The New 2006 Yellow Book

Going “GAGAS” for the GAO
Yellow Book
FGFOA Annual
Conference
Boca Raton, FL
June 24, 2013
Kristen A. Kociolek
1
Session Objectives
• Provide a general overview of the Yellow Book
• Highlight areas revised in the 2011 Yellow Book,
especially focusing on independence
• Use of conceptual framework
• Documentation requirements
2
Introduction:
Yellow Book = “GAGAS”
GAGAS—Generally Accepted Government
Auditing Standards
• Broad statements of auditors’ responsibilities
• An overall framework for ensuring that auditors
have the competence, integrity, objectivity, and
independence in planning, conducting, and
reporting on their work
• For financial audits and attestation
engagements, incorporates and builds on the
AICPA standards (SASs and SSAEs)
3
Primary Yellow Book Changes
• Updated independence
• Included a conceptual framework
• Added documentation requirements
• Additional documentation in independence
• Focus on non-audit services
• Focused on converging where practical
• Incorporated clarified SASs
• Fewer differences
• Made several revisions to details of the
performance audit chapters
4
The 2011 Yellow Book
Applicability
• Chapters 1, 2, and 3 apply to all GAGAS
engagements
• Chapter 1: Government Auditing: Foundation and
Ethical Principles
• Chapter 2: Standards for Use and Application of
GAGAS
• Chapter 3: General Standards
• Chapter 4: Standards for Financial Audits – applies
only to financial audits
• Chapter 5: Standards for Attestation Engagements – applies
only to attestation engagements
5
The 2011 Yellow Book
Applicability (continued)
• Chapters 6 and 7 apply only to performance audits
• Chapter 6: Field Work Standards for Performance
Audits
• Chapter 7: Reporting Standards for Performance
Audits
• Appendix: Provides additional guidance (not
requirements) for all GAGAS engagements
• Interpretations: Available on the Yellow Book web
page. Provide additional guidance (not requirements)
for areas of particular interest or sensitivity.
6
2011 Yellow Book
Effective Dates
• Effective for financial audit periods ending on
or after December 15, 2012
• Effective for attestation periods ending on or
after December 15, 2012
• Effective for performance audits starting on
or after December 15, 2011
• Independence may be impacted before the
beginning of an engagement
7
Chapter 1: Foundation and Ethical
Principles
• Provide a framework for conducting
high quality audits with competence,
integrity, objectivity, and
independence
• For use by auditors of government
entities and entities that receive
government awards
8
Chapter 2: Types of GAGAS
Engagements
• All audits begin with objectives, and those
objectives determine the type of audit to be
performed and the applicable standards to be
followed.
• The types of audits that are covered by GAGAS,
as defined by their objectives, are classified in
the Yellow Book as
• financial audits,
• attestation engagements, and
• performance audits.
9
Chapter 2: Financial Audits
• Financial audits provide an independent
assessment of and reasonable assurance about
whether an entity’s reported financial condition,
results, and use of resources are presented fairly
in accordance with recognized criteria
• Financial audits performed under GAGAS
include
• Financial statement audits
• Other types of financial audits
10
Chapter 2: Attestation Engagements
• In addition to financial audits
• Attestation engagements can cover a broad
range of financial or non-financial objectives and
may provide different levels of assurance about
the subject matter or assertion depending on the
users’ needs.
• The three types of attestation engagements are:
• Examination
• Review
• Agreed-Upon Procedures
11
Chapter 2: Performance Audits
• Performance audits are defined as audits that
provide findings or conclusions based on an
evaluation of sufficient, appropriate evidence
against criteria
• Performance audits provide objective analysis
to assist management and those charged with
governance and oversight in using the
information to
• Improve program performance and operations
• Reduce costs
• Facilitate decision making, and
• Contribute to public accountability
12
Chapter 2: Use of Terminology
• Standardized language to define the auditor
requirements
• Consistent with SAS No. 102:
• Must indicates an unconditional requirement
• Should indicates a presumptively mandatory
requirement
• Text not using the above conventions is
considered explanatory material
• Interpretive publications are recommendations
on the application of GAGAS in specific
circumstances
13
Chapter 2: Standards for the Use
and Application of GAGAS
Clarified citing compliance with GAGAS
• Determining appropriate GAGAS compliance
statement is a matter of professional judgment
• Departures from presumptively mandatory
requirements
• Using GAGAS with other standards
14
Chapter 3: General Standards
• Independence
• Conceptual framework
• Provision of nonaudit services to auditees
• Professional judgment
• Competence
• Technical knowledge
• Continuing Professional Education
• Quality Assurance
• System of quality assurance
• Peer review
15
Chapter 3: Independence
• The following from the 2007 Yellow Book has been
removed from the 2011 revision:
• definition of independence in terms of personal,
external, and organizational independence, and
• the overarching principles that applied to assessing
nonaudit services.
