How Government Auditing Standards add public-interest, independence, quality-management, internal-control, compliance, and reporting requirements to governmental engagements.
Government Auditing Standards, commonly called the Yellow Book or GAGAS, are issued by the U.S. Government Accountability Office. They apply to many audits of government entities, government programs, and entities that receive government awards.
The AUD exam usually tests what the Yellow Book adds beyond a normal GAAS financial statement audit: public-interest ethical principles, stricter independence analysis, quality-management requirements, internal-control and compliance reporting, and specialized performance-audit concepts.
flowchart TD
A["Engagement involves government funds, programs, or required GAGAS use"] --> B["Apply GAAS or other base standard"]
B --> C["Add Yellow Book requirements"]
C --> D["Evaluate independence and nonaudit-service threats"]
C --> E["Apply competence, CPE, and quality-management expectations"]
C --> F["Report internal control and compliance matters when required"]
C --> G["Use performance-audit standards when objective is economy, efficiency, or effectiveness"]
The Yellow Book does not replace GAAS in a financial statement audit. Instead, it adds government-audit requirements when the engagement is performed under GAGAS.
| Area | Yellow Book focus |
|---|---|
| Ethical principles | Public interest, integrity, objectivity, proper use of government information, and professional behavior. |
| Independence | Threats and safeguards, including close attention to nonaudit services. |
| Competence | Auditors must have the competence needed for the assigned work, including government-audit context. |
| Quality management | Audit organizations need systems to manage engagement quality and comply with professional standards. |
| Reporting | Financial audits often include additional reporting on internal control and compliance. |
| Performance audits | Standards address economy, efficiency, effectiveness, program results, internal control, and compliance objectives. |
As of 2026, the 2024 Yellow Book is the current revision for engagements within its effective dates. It superseded the 2018 revision and emphasizes a risk-based system of quality management.
Yellow Book engagements can include financial audits, attestation engagements, reviews of financial statements, and performance audits.
| Engagement type | Main objective | Exam clue |
|---|---|---|
| Financial audit | Express an opinion on financial statements, with additional GAGAS reporting. | Financial statements plus reports on internal control and compliance. |
| Attestation engagement | Report on subject matter or an assertion under applicable attestation standards and GAGAS. | Compliance, controls, or specified subject matter. |
| Review of financial statements | Provide limited assurance under applicable review standards and GAGAS when required. | Limited assurance with Yellow Book overlay. |
| Performance audit | Evaluate program effectiveness, economy, efficiency, internal control, compliance, or prospective analysis. | Program results, operations, cost-effectiveness, or recommendations. |
Performance audits are not financial statement audits. They may result in findings and recommendations rather than an opinion on financial statements.
Yellow Book independence issues are heavily tested because government auditors often provide advice or assistance to auditees. The auditor must evaluate whether a nonaudit service creates a threat to independence and whether safeguards reduce the threat to an acceptable level.
| Nonaudit-service issue | Yellow Book risk |
|---|---|
| Auditor prepares source documents or makes management decisions | Management-participation threat. |
| Auditor designs or operates controls later audited | Self-review threat. |
| Auditor prepares accounting records without appropriate safeguards | Self-review or management-participation threat. |
| Management lacks skills, knowledge, or experience to oversee the service | Safeguards may be insufficient. |
| Auditor documents threats and safeguards before accepting the service | Required independence analysis is stronger. |
The auditee must accept responsibility for nonaudit services, oversee the service, evaluate the results, and make management decisions. If management cannot do that, independence may be impaired.
In a Yellow Book financial audit, the auditor often reports on internal control over financial reporting and on compliance with laws, regulations, contracts, and grant agreements that could have a material effect on the financial statements.
| Finding type | Reporting implication |
|---|---|
| Material weakness | Reported because it is a severe internal-control deficiency. |
| Significant deficiency | Reported when required by the applicable standards and engagement circumstances. |
| Material noncompliance | Reported because it may affect the financial statements or public accountability. |
| Abuse or fraud indicators | Evaluated and reported as required by GAGAS and applicable law or regulation. |
| Immaterial matters | May still require communication depending on the engagement and legal requirements. |
The Yellow Book report on internal control and compliance does not express an opinion on internal control unless the auditor is engaged to provide one. It usually describes the scope of testing and the findings identified.
The 2024 Yellow Book moved from a quality-control framing to a quality-management framing. For exam purposes, the important idea is that audit organizations must proactively manage risks to quality.
Quality-management considerations include:
This is an audit-organization responsibility, not just a file-completion checklist.
Use this sequence for Yellow Book questions: