GAO Auditor Independence Standard Fact Sheet

What Is the GAO Auditor Independence Standard All About?

The U.S. General Accounting Office (GAO) issued a final audit standard on Jan. 25, establishing significant changes to the auditor independence requirements under Government Auditing Standards (also known as the “Yellow Book.”). The standard applies to all Yellow Book audits for periods beginning on or after Oct. 1, 2002. GAO encourages early implementation. The new GAO Independence Standard is available on the GAO’s website at www.gao.gov/govaud/ybk01.htm.

Who Is Affected and How?

The GAO independence Standard establishes independence standards for CPAs, non-CPAs, government financial auditors, and performance auditors. It deals with a range of auditor independence issues, including restrictions on nonaudit services. The standard affects a significant number of audits, applying to auditors of federal, state and local governments as well as not-for-profit and for-profit recipients of federal (and some state) grant and loan assistance. (For example, colleges, universities, trade schools, hospitals, charitable organizations, cities, counties, school and utility districts, small businesses with Small Business Administration loans, U.S. Department of Housing and Urban Development projects and lenders, public housing authorities, and many state-administered programs and contracts.)

What Are the New Standards?

The GAO Independence Standard adopts an engagement-team-focused approach to independence for matters such as financial interests of an individual auditor, not unlike the American Institute of CPAs Code of Conduct. It also employs a principles-based approach to independence supplemented with certain safeguards for matters such as the performance of nonaudit services.
The standard for nonaudit services employs two overarching principles:

1. Audit organizations should not provide nonaudit services that involve performing management functions or making management decisions; and
2. Audit organizations should not audit their own work or provide nonaudit services in situations where the nonaudit services are significant/material1 to the subject matter of the audits.

Audit organizations may perform nonaudit services that do not violate the above principles only if all of the following seven safeguards are followed:

1. The audit organization should preclude personnel who provided the nonaudit services from planning, conducting or reviewing audit work related to the nonaudit service.
2. The audit organization is precluded from reducing the scope and extent of the audit work beyond the level that would be appropriate if the nonaudit work was performed by another unrelated party.
3. The audit organization should document its consideration of the nonaudit service, and document its rationale that providing the nonaudit service does not violate the two overarching principles.
4. Before performing nonaudit services, the audit organization should establish and document an understanding with the audited entity regarding the objectives, scope of work, and product or deliverables of the nonaudit service. The audit organization should also establish and document an understanding with management that management is responsible for the substantive outcomes of the work.
5. The audit organization’s quality control systems for compliance with independence requirements should include policies and procedures to assure consideration of the effect on the ongoing, planned and future audits when deciding whether to provide nonaudit services and a requirement to have the understanding with management of the audited entity documented. The understanding should be communicated to management in writing. Documentation must specify management’s responsibility for the nonaudit service, management’s qualifications to conduct the required oversight, and that management’s responsibilities were performed.
6. In cases where certain nonaudit services by their nature impair the audit organization’s ability to meet either or both of the overarching principles for certain types of audit work, the audit organization should communicate to management of the audited entity, before performing the nonaudit service, that the audit organization would not be able to perform subsequent audit work related to the subject matter of the nonaudit service.
7. For audits selected in the peer review, all related nonaudit services should be identified to the audit organization’s peer reviewer and the audit documentation made available for peer review.

What Nonaudit Services May Be Performed and Which Ones Are Expressly Prohibited?

The GAO Independence Standard permits auditors to participate on committees or task forces in a purely advisory capacity to advise entity management on issues related to the knowledge and skills of the auditors without impairing their independence. Auditors can also provide routine advice to the audited entity and management to assist them in activities such as establishing internal controls or implementing audit recommendations, can answer technical questions, and/or provide training. An auditor may also provide tools and methodologies, such as best practice guides, benchmarking studies and internal control assessment methodologies that can be used by management. These are routine activities that would not require the audit organization to apply the safeguards described above.

The GAO Independence Standard includes specific examples of nonaudit services that are permitted as long as the auditor complies with the two overarching principles and with the seven safeguards (e.g., the service must be immaterial/insignificant to the subject matter of the audit and must be performed by a separate engagement team). The GAO Independence Standard also expressly prohibits certain nonaudit services. Such examples are summarized in the following table.