Leaders' Edge

More restrictive than AICPA or SEC independence rules, the GAO’s independence standard resulted in controversy and confusion … leading to delayed implementation. But, there are no more delays.

After nearly three years since issuance, it’s finally time to implement the General Accounting Office (GAO, and recently renamed Government Accountability Office) independence standard. Although the principles were issued January 25, 2002, because of the controversy and confusion, implementation was delayed to take effect this year for all audits beginning with fiscal years ending after January 1, 2003.

These new principles are not merely guidelines, but standards that must be followed. They are part of Government Auditing Standards (the Yellow Book) and are considered to be Generally Accepted Government Auditing Standards (GAGAS).

The new changes affect both CPA firms and government auditors, including all auditors of federal, state, local governments, nonprofit and for-profit recipients of federal and state grant and loan funds. Examples include auditors of cities, counties, school districts, colleges, hospitals, charitable organizations and many more.

The new standard significantly tightens and adds to independence provisions. It is far broader and much more restrictive than AICPA or SEC independence rules. It has strong potential to drive up audit costs and knock out a great deal of government entity consulting work. The standard weakens self-regulation powers and even more regulation could be on the horizon. If your firm is not intimately familiar with the new standard, close examination is a must.

General Independence Requirements
The general independence standard is as follows:

In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public should be free both in fact and appearance from personal, external and organizational impairments to independence.

Personal impairments involve the auditor having one or more of following relationships with an audit client: having family members involved in decision making, direct or indirect financial interests, influence on decision making, preparation of source documents, preconceived notions or biases, or the seeking of employment. Audit organizations must have policies to prevent these basic conflicts. The most dramatic changes relating to the new standard center around personal impairments and are discussed in detail in the following section.

External impairments are factors relating to pressure from management or employees of an audit organization that could interfere with the auditors’ ability to form independent and objective opinions. Examples include unreasonable time restriction to complete an audit report, restrictions on funds or resources necessary to perform audit work, and the threat of replacement over disagreements.

Organizational impairments have potential to occur if one is a government audit organization because of its place within the government structure. This area does not impact most private firms. Sections 3.21-3.32 details ways for governmental auditors to free themselves from these types of impairments.

The Big Changes
In its simplest form, the biggest impact of the new independence standard can be best summed up by its two overarching principles relating to personal impairments (paragraph 3.13):

On the surface, these principles sound easy enough to follow, but a closer look yields confusion and complex decisions. First, the auditor must meet both of these principles. Second, questions arise as to the level of management decisions, what constitutes non-audit services, and how do auditors prove they acted properly.

It must be shown that management of the audit client is responsible for and possesses the necessary skills for virtually everything that is being audited. The client cannot influence the product that is being audited. These concepts can be complicated to prove.

In regard to non-audit services, a wide range of these services is now under the microscope:

The SEC and AICPA have extensive guidance in dealing with independence and non-audit services. However, the GAO’s standard is far more restrictive. For example, the GAO generally prohibits payroll services. SEC and AICPA rules do not consider most of this work as management functions. The GAO limits payroll functions to tasks such as computing pay amounts for the entity’s employees based on time records, pay rates and deduction schedules that the entity maintains and approves. The GAO expressly prohibits processing the entity’s payroll, if it is a material amount to the subject matter of an audit.

Another example involves bookkeeping services, which are severely limited by the GAO; and their rules even clearly disallow posting of transactions. The AICPA, on the other hand, specifies permitted items such as posting of transactions. Although the GAO does permit preparing draft financial statements based on management’s chart of accounts and trial balances, maintaining or preparing the audited entity’s basic accounting is not allowed.

A final example revolves around information technology. The AICPA and SEC rules are less restrictive than the GAO’s and generally permit information technology services if the client makes the final decisions. The GAO only allows advising if management takes responsibility and does not rely on the auditor’s work as a basis for determining the adequacy of the system or in making the decision on whether or not to implement the new system.

One area where practitioners can rest a bit easier is tax services. The SEC, and especially the AICPA, both support the premise that tax services do not impair auditor independence. Similarly, the GAO does not prohibit an auditor from providing tax services. Guidelines specifically state that preparing taxes in accordance with IRS, state and local government laws and rules is permitted.

Guidelines to Follow
As one can see, there are a lot of grey areas and adherence to standard can be tricky business. The AICPA Fact Sheet also lists seven safeguards to help guide practitioners (Exhibit 1 provides an abbreviated version). Keep in mind, non-audit services may only be performed if ALL seven safeguards are met. Once again, this is a very difficult task to achieve. Paragraph 3.17 (a. through g.) of the standard provides useful help.

