Eric Millbrook

Towson University Management Advisory and Compliance Services

6/18/14

Differences and Similarities between GAO GAGAS and IIA IPPF
The following table includes the major differences between the Governmental Accountability
Offices Generally Accepted Government Auditing Standards (GAGAS) and the Institute of Internal
Auditors International Professional Practices Framework (IPPF). In cases where both frameworks might
be applied, the shaded cell indicates the more rigorous or extensive ruling on the subject, and therefore
the one that ought to be followed to ensure compliance with both standards. Unshaded cells should
still be considered as requirements, and in cases where there is no shaded cell on the GAO or IIA side,
neither organization has the greater weight of consideration.

Items GAO IIA
Organization Responsible U.S. Governmental Accountability
Office
Institute of Internal Auditors
Reporting Standards The Generally Accepted
Government Auditing Standards
the Yellow Book
The International Professional
Practices Framework the Red
Book
Reports to U.S. Congress Independent
From where new and
Updated Standards come
The comptroller general appoints an
Advisory Council on Governmental
Auditing Standards to assist him/her
with his/her decisions on new and
updated standards.
The International Internal Audit
Standards Board (IIASB)
coordinates with the Professional
Issues Committee (PIC), the Public
Sector Committee (PSC) and the
International Professional Practices
Framework Oversight Council
(IPPFOC) to establish new and
updated standards.
Scope of compliance U.S. Federal, State, and Local
governmental agencies, and
international governmental bodies
and agencies, even where there is
no legal requirement to do so.
Foreign and domestic internal
auditors, plus some governmental
agencies in addition to compliance
with GAGAS,
Composition 7 Chapters:
1. Foundation and Ethical
Principles
2. Standards for Use and
Application of GAGAS
3. General Standards
4. Standards for Financial
Audits
5. Standards for Attestation
Engagements
6. Field Work Standards for
Performance Audits
7. Reporting Standards for
Performance Audits
3 Documents
1. Definition of Internal
Auditing
2. Code of Ethics
3. International Standards for
the Professional Practice of
Internal Auditing

Also available are Strongly
Recommended Guidance,
containing Practice Advisories,
Practice Guides, and Position
Papers.
Consulting Any service that is not an audit or
attestation service is a nonaudit
service.
Contained within the definition of
Internal Auditing; defined as
advisory and related client service
activities without the internal
auditor assuming management
responsibility.
Independence in
performance of Audit
Services
Auditors must be independent of
mind and independent in
appearance. Auditors should be
independent from the audited entity
during the time that falls within the
period covered by the subject
matter of the audit and the period
of the professional engagement.
IIA Standard 1130.A1 states: an
internal auditors objectivity is
presumed to be impaired if an
internal auditor provides assurance
services for an activity for which
the internal auditor had
responsibility within the previous
year.
Standard 1130.C1 allows for
consulting services, however.
Independence in
performance of Nonaudit
Work
Any impairment to Independence or
Objectivity must be disclosed and
the GAGAS compliance statement
altered accordingly.
- Identification of 7 Specific Threats
to Independence:
1. Management
Responsibilities
2. Preparing Accounting
Records and Financial
Statements
3. Internal Audit Assistance
Services Provided by
External Auditors
4. Internal Control Monitoring
as a Nonaudit Service
5. Information Technology
Systems Service
6. Valuation Services
7. Other Nonaudit Services
Any impairment to Independence
or Objectivity must be disclosed.
Code of Ethics
requirements
GAGAS 1.12 states ethics is a
matter of personal and
organizational responsibility. It
puts ethical principles in the context
of serving broader, including public,
interests.
GAGAS 1.13 stipulates the
requirements for Govt. Auditors to
follow the ethical codes and
requirements of other professional
organizations or licensing bodies
(such as the IIA)
The Code of Ethics is specifically
stated, with four guidelines and the
responsibilities of internal auditors
relating to each. IPPF Statement
2110.A1 adds the additional
requirement for auditors to
evaluate the design,
implementation, and effectiveness
of the organizations ethics-related
objectives, programs, and
activities. This suggests a periodic
evaluation of the ethics program as
a whole, which is beyond the
GAGAS requirements.
Risk Assessment for
Overall Auditing Plan
No written requirements for an
overall auditing plan.
Must have a documented risk
assessment, done at least annually,
upon which to base an audit plan.
Must also include the input of
senior management and the board
of directors.
External Quality Assurance Independent QA Review required
every three (3) years.
Independent QA Review required
every five (5) years.
Internal Quality Assurance Monitoring procedures must be
published annually.
Monitoring required, but no time
frame set.
Referencing Standards in
an Internal Audit Report
Must include a GAGAS compliance
statement in the audit report.
Only include an IPPF compliance
phrase if an external review has
determined that the internal audit
activity is in conformance with the
Standards, Definition of Internal
Auditing, and Code of Ethics of the
IIA.
Fraud Risk Reporting GAGAS 6.30 32 outline a
definition for fraud, procedures to
detect fraud risk, and steps to assess
fraud within the context of the audit
objectives. GAGAS Appendix 1.09
gives fourteen examples of
indicators of fraud risk.
The IIA posted in 2009 a Practice
Guide for Fraud, which is Strongly
Recommended Guidance. The
IPPF only mentions fraud in the
overarching discussions of risk.
Follow-up Audits GAGAS A1.08 states that
Managements responsibility
includes: addressing the findings
and recommendations of auditors,
and for establishing and maintaining
a process to track the status of such
findings and recommendations. It
does not, however, contain any
language for the auditors
responsibilities with respect to
previous audits.
IPPF Statement 2500 states
requirements for the Monitoring
Process. The chief audit executive
must establish and maintain a
system to monitor the disposition
of results communicated to
management. Further, The chief
audit executive must establish a
follow-up process to monitor and
ensure that management actions
have been effectively implemented
or that senior management has
accepted the risk of not taking
action.


Additional Information: IIA International Standards and Government Audit Standards (GAGAS) - A
Comparison, 2nd Edition. (Retrievable from: https://na.theiia.org/standards-
guidance/Public%20Documents/IIA%20International%20Standards%20and%20Government%20Audit%2
0Standards%20%28GAGAS%29%20-%20A%20Comparison,%202nd%20Edition.pdf )
Red Book vs. Yellow Book. By james Boyd, Inspector General, Florida Institute of Health; and Sheila
Roberts, Audit Supervisor, Orange County Comptroller. (Retrievable from:
http://c.ymcdn.com/sites/flclerks.site-
ym.com/resource/resmgr/Presentations/RED_BOOK_VS_YELLOW_BOOK.pdf )