Friday, November 12, 2010

Government Pensions are in Trouble

One of the most compelling reasons that talented individuals stay in government is the benefits and the stability. And in envy, I have attended a flurry of retirement parties this year. My colleagues have put in their time and are blissfully able to move on to second careers under the support of a state pension.

But these pensions are expensive and risky - and troubled. The City of Austin is no longer offering pensions to new hires, but instead is offering them a self-managed retirement savings plan. The State of Alaska moved from a defined benefit plan (which promises a stable monthly payment each month after retirement based on the last few years of wages) to a defined contribution plan (which promises to pay out only what you and your employer put in, plus earnings).

What happens when the financial markets take a hit as they did in 2008? The pension plans take a hit. And the governments who fund them must make up the difference.

The FASB has been pushing corporations to disclose pension obligations since the 1980s. The FASB requires corporations to own up to the true liability the pensions posed to their organizations. When confronted with the resulting terrible looking balance sheet, most corporations decided to do away with their pension plans. The GASB is also pushing governments to recognize their true obligation when it comes to pensions and other post-employment benefits. The State of Texas disliked GASB 45 (subject matter: other post-employment benefits such as health care) so much, it passed a law allowing Texas governments to blow it off. See http://www.window.state.tx.us/newsinfo/columns/070611gasb.html for the Texas Comptroller's take on this issue.

California Public Employees Retirement System, or Calpers, is suing bond rating agencies for inaccurate ratings, causing the pension fund to lose at least $1 billion. See http://www.nytimes.com/2009/07/15/business/15calpers.html

The PEW Center on the States issued a sobering report earlier this year - stating "at the end of fiscal year 2008, there was a $1 trillion gap between the $2.35 trillion states and participating localities had set aside to pay for employees’ retirement benefits and the $3.35 trillion price tag of those promises." Trillions - not billions! http://downloads.pewcenteronthestates.org/The_Trillion_Dollar_Gap_final.pdf

And this pressure to continue to meet those enormous pension obligations appears to have driven one state - New Jersey - to fraudulent activities and they are now under investigation by the SEC. http://www.sec.gov/news/press/2010/2010-152.htm

So how long are pensions going to be part of the government compensation package? I wouldn't be surprised to see them disappear in the next decade. How about you?


Thursday, November 11, 2010

Comments on the 2010 Yellow Book - As Emailed to Michael Hrapsky at the GAO

Hi Michael –

I used the 2010 revision to teach with last week. So, I am going to take an initial stab at feedback about the new draft. Thanks for allowing me to do this informally- via email.

1. Independence: CPAs are still going to take the little bit of wiggle room you gave them and RUN with it. No one wants to give up drafting the financial statements as part of the audit and they are very busy justifying why their situation is different and they can still do what they have always done. I believe it would be better to prohibit it completely – with no professional judgment involved. It is wrong to create the subject matter that you opine on– period. And we are risking the integrity of the only service CPAs are actually licensed to provide – audits of financial statements. The AICPA is too lenient on their members on this subject and I would like to see the GAO do the right thing and flat out prohibit it.

2. Section 1.06. Auditors are still a bit confused on when the Yellow Book is applicable to their audit. They assume that if their client is a government – that the Yellow Book is automatically required. I’d like to see the language of 1.06 clarified and strengthened to say something to the effect of – “The Yellow Book is applicable to an engagement if it is required by law, policy, etc… Some organizations choose to voluntarily follow the yellow book. Just because the audited entity is a government or receives government funds, it does not mean that the government auditing standards are automatically required.” Yes, it is a bit redundant.

3. Section 1.07 – Some auditors erroneously believe that you have to be certified in order to be subject to the CPE requirements. 1.01a could be enhanced by adding “regardless of job title OR PROFESSIONAL CERTIFICATION.” Caps not necessary!

4. 3.53 – Professional judgment – This is my least favorite section of the yellow book. It is vague, redundant, and broad and I really struggle with teaching it. It is saying “turn your brain on” and then tells you when to turn your brain on. I wonder if you could merge 3.54 and 3.55 with evidence, 3.56 with competence, 3.57 with quality control, 3.58 with independence, 3.59 and 3.60 with planning, and get rid of 3.61 – which reads like an attorney’s fine print.

5. 3.84 human resources. Instead of doing a footnote back to the HR sentence in competence, I think it would be helpful to repeat the second sentence of 3.63 here… “Audit organizations should have a process for recruiting, hiring, developing, assigning, and evaluating staff to maintain a competent workforce.” Otherwise, I am afraid people are missing that because it is imbedded in another section, in the middle of a paragraph. Another solution would be to make the second sentence of 3.63 its own paragraph.

