit organization that adversely affect the audit organization’s ability to carry out its responsibilities. 
f.    Authority to overrule or to inappropriately influence the auditors’ judgment as to the appropriate content of the report. 
g.   Threat of replacing the auditor or the audit organization based on a disagreement with the contents of an audit report, the auditors’ conclusions, or the application of an accounting principle or other criteria. 
h.   Influences that jeopardize the auditors’ continued employment for reasons other than incompetence, misconduct, or the audited entity’s need for GAGAS engagements. 

3.43     Examples of circumstances that create management participation threats for an auditor follow: 

1.A member of the engagement team being, or having recently been, a principal or senior manager of the audited entity. 
2.An auditor serving as a voting member of an entity’s management committee or board of directors, making policy decisions that affect future direction and operation of an entity’s programs, supervising entity employees, developing or approving programmaticpolicy, authorizing an entity’s transactions, or maintaining custody of an entity’s assets. 
3.An auditor or audit organization recommending a single individual for a specific position that is key to the audited entity or program under audit, or otherwise ranking or influencing management’s selection of the candidate. 
4.An auditor preparing management’s corrective action plan to deal with deficiencies detected in the engagement. 

3.44     Examples of circumstances that create structural threats for an auditor follow: 

1.For both external and internal audit organizations, structural placement of the audit function within the reporting line of the areas under audit. 
2.For internal audit organizations, administrativedirection from the audited entity’s management. 

By the way, performing a non-audit service in addition to your audit is automatically a threat.

Conceptual Framework Step #2 – Evaluate the Significance of the Threat

Did you see yourself inStep 1? If so, proceed to the conceptual framework/trifecta step #2 evaluating the significance of the threat. Whether a threat is a big deal or not is entirely up to your judgment, even though the standard does ask you to imagine a hypothetical judge – the classic “objective third party with knowledge of relevant facts.”

3.46     When evaluating threats to independence, an acceptable level is a level at which a reasonable and informed third party would likely conclude that the audit organization or auditor is independent. The concept of a reasonable and informed third party is a test that involves an evaluation by a hypothetical person. Such a person possesses skills, knowledge, and experience to objectively evaluate the appropriateness of the auditor’s judgments and conclusions. This evaluation entails weighing all the relevant facts and circumstances, including any safeguards applied, that the auditor knows, or could reasonably be expected to know, at the time that the evaluation is made. 

Conceptual Framework Step #3 – Apply Safeguards

If you decide that you or the imaginary third party believes these threats to be significant, you move on to conceptual framework/trifecta step #3: apply safeguards:

3.49     Safeguards are actions or other measures, individually or in combination, that auditors and audit organizations take that effectively eliminate threats to independence or reduce them to an acceptable level. Safeguards vary depending on the facts and circumstances. 

3.50     Examples of safeguards include 

a.   consulting an independent third party, such as a professional organization, a professional regulatory body, or another auditor to discuss engagement issues or assess issues that are highly technical or that require significant judgment; 
b.   involving another audit organization to perform or re-perform part of the engagement; 
c.   having an auditor who was not a member of the engagement team review the work performed; and 
d.   removing an auditor from an engagement team when that auditor’s financial or other interests or relationships pose a threat to independence. 

3.69     The following are examples of actions that in certain circumstances could be safeguards in addressing threats to independence related to nonauditservices: 

a.   not including individuals who provided the nonauditservice as engagement team members; 
b.   having another auditor, not associated with the engagement, review the engagement and nonauditwork as appropriate; 
c.   engaging another audit organization to evaluate the results of the nonauditservice; or 
d.   having another audit organization re-perform the nonauditservice to the extent necessary to enable that other audit organization to take responsibility for the service. 

And, typical of a Yellow Book audit standard, you don’t get to just go through the process in your head. You get to document your reasoning process, too. Yes, you will need another memo!

After applying the conceptual framework, you might be just fine. If you have a threat, you put a safeguard in place and go on your merry way. But if the nature of your threat is caused because you are taking on a non-audit service, a handful of additional requirements apply.

