Why the Yellow Book is Really Gold
Performance Auditing Standards
Greta Bernard MacDonald, MPA Director, Macias Gini & O’Connell LLP
Scott P. Johnson, CPA, CGMA Partner, Macias Gini & O’Connell LLP
As the second article in a three-part series, this piece provides more detail on the professional standards associated with governmental performance audits. It provides discussion on (1) why an agency would want a performance audit instead of a non-audit engagement and vice versa; and (2) what key factors should be considered. As a recap, in Scott Johnson’s first article, “Does Your Organization Have a Need for an Independent Eye on Performance?,” his overview of the differences between engagement types and the applicable standards of each, which then provided a range, from a performance audit under generally accepted government auditing standards as set forth in Government Auditing Standards (commonly referred to as the Yellow Book or GAGAS) to an advisory services engagement under the AICPA’s Statement on Standards for Consulting Services. The forthcoming third article will focus on GAGAS performance audit reporting standards and a sample report outline.
In performance audit trainings, the same story is often told that the group that put the Yellow Book together in the 1970s intended it to have a gold cover; and it was originally titled, “The Golden Rules of Auditing.” While it may be just a myth, the truth of the matter is, regardless of the color assigned to the original book, GAGAS performance audits are the gold standard for governmental operational audits. The standards provide auditors with the framework they need for a solid, fully-supported product – exactly what the public demands for accountability and improvements when it comes to any taxpayer-funded program or operation. Performance audits also provide the end user of the report – citizens, government officials, and legislators, as well as the government entity (client) – with the added assurance of the auditors’ objectivity and independence.
This article is focused on government auditing, which is essential in providing accountability to legislators, oversight bodies, those charged with governance, and the public,1 as well as non-auditing consulting engagements in the government sector. The information presented can be useful to practitioners and clients in making engagement decisions, and for clients to better understand factors to be considered when an engagement opportunity arises.
Performance audits have become a central feature in responding to the need for accountability. This is a clear benefit because they go beyond traditional transactional or financial audits to address the efficiency, effectiveness, and economy of government programs. In terms that financial auditors may relate to, one can look at financial audits and performance audits as the flip sides of the same accountability coin. One side looks at whether management has provided users of financial statements with reliable information, while the other side whether management has met its responsibilities efficiently and effectively. Overall, both Financial and Performance Audits serve the taxpaying public because they hold managers of government programs accountable for the dual roles of ensuring fair representation of financial information and program operations are efficient, effective, or in compliance.
Performance Audits Defined:
Performance audits provide objective analysis that can assist management, and those charged with governance and oversight, in using the audit findings and conclusions which can improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability.2 Performance audits provide findings or conclusions based on evaluation of sufficient, appropriate evidence against specified criteria. Performance audits conducted under GAGAS can provide one of the highest levels of assurance due to the level of work required to develop the required elements of a finding and provide recommendations, as compared to other types of engagements like attestation engagements, where the level of assurance can be lower, based on the objectives of the engagement.3
The professional standards that auditors must follow when conducting governmental performance audits are known as GAGAS, also known as the Yellow Book.4,5 Specifically, the Yellow Book states that GAGAS provides a “framework for conducting high quality engagements with competence, integrity, objectivity, and independence.”6
The Yellow Book is used by auditors of government entities, entities that receive government awards, and other audit organizations performing Yellow Book audits. These audits are “essential in providing accountability to legislators, oversight bodies, those charged with governance, and the public,” and “provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the engagement.”7
1 See Paragraph 1.05 of GAGAS
2 See Paragraphs 1.21 and 8.14
3 Attestation engagement standards are covered in GAGAS Chapter 7, and include agreed-upon-procedures, reviews, and examinations. Examinations have the highest level of assurance of attestation, as an opinion is given, not so for the others. GAGAS incorporates AICPA standards by reference for financial audits and attestation engagements. In addition, AICPA promulgates the consulting standards. AICPA standards committees have taken the position that only the GAO sets performance audit standards.
4 The most recent version of the Yellow Book was issued by the Comptroller General of the United States in July 2018, and is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019.