6. The appendix’s format is hard to decipher and it would be easier on the reader if you would indent the sub-topics. For instance on page 176 – c is a super topic, 1 is under c, and a is under 1. It is difficult to tell what is modifying what or what is listed under what. And this goes on for many pages.

7. 4.23 – why is abuse grouped with noncompliance? Shouldn’t it have its own number – number 4?

8. 4.22-4.30 – The 2 additional letters on internal control and compliance are out of date. So in 4.23 we find the list of all of the things that trigger a reportable condition. And then we write letters on only two of them - internal controls and compliance. And the language that is used in these letters – in reality – is obscure and only vaguely related to what this section requires. I remember asking Michael about the purpose of these letters and he explained that they enhance transparency for the user. After the AICPA gets a hold of them and creates a stream of legalistic and confusing language to satisfy this requirement – we are being anything but transparent. Auditors simply go to the AICPA for model reports and plug the name of the entity in the blank. Users don’t understand them or, I might argue, need them if there is nothing to report. I would like to see the GAO reconsider the purpose of these letters and ask whether these letters are the best way to serve this purpose. If the GAO decides to keep these letters – I would suggest updating them to include the requirements for the auditor’s responsibility for fraud and abuse. Could the GAO propose some standard language for a straight yellow book audit that is clear and straightforward – like the mandatory performance audit paragraph at 7.30 in the 2010 proposed revision?

Thanks for allowing me to say things significant and not-so-significant! You guys are the best!

Leita

Tuesday, November 9, 2010

The 2010 Revision's Impact on Internal Audit Independence

The GAO’s 2010 proposed revision to the Yellow Book isn’t saying much that is new. Instead it is saying the same stuff – just in a different way.

For instance, the section on independence regarding non-audit services caused plenty of heartburn in the 2007 revision. The GAO asked auditors to evaluate whether they were 1. Auditing their own work in performing the non-audit service or 2. Making management decisions when performing the non-audit services. Obviously, auditing your own work and making management decisions compromise an auditor’s independence because the auditor will not be motivated to admit that they messed up either the work or the decision if and when they do the audit.

One state audit organization I worked with said that they had, many years ago, become frustrated with the state agency responsible for calculating pension obligations. It seems that the auditor was constantly writing the agency up for not calculating it correctly, so the agency finally just said, “You know what? We don’t really know how to do it. Will you do it for us?” And unfortunately, the auditor decided that was a good idea.

So, one assistant state auditor made the calculation for a decade or so until he retired. When a new auditor took over the job, she quickly realized that the calculation had been wrong the whole time and that the state owed the pension plan major dinero. How embarrassing is that for the state auditor to admit!?!

And the state auditor didn’t want to admit it and was trying desperately to figure out a way to avoid admitting their mistake. The only thing I can think for the auditor to do to avoid accountability is to write the state a check for a few million out of your personal state salaried accounts. I am sure they can spare it.

This is the sort of dilemma that independence standards allow us to avoid. But at the same time, independence causes internal auditors a special brand of heartburn.

Let’s look at what the proposed new standards say:

Some 2010 Clauses Significant to Internal Auditors

The revision to the Yellow Book takes a different path, but ends up at the same place. It talks about ‘threats’ to independence – and the following sound like they were written with internal auditors in mind:

GAGAS 2010 3.10

b. Self-review threat - the threat that an auditor will not appropriately evaluate the results of a previous judgment made or service performed by the auditor, or the audit organization, on which the auditor will rely when forming a judgment significant to an audit;

d. Familiarity threat - the threat that due to a long or close relationship with management or personnel of an audited entity or employer, an auditor will be too sympathetic to their interests or too accepting of their work;

f. Management participation threat - the threat that results from an auditor’s taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit or attestation engagement;

And then goes on to expressly prohibit one common internal audit activity:

3.49 Accepting responsibility for designing, implementing or maintaining internal control includes accepting responsibility for designing, implementing or maintaining monitoring procedures. Monitoring involves the use of ongoing monitoring procedures or separate evaluations to gather and analyze persuasive information supporting conclusions about the effectiveness of the internal control system. Ongoing monitoring procedures are built into the routine, recurring operating activities of an organization. Therefore, the management participation threat created by an auditor performing ongoing monitoring procedures is so significant that no safeguards could reduce the threat to an acceptable level. On the other hand, nonaudit services providing separate evaluations often are performed by individuals who are not directly involved in the operation of the controls being monitored. As such, it is possible for an auditor to provide an objective analysis of control effectiveness by performing separate evaluations without creating a significant threat of management participation that would impair independence. However, in all such cases, the significance of the threat created by performing separate evaluations should be evaluated and safeguards applied when necessary to eliminate the threat or reduce it to an acceptable level. Auditors should assess the frequency of the separate evaluations as well as the scope or extent of the controls (in relation to the scope of the audit performed) being tested in evaluating the significance of the threat.