Despite best efforts to simplify, the subject matter of the new standard is so confusing that the GAO has issued a question and answer book to help clear matters up. A few key areas regarding the overarching principles and safeguards are as follows:

Q: If an audit organization has a completely separate consulting unit, could the work of the consulting unit affect the organization’s independence to perform audits?
A: Yes. Both units are still part of the same organization and the overarching safeguards would apply. Thus, a completely separate engagement team from top to bottom must be in place.

Q: Is independence impaired if the audit firm is affiliated with a team or another partnering firm?
A: It depends on the level of involvement. A close relationship may in fact impair your firm’s independence.

Q: Is there a safeguard for an auditor that performs minimal routine non-audit work for the audit client?
A: If a firm provides a total of 40 hours or fewer non-audit hours, the separate engagement team requirement is waived.

Q: Can an auditor still perform monthly bookkeeping functions?
A: Absolutely not. Either the bookkeeping or the audit must go!

Q: Can auditors still prepare financial statements for the client and audit those same statements?
A: Yes. There is nothing in the new standard that prohibits this as long as all the information and source documents used to prepare the financial statements are from the client and management understands and takes responsibility for that information.

On a more basic level, documentation is a key to staying out of trouble. Clearly detail your rationalization and prove why and how you are not making or influencing management decisions. Also, keep thorough records showing how you are not auditing your own work.

The engagement letter becomes increasingly important with the new standard. This will be your road map to maintaining independence and the proof you need to document that management clearly understands and accepts responsibility. Exhibit 2 provides basic tips for performance of non-audit services. Even with these guidelines, maintaining independence will be like walking a tightrope.

Are Non-Audit Services Worth the Risk?
Government auditors must seriously consider whether or not to stay in the consulting business or give up audits of entities they provide non-audit services for. Remember, it’s your firms’ reputation and your career at stake when you sign on the dotted line.

Much of this is uncharted waters and can be left to the subjective opinions of your peer reviewer, and quite likely, the media and public will be involved. Even if one carefully documents decisions and follows appropriate guidelines, it would be wise to get a second opinion prior to taking on an engagement. Back-up from auditors outside your firm or even your region may prove invaluable in the long run.

The new independence standard, revised Yellow Book and the Q&A guide can all be accessed and downloaded from the GAO’s web site. Other helpful web sites with information relating to the new standard are also listed in Exhibit 3.

About the Author
Dr. Craig Foltin, CPA, is mayor of the City of Lorain, Ohio, and part-time lecturer at Cleveland State University.

Exhibit 1
GAO’s Seven Non-Audit Safeguards

1. Preclude personnel who provide non-audit services from planning, conducting or reviewing audit work related to the non-audit service. The GAO does allow for a provision to exclude non-audit services that aggregate to 40 hours or less.

2. Scope and extent of the audit work should at least be that of what would be appropriate if the non-audit work was performed by another unrelated party.

3. Document consideration and rationale that providing non-audit service does not violate the two overarching principles.

4. Prior to performance of non-audit service, establish and document objectives, scope of work and product, as well as the understanding with management of their responsibility.

5. Quality control systems for compliance should include written measures to evaluate whether to provide non-audit services and written understanding by management.

6. If impairment of overarching principles exists, it must be communicated in writing that the subsequent audit will not be performed by said firm.

7. For audits selected in the peer review process, all non-audit services should be identified with documentation provided to the peer reviewer.

For more detailed information, see section 3.17 of the Yellow Book or the AICPA document GAO Auditor Independence Standard Fact Sheet.

Exhibit 2
New Independence Standard Tips

Dos

Document. Document. Document! Even your rationale.
Shore up the engagement letter. Be precise and detailed.
Be comfortable that the client has a strong internal control system in place.
Clearly have the client designate a management level person in writing who is responsible for decision-making regarding non-audit work. Know this person’s background and knowledge level.
Seek a second opinion from outside your firm whenever possible.

Don’ts

Do not reduce audit work in areas where non-audit services were performed.
Do not have same employee audit who performed non-audit services. (It’s best not to get involved with 40-hour exception rule).
Keep away from any posting of transactions.
Do not get involved in employment searches.
Do not log into an entity’s computer system. Request needed information from client.

Exhibit 3
Helpful Web Sites

General Accounting Office (Governmental Accountability Office)

Michigan Association of CPAs

American Institute of CPAs

Govt. Finance Officers Association

Public Oversight Board

Govt. Accounting Standards Board

National Assoc. of L.G. Auditors

Assoc. of Government Accountants

Accounting & Auditing articles brought to you by MACPA Corporate Sponsor, MSW Group PLC.