I’ve had a few months to digest the changes to the 2018 Yellow Book (Government Auditing Standards),and I’ve taught a few seminars and webinars about the changes. Most of the changes do not shock my audiences. But I am noticing that quite a few auditors are not familiar with the Green Book which was published by the GAO in 2014. This is not good because the Green Book is by far the biggest change to the Yellow Book.
The Green Book is the GAO’s version of the COSO model, and its formal title is “Standards for Internal Control in the Federal Government.”
Here are some quotes from one of the performance audit chapters in the 2018 Yellow Book that give performance auditors pause. (Financial auditors please read the section below titled ‘Financial auditors should be pleased.’) I added bolding to draw your eye to some new terms that I’d like you to notice.
8.41 Consideration of internal control in a performance audit begins with determining the significance of internal control to the audit objectives and documenting that determination. Some factors that may be considered when determining the significance of internal control to the audit objectives include
a.the subject matter under audit, such as the program or program component under audit, including the audited entity’s objectives for the program and associated inherent risks;
b.the nature of findings and conclusions expected to be reported, based on the needs and interests of audit report users;
c. the three categories ofentity objectives (operations, reporting, and compliance); and
d. the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and the integration of the components.
8.42 If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify whether specific controls are significant to the audit objectives. Determining which internal control components and principles and/or specific controls are significant to the audit objectives is a matter of professional judgment.
8.47 Approaches for obtaining an understanding of internal control may vary and may include consideration of entity-level controls, transaction- level controls, or both. However, even when assessing only transaction- level controls, it may be beneficial to gain an understanding of entity-level controls that may affect transaction-level controls by obtaining a broad understanding of the five components of internal control at the entity level. This involves considering the relationships between the components, which work together in an integrated manner in an effective internal control system, and the principles of internal control that support each component. In addition to obtaining a broad understanding of internal control at the entity level, auditors may also obtain an understanding of internal control at the transaction level for the specific programs and processes under audit.
Here is an infographic from the Green Book that explains the highlighted terms:
The terms “three categories of entity objectives” appear at the top of the cube and the terms “five components of internal control” appear on the face of the cube. The seventeen “principles of internal control that support each component” are presented in a stack on the bottom left side of the infographic.
Nice infographic, now what?
Yes, the cube is cute and the stack is pretty… but so what? What does all this new language mean to performance auditors, practically? What the cube and the stack are illustrating is the most up-to-date structure for approaching internal controls. This means that performance auditors are going to have to change the way they document internal controls. The GAO is working on a tool right now to help you with this task, but it won’t be published until the spring of 2019.
So if you want to implement these changes in your internal control documentation now, you will need to create something yourself. Here are a few tools developed by forward thinking audit shops that might get your creative juices flowing:
The Florida Department of Economic Opportunity: http://www.
To save time…
As you can tell, this is going to be a lot of work! But before you start looking for another job, there is something you can do to minimize the documentation. You can refine your objective early in the audit process! The Yellow Book says auditors are only responsible for documenting internal controls that are relevant to the audit objective. Thank you, GAO! So, the more specific you are about your audit objectives, the less controls you will end up having to document! If you dig into controls AFTER you have performed your inherent risk assessment and refined your audit objectives, you will conserve precious audit resources and, maybe, be able to tolerate your job for another year or two.
If you want to know more about the Green Book and how to narrow your audit objectives, please check out these resources:
Newsletter explaining the Green Book: http://yellowbook-cpe.
A webinar or book on internal controls: http://yellowbook-
A newsletter explaining how to narrow objectives: http://yellowbook-
Or an on-demand video on audit objectives: http://yellowbook-
Financial auditors should be pleased
Financial auditors should be celebrating a rare moment when not much in the Yellow Book is new to them. Right now, the AICPA is driving the changes to the GAO standards, and financial auditors have been adjusting to the AICPA standards as they come out.
But performance auditors are not going to be able to join in on the celebration because the changes to the Yellow Book are new to them. Although, technically, performance auditors do not have to follow AICPA standards, performance auditors indirectly get dragged into the changes prompted by the AICPA anyway because the GAO seeks to keep the Yellow Book consistent throughout. So when the GAO plays along with the AICPA in the financial audit standards, they also have to play along with the AICPA in the performance audit standards.
In my next newsletter, I will discuss how internal control weaknesses can serve as the cause of a well-built finding.
Thanks for everything you do to keep the government running!