Three Things We Wish People Knew About Yellow Book
February, 2017
A summary of the workshop Doug Hileman presented at the Institute of Internal Auditors’ (LA) Government Auditing conference on February 8, 2017.
The Generally Accepted Government Auditing Standards (GAGAS, or “Yellow Book”) is the standard for government audits. GAGAS differs from the IIA’s International Professional Practices Framework (IPPF, or “Red Book”) in several significant ways. Government auditors can get frustrated when people don’t appreciate just what is involved in doing audits using the Yellow Book. This includes the audit sponsors, auditees, and even other auditors not familiar with Yellow Book standards.
At the IIA Los Angeles Chapter’s government auditors’ conference on February 8, 2017, attendees came up with a list of “things we wish people knew about the Yellow Book.” This fun, interactive exercise was In the fashion of “Yellow Book Idol.” The top three vote-getters of things they most wished people knew are listed below.
- We need sufficient, relevant evidence. We wish auditees understood that auditors must compile evidence. Furthermore, auditors need sufficient – and relevant – evidence. Just because you gave us one thing, it might not be enough. If you gave us the wrong thing, it doesn’t help at all.
- Everything We Do Isn’t an “Audit”. People use the terms “audit”, “review”, “report”, “assessment”, and “evaluation” interchangeably. Unless the exercise (there’s another term) has been done in accordance with professional audit standards – for government auditors, that’s the Yellow Book – it’s not properly an “audit.” We wish people understood the difference between the terms, and would not refer to things as “audits” when they aren’t audits.
- Know what it takes to do what you’re asking for. Once Internal Auditors have become trusted advisors, there can be a different set of challenges. Sponsors and stakeholders ask for an audit – in a week. Or, they’ll ask to include a few more items in the annual audit plan. Or they’ll ask for “a quick look-see”, and expect that they can get – and rely on – an answer from Internal Audit for their Board meeting next week. We wish that sponsors understood what’s involved in the audit process from start to finish.
Two honorable mentions are listed below.
- Planning for a Yellow Book audit takes more time than for other audits. One attendee with experience in government and private sector internal auditing quipped that, “If I spent as much time on planning at [private sector auditing consultant] as I do on an audit at [government entity], I would have been written up or fired.” The audit planning memo is time-consuming, but it is the basis for all that follows, so it’s important.
- We look at samples – not at everything. So we’re going to miss something. This is a frustration expressed by government and private sector internal auditors alike. Sample sizes may be small, and the auditors may use different sample methodologies. We base our conclusions upon the sample selected. That’s why we spell this out in our reports (“Of the 50 records tested, seven were found to have….”). if a problem arises from a record outside of those 50, then we didn’t see it.
Some of these are distinctive to Yellow Book auditors, and others will sound familiar to everyone. The author provides training in Audit Readiness – a good answer to Item #1. Watch for more in a future newsletter, or another IIA meeting soon.
Doug Hileman led this session at the IIA LA’s Government Auditing conference on February 8, 2017. He is VP Advocacy for the IIA Los Angeles Chapter, and on the (global) Guidance Development Committee. His firm supports compliance and audit efforts in operations, non-financial reporting, and risk management.