April 2021 GOVERNMENT AUDITING STANDARDS

United States Government Accountability Office
By the Comptroller General of the United States
April 2021
GOVERNMENT AUDITING STANDARDS
2018 Revision
Technical Update April 2021
Accessible Version
GAO-21-368G

2021 Technical Updates to the 2018 Revision of Government Auditing Standards

The following technical updates have been made to the 2018 revision of Government Auditing Standards (known as the Yellow Book). These technical updates to the 2018 revision of Government Auditing Standards are effective upon issuance.

2018 Revision of Government Auditing Standards:
1.02 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, and ethically within the context of the statutory boundaries of the specific government program.

2021 Technical Updates:
1.02 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, ethically, and equitably within the context of the statutory boundaries of the specific government program.

2018 Revision of Government Auditing Standards:
1.03 As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. Legislators, oversight bodies, those charged with governance, and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, and ethically.

2021 Technical Updates:
1.03 As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. Legislators, oversight bodies, those charged with governance, and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, ethically, and equitably.

2018 Revision of Government Auditing Standards:
1.23 Examples of program effectiveness and results audit objectives include
f. determining whether a program provides access to or distribution of public resources within the context of statutory parameters;

2021 Technical Updates:
1.23 Examples of program effectiveness and results audit objectives include
f. determining whether a program provides equitable access to or distribution of public resources within the context of statutory parameters;

2018 Revision of Government Auditing Standards:
3.83 Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skills, knowledge, and experience of the individual responsible for overseeing the nonaudit service were sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework.

2021 Technical Updates:
3.83 Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework.

2018 Revision of Government Auditing Standards:
8.42 If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify whether specific controls are significant to the audit objectives. Determining which internal control components and principles and/or specific controls are significant to the audit objectives is a matter of professional judgment.

2021 Technical Updates:
8.42 If internal control is significant to the audit objectives, auditors determine which of the five components of internal control are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify the underlying principles, control objectives, or specific controls that are significant to the audit objectives. Determining which internal control components, principles, control objectives, and/or specific controls are significant to the audit objectives is a matter of professional judgment.

Page i GAO-21-368G Government Auditing Standards

2018 Revision of Government Auditing Standards:
8.49 If internal control is determined to be significant to the audit objectives, auditors should assess and document their assessment of the design, implementation, and/or operating effectiveness of such internal control to the extent necessary to address the audit objectives.

2021 Technical Updates:
8.49 If internal control is determined to be significant to the audit objectives, auditors should plan and perform audit procedures to assess internal control to the extent necessary to address the audit objectives.

2018 Revision of Government Auditing Standards:
9.30 If some but not all internal control components are significant to the audit objectives, the auditors should identify as part of the scope those internal control components and underlying principles that are significant to the audit objectives.

2021 Technical Updates:
9.30 When reporting on the scope of their work on internal control, auditors should identify the scope of internal control assessed to the extent necessary for report users to reasonably interpret the findings, conclusions, and recommendations in the audit report.

2018 Revision of Government Auditing Standards:
9.32 Control components and underlying principles that are not considered significant to the audit objectives may be identified in the scope if, in the auditors’ professional judgment, doing so is necessary to preclude a misunderstanding of the breadth of the conclusions of the audit report and to clarify that control effectiveness has not been evaluated as a whole. Auditors may also identify and describe the five components of internal control so that report users understand the scope of the work within the context of the entity’s internal control system.

2021 Technical Updates:
9.32 Auditors may identify the control components, underlying principles, control objectives, or specific controls assessed in describing the scope of their work on internal control. Auditors may also identify the level of internal control assessment performed, as discussed in paragraph 8.50. Control components and underlying principles that are not considered significant to the audit objectives may be identified in the scope if, in the auditors’ professional judgment, doing so is necessary to preclude a misunderstanding of the breadth of the conclusions of the audit report and to clarify that control effectiveness has not been evaluated as a whole. Auditors may also identify and describe the five components of internal control so that report users understand the scope of the work within the context of the entity’s internal control system.

Conforming changes have been made to the figures to reflect the technical updates.

