In response to the increase in the number and dollar amount of governmental programs and services, governmental auditing standards - as from time to time established by the U.S. General Accounting Office - were revised in 1981 and 1988. Many changes continue to occur to the governmental environment, leading to a demand for increased accountability by those entrusted with public funds. To ensure that standards remain current and meet the needs of the audit community and the public, the GAO revised the auditing standards again in June 1994.

The official title of the latest revision is Government Auditing Standards: 1994 Revision, and in keeping with the tradition that has led its informal name, it is also dressed in a yellow cover. The final 1994 revision represents a significant reversal of what the GAO wanted to do with the document. The GAO (as can be seen in the public statements of Comptroller General Charles Bowsher and Chief Accountant Donald Chapin) believes strongly in the importance of effective internal control systems - especially those related to safeguarding of assets and compliance with laws and regulations - where U.S. government funds are involved. The GAO initially sought to expand generally accepted government auditing standards (GAGAS), to include more emphasis on internal control testing and reporting than is now required by AICPA GAAS. For example the exposure draft would have required auditors to perform procedures separately for the control environment and the control procedures for safeguarding assets considered vulnerable to loss or misappropriation.

However, there was considerable opposition to including such expanded requirements in the revised standards. In light of SAS No. 55, Consideration of the Internal Control Structure in a Financial Statement Audit, guidance and the expanded discussion of internal controls in the report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its addendum, many respondents believed additional yellow-book requirements in the area of internal control were not needed. The final 1994 revision was responsive to these concerns. Instead of requiring additional audit work in the areas of control environment assessment and safeguarding of assets, the revision states, "GAGAS do not prescribe additional internal control standards for financial statement audits."

Rather than expand GAAS, the GAO chose to interpret and give guidance about what following GAAS means as it relates to government audits. But auditors should be on notice that the GAO wants internal controls to receive coverage in the audit to the full extent required by GAAS. It is safe to say, that if that does not occur, future revisions may revisit the need for additional GAO standards in this area.

Organization of the 1994 Revision

The 1994 revision is organized in an identical fashion to its 1988 predecessor. Both had seven chapters bearing the same rifles. The first three chapters give general guidance and relate to both financial audits and performance audits. Chapters four and five present the standards of field work and reporting of financial audits and chapters six and seven do the same for performance audits. This discussion will be confined to standards as they relate to the performance of financial audits.

Again like its predecessor, the 1994 revision sets forth four general standards for the conduct of government audits. The first three are basically the same as the three general standards of AICPA GAAS. They relate to the professional proficiency of the staff assigned, independence, and due professional care. The fourth general standard requires that each audit organization have an appropriate internal quality control system and undergo an external quality control review. This later standard is changed somewhat from the 1988 version which only required that the firm participate in an external quality control system. Now the requirement is to undergo a review.

The discussion of the third general standard relating to the exercising of due professional care in the conduct of audits is significantly shortened in the 1994 revision. The 1988 discussion included such issues as "materiality and significance," "relying on the work of others," "audit follow-up," and "audit scope impairments." In the 1994 revision these discussions were moved to the chapter on field work or dropped.

Of particular note under the general standards having to do with proficiency of the auditor, the continuing education requirements under the 1994 revision are unchanged.

The description of field-work and reporting standards in the 1994 revision, as in its predecessor, starts with the AICPA standards to which are added "additional standards" to satisfy GAGAS. In the 1988 version the additional standards were called "supplemental" standards. The change in wording presumably elevates the additional standards to the same level as GAAS.

As noted, the approach taken for 1994 is to take full advantage of AICPA GAAS by adding interpretive discussions as to what GAAS means in the governmental audit. As a result, there is somewhat less specific additional guidance. For example, the requirement that workpapers "contain a written audit program cross-referenced to the working papers" is not included in the 1994 revision.

The Important Changes

The more important changes in the fieldwork and reporting standards in the 1994 revision relate to -

* internal control awareness;

* communication about additional testing of controls;

* compliance with laws and regulations;

* reporting audit results; and

* other procedural requirements.

Increased Awareness of the Importance of Internal Control

The revised standards provide greater guidance about four aspects of internal controls: 1) control risk assessments, 2) control environment, 3) safeguarding controls, and 4) controls over compliance with laws and regulations. This guidance, even though not phrased in the form of procedural requirements, reminds auditors about the importance of internal control and related judgments.

The 1994 revision discusses issues related to control risk and its assessment in greater detail. It acknowledges auditors need not assess control below the maximum, but goes on to remind auditors of the work to be performed in those instances where control risk is assessed below the maximum to improve effectiveness and efficiency. It also reminds auditors that it may be necessary to reconsider the original assessment of control risk when substantive tests detect misstatements. The revision also reminds auditors that control environment related judgments can influence assessments about specific control procedures and vice versa.