• The 2011 revision
• requires “independence of mind” and “independence
in appearance” (para 3.03)
• and establishes a risk-based conceptual framework
within which to evaluate seven broad categories of
“threats to independence.”
16
17
Chapter 3: Independence
Timeframes
• Impairment exists during
• The period of the audit – usually the fiscal year
• The professional engagement
• usually starts with earlier of start of planning
or engagement agreement.
• usually ends on the last report date.
• Depending on the circumstances, independence
may be impacted beyond this timeframe.
• Recurring engagement may mean that some
activities or circumstances will always impair.
18
Chapter 3: Applying the Framework
• New approach combines a conceptual
framework with certain rules (prohibitions)
• Balances principle and rules based standards
• Serves as a hybrid framework
• Certain prohibitions remain
• Generally consistent with Rule 101 AICPA
• Beyond a prohibition
• Apply the conceptual framework
• Will be used more often than AICPA
19
Chapter 3: Applying the Framework
(continued)
Threats could impair independence
• Do not necessarily result in an independence
impairment
Safeguards could mitigate threats
• Eliminate or reduce to an acceptable level
20
Chapter 3: Applying the Framework
(continued)
Conceptual Framework:
1. Identify threats to independence
2. Evaluate the significance of the threats identified, both
individually and in the aggregate
3. Apply safeguards as necessary to eliminate the threats
or reduce them to an acceptable level
4. Evaluate whether the safeguard is effective
Documentation Requirement:
Para 3.24: When threats are not at an acceptable level
and require application of safeguards, auditors should
document the safeguards applied.
21
GAGAS Conceptual Framework for
Independence (flowchart)
1. Assess condition or activity for threats to independence
2. Threat identified?
• No: Proceed
• Yes: go to step 3
3. Is threat related to a nonaudit service?
• No: go to step 5
• Yes: go to step 4
4. Is the nonaudit service specifically prohibited in GAGAS paragraphs
3.36 or 3.49 through 3.58?
• Yes: Independence impairment; do not proceed
• No: go to step 5
5. Assess threat for significance. Is threat significant?
• No: Proceed
• Yes: go to step 6
6. Identify and apply safeguard(s)
7. Assess safeguard(s) effectiveness. Is threat eliminated or reduced to
an acceptable level?
• No: Independence impairment; do not proceed
• Yes: go to step 8
8. Document nature of threat and any safeguards applied, then proceed
22
Chapter 3: Categories of Threats
1. Management participation threat
2. Self-review threat
3. Bias threat
4. Familiarity threat
5. Undue influence threat
6. Self interest threat
7. Structural threat
23
Chapter 3: Examples of Safeguards
• Reassign individual staff members who may
have a threat to independence.
• Have separate staff perform the non-audit and
audit services.
• Have professional staff from outside of the team
review the work.
• Use or consult with an independent third party.
• Involve another audit organization.
• Decline to do the requested scope of the nonaudit service.
24
Chapter 3: Routine Audit Services
and
Nonaudit Services
Routine audit services pertain directly to the audit
and include:
• Providing advice related to an accounting
matter
• Researching and responding to an audited
entity’s technical questions
• Providing advice on routine business matters
• Educating the audited entity on technical
matters
Other services not directly related to the audit are
considered nonaudit services
25
Chapter 3: Routine Audit Services
and
Nonaudit Services (continued)
Services that are considered nonaudit services include:
• Financial statement preparation
• Bookkeeping services
• Cash to accrual conversions (a form of
bookkeeping)
• Other services not directly related to the audit
Unless specifically prohibited, nonaudit services MAY be
permissible but should be documented
• In relation to the conceptual framework
• In relation to the auditor’s assessment of
management’s skill, knowledge or experience
26
Chapter 3: Prohibited Nonaudit
Services
Management Responsibilities:
• setting policies and strategic direction for the audited entity;
• directing and accepting responsibility for the actions of the
audited entity’s employees in the performance of their routine,
recurring activities;
• having custody of an audited entity’s assets;
• reporting to those charged with governance on behalf of
management;
• deciding which of the auditor’s or outside third party’s
recommendations to implement;
• accepting responsibility for the management of an audited
entity’s project;
27
Chapter 3: Prohibited Nonaudit
Services (continued)
Management Responsibilities (cont):
• accepting responsibility for designing, implementing, or
maintaining internal control;
• providing services that are intended to be used as
management’s primary basis for making decisions that are
significant to the subject matter of the audit;
• developing an audited entity’s performance measurement
system when that system is material or significant to the
subject matter of the audit; and
• serving as a voting member of an audited entity’s
management committee or board of directors.
