In July 2018, the U.S. Government Accounting Office (GAO) released an updated version of its Government Auditing Standards reference, also known as the Yellow Book. The revision contains stronger guidelines to ensure an appropriate level of independence and transparency in the performance of audit services.
The new audit rules apply to any nonprofit organization required to provide audited financial statements under generally accepted government auditing standards (GAGAS).
To understand the concept of independence from an audit perspective, consider that an audit is a confirmation of an organization’s financial statements and performance. If the same person or entity is preparing the financial statements—the input of the audit—and then doing the audit itself, there is a potential threat to independence, and safeguards may have to be applied.
It’s not unusual for nonprofit organizations to outsource their bookkeeping and accounting to a firm that also provides auditing services. To avoid problems with independence, the GAO defines “significant threats” and suggests “safeguards” to reduce the threats to an “acceptable level.”
Here’s how the Yellow Book defines these three key concepts:
Threats are relationships or circumstances that could impair independence. In other words, if the preparation of financial statements and audit testing are performed by the same entity, that can be a self-review threat or a management participation threat.
Safeguards are actions or other measures that may eliminate or reduce a threat to an acceptable level. For example, some CPA firms have separate accounting and audit departments with significant barriers between them.
Acceptable level is the level at which a reasonable and informed third party who is aware of the relevant information would be expected to conclude that a member’s independence is not impaired.
To summarize the required independence framework, the first step is to identify potential threats, including non-audit services. The next step is for the auditor to evaluate the threat’s significance by considering the skills, knowledge, and experience of the non-audit service provider. If the threat is considered significant, then you must implement safeguards to reduce it to an acceptable level.
What would a reasonable and informed third party conclude about the independence of the auditor? “Acceptable level” is the crux of the matter. A possible conclusion is that using one firm to prepare financial statements and perform the audit would impair independence. But there is a caveat in the new Yellow Book revisions: The verbiage clarifies that preparing the financial statements “in their entirety” creates a significant threat that should be reduced to an acceptable level by safeguards.
It may be that your financial statement preparation is largely conducted in house or by another non-audit party, which would greatly reduce the threat to independence of the outside auditor. Maybe the outside auditor merely assists in drafting footnotes, for example.
Of course, in every scenario, your auditor will need to document threats and the safeguards in place to mitigate them and include them in the audit materials.
The new guidelines apply to financial audits, reviews of financial statements, and attestation engagements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019.
Although early implementation is prohibited, now is the time for a conversation with your non-audit and audit providers about the new independence rules, potential threats to independence, and how to ameliorate them. For example, it might make sense to evolve your internal capabilities so that you are performing many of the accounting and controller services in house.
Above all, complying with the new independence rules requires a thoughtful approach to your accounting and audit choices. Be sure to involve your CPA and financial advisors in these decisions.