Contents

Letter

Chapter 1: Foundation and Principles for the Use and Application of Government Auditing Standards
  Introduction
  Types of GAGAS Users
  Types of GAGAS Engagements
  Financial Audits
  Attestation Engagements and Reviews of Financial Statements
  Performance Audits
  Terms Used in GAGAS
  The GAGAS Format

Chapter 2: General Requirements for Complying with Government Auditing Standards
  Complying with GAGAS
  Relationship between GAGAS and Other Professional Standards
  Stating Compliance with GAGAS in the Audit Report

Chapter 3: Ethics, Independence, and Professional Judgment
  Ethical Principles
  The Public Interest
  Integrity
  Objectivity
  Proper Use of Government Information, Resources, and Positions
  Professional Behavior
  Independence
  GAGAS Conceptual Framework Approach to Independence
  Provision of Nonaudit Services to Audited Entities
  Consideration of Specific Nonaudit Services
  Documentation
  Professional Judgment

Chapter 4: Competence and Continuing Professional Education
  Competence
  Continuing Professional Education

Chapter 5: Quality Control and Peer Review
  Quality Control and Assurance
  System of Quality Control
  Leadership Responsibilities for Quality within the Audit Organization

  Independence, Legal, and Ethical Requirements
  Initiation, Acceptance, and Continuance of Engagements
  Human Resources
  Engagement Performance
  Monitoring of Quality
  External Peer Review
  Additional Requirements for Audit Organizations Not Affiliated with Recognized Organizations

Chapter 6: Standards for Financial Audits
  Additional GAGAS Requirements for Conducting Financial Audits
  Compliance with Standards
  Licensing and Certification
  Auditor Communication
  Results of Previous Engagements
  Investigations or Legal Proceedings
  Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
  Findings
  Audit Documentation
  Availability of Individuals and Documentation
  Additional GAGAS Requirements for Reporting on Financial Audits
  Reporting the Auditors’ Compliance with GAGAS
  Reporting on Internal Control; Compliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements; and Instances of Fraud
  Presenting Findings in the Audit Report
  Reporting Findings Directly to Parties outside the Audited Entity
  Obtaining and Reporting the Views of Responsible Officials
  Reporting Confidential or Sensitive Information
  Distributing Reports

Chapter 7: Standards for Attestation Engagements and Reviews of Financial Statements
  Examination Engagements
  Compliance with Standards
  Licensing and Certification
  Auditor Communication
  Results of Previous Engagements
  Investigations or Legal Proceedings
  Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
  Findings

  Examination Engagement Documentation
  Availability of Individuals and Documentation
  Reporting the Auditors’ Compliance with GAGAS
  Reporting Deficiencies in Internal Control
  Reporting on Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements or Instances of Fraud
  Presenting Findings in the Report
  Reporting Findings Directly to Parties outside the Audited Entity
  Obtaining and Reporting the Views of Responsible Officials
  Reporting Confidential or Sensitive Information
  Distributing Reports
  Review Engagements
  Compliance with Standards
  Licensing and Certification
  Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
  Reporting Auditors’ Compliance with GAGAS
  Distributing Reports
  Agreed-Upon Procedures Engagements
  Compliance with Standards
  Licensing and Certification
  Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
  Reporting Auditors’ Compliance with GAGAS
  Distributing Reports
  Reviews of Financial Statements
  Compliance with Standards
  Licensing and Certification
  Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
  Reporting Auditors’ Compliance with GAGAS
  Distributing Reports

Chapter 8: Fieldwork Standards for Performance Audits
  Planning
  Auditor Communication
  Investigations or Legal Proceedings
  Results of Previous Engagements
  Assigning Auditors
  Preparing a Written Audit Plan
  Conducting the Engagement
  Nature and Profile of the Program and User Needs

  Determining Significance and Obtaining an Understanding of Internal Control
  Assessing Internal Control
  Internal Control Deficiencies Considerations
  Information Systems Controls Considerations
  Provisions of Laws, Regulations, Contracts, and Grant Agreements
  Fraud
  Identifying Sources of Evidence and the Amount and Type of Evidence Required
  Using the Work of Others
  Supervision
  Evidence
  Overall Assessment of Evidence
  Findings
  Audit Documentation
  Availability of Individuals and Documentation

Chapter 9: Reporting Standards for Performance Audits
  Reporting Auditors’ Compliance with GAGAS
  Report Format
  Report Content
  Reporting Findings, Conclusions, and Recommendations
  Reporting on Internal Control
  Reporting on Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
  Reporting on Instances of Fraud
  Reporting Findings Directly to Parties outside the Audited Entity
  Obtaining the Views of Responsible Officials
  Report Distribution
  Reporting Confidential or Sensitive Information
  Discovery of Insufficient Evidence after Report edgments
  Comptroller General’s Advisory Council on Government Auditing Standards (2016-2020)
  GAO Project Team
  Staff Acknowledgments

Figures

Figure 1: Generally Accepted Government Auditing Standards Conceptual Framework for Independence
Figure 2: Independence Considerations for Preparing Accounting Records and Financial Statements
Figure 3: Developing Peer Review Communications for Observed Matters in Accordance with Generally Accepted Government Auditing Standards
Figure 4: Consideration of Internal Control in a Generally Accepted Government Auditing Standards an Institute of Certified Public Accountants

