GAAS vs. GAGAS: How to Report on Internal Controls; SAS No. 63 Goes beyond SAS No. 60 and the Yellow Book in Setting Audit Report Requirements

Article excerpt

GAAS vs. GAGAS: HOW TO REPORT ON INTERNAL CONTROLS

SAS no. 63 goes beyond both SAS no. 60 and the yellow book in setting audit report requirements. The new director of finance for the Agency for Art Endowment was perplexed. "When I was chief financial officer of Trans-Global Enterprises, we always got a very simple one-page internal control report from our auditors. Now I'm in the public sector, and the equivalent report is twice as long. Is this because your firm is doing more work on internal controls than would be the case for a private enterprise?"

"Actually, no," replied the audit partner. "The procedures relating to the internal control structure for a generally accepted auditing standards (GAAS) audit are the same as those for an audit conducted under generally accepted government auditing standards, or GAGAS. Only the report is different."

"Why's that?" asked the finance director.

"It's largely a function of the different audience these reports are intended for. You see, government reports generally become part of the public record. As such, they may be read by those less knowledgeable about the audit process and the auditor's role and responsibilities than a private sector audit, which is read by members of management and the audit committee, who have direct knowledge about the audit engagement."

NEW STANDARDS FOR REPORTING ON INTERNAL CONTROLS

The finance director's uncertainty is understandable. At first glance, two such different-looking reports might reflect different levels of performance by the auditor--yet that's not the case. In this article, we'll try to clear up some of the mystery surrounding this subject and provide a working knowledge of the reporting requirements under

* Statement on Auditing Standards no. 60, Communication of Internal Control Structure Related Matters Noted in an Audit.

* Government Auditing Standards, commonly known as the yellow book, issued by the U.S. General Accounting Office.

* SAS no. 63, Compliance Auditing Applicable to Governmental Entities and Other Recipients of Governmental Financial Assistance. However, we won't be covering the section of SAS no. 63 concerning performance and reporting under the Single Audit Act of 1984.

IMPROVING COMMUNICATIONS

Over the past several years, one of the major objectives of the auditing standard setters has been improving communications between auditors and the users of their services. To this end, early in 1988 the American Institute of CPAs auditing standards board issued several new SASs, some of which were aimed directly at enhancing auditor communications.

During the same period, increased public attention was being focused on audits of government entities. Thus, while the new SASs were being finalized, the GAO was revising GAGAS, as set forth in its yellow book. Like the related AICPA standards, the yellow book includes requirements for auditor communications. The yellow book is effective for audits beginning on or after January 1, 1989.

One of the communication areas addressed in the yellow book is the auditor's responsibility for communicating internal control structure matters noted during the course of the audit. This responsibility was addressed for GAAS audits in SAS no. 60.

However, although the yellow book does not provide any specific examples of the communications of matters related to internal control structure, its requirements in some respects are more extensive than GAAS. Therefore, to further help auditors apply GAAS in government audits, the ASB developed SAS no. 63, which provides guidance on how auditors should modify SAS no. 60 reports on the internal control structure to satisfy the requirements of the yellow book.

DIFFERENCES BETWEEN THE YELLOW BOOK AND SASs nos. 63 AND 60

Exhibit 1 Features of the internal control structure report compares the requirements of the yellow book and SASs nos. …