This excerpt points out a significant thematic difference between the IIA’s Professional Practices Framework (the red book) and the yellow book. Members of the IIA like to be helpful to their employers, the GAO does not. The GAO standards are written as if the auditor is an “external” auditor – not an internal auditor. A gentleman at the GAO once told me that internal auditor is a troublesome term. How can you be internal and be an auditor? The Yellow Book discourages auditors from performing ‘consulting’ engagements and instead prefers that internal auditors concentrate on the “assurance” aspect of their work.

One of the ‘hot’ topics – if you can go as far as to call anything in auditing “HOT” – at the HOTlanta IIA International Conference last summer was continuous monitoring. Internal auditors are working themselves into a frenzy figuring out how to do it.

BUT – when working in Yellow Book land, continuous monitoring – unless used by the internal audit shop to do their audit risk assessments – compromises auditor independence.

In one of my recent courses, we were discussing the COSO model and were talking about controls that the auditee should have in place over a federal grant. An internal auditor in the audience said that one of the best controls over a federal grant possible would be a strong internal audit shop monitoring the grant. And I immediately went, “No, I am not writing that up on the board!” A sharp reaction to a simple idea.

I immediately regretted shutting him down so hard and wrote it up on the board because I didn’t want to dwell on auditor independence that particular afternoon because it was off topic. But in Yellow Book land, the internal auditor is not to perform management functions. An auditor is an objective third-party that can give an unbiased assessment of what is really going on. This participant was looking at things from the IIA perspective – where it is OK to help management.

If the auditor took on monitoring the federal grant and then later criticized compliance or operations for the same federal grant… they’d be in a bind, wouldn’t they? Because they were responsible for monitoring and thus for helping the client out. And unless the client is superhuman – they will usually come to depend on the auditor and assume (wrongly) that everything is OK and they have nothing to worry about. And then the auditor will have to write them a big fat check from his personal account for the questioned cost that they were complicit in generating. (I do realize that auditors won’t be writing any checks, by the way.)

If this discussion has made you a little hot under the collar – go to the 2010 Proposed Revision at http://www.gao.gov/new.items/d10853g.pdf and carefully read Sections 3.02-3.50. Yes, it is a lot to look over. But it is new and worth the time.

This is the time to let the GAO know what you think. Write to yellowbook@gao.gov by November 22 to have an impact on the next revision.

If you want to discuss the major differences between the Yellow Book and the Red Book – attend the 2010 Single Audit and Government Conference in Austin and catch Helen Young and me arguing over which standard is best. We had a huge laugh fest last week talking about our opposing views on the red book and yellow book. For more info, see: http://www.tscpa.org/Public/Catalog/CourseDetails.aspx?courseID=11CGC01

Sunday, November 7, 2010

The GAO's Proposed Independence Standard is a Rehash

The GAO issued a proposed revision of the Yellow Book a few weeks ago and most of the revision is less than noteworthy. The GAO is cleaning things up, reorganizing, and syncing up its language with the AICPA.

On first blush - I thought the revision to the independence standard was the biggest change and would have the biggest impact on CPAs in public practice. But today, I find that the GAO is simply repeating what the AICPA has been saying all along regarding independence in its Code of Professional Conduct... please see http://www.aicpa.org/Research/Standards/CodeofConduct/Pages/et_101.aspx#et_101

and compare and contrast that with the start of chapter 3 in the proposed Yellow Book revision at http://www.gao.gov/new.items/d10853g.pdf

I knew, from hearing Marcia Buchanan (GAO project manager for GAGAS... aka the Yellow Book) speak, that they had plucked the most difficult controversial quote directly from the AICPA standards. Here is a quote from the 2010 revision:

GAGAS 3.46 Management is responsible for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework. Consequently an auditor’s acceptance of responsibility for the preparation and fair presentation of financial statements that the auditor will subsequently audit would impair the auditor’s independence. Auditors should determine that audited entity management taking responsibility for the preparation and fair presentation of the financial statements possesses suitable skill, knowledge, and/or experience to evaluate the adequacy of any services in this area provided by the auditor.

But this sounds so much like the AICPA, I am afraid it won't change anyone's actual behavior when it comes to both creating and auditing the financial statements.


AICPA CODE OF ETHICS .05 101-3—Performance of nonattest services.

General Requirements for Performing Nonattest Services

1. The member should not perform management functions or make management decisions for the attest client. However, the member may provide advice, research materials, and recommendations to assist the client's management in performing its functions and making decisions.