AR-C: AICPA Codification of Statements on Standards for Accounting and Review Services
AT-C: AICPA Codification of Statements on Standards for Attestation Engagements
AU-C: AICPA Codification of Statements on Auditing Standards
CPA: certified public accountant
CPE: continuing professional education
GAGAS: generally accepted government auditing standards
IAASB: International Auditing and Assurance Standards Board
IT: information technology
OMB: Office of Management and Budget
PCAOB: Public Company Accounting Oversight Board
SAS: Statements on Auditing Standards
SSAE: Statements on Standards for Attestation Engagements

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

441 G St. N.W.
Washington, DC 20548
Comptroller General of the United States

Letter

Audits provide essential accountability and transparency over government programs. Given the current challenges facing governments and their programs, the oversight provided through auditing is more critical than ever. Government auditing provides the objective analysis and information needed to make the decisions necessary to help create a better future. The professional standards presented in this 2018 revision of Government Auditing Standards (known as the Yellow Book) provide a framework for performing high-quality audit work with competence, integrity, objectivity, and independence to provide accountability and to help improve government operations and services. These standards, commonly referred to as generally accepted government auditing standards (GAGAS), provide the foundation for government auditors to lead by example in the areas of independence, transparency, accountability, and quality through the audit process.

This revision contains major changes from, and supersedes, the 2011 revision. These changes, summarized below, reinforce the principles of transparency and accountability and strengthen the framework for high-quality government audits.

· All chapters are presented in a revised format that differentiates requirements and application guidance related to those requirements.
· Supplemental guidance from the appendix of the 2011 revision is either removed or incorporated into the individual chapters.
· The independence standard is expanded to state that preparing financial statements from a client-provided trial balance or underlying accounting records generally creates significant threats to auditors’ independence, and auditors should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level or decline to perform the service.
· The peer review standard is modified to require that audit organizations comply with their respective affiliated organization’s peer review requirements and GAGAS peer review requirements. Additional requirements are provided for audit organizations not affiliated with recognized organizations.
· The standards include a definition for waste.
· The performance audit standards are updated with specific considerations for when internal control is significant to the audit objectives.

Effective with the implementation dates for the 2018 revision of Government Auditing Standards, GAO is also retiring Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005) and Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014).

This revision of the standards has gone through an extensive deliberative process, including public comments and input from the Comptroller General’s Advisory Council on Government Auditing Standards (Advisory Council). The Advisory Council consists of experts in financial and performance auditing and reporting from federal, state, and local government; the private sector; and academia. The views of all parties were thoroughly considered in finalizing the standards.

The 2018 revision of Government Auditing Standards is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019. Early implementation is not permitted.

An electronic version of this document can be accessed at http://www.gao.gov/yellowbook.

I extend special thanks to the members of the Advisory Council for their extensive input and feedback throughout the process of developing and finalizing the standards.

Gene L. Dodaro
Comptroller General of the United States
July 2018

Chapter 1: Foundation and Principles for the Use and Application of Government Auditing Standards

1.01 This chapter provides guidance for engagements conducted in accordance with generally accepted government auditing standards (GAGAS). This chapter also
a. explains the types of auditors and audit organizations that may employ GAGAS to conduct their work,
b. identifies the types of engagements that may be conducted in accordance with GAGAS, and
c. explains terminology that is commonly used in GAGAS.

Introduction

1.02 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, ethically, and equitably within the context of the statutory boundaries of the specific government program.

1.03 As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. Legislators, oversight bodies, those charged with governance, and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, ethically, and equitably.

1.04 “Those charged with governance” refers to the individuals responsible for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting process, subject matter, or program under audit, including related internal controls. Those charged with governance may also be part of the entity’s management. In some audited entities, multiple parties may be charged with governance, including oversight bodies, members or staff of legislative committees, boards of directors, audit committees, or parties contracting for the engagement.

1.05 Government auditing is essential in providing accountability to legislators, oversight bodies, those charged with governance, and the public. GAGAS engagements provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the engagement.

1.06 The professional standards and guidance contained in this document provide a framework for conducting high-quality engagements with competence, integrity, objectivity, and independence. Auditors of government entities, entities that receive government awards, and other entities, as required by law or regulation or as they elect, may use these standards. Overall, GAGAS contains standards for engagements comprising individual requirements that are identified by terminology as discussed in paragraphs 2.02 through 2.10. GAGAS contains requirements and guidance dealing with ethics, independence, auditors’ professional judgment and competence, quality control, peer review, conducting the engagement, and reporting.