What Is a Nonaudit Service?

A non-audit service is almost anything that you do for the auditee that isn’t an audit. Examples include helping them document internal controls, monitoring transactions on their behalf, or creating financial statements.

Non-audit services are called “consulting services” by other standards. For instance, the IIA divides their standards up into two main pieces, assurance standards andconsulting standards. And the IIA encourages internal auditors to perform consulting engagements in order to add value to their organization.

The GAO wishes you would just stick with auditing and let someone else provide consulting services because they believe that consulting services have an impact on your auditor independence. To make auditors think twice about taking on consulting services (non-audit services), the GAO requires that the client has skills, knowledge, and experience (SKE) and that the client takes responsibility for the product of the non-audit service in writing.


The GAO wants to make sure that the client is sophisticated enough to tell if the auditor made a mistake with the product of their consulting service. Pay close attention to a new sentence at the bottom of 3.79 (bolding added).

3.73     Before auditors agree to provide nonauditservices to an audited entity that the audited entity’s management requested and that could create a threat to independence, either by themselves or in aggregate with other nonauditservices provided, with respect to any GAGAS engagement they conduct, auditors should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience and that the individual understands the services to be provided sufficiently to oversee them. 

3.74     Auditors should document consideration of management’s ability to effectively oversee nonauditservices to be provided. 

3.75     In cases where the audited entity is unable or unwilling to assume these responsibilities (for example, the audited entity does not have an individual with suitable skill, knowledge, or experience to oversee the nonauditservices provided, or is unwilling to perform such functions because of lack of time or desire), auditors should conclude that the provision of these services is an impairment to independence. 

3.79     A critical component of determining whether a threat to independence exists is consideration of management’s ability to effectively oversee the nonauditservice to be provided. Although the responsible individual in management is required to have sufficient expertise to oversee the nonauditservices, management is not required to possess the expertise to perform or re-perform the services. However, indicators of management’s ability to effectively oversee the nonauditservice include management’s ability to determine the reasonableness of the results of the nonauditservices provided and to recognize a material error, omission, or misstatement in the results of the nonauditservices provided. 

ClientMust Take Responsibility in Writing

Once you have documented your application of the conceptual framework, applied safeguards, and decided and documented that the client has SKE, you now create a letter of agreement with the client stating that the client is responsible for the results of the non-audit service.

3.76     Auditors providing nonauditservices to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonauditservices: 

1.assumes all management responsibilities; 
2.oversees the services, by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, or experience; 
3.evaluates the adequacy and results of the services provided; and
4.accepts responsibility for the results of the services. 

The Bottom Line of Auditor Independence: A Review

Again, I recommend that you read the independence section of the Yellow Book yourselfbecause as I summarize and simplify the standard, I naturally have to leave some detail out that might be pertinent to you!  Here again is the bottom line:

  1. apply the conceptual framework when you encounter a threat
  2. document your application of the conceptual framework
  3. if the threat involves a non-audit service, make sure the client has SKE
  4. document the client’s SKE
  5. have the client agree they are responsible for the results of the non-audit service
  6. document this understanding with the client in writing

Notice three levels of documentation: the application of the conceptual framework, the proof of SKE, and the letter assigning responsibility for the subject matter to the client.

Specifically Addressed Non-Audit Services

The GAO knows that auditors are still performing non-audit services, regardless of the GAO’s disdain for them and their repeated warnings. And they also know of a handful of non-audit services that are performed pretty regularly. I want to mention two of thembecause I see these non-audit services being performed quite often myself. One is continuous monitoring and the other is financial statement preparation.

Continuous Monitoring as a Non-Audit Service

Continuous monitoring is always a hot topic at IIA conferences. Continuous monitoring technology allows managers to watch transactions and controls in real time to identify outliers and correct errors or even fraud promptly. But, in a list of non-auditservices that impair auditor independence, the GAO specifically prohibits the auditor from performing internal control monitoring on behalf of the client.