5 Throughout this article, the terms “GAGAS” and “Yellow Book” are used interchangeably.
6 See Paragraph 1.06 of the Yellow Book.
7 See Paragraph 1.05 of the Yellow Book.
While the role of performance auditing has become more pronounced for audit institutions and state and local governments, especially in determining efficiency and promoting accountability, another product offering is available. The decision between the products can be confusing to both clients and practitioners: Operational assessments, which are in-depth, objective studies or analyses of an organization, can also be performed as non-audits, otherwise known as Consulting Engagements. These are a go-to for accounting firms that serve both corporate and government clients. Consulting engagements are aimed to serve management’s need for specific information or operational improvements when the effort required for an audit is not required. The client is the customer and the end user of the product, as opposed to a performance audit where the public or regulatory body, is the end user. The other important distinction between audits and consulting engagements is the end user of the work product and the client relationship. Consulting engagements are governed by the AICPA’s Statements on Standards for Consulting Services (SSCS) CS Section 100.02, which states that the nature and scope of work is determined solely by the agreement between the practitioner and the client. Generally, the work is performed only for the use and benefit of the client. The latter fact is what sets consulting engagements apart from performance audits. In consulting engagements - there are only two parties involved: the auditor and the client. There is a third party in government audits - the tax paying public or regulatory body, which are the primary beneficiaries of the product. It is important to make the distinction that consulting engagements are non-audit services and GAGAS does not cover these, other than under the topic of independence.
Other Factors for Consideration – Audit vs. Non-Audit
This leads to the most important factor in determining the engagement type - audit or non-audit. What is the purpose of the work (who, what are we looking at?) and the audience of the end product (who is it for?). Governmental audit reports routinely provide assurance to outside parties, especially the general public or other governmental entities.8 Performance audits typically provide historical perspectives of performance, compliance or efficiency, and effectiveness of a particular agency or program, or can provide prospective analysis. These audits are sometimes required by regulations, requested by legislators, and are aimed at determining compliance and/or program efficiency and effectiveness. Consulting engagements – non-audits – provide information, findings, or recommendations to benefit the client, and tend to be more forward-looking. Requests for these engagements typically come from internal management wanting to look into their own operations and for specific information. Sometimes just identifying the audience of the product will point to the appropriate engagement type. For example, if the end product goes nowhere beyond a client’s desk or is limited to distribution internally within a department, then a consulting engagement is preferable. Conversely, if the report will be seen by a governing board, or the intent is to make it a public document, an audit performed under GAGAS may be preferable when there is a need for accountability and recommendations for improvements in efficiency and effectiveness.
It helps to start with the intended user of the report: If it is strictly for management’s internal use, especially if there is a narrow scope of work that management has pre-determined, the non-audit option is preferable. The decision will then depend on factors as shown below. Figure 1.0 below provides an overview of a decision matrix to narrow down the determination of the best approach for the type of engagement.
8 Urton Anderson, Chapter 4 Assurance and Consulting services. 2003 Internal Audit Research Foundation.
Figure 1.0: Decision Matrix
The first major distinction between the two engagement types is the scope. While in a consulting engagement, the objectives are determined by management; in a performance audit, the scope is often determined by the auditor who determines coverage and depth depending on the time, cost, and other constraints. The second distinction lies in the requirement of preliminary work, such as the mandatory risk assessment, fraud questions, and internal control assessment. In a performance audit the auditor can determine the time period covered, sources of evidence, the population to be reviewed, and sample size rationale, and can focus the audit to address risk appropriately.11 These are key components auditors would normally determine in the planning phase of a performance audit, based on a preliminary assessment, risk assessment, and review of internal controls. All of these requirements allow the auditors to determine the focus of the audit as needed.
9 Urton Anderson, Chapter 4 Assurance and Consulting services. 2003 Internal Audit Research Foundation.
10 GAGAS 3.08: A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest. This responsibility is critical when auditing in the government environment. GAGAS embodies the concept of public accountability for public resources, which is fundamental to serving the public interest.