The new revision also notes the importance of internal controls related to safeguarding of assets, and states that "because preventing or detecting material misappropriation is an objective of safeguarding controls, understanding those controls can be essential to planning the audit." In addition, the revision suggests that a detailed understanding of such controls can help in recognizing risk factors such as -

* failure to adequately monitor decentralized operations;

* lack of controls over activities;

* lack of controls over computer processing;

* failure to develop or communicate policies and procedures for safety of data or assets; and

* failure to investigate significant unreconciled differences.

Communication About Additional Testing of Controls

As an additional reporting standard of GAGAS, the 1994 revision requires that auditors communicate to the audit committee, or to individuals with whom they contract to perform the audit, information about -

* auditors' responsibilities in a financial statement audit, including responsibilities for testing and reporting on internal controls and compliance with laws and regulations, and

* the nature of any additional testing of internal controls and compliance required by laws and regulations.

While such information can be communicated orally or in writing, if oral communication is used, it should be documented appropriately in the working papers.

The 1994 revision specifically notes that auditors should be familiar with requirements that exceed those specified in the yellow book in the areas of internal control and compliance with laws and regulations to comply with the following:

* The Single Audit Act of 1984,

* OMB Circulars A-128 and A-133, and

* The Chief Financial Officers Act of 1990.

In addition, many state and local governments have similar additional requirements.

Even after such additional requirements have been complied with, certain user needs in the areas of internal control and compliance may remain unmet. Such needs can be met by performing supplemental (or agreed-upon) procedures or an examination, resulting in an opinion.

Compliance with Laws and Regulations

Under AICPA GAAS, auditors are required to test compliance with laws and regulations that could have a direct and material impact on financial statement accounts. An additional field-work standard of the 1994 revision goes beyond this by requiring that auditors design the audit to provide reasonable assurance of detecting "material misstatements resulting from noncompliance with provisions of contracts or grant agreements that have a direct and material effect on the determination of financial statement amounts." If auditors become aware of specific information that provides evidence about noncompliance that could have an indirect material effect, audit procedures specifically designed to ascertain whether such noncompliance has occurred are required.

The discussion in the 1994 revision about illegal acts acknowledges that compliance with GAAS (and therefore GAGAS) will not guarantee the discovery of illegal acts or contingent liabilities resulting from them. It further acknowledges, "nor does the subsequent discovery of illegal acts committed during the audit period necessarily mean that the auditors' performance was inadequate, provided the audit was made in accordance with these standards."

Reporting Changes

As did the 1988 version, the 1994 revision requires that audit reports specifically include a statement that the audit was performed in accordance with GAGAS. As discussed in the accompanying sidebar, in practice, rather than refer to GAGAS, reports made reference to the official name of the yellow book, Government Auditing Standards.

The exposure draft of the 1994 revisions would have permitted auditors in some situations to issue reports using language different from that required under the AICPA's reporting standards. If an auditor decided that alternative language in the report would better serve the intended users of the report, such a report could have been issued under the exposure draft. However, there was considerable opposition expressed in comments received in response to the exposure draft. Consistent with such criticism, the final revision dropped changes with respect to report language.

The 1994 revision changes reporting requirements for internal control and compliance reporting. Prior yellow book standards required auditors to report on compliance with laws and regulations with a statement of positive assurance on items tested for compliance and a statement of negative assurance on items not tested. They also required auditors to classify and list the elements of an entity's internal-control structure for reporting purposes. These requirements have been deleted. instead, the 1994 revision requires there be a report on internal controls and compliance including -

* scope of the testing of compliance with laws and regulations and internal controls, and

* results of such tests, including irregularities, illegal acts, and other material noncompliance.

The report also should include any "reportable conditions" relating to internal controls. Reportable conditions are defined in SAS No. 60, Communication of Internal Control Structure Related Matters Noted in an Audit. The 1994 yellow book provides many examples of matters that may be reportable conditions.

The 1994 revision interprets the requirements with respect to reporting of illegal acts. It says the auditor is required to report irregularities or illegal acts directly to outside parties under two circumstances. First, the auditee may be required by law to communicate such matters to specified external patties. If the auditee fails to do so, auditors should communicate awareness of such failure to the auditee's governing body. Second, if management fails to take remedial steps and the irregularity or illegal act involves assistance received directly or indirectly from a government agency, auditors may have to report directly to the auditee's governing body or to the entity that provided government assistance and also, when necessary, to appropriate law enforcement authorities.

