Yellow Book Update

July 27, 2020 | by Nicole Bourne, CPA

The Government Accountability Office released a new version of the Government Auditing Standards, also known as the Yellow Book, in July of 2018. The updated standards are effective for financial statement audits, reviews, and other attestation engagements for the period ending on or after June 30, 2020 – This year!

The major update that happened with the 2018 version of the Yellow Book pertains to the rules auditors must follow when providing nonattest services. Nonattest services include items such as preparing the financial statements, proposing adjusting journal entries, preparing the data collection form, hosting and maintaining the depreciation schedule, etc. All of these items are the auditee’s management’s responsibility to prepare, but some have elected to have us, the  auditors, prepare them on their behalf. In order for us to be able to perform nonattest services on management’s behalf, there are certain requirements that have to be met to make sure that our auditor independence is  not impaired.

As auditors, we are required to identify, document, and evaluate any threats to our independence. Providing nonattest services creates a self-review threat, which is defined in the Yellow Book as “the threat that an auditor or audit organization that has provided nonaudit services will not appropriately evaluate the results of previous judgements made or services provided as part of the nonaudit services when forming a judgement significant to a GAGAS engagement.”

Once threats have been identified, auditors are required to evaluate these threats to independence. We need to consider if the threats are at a level that may impair our independence. If the threats are at a level where independence may be impaired, we then need to evaluate if there are any safeguards that could be applied to reduce these threats to an acceptable level and allow the auditor to maintain their independence.

Prior to accepting a new audit engagement, auditors are required to determine if the client has the Skills, Knowledge, and/or Experience (SKE) to accept responsibility for the financial statements. This is required for all audits. Once the auditor has determined there is someone with suitable SKE, there is still a threat to independence, but that can be mitigated by applying safeguards. SKE can be accomplished one of two ways:

  • There may be someone within the organization who has the SKE or;
  • Management may decide to contract the responsibility to someone outside the organization, for example another CPA firm.


Applying safeguards – this is where the auditee’s help is needed. According to the Yellow Book, safeguards are “actions or other measures, individually or in combination, that auditors and audit organizations take that effectively eliminate threats to independence or reduce them to an acceptable level.” There are many different types of safeguards that can be applied, but here are some examples that we commonly use:

  • The auditors provide the person identified as having the SKE a copy of the drafted financial statements, proposed journal entries, and grouping schedules used to draft the financial statements for their review and approval. These are management’s financial statements, so they must accept and approve the work performed by the auditors.
  • Have an auditor who was not a member of the engagement team review the work performed. BC+S always has an auditor not involved in the audit perform an independent review of the financial statements to look for any material errors that could be present.


Key Takeaways to Consider

  • Yellow Book standards are putting more requirements in place when it comes to assessing nonattest work performed by auditors.
  • Additional documentation and analysis are required by the auditors in order to comply with Yellow Book standards.
  • When nonattest services are provided, auditors need to document what services are being provided, if there are threats to independence, and what safeguards will be applied to maintain auditor independence.
  • Any nonattest services provided by your auditor are the responsibility of management. Management either needs to have the skills, knowledge, and/or experience to accept responsibility for the work performed by the auditor or assign this responsibility to an outside person, such as a contract CPA or accountant.