Update Log

The 2018 revision of Government Auditing Standards is effective for financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and for performance audits beginning on or after July 1, 2019. Early implementation is not permitted. The 2018 revision of Government Auditing Standards supersedes the 2011 revision (GAO-12-331G, December 2011), the 2005 Government Auditing Standards: Guidance on GAGAS Requirements for Continuing Professional Education (GAO-05-568G, April 2005), and the 2014 Government Auditing Standards: Guidance for Understanding the New Peer Review Ratings (D06602, January 2014). The 2018 revision should be used until further updates and revisions are made. An electronic version of this document can be accessed on GAO’s Yellow Book web page at https://www.gao.gov/yellowbook.

Updates to Most Recent Revision

The following technical updates have been made to the 2018 revision of Government Auditing Standards (known as the Yellow Book). These technical updates to the 2018 revision of Government Auditing Standards are effective upon issuance.
The 2018 Revision of Government Auditing Standards April 2021 Technical Updates
1.02 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, and ethically within the context of the statutory boundaries of the specific government program. 1.02 The concept of accountability for use of public resources and government authority is key to our nation’s governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, ethically, and equitably within the context of the statutory boundaries of the specific government program.
1.03 As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. Legislators, oversight bodies, those charged with governance, and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, and ethically. 1.03 As reflected in applicable laws, regulations, agreements, and standards, management and officials of government programs are responsible for providing reliable, useful, and timely information for transparency and accountability of these programs and their operations. Legislators, oversight bodies, those charged with governance, and the public need to know whether (1) management and officials manage government resources and use their authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; and (3) government services are provided effectively, efficiently, economically, ethically, and equitably.
1.23 Examples of program effectiveness and results audit objectives include

  1. determining whether a program provides access to or distribution of public resources within the context of statutory parameters;

1.23 Examples of program effectiveness and results audit objectives include

  1. determining whether a program provides equitable access to or distribution of public resources within the context of statutory parameters;

3.83 Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skills, knowledge, and experience of the individual responsible for overseeing the nonaudit service were sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83 Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework.
8.42 If internal control is significant to the audit objectives, auditors determine which of the five components of internal control and underlying principles are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify whether specific controls are significant to the audit objectives. Determining which internal control components and principles and/or specific controls are significant to the audit objectives is a matter of professional judgment. 8.42 If internal control is significant to the audit objectives, auditors determine which of the five components of internal control are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify the underlying principles, control objectives, or specific controls that are significant to the audit objectives. Determining which internal control components, principles, control objectives, and/or specific controls are significant to the audit objectives is a matter of professional judgment.
8.49 If internal control is determined to be significant to the audit objectives, auditors should assess and document their assessment of the design, implementation, and/or operating effectiveness of such internal control to the extent necessary to address the audit objectives. 8.49 If internal control is determined to be significant to the audit objectives, auditors should plan and perform audit procedures to assess internal control to the extent necessary to address the audit objectives.
9.30 If some but not all internal control components are significant to the audit objectives, the auditors should identify as part of the scope those internal control components and underlying principles that are significant to the audit objectives. 9.30 When reporting on the scope of their work on internal control, auditors should identify the scope of internal control assessed to the extent necessary for report users to reasonably interpret the findings, conclusions, and recommendations in the audit report.
9.32 Control components and underlying principles that are not considered significant to the audit objectives may be identified in the scope if, in the auditors’ professional judgment, doing so is necessary to preclude a misunderstanding of the breadth of the conclusions of the audit report and to clarify that control effectiveness has not been evaluated as a whole. Auditors may also identify and describe the five components of internal control so that report users understand the scope of the work within the context of the entity’s internal control system. 9.32 Auditors may identify the control components, underlying principles, control objectives, or specific controls assessed in describing the scope of their work on internal control. Auditors may also identify the level of internal control assessment performed, as discussed in paragraph 8.50. Control components and underlying principles that are not considered significant to the audit objectives may be identified in the scope if, in the auditors’ professional judgment, doing so is necessary to preclude a misunderstanding of the breadth of the conclusions of the audit report and to clarify that control effectiveness has not been evaluated as a whole. Auditors may also identify and describe the five components of internal control so that report users understand the scope of the work within the context of the entity’s internal control system.
Conforming changes have been made to the figures to reflect the technical updates.