3.97     Auditors should conclude that providing or supervising ongoing monitoring procedures over an entity’s system of internal control impairs independence because the management participation threat created is so significant that no safeguards could reduce the threat to an acceptable level. 

Creating the Financial Statements

The GAO also specifically addresses this non-audit service, and although it does not firmly prohibit auditors from both creating the subject matter of the audit (the financial statements) and opiningon the same subject matter, they do make the auditor think and rethink his or her decision to proceed.

Relevant clauses regarding preparing the financial statements include the following:

3.87     Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: 

1.determining or changing journal entries, account codes or classifications for transactions, or other accounting records for the entity without obtaining management’s approval; 
2.authorizing or approving the entity’s transactions; and 
3.preparing or making changes to source documents without management approval. 

3.88     Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors’ independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 

3.89     Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include 

1.recording transactions for which management has determined or approved the appropriate account classification, or posting coded transactions to an audited entity’s general ledger; 
2.preparing certain line items or sections of the financial statements based on information in the trial balance; 
3. posting entries that an audited entity’s management has approved to the entity’s trial balance; and
4. preparing account reconciliations that identify reconciling items for the audited entity management’s evaluation. 

3.90     Auditors should evaluate the significance of threats to independence created by providing any services discussed in paragraph 3.89 and should document the evaluation of the significance of such threats

So, although the GAO does not expressly prevent auditors from both preparing and auditing the financial statements, the GAO puts up as many barriers as they can:

Barrier # 1: The auditor must identify the preparation of the financials as a threat and apply appropriate safeguards.

Barrier # 2. The auditor must document their rationale that the threat has been mitigated through safeguards or decline the engagement.

Barrier # 3. The auditor must determine that the client has the skills, knowledge, andexperience to be able to tell if the auditor made a mistake in the financials and document that rationale

Barrier #4. The client must take responsibilities for the financials in writing.

That’s enough to keep me away from preparing and auditing the financial statements. How about you?

Professional Judgment

Professional judgment is one of the least specific Yellow Book standards. It is similar to the warning that your mother would give you when you were going out to play, “Be careful!”

Now if mom had given me specific instructions, like “Don’t play in the street,” I would know what she expected of me. But, “Be careful!”? How does a five-year-old know what “careful” looks like? That is similar to what we read in the professional judgment standard. The GAO cautions us to apply professional judgment but then never defines the term. Instead,they offer this explanation:

3.110    Professional judgment includes exercising reasonable care and professional skepticism. 

Yep, sounds like your mama, “Be reasonable, girl! Take care, girl! And don’t let anyone pull the wool over your eyes! It is a wicked world out there.”

Maybe I will show my kids this explanation of professional skepticism some day:

3.110    Attributes of professional skepticism include a questioning mind, awareness of conditions that may indicate possible misstatement owing to error or fraud, and a critical assessment of evidence. Professional skepticism includes being alert to, for example, evidence that contradicts other evidence obtained or information that brings into question the reliability of documents or responses to inquiries to be used as evidence. Further, it includes a mindset in which auditors assume that management is neither dishonest nor of unquestioned honesty. Auditors may accept records and documents as genuine unless they have reason to believe the contrary. Auditors may consider documenting procedures undertaken to support their application of professional skepticism in highly judgmental or subjective areas under audit. 

Maybe that explanation will keep both my kids and us auditors out of trouble.

In the next chapter, we introduce the competency standard. And thoughtfully, the GAO has provided a nice segue for to the topic of competence at the end of Chapter 3:

3.111    Using the auditor’s professional knowledge, skills, and abilities, in good faith and with integrity, to diligently gather information andobjectivelyevaluate the sufficiency and appropriateness of evidence is a critical component of GAGAS engagements. Professional judgment and competence are interrelated because judgments made depend upon the auditor’s competence, as discussed in chapter 4. 

Visit the Yellowbook-CPE.com Student Center
Click to learn more about Yellowbook requirements.


Lost your password?