2. The client must agree to perform the following functions in connection with the engagement to perform nonattest services:

a. Make all management decisions and perform all management functions;

b. Designate an individual who possesses suitable skill, knowledge, and/or experience, preferably within senior management, to oversee the services;

c. Evaluate the adequacy and results of the services performed; and

d. Accept responsibility for the results of the services;

The member should be satisfied that the client will be able to meet all of these criteria and make an informed judgment on the results of the member's nonattest services. In assessing whether the designated individual possesses suitable skill, knowledge, and/or experience, the member should be satisfied that such individual understands the services to be performed sufficiently to oversee them. However, the individual is not required to possess the expertise to perform or re-perform the services.

In cases where the client is unable or unwilling to assume these responsibilities (for example, the client does not have an individual with suitable skill, knowledge, and/or experience to oversee the nonattest services provided, or is unwilling to perform such functions due to lack of time or desire), the member's provision of these services would impair independence.

See... very similar.

What does all of this mean, bottom line? Well, I guess we won't know for sure until the fat lady sings... or until the GAO finalizes the standard in February. I know that many CPAs really aren't interested in giving up their financial statement drafting gig and so will read the standard to their own advantage. And the GAO has left them some wiggle room.

If you have an opinion, now is the time to voice it. Write to yellowbook@gao.gov to give the folks at the GAO a piece of your mind... if you can spare it today, that is.


Friday, November 5, 2010

Observations From a Few Courses

At the end of August, I taught two days for a chapter of the Texas Society of CPAs. One topic was "Planning an Audit: Yellow Book Style." The other was, "Government Financial Statement Analysis."

1. In the audit planning course, I talk about how SAS 117 allows auditors to apply the risk assessment standards to the Single Audit. We now officially have the ability to use our professional judgment to reduce our effort on the low impact requirements and choose to spend more time on the more significant compliance requirements. During the class, I use a lame but useful analogy. My step-mother is a fabulous cook - Paula Deen style. Collard greens, black eyed peas, corn bread, cheese grits, Boston butt... southern culinary extravagance. And when I visit her, I COULD partake of everything she offers. But, since I am in my mid-40's - my Leita butt (not from Boston) doesn't look good if I eat everything. So, I have to make some hard choices. I can live without cheese grits, but I can't live without black eyed peas. I have a limited calorie intake - so I have to choose carefully. I have a spoonful of grits, but a bowl full of black eyed peas and cornbread. And am I happy? Heck yeah!

Auditors who work for CPA firms doing federal compliance audits face the same dilemma. They have bid a certain amount on the job and they need to work within those constraints or they will lose money. CPA firms can't cover every single federal requirement in great detail. Notice, please, that I did not include government (internal, state, or federal) auditors in this category. From my experience, few of them set limits on how long projects need to take and can get as `fat' as they want!

One participant in my course, an auditor at a CPA firm, who was auditing the Head-Start program at a daycare, was very excited by this revelation. He needed to cut back on his work, and the AICPA's risk assessment formula gave him justification for doing just that. Take that boring stuff off your plate! You can't afford the calories.

2. During the government financial statement analysis course, I asked the crowd five questions about government financial statements - such as "Which of these funds is a proprietary fund?" and the like. And guess what? Only a third of them knew the answers. One gentleman, who had been doing government audits for 20 years, missed every single question. WHAT? I hope he was just having a bad day or barely paying attention.

Many of the audience were newbies. And I am very glad to talk to them. Unfortunately, many CPA firms send green auditors out to do small municipalities and not-for-profits and reserve their more experienced staff for larger, riskier projects. Where does that leave the citizen in a small city? With inaccurate, uninterpreted financial statements. One city that we analyzed disclosed the same per capita income of $57,000 per citizen for the past 10 years. Unlikely.

Who else is going to hold these small governments and not-for-profits accountable, if not us? And since we both create and audit the financial statements (a practice that the GAO is doing its best to put a stop to) - who is truly watching the financial operations of a government? If we send our least experienced staff to the gig - to work with the CRAZILY complicated, post GASB-34 financial statements, who is going to catch these sorts of errors? The GAO says in the 2007 version of the yellow book that "Auditing is essential to government accountability to the public." A pretty serious responsibility.

How easy it is for me to look at the game after it is all over and criticize. And - do not mistake me. I am not claiming to be Christ-like. As a matter of fact, I am quite a screw-up. But, on our journey to be the best professionals we can be, I think we can use a little redirecting occasionally. Compliance audits can and should be risk based and a newbie should not be sent out to take care of a government audit.

Proposed Yellow Book out as of 8/23/10

It's here! http://www.gao.gov/new.items/d10853g.pdf

The most significant proposed change is to independence. Otherwise, the standards have been reorganized and pared down. If the AICPA already says it - the GAO doesn't have to repeat it.

The GAO makes clear their disdain for both drafting and auditing financial statements. Hallelujah!

More later as I dissect it and teach it!