The Yellow Book Encourages Auditors to Embrace Their Internal ‘Control Freak’

February 13, 2019


I have lovingly been called a ‘control freak’ a few times by my friends and family, but my family and friends are blissfully unaware of what my profession as an auditor entails and how auditors eat, breathe, and sleep internal controls.


Directed by the Government Accountability Office’s (GAO) Yellow Book standards, public sector auditors consider internal controls in almost every step of the audit process. At a minimum, auditors must consider internal controls when gaining an understanding of the audit subject matter, assessing risk, designing testing, drawing conclusions, and reporting findings.
 
With the 2018 version of the Yellow Book, internal controls will now be on auditors’ minds even more! The biggest change to the 2018 Yellow Book for performance auditors is the inclusion of references to the 2014 Green Book, an internal control standard. This article presents key clauses regarding internal controls that you and your team should be aware of in the 2018 Yellow Book.

Formal Titles of the Yellow and Green Books

The Yellow Book is another name for Generally Accepted Government Auditing Standards. The 2018 version of the Yellow Book has a new format and includes a variety of new paragraphs to align the Yellow Book more closely with AICPA standards.
 
The Green Book is another name for Standards for Internal Control in the Federal Government (issued in 2014). The Green Book is the federal government’s version of the 2013 COSO (Committee of Sponsoring Organizations of the Treadway Commission) model of internal controls. The Green Book is the gold standard of internal controls according to the Yellow Book as well as the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.
 
Both the Yellow Book and the Green Book are authored by the GAO, the legislative auditor for the federal government. You can find free copies of the Yellow Book and the Green Book on the GAO’s website (www.gao.gov).

A Focus on Internal Controls

By referring to the Green Book inside of the 2018 Yellow Book, the GAO is calling on auditors to:

Expand internal control documentation

The Green Book breaks the five components of internal control (i.e., control environment, risk assessment, control activities, information and communication, and monitoring), which were included in the original COSO model published in 1992, into 17 new underlying principles. The 2018 Yellow Book asks auditors to document controls using this more granular structure:
  • Section 8.40: “If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control.”
  • Section 8.42: “If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives…”

As a result, your documentation of internal controls needs to include the 17 principles as well as the five components. This will increase the volume of the internal control documentation significantly. However, it is not as bad as it sounds because you are only responsible for evaluating controls relevant to your audit objective.

Therefore, if you limit your objectives–both in number and in scope–you will reduce your documentation burden. Do you want some advice on writing limited objectives? Then check out the IIA’s “Engagement Planning: Establishing Objectives and Scope” Practice Guide at https://tinyurl.com/IIA-Engagement-Planning-Guide published in 2017.
 
Additionally, the GAO is working on a tool to help auditors document the 17 principles for internal controls and anticipates having it ready in the spring of 2019.

Increase disclosures in the audit report

The GAO promotes the concept of transparency and encourages auditors to tell the readers of the audit report about the auditor’s responsibilities regarding internal controls. Now, the GAO asks auditors to address–you guessed it–the 17 principles in the audit report.
  • Section 9.29: “When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed.”
  • Section 9.30: “If some but not all internal control components are significant to the audit objectives, the auditor should identify as part of the scope those internal control components and underlying principles that are significant to the audit objectives.”

Again, more granularity and more volume. The more objectives you cover in your audit, the bigger this section of the audit report will be. (Side note: the objective, scope and methodology sections for GAO audit reports often run over six pages!)

Internal controls are the cause

The GAO is not just in the business of pushing auditors to keep up with the latest techniques and models; they are also willing to share their hard-earned audit wisdom, such as the five elements (also known as the “five C’s”) of a finding. The GAO puts solid legs on the concept of transparency by requiring auditors to use the elements of a finding to describe each reportable condition. The auditor describes any reportable condition they find in detail by sharing the condition, effect, cause, criteria, and corrective action (i.e., recommendation) for any issue.
 
Out of these five elements, the cause is often the most difficult to identify and support with evidence. Thankfully, the new Yellow Book gives us a key to writing a finding that can make it easier for auditors to find and support the cause:
  • Section 8.129: “The cause of a finding may relate to an underlying internal control deficiency…”
  • Section 8.130: “Considering internal control in the context of a comprehensive internal control framework, such as Standards for Internal Control in the Federal Government or Internal Control—Integrated Framework, can help auditors determine whether underlying internal control deficiencies exist as the root cause of findings…”

This means that, ideally, the condition statement should state the problem and the cause statement should describe the control weakness that caused the problem. For example, if you find that the student financial aid office gave financial aid to ineligible students, the condition could say that ineligible students are receiving financial aid and the cause is that no one reviewed the applications against eligibility criteria (i.e., a control weakness).
 
By encouraging auditors to use the control weakness as the cause, the GAO is also, by default, encouraging auditors to perform two kinds of testing—a test of fact to support the condition and a test of controls to support the cause.

If the auditor ignores the advice of the GAO and starts with the control weakness as the condition, the cause ends up being vaguely personal and mildly insulting because it is hard to say why a control failed without blaming someone. For instance, if the condition is that no one reviewed the applications against eligibility criteria, where do you go with the cause? You might have to say that the student financial aid staff needs training (implying they are not too smart) or that they did not prioritize their work properly (a euphemism for poor time management).
 
Both of these causes are personal and hard to back up with evidence. Auditors following the Yellow Book performance audit standards assert that they used evidence to support their findings, as stated in section 9.03, “We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.”
 

Why All This Hubbub About Internal Controls?

The GAO encourages auditors to be more thorough in evaluating internal controls. As a result, in a back door sort of way, auditors will end up indirectly educating the managers of government-funded programs on internal controls and holding those managers to a higher standard. Better internal controls should lead to improvements in government programs and processes, which will ultimately be good for us all.
 
The renewed emphasis on internal control documentation is onerous, but it is good for you, program managers, and the taxpayer alike. The introductory letter to the 2018 Yellow Book sums this up nicely:

“Audits provide essential accountability and transparency over government programs. Given the current challenges facing governments and their programs, the oversight provided through auditing is more critical than ever. Government auditing provides the objective analysis and information needed to make the decisions necessary to help create a better future.”

What Should a Forward-Thinking Auditor Do Now?

The new Yellow Book takes effect for performance audits beginning after July 1, 2019. Therefore, it is important to be prepared.
 
Does your whole team understand the 17 principles? If not, it is time to learn and embrace the principles, which are now necessary for internal control documentation. Stay on the lookout for GAO’s tool for documenting internal controls. In the interim, you could create something yourself and practice using it to document internal controls.
 
Look at how you structure your findings and ask yourself if your causes are valid. Are causes backed up with evidence? Did you use a control weakness as the cause or as the condition? Make sure you are performing both tests of fact and tests of controls so that you can support your finding with evidence.
 
Please also take time to read sections 8.39-8.58 and 9.29-9.34 of the Yellow Book as the GAO has significantly revamped their requirements regarding internal controls in these sections. Make sure you feel comfortable that your team is on track to comply.
 
If you do all this, you can shrug off anyone who shames you and proudly declare yourself an ‘internal control freak.’

About the Author

Leita Hart-Fanta

Leita Hart-Fanta, CPA, CGFM, CGAP is the founder of YellowBook-CPE and the author of “The Yellow Book Interpreted” and “The Green Book: Standards for Internal Control.” She has taught seminars for over 500 audit teams and regularly teaches audit reporting and audit essentials courses for university, government, and corporate auditors.
 