11 See GAGAS paragraphs 8.05 through 8.19 for additional context.
GAGAS 8.16. “Audit risk is the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete, as a result of factors such as evidence that is not sufficient or appropriate, an inadequate audit process, or intentional omissions or misleading information because of misrepresentation or fraud. The assessment of audit risk involves both qualitative and quantitative considerations. Factors impacting audit risk include the time frames, complexity, or sensitivity of the work, size of the program in terms of dollar amounts and number of citizens served, adequacy of the audited entity’s systems, and processes for preventing and detecting inconsistencies, significant errors, or fraud, and auditors’ access to records.”
This is in contrast to consulting engagements where the scope is usually determined by management, and no preliminary work is required. In these engagements, management directs the scope, the time frame, and sometimes even dictates the methodologies to employ, or prescribes the sample size.
GAGAS Provides Consistency Across Audit Organizations
GAGAS ensures consistency of the work for auditors and across the many audit organizations or private companies performing the work. For example, performance auditors are required to adhere to standards during the course of an audit; for instance, Fieldwork Standards. This does not represent the sum total of the requirements. The audit organization and audit team must also comply with a set of standards that include Independence, Quality Control, and Competency standards. With regard to how engagements are staffed, auditors must ensure that adequate and appropriate training occurs. They must exercise professional judgment while exhibiting ethical behavior and, most importantly, it is their responsibility to employ a system of quality control that ensures personnel comply with those professional standards.
The following GAGAS standards highlight what sets performance auditing apart from a consulting engagement and why a performance audit renders the preferable product when the public or regulatory body is the intended audience. Specific standards must be followed when conducting performance audits that serve to ensure sound, well-supported findings in the report, which make the case for change and improvements: Fieldwork Standards, Quality Control and Assurance, and Competence Standards. For each of these standards, the Consulting Standards do not provide detailed information for comparison.
The Independence standards are another key component in differentiating between a Consulting Engagement and a Performance Audit. In the government sector, performance audits are performed by auditors serving the public interest. GAGAS states that, “auditors and audit organizations maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by reasonable and informed third parties.12 Auditors should avoid situations that could lead reasonable and informed third parties to conclude that the auditors are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work.” 13
Consulting engagements are performed by staff that also may conduct audits, but their role in a non-audit service is to serve the client. While objectivity and integrity are required, there is no concern for a lack of independence due to the nature of the work and, thus, Consulting Standards do not address independence. CSS 100.07 states (that staff), “Serve the client interest by seeking to accomplish the objectives established by the understanding with the client while maintaining integrity and objectivity.”
GAGAS does, however, take independence very seriously when it comes to auditors performing non-audit services, and requires that the auditors document that independence has not been compromised by applying the conceptual framework,14 that the client (management) has the skills, knowledge, and experience to oversee the work, and requires management to agree that they are responsible for the results of the consulting engagement.15,16
Chapter 8 of GAGAS provides fieldwork requirements and guidance for performance audits. The purpose of fieldwork requirements is to establish an overall approach for auditors to apply in obtaining reasonable assurance that the evidence is sufficient and appropriate to support the auditors’ findings and conclusions. The fieldwork requirements for performance audits relate to planning the audit, supervising staff, obtaining sufficient, appropriate evidence, and preparing audit documentation. The concepts of reasonable assurance, significance, and audit risk form a framework for applying these requirements. Chapter 8 contains 141 paragraphs related to these sections.
Consulting standards SCSS 100.06 do not provide guidance for performing the engagement or a framework, but in bullet form, do require (1) planning and supervision; and (2) sufficient and relevant data.
Quality Control and Peer Review
An organization that conducts performance audits shows commitment to performing quality assurance work, which can be recognized by the users of the reports, clients, potential clients, and the national standards setters. GAGAS states that each audit organization performing audits in accordance with GAGAS must: a) establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements;17 and b) “must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed.”18 The peer review allows an independent reviewer to look at the design of the audit organization’s system of quality control, and whether the organization is complying with its quality control system so that it has reasonable assurance that it is performing and operating in conformity with professional standards. In other words, these requirements ensure that quality control measures, such as policies and procedures, are in place within the organization that performed the audit, and that quality assurance activities are actually being performed on all audits.
