Articles on Internal Auditing

GAO or IIA – Which Standards Should Government Auditors Follow?
By Mark R. Simmons, CIA CFE

A Difference in Philosophy

Government Auditing and Internal Auditing are very much differentiated by their focus and philosophy. The federal Government Accountability Office (GAO) Standards define the practice of government auditing. These standards are mandatory for federal auditors and CPA firms that audit federal dollars. They place emphasis on accountability of government officials and accountability of the auditor to conduct work professionally, but there is no requirement to evaluate management controls. Unless state or local law specifies to the contrary, the GAO Standards are not mandatory for state and local government auditors, but those departments that ascribe to the GAO philosophy voluntarily apply the GAO Standards.

Many other government audit departments focus on a problem solving and process improvement approach that fosters accountability by actively engaging responsible managers in effective risk management, control, and governance processes. Audit organizations that ascribe to this model are providing an internal auditing service as defined by the Institute of Internal Auditors (IIA) - the standard-setting body for the internal audit profession.

GAO Standards

GAO sees its role primarily as one that holds government officials fiscally and programmatically accountable to the legislature and the public so that resources are spent in the way the Congress intended. GAO audit work focuses on the most appropriate topics to maximize government accountability, provide the greatest opportunity to improve government operation, and cover areas of particular interest to Congress. The GAO standards focus on holding auditors accountable for the professionalism and independence of their work product. The primary focus is on the way an engagement is conducted and the manner in which results are communicated.

The issue of most concern is auditor independence. The GAO Standards identify these three principles that federal government auditors, or CPA firms auditing federal dollars, cannot violate if they want to retain independence and act in accordance with the GAO standards:

  • Federal auditors, or CPA firms auditing federal dollars, should not perform management functions or make management decisions
  • Federal auditors, or CPA firms auditing federal dollars, should not audit their own work
  • Federal auditors, or CPA firms auditing federal dollars, should not provide non-audit services that are material to the subject matter of an audit.

GAO defines “audits” as financial (financial statement opinion, transaction process and compliance), attestation (reviewing a subject or management assertion) or performance (assessing program performance and management). There is no requirement to evaluate internal control.

The GAO standards specifically prohibit a federal auditor, or CPA firm auditing federal dollars, from providing consulting services to the agency or organization being audited.

The GAO standards state specifically that federal auditors may participate on committees or task forces in purely advisory capacity to advise entity management on issues related to the knowledge and skills of the auditors without impairing their independence. However, in that capacity, auditors should not make management decisions or perform management functions. For example, federal auditors can provide routine advice to the audited entity and management to assist them in activities such as establishing internal controls or implementing audit recommendations and can answer technical questions and/or provide training. The decision to follow the auditors’ advice remains with management of the audited entity. These types of interactions are normal between auditors and officials of the audited entity given the auditors’ technical expertise and the knowledge auditors gain of the audited entity’s operations. Auditors may also provide tools and methodologies, such as best practice guides, benchmarking studies, and internal control assessment methodologies that can be used by management. By their very nature, these are routine audit activities.

Federal Government Auditors And CPA Firms

The federal GAO audit function is the audit arm of the U.S. Congress. Congress is the customer; taxpayers are the stakeholders. Federal Government auditors And CPA firms must follow the GAO standards when auditing federal agencies and non-federal agencies and organizations that receive federal funds.

Under this model, the emphasis is on accountability of government officials to the Congress and accountability of the auditor to conduct work professionally. There is no requirement to evaluate management controls. The executive leadership of the audited agencies is not the primary customer. Their input is not solicited as part of the audit process. Their input is not solicited in development of solutions (rather they are presented with "findings" to which the must "respond" – an approach that holds them “accountable”). The GAO approach cannot be considered an internal audit function under this model because the auditors do not act from within and in support of the leadership of the organizations that they audit.

Non-federal government audit organizations that ascribe to the GAO philosophy should use the GAO standards as a best practice. In so doing, however, they do not function according to the internal audit model as defined by the standard-setting body for the internal audit profession.