28
Chapter 3: Prohibited Nonaudit
Services (continued)
IT Services:
• Design or develop an IT system that would be subject to or
part of an audit.
• Make significant modifications to an IT system’s source code.
• Operate or supervise an IT system.
Internal Controls
• May not provide ongoing monitoring services.
• May not design the system of internal controls and then
assess its effectiveness.
Full list of prohibited services: para 3.36 and para
3.49 – 3.58
29
Chapter 3: Nonaudit Services Commonly
Requested of Government Auditors
• Signing off on an agency’s policies and procedures
• Establishing a strategic plan for an agency
• Determining the priority for implementing audit
recommendations
• Participating in human capital decisions for key
government staff
• Participating in committees as a voting member
30
Chapter 3: Nonaudit Services
1. Determine if there is a specific prohibition.
Unless specifically prohibited, nonaudit services
MAY be permitted but should be documented.
2. If not prohibited, assess the nonaudit service’s
impact on independence using the conceptual
framework.
3. If the auditor assesses any identified threat to
independence as higher than insignificant,
assess the sufficiency of audited entity
management’s skill, knowledge, and experience
to oversee the nonaudit service.
And…
31
Chapter 3: Nonaudit Services
(continued)
4. If the auditor concludes that performance of the
nonaudit service will not impair independence,
document assessments in relation to both:
• safeguards applied in accordance with the
conceptual framework and
• the auditor’s assessment of sufficiency of
audited entity management’s skill, knowledge
or experience to oversee the nonaudit service
(paragraph 3.34).
32
Chapter 3: Preconditions to Performing
Nonaudit Services
• Management should take responsibility for
nonaudit services performed by the auditors
• Auditors should document (GAGAS and AICPA)
their understanding with management regarding
the nonaudit service
• Auditors should assess (AICPA) and document
(GAGAS) whether management possesses
suitable skill, knowledge, or experience to
oversee the nonaudit service
33
Chapter 3: Assessing
Management’s Skill, Knowledge, or
Experience
Factors to document include management’s:
• Understanding of the nature of the service
• Knowledge of the audited entity’s mission and
operations
• General business knowledge
• Education
• Position at the audited entity
Some factors may be given more weight than others
GAGAS does not require that management have the
ability to perform or reperform the service
34
Chapter 3: Sufficiency of Skills,
Knowledge and Experience
Sufficient skills, knowledge and experience may be
judged in part based on:
• Ability of the identified client personnel to identify material
errors or misstatements in a nonaudit service work
product
• The client having sufficient background to understand
the nature and results of the audit service
• Ability of management to take responsibility and
understand the work
Client prepared material in poor condition may indicate the
client is not capable of taking responsibility for the service.
Significant audit findings and adjustments may also be
indicative of this issue.
35
Chapter 3: Bookkeeping Services
May be performed provided the auditor does not
• Determine or change journal entries, account
codings or classifications for transactions, or other
accounting records without obtaining client approval
• Authorize or approve transactions
• Prepare source documents
• Make changes to source documents without client
approval
Consistent with AICPA ET 101-3
36
Chapter 3: Financial Statement
Preparation
Auditors may prepare financial statements
• Considered by GAGAS a nonaudit service
• Must apply the conceptual framework
• Two additional documentation requirements
• Document application of safeguards
• Document assessment of management’s skill,
knowledge or expertise
37
Chapter 3: Assessing Significance for
Bookkeeping and Financial Statement
Preparation
Relative significance is a continuum
• Indicators of significant threats for bookkeeping and
financial statement preparation may include:
• Financial statement preparation with other non-audit
services such as bookkeeping or cash to accrual
conversions
• Condition of client prepared books and records
• Level of anticipated “correction” or adjustments to
client prepared schedules and documents
• Condition of the general ledger/trial balance
• Less significant may be:
• Purely mechanical calculations
38
Chapter 3: Independence
Documentation Requirements
Para 3.59 summarizes documentation requirements for
independence:
• Threats that require the application of safeguards along
with the safeguards applied (3.24)
• Safeguards in place if an audit organization is structurally
located within a government entity (3.30)
• Consideration of sufficiency of audited entity management’s
skill, knowledge, and experience to take responsibility for
and effectively oversee the nonaudit services (3.34)
• The auditor’s understanding with an audited entity
regarding nonaudit services to be provided (3.39)
39
Case Study #1
• Can ABC Audit Firm prepare the financial
statements of We Help People (WHP), a not-for-profit
organization, and remain independent
under the AICPA and Yellow Book Standards?
