The Mystery of Nonaudit Services
This week, I discuss a topic that some may find controversial: nonaudit services. The Yellow Book, or GAGAS, has a specific section, paragraphs 3.64 to 3.106, that covers nonaudit services.
Unfortunately, GAO does a disservice to auditors by using the term ‘nonaudit’.
This has led to confusion among government auditors and to the misconception that nonaudit services are any activities that an audit organization provides to an audited entity that do not meet the definition of an audit under GAGAS standards.
But that couldn’t be further from the truth!
GAO acknowledges in the Yellow Book that “auditors have traditionally provided a range of…services that are consistent with their skills and expertise” (3.65). What types of services is GAO referring to? Well, here are some examples directly from GAGAS:
Routine activities that auditors perform related directly to conducting an engagement:
providing advice to the audited entity on an accounting matter as an ancillary part of the overall financial audit;
providing advice to the audited entity on routine business matters;
educating the audited entity about matters within the technical expertise of the auditors; and
providing information to the audited entity that is readily available to the auditors, such as best practices and benchmarking studies (3.71).
Services provided in response to a statutory requirement or an engaging party (such as a legislative oversight body):
providing information or data to a requesting party without auditor evaluation or verification of the information or data;
providing assistance and technical expertise to legislative bodies or independent external organizations;
providing training, speeches, and technical presentations;
providing assistance in reviewing budget submissions;
providing audit, investigative, and oversight-related services that do not involve a GAGAS engagement, such as
investigations of alleged fraud, violation of contract provisions or grant agreements, or abuse;
periodic audit recommendation follow-up engagements and reports; and
identifying best practices or leading practices for use in advancing the practices of government organizations (3.72).
Then what is a ‘nonaudit service’?
In simple terms, it’s any service that an auditor could provide to an audited entity that could create a threat to independence.
The Yellow Book states that auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to:
Identify threats to independence.
Evaluate the significance of the threats identified, both individually and in the aggregate.
Apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level.
The Yellow Book includes a decision tree for the conceptual framework for you to consider.
Examples of auditor activities that could impair independence
Auditors should conclude that any management responsibilities that they may perform for an audited entity would impair their independence. If the auditors were to assume management responsibilities for an audited entity, the management participation threats created would be so significant that no safeguards could reduce them to an acceptable level.
The following are some examples of what the Yellow Book considers management responsibilities:
setting policies and strategic direction for the audited entity;
directing and accepting responsibility for the actions of the audited entity’s employees in the performance of their routine, recurring activities;
accepting responsibility for designing, implementing, or maintaining internal control; and
serving as a voting member of an audited entity’s management committee or board of directors.
You said this was controversial. Why?
Members of the oversight community in recent years have strived to provide more timely and relevant information to decision makers. One way audit organizations have done this is by producing agile products. Agile work products highlight issues requiring immediate action for oversight officials or legislative stakeholders and others who have requested reviews of high-risk areas. Agile products can inform, without requiring actions, by providing transparency and ensuring key agency leadership, stakeholders, and the public have access to information more quickly.
The professional disagreement lies in whether these agile work products should follow Yellow Book standards and whether they are considered nonaudit services. Many agile work products are short memorandums or management alerts that are meant to share information based on previous audit work or the current status of program activities or funding. They do not always include findings or recommendations like a typical performance audit.
GAO has updated the Yellow Book to provide more flexibility in the types of performance audits that can be performed under GAGAS. In the 2011 Yellow Book, the definition of a performance audit included the term ‘criteria’. In the 2018/2021 Yellow Book, the term ‘criteria’ was removed from the definition, thereby increasing the flexibility for government audit organizations to produce more informational engagements under performance audit standards.