12 GAGAS 3.22
13 GAGAS 3.19
14 See Paragraph 3.64 of GAGAS.
15 See Paragraph 3.76 of GAGAS.
16 See Paragraph 3.107 of GAGAS.
17 See Paragraph 5.02 of GAGAS.
18 See Paragraph 5.60 of GAGAS.
Competence and Continuing Professional Education
The competence requirements provide a guarantee to the client, and those relying on the audit that, in addition to independence and objectivity, staff assigned to the audit (1) have the knowledge of specific GAGAS requirements, as well as the skills and abilities to proficiently apply it to their work; and (2) are current with their continuing professional education requirements and have taken courses to enhance their skills. This ensures a team of staff with a high-level of competency appropriate for each staff level and specific government auditing related training; assigned to each audit. See below for GAGAS 4.16.
AICPA Consulting Standards have general competence standards; however, they are not detailed or specific in terms of type and total amount required. It is assumed that a CPA firm that provides consulting services has their own training requirements; and with CPAs on staff, they must obtain a certain number and type of continuing education depending on the state they are licensed in.
While the competency standards provide an added guarantee that staff performing the work have the required training and experience in government auditing, there is strength in an established multi-disciplinary team that conduct performance audits. Since performance auditing is more similar to program evaluation than financial audits, the staff that conduct performance audits often can have a broad range of educational backgrounds and training, and their experience or specializations provide additional value to the quality of performance audits. Career government auditors and evaluators often have graduate level degrees in Public Administration, Public Policy, Economics and Social Science backgrounds, with experience at federal and state auditor levels, as well as some traditional CPAs with governmental clients.
19 Therefore, each auditor performing work in accordance with GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. Auditors who are involved in any amount of planning, directing, or reporting on GAGAS engagements and auditors who are not involved in those activities, but charge 20 percent or more of their time annually to GAGAS engagements should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) that enhances the auditors’ professional expertise to conduct engagements.
20 See Paragraph 4.16 and 4.25 of the Yellow Book.
Government auditing serves a critical function for accountability and strengthens governance, while the application of GAGAS establishes a foundation for the credibility of the auditor’s work. Engagement quality assurance, peer review requirements, and competency requirements are the real “gold” behind a performance audit. Yellow Book standards assure the client that the findings were intensely scrutinized and sound, while the report is balanced and neutral. There is no question that governmental auditing or consulting of government programs or business units can add value in terms of providing an independent look into operations. While the performance audit framework can be useful when applied to other non-audit advisory engagements, such as a consulting engagement under the AICPA’s Statement on Standards for Consulting Services, there is no substitute for conducting a performance audit in accordance with the Yellow Book when it comes to public accountability of government entities.
Greta Bernard MacDonald, MPA
Director, Macias Gini & O’Connell LLP
Ms. MacDonald has a Bachelor of Arts degree in Economics from California State University, Chico, and a Master of Public Administration from the University of Southern California. She has over 17 years of experience conducting performance audits according to GAGAS. Specifically, she has participated in over 35 performance audits according to GAGAS, in addition to performing dozens of other engagements leading, designing, and conducting risk assessments, operational and compliance audits of state and local government agencies, and non-profit organizations.
Scott P. Johnson, CPA, CGMA
Partner, Macias Gini & O’Connell LLP
Scott Johnson has a combined experience of over 35 years working in the government industry, with over 24 years successfully overseeing government agencies’ internal service operations including: debt management, information technology, human resources, municipal finance, and budget. He has led large and mid-sized operations for California government agencies, including the cities of Santa Clara, Milpitas, San Jose, Oakland, and Concord and the County of Santa Clara. Scott is a past president of the California Society of Municipal Finance Officers (CSMFO), and a member of the AICPA Government Performance and Accountability Committee (GPAC). He is currently a partner with Macias Gini & O’Connell LLP (MGO), leading the Advisory Services sector specializing in State and Local Governments, based out of California.