a. Yes
b. No
c. Maybe
40
Case Study #1 (continued)
• ABC has proposed in excess of 50 adjusting
entries to correct WHP financial statements. Is
ABC independent with respect to WHP?
a. Yes
b. No
c. Maybe
41
Case Study #1 (continued)
• ABC has also identified the following issues:
• WHP’s trial balance is not in balance
• The balance sheet has account balances that appear to
be materially wrong—assets with credit balances and
liabilities with debit balances
• Bank reconciliations are materially different from the
trial balance
• ABC has been asked by WHP to do whatever
necessary to get the books in order to complete
the audit. ABC can take on this role:
a. Yes
b. No
42
Chapter 3: Continuing Professional
Education (CPE)
No revision to overall requirements:
• Minimum of 24 hours of CPE every 2 years
• Government
• Specific or unique environment
• Auditing standards and applicable accounting
principles
• Additional 56 hours of CPE for auditors involved in
• Planning, directing, or reporting on GAGAS
assignments; or
• Charge 20 percent or more of time annually to
GAGAS assignments
• Minimum of 20 hours of CPE each year
43
Chapter 3: Competence
CPE requirements for external specialists:
• External specialists are not required to meet
GAGAS CPE requirements, but should be
qualified and maintain professional competence
44
Chapter 3: Competence (continued)
CPE requirements for internal specialists:
• Internal specialists serving as auditors are
subject to all CPE requirements
• Specialized CPE count towards the required 24
hours
• Internal consulting specialists are not required
to meet GAGAS CPE requirements, but should
be qualified and maintain professional
competence
45
Chapter 3: Quality Control and
Assurance
Each audit organization performing audits or
attestation engagements in accordance with
GAGAS must:
• establish a system of quality control that is designed
to provide the audit organization with reasonable
assurance that the organization and its personnel
comply with professional standards and applicable
legal and regulatory requirements, and
• have an external peer review at least once every 3
years.
46
Chapter 3: System of Quality Control
• Each audit organization must document its quality control
policies and procedures and communicate those policies and
procedures to its personnel.
• Added a requirement that the quality control policies and
procedures collectively address:
• Leadership responsibilities for quality within the audit
organization
• Independence, legal, and ethical requirements
• Initiation, acceptance, and continuance of audit and
attestation engagements
• Human resources
• Audit and attestation engagement performance,
documentation, and reporting
• Monitoring of quality
47
Chapter 3: Changes to Quality
Control Monitoring Procedures
Audit organizations should analyze and summarize,
in writing, the results of monitoring procedures at
least annually:
• Include identification of any systemic issues
needing improvement
• Include recommendations for corrective action
• Communicate deficiencies noted to appropriate
personnel and make recommendations for
remedial action
48
Chapter 3: Changes Related to
Peer Reviews
The peer review team uses professional judgment
in deciding the type of peer review report. The
following are the types of peer review reports:
• Peer review rating of pass
• Peer review rating of pass with deficiencies
• Peer review rating of fail
49
Chapter 3: External Peer Reviews
Transparency of peer review
• Audit organization should make the most recent peer review report
publicly available
• Audit organizations seeking to enter into a contract to perform an
audit in accordance with GAGAS should provide a copy of the most
recent peer review report and any subsequent peer review reports
received during the period of the contract
• Auditors who are using another audit organization’s work should
request a copy of the audit organization’s latest peer review report.
50
Chapter 4: Financial Audits – Overall Changes
• Considered Clarity Project conventions
• Streamlined language to harmonize with AICPA
• Clarified additive requirements
• Combined 2007 GAGAS chapters 4 and 5 into
one chapter (2011 GAGAS chapter 4)
No new requirements were added for financial
audits and attestation engagements
51
Chapter 4: Special Considerations for
Government Engagements
Applying certain AICPA standards
• Materiality
• Early communication of deficiencies (SAS No.