Other Procedural Requirements

GAAS requires that auditors maintain a record of their work in the form of working papers. Under AICPA standards, auditors can support their work by other means in addition to working papers, since the purpose of working papers is to provide primary support for the audit report and to help in the conduct and supervision of the audit. GAGAS requirements are more strict since the audits are subject to review and oversight by others on a more frequent basis. The 1994 revision requires as an additional GAGAS standard that working papers be sufficient "to enable an experienced auditor having no previous connection with the audit subsequently to ascertain from them the evidence that supports the auditors' significant conclusions and judgments."

In governmental audits, programs of common interest may be audited by different auditors. Hence, the 1994 revision notes that auditors should make their working papers available, upon request, to other auditors to avoid duplication of audit effort. To avoid confidentiality problems and to comply with professional ethics requirements, the contractual arrangements for audits performed trader the yellow book's guidance should provide for access to working papers by those likely to need such access.

Auditors may rely on the work of internal auditors. In the 1998 version, specific guidance was given for reliance on their work. In the 1994 revision, such guidance has been eliminated under the assumption that GAAS guidance is sufficient.

The 1994 revision requires that auditors provide a copy of their most recent external quality control review report to 1) persons responsible for procuring audit services, 2) other auditors using their work, and 3) appropriate oversight bodies.

Effective, Not Just Efficient

The 1994 revision to the yellow book contains some significant changes to governmental auditing practice, especially in the areas of internal control related testing and communication, audit reporting, and compliance with laws and regulations. These changes seek to promote reliable assessments of governmental performance with an emphasis on effective - not just efficient - use of resources. The revised standards are effective for audits of periods ending on or after January 1, 1995 and for performance audits beginning on or after January 1, 1995. Early application is permissible.

RELATED ARTICLE: REPORTABLE CONDITIONS

The yellow book lists deficiencies in internal controls that auditors should report. Examples of reportable conditions include the following:

* Absence of appropriate segregation of duties consistent with appropriate control objectives;

* Absence of appropriate reviews and approvals of transactions, accounting entries, or systems output;

* Inadequate provisions for the safeguarding of assets;

* Evidence of failure to safeguard assets from loss, damage, or misappropriation;

* Evidence that a system fails to provide complete and accurate output consistent with the auditee's control objectives because of the misapplication of control procedures;

* Evidence of intentional override of internal controls by those in authority to the detriment of the overall objectives of the system;

* Evidence of failure to perform tasks that are part of internal controls, such as reconciliations not prepared or not timely prepared;

* Absence of a sufficient level of control consciousness within the organization;

* Significant deficiencies in the design or operation of internal controls that could result in violations of laws and regulations having a direct and material effect on the financial statements; and

* Failure to follow up and correct previously identified deficiencies in internal controls.

RELATED ARTICLE: GAGAS ARE BACK

Prior to the 1988 revision to the "yellow book," when its official title was Standards for Audit of Government Organizations, Programs, Activities, and Functions, it was common to refer to generally accepted government auditing standards or GAGAS. The auditor's report relating to an audit subject to the "yellow book" often included reference to both generally accepted auditing standards (GAAS) and generally accepted government auditing standards (GAGAS). The 1998 revision carried the title Government Auditing Standards on the cover, but on the inside, also referred to "Standards for Audit of Governmental Organizations, Programs, Activities, and Functions." A requirement supplement of the 1988 revision said:

A statement should be made in the auditor's report that the audit was made in accordance with generally accepted government auditing standards.

In practice, however, based principally on the suggested wording of the AICPA audit guide Audits of State and Local Governmental Units, auditors stated their audits were conducted in accordance with GAAS and Government Auditing Standards, referring specifically to the name of the GAO document and not to "generally accepted" government auditing standards. This is in line with some thinking that the "general acceptance" concept does not apply to standards set by the General Accounting Office in its "yellow books." It sets the standards, and those wishing to do audits under its jurisdiction have no choice but to follow them. The acceptability of the standards is not an issue.

The 1994 revision, however, again states -

Audit reports should state that the audit was made in accordance with generally accepted government auditing standards.

And unlike its 1988 predecessor, the 1994 revision uses the GAGAS tag frequently throughout the document. It appears the authors of the 1994 revision wish to reinstate GAGAS as a common reference to GAO auditing standards. It will be interesting to see what the AICPA does in its subsequent revisions to suggested report language now that GAGAS has returned.

Clifford D. Brown, PhD, is chair of the Department of Accountancy at Bentley College. He is a co-author of the AICPA's continuing professional education course titled, Accounting and Auditing for Certain Non-Profit Organizations. Charts Melchin, CFE, is assistant deputy auditor (audit operations) of the Commonwealth of Massachusetts. K. Raghunandan, PhD, is an associate professor of accounting at the University of Massachusetts at Dartmouth.