I have some great news to share!
On April 14, 2021, the GAO issued a technical update to the 2018 Yellow Book. The update is like a beautiful spring bouquet for performance auditors because it eliminates two requirements that were overcomplicating a performance auditor’s work regarding internal control.
What were the complications?
The 2018 version of the Yellow Book required performance auditors to document and report on the application of the 17 principles of internal control to their audit objectives (that is, if internal controls were relevant to the audit objectives!) AND to document whether the auditor was evaluating the design, implementation and/or the operating effectiveness of internal controls.
The first requirement was much too granular and the second was nonsensical.
Thankfully, the GAO has eliminated the language causing these complications in the technical update to the 2018 Yellow Book.
The 17 principles started off innocently enough
The 17 principles began innocently enough and were designed to help readers digest the COSO model.
The first version of the COSO model – issued in 1992 – was full of thick paragraphs and convoluted language that was often misinterpreted. The 2013 version of the COSO model sought to assuage some of that confusion by breaking the large paragraphs that described each of the 5 components of internal control into smaller chunks that the COSO organization called “17 underlying principles.” And those smaller chunks -the 17 underlying principles – were, indeed, fabulously edifying.
Next, in 2014, the GAO copied the 2013 COSO model into a document they call the Green Book. The Green Book’s formal title is Standards for Internal Control in the Federal Government.
So as of 2014, all is well. Everyone digs the new, clearer standards on internal controls. But then the GAO takes the logical next step. When the GAO issues the 2018 Yellow Book (formally titled Goverment Auditing Standards) they integrate terms and concepts from the Green Book into the Yellow Book.
Here is where it went off the rails
However this next – seemingly logical – step is where the GAO went too far.
In 2018, the GAO decided not just to include the clarifying concepts from the Green Book in that year’s revision of the Yellow Book, but instead required auditors to document and report on their application of the 17 principles.
So a concept that was initially intended to be helpful (breaking the 5 components into 17 more discreet principles) was now a mandatory documentation and reporting burden for auditors.
And I can’t help but point out that adding the 17 principles to the audit report was almost comical, as most audit report users do not understand, need, or desire that level of detail about internal controls. I imagine hundreds of users looking at the updated performance audit report language regarding internal controls and uttering, “Huh?”
The GAO recognizes the challenge
I really have to hand it to the GAO and again thank them for acknowledging the challenge of applying the new standards. The GAO has always been about truth, transparency and accountability and this technical update certainly models those qualities for the audit community.
You see this technical update was not part of the GAO’s original plan. My understanding is that the GAO created a tool in 2018 to help auditors apply the 17 principles to their audit and shopped it around to leaders in the government audit community for comment. The audit community balked at the complexity of the tool and the GAO withdrew it, promising to issue another version of the tool before too long.
Now, almost three years later, instead of issuing another, more manageable version of the tool, the GAO has wisely changed course and instead eliminated the requirements that made the new tool necessary.
A nonsensical requirement was also removed
As a last little tidbit regarding the technical update to the 2018 Yellow Book… years ago, I wrote to the GAO asking them to explain new language in the 2018 Yellow Book that asked auditors to choose whether they were evaluating the ‘design, implementation, and operating effectiveness’ of controls.
I argued that if a control was not operating effectively, it was probably because it was not well designed and/or not implemented. I went on to say that asking auditors to evaluate the ‘operating effectiveness’ of a control was therefore redundant and unnecessary.
Obviously, I was not the only one to struggle with this requirement, so they have, thankfully, eliminated that language in the technical update to the 2018 Yellow Book.
Where can you find the technical update to the 2018 Yellow Book?
To see your own copy of the technical update to the 2018 Yellow Book follow this link and scroll to pages i and ii.
I will talk about the concept of equity, which was added back to the Yellow Book through this technical update, in a future newsletter.