115)
52
Chapter 4: Financial Audits: SAS 125
Alert That Restricts the Use of the
Auditor’s Written Communication
SAS 125 makes a special provision for the
GAGAS report on internal control over
financial reporting and compliance.
• Don’t use the communication required for
other audits. Instead, the alert should:
• Describe the purpose of the
communication, and
• State that the communication is not
suitable for any other purpose.
53
Chapter 4: SAS 125: Sample Language
for GAGAS Report on ICFR and
Compliance
“The purpose of this report is solely to describe the
scope of our testing of internal control over financial
reporting and compliance, and the results of that
testing, and not to provide an opinion on the
effectiveness of the entity’s internal control over
financial reporting or on compliance. This report is
an integral part of an audit performed in accordance
with Government Auditing Standards in considering
the entity’s internal control over financial reporting
and compliance. Accordingly, this report is not
suitable for any other purpose.”
54
Chapter 5: Attestation Engagements
Separated attest requirements
• Examination
• Review
• Agreed-Upon Procedures
Update considerations
• Identified practice issue
• Clarified distinctions between engagement
types
• Emphasized AICPA reporting requirements
55
Chapter 5: Attestation Engagements
(continued)
Within each section, emphasized
• Citing compliance with GAGAS
• Required elements of AICPA reporting
• Communicating the services to be performed
56
Chapter 6: Field Work Standards for
Performance Audits
Guidance for conducting performance audits,
including
• Planning the audit
• Supervising staff
• Obtaining sufficient, appropriate evidence
• Preparing audit documentation
57
Chapter 6: Overall Framework for
Performance Audits
• Level of assurance associated with a performance
audit
• Provide reasonable assurance that the evidence is
sufficient and appropriate to support the auditors’ findings
and conclusions
• Concept of significance
• Defined as the relative importance of a matter within the
context in which it is being considered, including
quantitative and qualitative factors
• Audit risk
• Defined as the possibility that the auditor’s findings,
conclusions, recommendations, or assurance may be
improper or incomplete
58
Chapter 6: Planning for Performance
Audits
• Auditors must adequately plan and document the
planning of the work necessary to address the audit
objectives
• Auditors should assess audit risk and significance by
gaining an understanding of:
• Nature and profile of the program and user needs
• Internal control
• Information systems controls
• Legal and regulatory requirements, contract provisions or
grant agreements, fraud, or abuse
• Previous audits
• Auditors should prepare a written audit plan
59
Chapter 6: Audit Risk Considerations for
Performance Audits
Auditors must plan the audit to reduce
audit risk to an appropriate level for the
auditors to provide reasonable assurance
that the evidence is sufficient and
appropriate to support the auditors’
findings and conclusions
Chapter 6: Fraud Considerations
for Performance Audits
In planning the audit, auditors should assess risks of fraud
occurring that is significant within the context of the audit
objectives
Auditors should
• Discuss fraud risks among the audit team
• Gather and assess information to identify risks of fraud that are significant
within the scope of the audit objectives or that could affect the findings and
conclusions
When auditors identify factors or risks related to fraud that has
occurred or is likely to have occurred that are significant within
the context of the audit objectives, they should design procedures
to provide reasonable assurance of detecting such fraud
Chapter 6: Abuse Considerations
for Performance Audits
• If auditors become aware of indications of abuse that
could be quantitatively or qualitatively significant to the
program under audit, auditors should apply audit
procedures specifically directed to ascertain
• The potential effect on the program under audit within the
context of the audit objectives
• However, because the determination of abuse is
subjective, auditors are not required to provide
reasonable assurance of detecting abuse
• After performing additional work, auditors may discover
that the abuse represents potential fraud or illegal acts
Chapter 6: Sufficient, Appropriate
Evidence
Appropriateness is defined as a measure of
quality of evidence that encompasses the
relevance, validity, and reliability of evidence
used for addressing the audit objectives and
supporting findings and conclusions.
Sufficiency is defined as a measure of quantity
of evidence used for addressing the audit
objectives and supporting findings and
conclusions.