1.07 Engagements conducted in accordance with GAGAS provide information used for oversight, accountability, transparency, and improvements of government programs and operations. GAGAS contains requirements and guidance to assist auditors in objectively obtaining and evaluating sufficient, appropriate evidence and reporting the results. When auditors conduct their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, better decision making and oversight, effective and efficient operations, and accountability and transparency for resources and results.

1.08 Laws, regulations, contracts, grant agreements, and policies frequently require that engagements be conducted in accordance with GAGAS. In addition, many auditors and audit organizations voluntarily choose to conduct their work in accordance with GAGAS. The requirements and guidance in GAGAS in totality apply to engagements pertaining to government entities, programs, activities, and functions, and to government assistance administered by contractors, nonprofit entities, and other nongovernmental entities when the use of GAGAS is required or voluntarily adopted.

1.09 The following are some of the laws, regulations, and other authoritative sources that require the use of GAGAS:
a. The Inspector General Act of 1978, as amended (5 U.S.C. App.), requires that the federal inspectors general appointed under that act comply with GAGAS for audits of federal establishments, organizations, programs, activities, and functions. The act further states that the inspectors general shall take appropriate steps to assure that any work performed by nonfederal auditors complies with GAGAS.
b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the Government Management Reform Act of 1994 (Public Law 103-356), requires that GAGAS be followed in audits of major executive branch departments’ and agencies’ financial statements. The Accountability of Tax Dollars Act of 2002 (Public Law 107-289) generally extends this requirement to most executive agencies not subject to the Chief Financial Officers Act.
c. The Single Audit Act Amendments of 1996 (Public Law 104-156) requires that GAGAS be followed in audits of state and local governments and nonprofit entities that receive federal awards. Subpart F of OMB’s Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (2 C.F.R. part 200), which provides the government-wide guidelines and policies on conducting audits to comply with the Single Audit Act, reiterates the requirement to use GAGAS.

1.10 Other laws, regulations, or authoritative sources may require the use of GAGAS. For example, auditors at the state and local government levels may be required by state and local laws and regulations to follow GAGAS. Also, auditors may be required by the terms of an agreement or contract to follow GAGAS. Auditors may also be required to follow GAGAS by federal audit guidelines pertaining to program requirements. Being aware of such other laws, regulations, or authoritative sources may assist auditors in performing their work in accordance with the required standards.

1.11 Even if not required to do so, auditors may find it useful to follow GAGAS in conducting engagements pertaining to federal, state, and local government programs as well as engagements pertaining to state and local government awards that contractors, nonprofit entities, and other nongovernmental entities administer. Though not formally required to do so, many audit organizations, both in the United States and in other countries, voluntarily follow GAGAS.

Types of GAGAS Users

1.12 GAGAS provides standards that are used by a wide range of auditors and audit organizations that audit government entities, entities that receive government awards, and other entities. These auditors and audit organizations may also be subject to additional requirements unique to their environments. Examples of the various types of users who may be required or may elect to use GAGAS include the following:
a. Contract auditors: audit organizations that specialize in conducting engagements pertaining to government acquisitions and contract administration
b. Certified public accounting firms: public accounting organizations in the private sector that provide audit, attestation, or review services under contract to government entities or recipients of government funds
c. Federal inspectors general: government audit organizations within federal agencies that conduct engagements and investigations relating to the programs and operations of their agencies and issue reports both to agency management and to third parties external to the audited entity
d. Federal agency internal auditors: internal government audit organizations associated with federal agencies that conduct engagements and investigations relating to the programs and operations of their agencies
e. Municipal auditors: elected or appointed officials in government audit organizations in the United States at the city, county, and other local government levels
f. State auditors: elected or appointed officials in audit organizations in the governments of the 50 states, the District of Columbia, and the U.S. territories
g. Supreme audit institutions: national government audit organizations, in the United States or elsewhere, typically headed by a comptroller general or auditor general

Types of GAGAS Engagements

1.13 This section describes the types of engagements that audit organizations may conduct in accordance with GAGAS. This description is not intended to limit or require the types of engagements that may be conducted in accordance with GAGAS.

1.14 All GAGAS engagements begin with objectives, and those objectives determine the type of engagement to be conducted and the applicable standards to be followed. This document classifies financial audits, attestation engagements, reviews of financial statements, and performance audits, as defined by their objectives, as the types of engagements that are covered by GAGAS.

1.15 In some GAGAS engagements, the standards applicable to the specific objective will be apparent. For example, if the objective is to express an opinion on financial statements, the standards for financial audits apply. However, some engagements may have objectives that could be met using more than one approach. For example, if the objective is to d
