What Are the GAO Standards for Auditing?

The standards issued by the Government Accountability Office (GAO) provide a specialized framework for audits involving public funds. Officially titled Generally Accepted Government Auditing Standards (GAGAS), these mandates are commonly known as the “Yellow Book” because of the historical color of its cover. The purpose of GAGAS is to guide auditors in performing high-quality reviews of government organizations, programs, activities, and entities that receive government awards. The standards establish a uniform set of principles and procedures that ensure integrity, objectivity, and independence in the audit process to promote accountability and build trust in government operations.

The Foundational Framework of GAGAS

A core GAGAS requirement is that an audit organization must establish and maintain a comprehensive system of quality management. This risk-based approach ensures the firm and its personnel comply with professional standards and legal requirements. While the 2018 revision of the Yellow Book remains in effect for audits of periods beginning before December 15, 2025, the 2024 revision mandates a new quality management system. This new system must be designed and implemented for audits of periods beginning on or after December 15, 2025, though early adoption is permitted. An audit firm’s internal system must be evaluated by December 15, 2026, to confirm its effectiveness.

Independence is a requirement, which encompasses both independence of mind and independence in appearance. This means auditors must be free from conflicts of interest and avoid any circumstances that would lead a reasonable third party to question their impartiality. Auditors must also exercise professional judgment in all aspects of their work.

Competence is maintained through specific Continuing Professional Education (CPE) requirements. Auditors must complete at least 80 hours of qualifying CPE every two years. A minimum of 24 of these hours must be in subjects directly related to the government environment, government auditing, or the specific environment in which the audited entity operates. The remaining hours must be in subjects that directly enhance the auditor’s professional expertise to perform their work.

The GAGAS framework is built upon ethical principles that guide the conduct of auditors. They include serving the public interest, acting with integrity, and maintaining objectivity. Auditors are also bound by the principle of proper use of government information, resources, and positions, ensuring they are used for official purposes only. The final principle is professional behavior, requiring auditors to maintain the good reputation of the profession.

Applicability of Government Auditing Standards

GAGAS is mandatory for audits of federal government organizations, programs, and functions, forming the basis of work for the GAO itself and various Offices of Inspectors General. The standards are not confined to the federal level; they also apply to state and local government entities when required by law, regulation, or other mandates.

GAGAS also extends to non-governmental organizations (NGOs) and for-profit businesses. These entities become subject to GAGAS when they receive government awards, such as grants or contracts. For instance, under the Single Audit Act, an audit that complies with GAGAS is required if a non-federal entity expends $1,000,000 or more in federal awards during its fiscal year for fiscal years beginning on or after October 1, 2024.

An entity may become subject to GAGAS through direct legal or regulatory mandate or by policy adoption. A law, regulation, or the terms of a contract or grant agreement may explicitly require a GAGAS audit. In other instances, an organization may choose to adopt the Yellow Book standards as a matter of policy to demonstrate a commitment to accountability.

Standards for Specific Engagement Types

Financial Audits

Financial audits conducted under GAGAS have a broader scope than their commercial counterparts. While GAGAS incorporates the auditing standards issued by the American Institute of Certified Public Accountants (AICPA) by reference, it imposes additional requirements.

Beyond the financial statements, GAGAS requires additional reporting on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements. This provides a more comprehensive view of the entity’s financial management.

Attestation Engagements

Attestation engagements involve an auditor issuing a report on a specific subject matter, or an assertion about that subject matter, which is the responsibility of another party. GAGAS recognizes several types of these engagements, including examinations, reviews, and agreed-upon procedures. An examination provides a high level of assurance, resulting in an opinion on whether the subject matter conforms to the established criteria, while a review provides a lower level of assurance.

GAGAS adds specific requirements to these engagements beyond standard professional guidelines. These additions often relate to considerations of internal control over the subject matter and compliance with relevant laws and regulations.

Performance Audits

Performance audits are a component of government auditing addressed by GAGAS. Their objective is to provide independent assessments of a government organization, program, activity, or function to improve program effectiveness and operations, reduce costs, and facilitate decision-making.

GAGAS fieldwork standards for performance audits require that auditors:

• Properly plan the audit, which includes defining the objectives and scope, and understanding the program being audited
• Ensure adequate supervision of all audit staff
• Obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions
• Prepare comprehensive audit documentation that supports their work and conclusions

GAGAS Reporting Requirements

A GAGAS audit report contains disclosures and statements not typically found in a standard commercial audit report. This enhanced reporting provides a more complete picture of the audited entity’s operations and is designed to meet the accountability needs of government officials and the public.

A defining feature of a GAGAS report is the required reporting on internal control and compliance. Auditors must issue a written report on their assessment of internal control over financial reporting and their tests of compliance with laws, regulations, contracts, or grant agreements. This report describes the scope of the auditor’s work and any significant deficiencies or material weaknesses identified, but it is not an opinion on overall internal control effectiveness.

When an audit identifies deficiencies, GAGAS prescribes a specific structure for presenting these findings. A complete finding includes four elements, and auditors are also encouraged to include recommendations for corrective action. The four elements are:

• Criteria: What should be.
• Condition: The situation that exists.
• Cause: The reason the condition occurred.
• Effect: The outcome of the condition.

To ensure a balanced report, GAGAS requires auditors to include the views of responsible officials of the audited entity. The audit report should summarize the officials’ perspectives on the findings and conclusions, including any planned corrective actions. If the officials’ comments are not included directly, the report must state that they were requested and obtained.