IIA Standards

The IIA Standards focus on the basic principles that represent the practice of internal auditing as it should be. They provide a framework for managing an internal audit department; establish the basis for the evaluation of internal audit performance (for auditors individually and the department as a whole); provide a framework for performing value-added internal audit activities; foster improved organizational processes and operations; and describe ways of conducting an engagement and communicating results.

The IIA Standards focus on improvement of risk management, control and governance processes within an organization so that issues of concern can be identified and corrected before they become persistent or pervasive problems. Internal audits under the IIA Standards help solve problems and move the organization forward.

The IIA Standards mandate organizational independence of the audit department and mandate individual auditor objectivity.

  • Internal auditors must report to a level within the organization that permits the audit department to fulfill its responsibilities
  • Internal auditors must not perform management functions or make management decisions
  • Internal auditors must not audit their own work
  • Internal auditors must determine the nature and scope of their work.

The IIA Standards identify audits as “assurance services”. Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusion about business risk, control or governance associated with a process, system or other subject matter. The IIA Standards identify assurance services as having three participants:

  • The person or group directly involved with the process, system or other subject matter – the process owner
  • The person or group making the assessment – the internal auditor
  • The person or group using the assessment - the user

The IIA Standards encourage adding value to the organization by working with management and the process owner to identify and solve mission-critical problems. Audits under the IIA Standards add value by assessing whether risk management, control and governance processes provide reasonable assurance that executive branch leaders and agency/department managers are meeting their responsibilities to safeguard the public assets and resources placed in their trust. This is accomplished by partnering with the department being audited to combine the operational expertise of the employees with the independent and objective judgment, management control expertise, and systematic disciplined evaluation methods of the auditor.

The IIA Standards include consulting within the definition of internal auditing as service that can be provided if the internal auditor so chooses. Consulting services are advisory in nature, and are generally performed at the specific request of a member of management. The nature and scope of the consulting engagement are subject to agreement with the person requesting the service.
The IIA Standards identify consulting services as having two participants:

  • The person or group offering the advice – the internal auditor
  • The person or group seeking and receiving the advice

When performing consulting services the IIA Standards require the internal auditor to maintain objectivity and not assume management responsibilities.

State and Local Government Auditors

Circumstances differ, but state and local government auditors (as observed by Michael Barrier in his article Caution Light for Government Auditors) may often be the functional equivalents of private sector internal auditors when reviewing agencies/departments of state or local governments.

  • The role of a state or local government auditor may compare to that of an internal auditor in a large corporation who reports to the board of directors or CEO (or the CFO) and audits the operating departments of the corporation.
  • Audit customers are the elected official(s) and the senior leadership of the organization
  • The audit department encourages input from senior leaders within the organization when planning work
  • The audit department supports its customers by helping identify significant business risks and challenges; by providing independent and objective assessments of the degree to which business risk, control and governance processes mitigate risk; and seeks to help reduce those business risks by helping responsible managers address issues before they become systemic, persistent or pervasive
  • The audit department focus is a problem solving and process improvement approach that fosters accountability by actively engaging responsible managers in effective risk management, control, and governance processes.

Audit organizations that ascribe to this model are providing an internal auditing service as defined by the standard-setting body for the internal audit profession. State and local government auditors who are members of the IIA, or who are Certified Internal Auditors must under the IIA Code of Ethics to which they have pledged compliance, follow the IIA Standards when providing internal audit services.

Conclusion

The decision as to how auditing can best serve the citizenry often will depend on many unique variables. There is no single “best way” to carry out government audit responsibilities at the state and local level. Those making that decision, however, should do so from an informed basis when defining the nature, philosophy and professional standards for the audit department.

Sources

Caution Light for Government Auditors
(Michael Barrier, Internal Auditor, 04-2003 - The Institute of Internal Auditors)

The International Standards for the Professional Practice of Internal Auditing
(02-2004 - The Institute of Internal Auditors)

Government Auditing Standards – 2003
(Comptroller General, United States General Accounting Office)

 

Copyright © 2005 Mark R. Simmons, All rights reserved

Home | Bio  | Internal Auditing | Fraud Investigation | Request to Reprint

© 1996-2008 Mark R Simmons, CIA, CFE. All rights reserved. Updated 05-Jun-2008
Designed and maintained by Web Wise Concepts, LLC for http://www.facilitatedcontrols.com