63
Chapter 6: Technical Changes
• The definition of validity as an aspect of the quality of
evidence has been revised:
• the extent to which evidence is a meaningful or
reasonable basis for measuring what is being
evaluated. In other words, validity refers to the extent
to which evidence represents what it is purported to
represent. (6.60b)
• The assessment of the sufficiency and appropriateness of
computer-processed information includes
considerations regarding the completeness and accuracy
of the data for the intended purposes. (6.66) (For additional
guidance, see GAO publication, Assessing the Reliability of Computer-Processed
Data)
64
Chapter 6: Overall Assessment
• Overall assessment of the collective evidence to support
the findings and conclusions
• Assessment of evidence depends on the nature of the
evidence, how it is used, and the audit objectives
• Evidence is sufficient and appropriate when it provides a
reasonable basis for supporting the findings or conclusions
within the context of the audit objectives
65
Chapter 6: Documentation for
Performance Audits
• Auditors must prepare audit documentation
related to planning, conducting, and reporting for
each audit.
• Auditors should document the following:
• the objectives, scope, and methodology of the audit
• the work performed to support significant judgments and
conclusions
• evidence of supervisory review, before the audit report is
issued, of the work performed that supports findings,
conclusions, and recommendations contained in the audit
report
66
Chapter 7: Reporting Standards for
Performance Audits
Guidance for reporting on performance audits,
including
• Reporting Form
• Report Contents
• Distributing Reports
67
Chapter 7: Report Contents
• Auditors should prepare audit reports that
contain
• Objectives, scope, and methodology of the audit
• Audit results, including findings, conclusions, and
recommendations, as appropriate
• Statement about the auditors’ compliance with
GAGAS
• Summary of the views of responsible officials
• Nature of any confidential or sensitive information
omitted
68
Chapter 7: Technical Changes
• The fraud reporting requirement is now limited to
occurrences that are significant within the
context of the audit objectives (7.21), with a
requirement to communicate in writing other
instances of fraud that warrant the attention of
those charged with governance. (7.22)
• Early communication of deficiencies has been
added as a consideration auditors may follow in
the course of the performance audit. (6.78)
69
Chapter 7: Citing Compliance in the Audit
Report
GAGAS statement in audit report
When auditors comply with all applicable GAGAS
requirements, they should use the following
language in the report:
“We conducted this performance audit in accordance with
generally accepted government auditing standards. Those
standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based
on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.”
70
Appendix:
Supplemental Guidance
Added an appendix to provide supplemental
guidance to assist auditors in the
implementation of GAGAS
• Does not establish additional GAGAS requirements
• Overall supplemental guidance includes examples of
• Deficiencies in internal control
• Abuse
• Fraud Risk
• Overall guidance includes guidance on determining
whether laws, regulations, or provisions of contracts are
significant
71
Where to Find the Yellow Book
• The Yellow Book is available on
GAO’s website at:
www.gao.gov/yellowbook
• For technical assistance, contact us at
yellowbook@gao.gov
(202) 512-9535
72
Standards for Internal Control
in the Federal Government
Standards for Internal Control in
the Government
Going Green
Reasons for Green Book Revision
• Last issued in November 1999
• Adapt to a more global, complex, and technological
landscape
• Maintain relevancy to changing standards
• Harmonize federal standards with the updated
Committee of Sponsoring Organizations of the Treadway
Commission (COSO) Framework
74
What’s in Green Book for
State and Local Governments?
• May be an acceptable framework for internal
control on the state and local government level
under proposed OMB Uniform Guidance for
Federal Awards
• Written for government
• Leverages the COSO Framework
• Uses government terms
75
What’s in Green Book for
Management and Auditors?
• Provides a framework for management
• Provides criteria for auditors
• Can be used in conjunction with other standards,
e.g. Yellow Book
76
The Yellow Book: Framework for
Audits
• Findings are composed of
• Condition (What is)
• Criteria (What should be)
• Cause
• Effect (Result)
• Recommendation (as applicable)
77
Linkage Between Criteria (Yellow Book)
and Internal Control (Green Book)
• Green Book provides
criteria for the design,
implementation, and
operating effectiveness of
an effective internal control
system
78
The Yellow Book: Framework for
Audits
• Findings are composed of
• Condition (What is)
• Criteria (What should be)
• Cause
• Effect (Result)
• Recommendation (as applicable)
79
Linkage Between Findings (Yellow Book)
and Internal Control (Green Book)
• Findings may have causes
that relate to internal control
deficiencies
80
Green Book and Yellow Book
• Can be used by
management to
understand
requirements
• Can be used by
auditors to
understand criteria
81
Where to Find the Green Book
• Once exposed, the Green Book will be on GAO’s
website at: www.gao.gov
• For technical assistance, contact us at:
greenbook@gao.gov
82
Questions?
83