Free Consultation
Accounting and
Tax FAQs
Tax Tips
Subscribers' Area
audit skills

Assessing Risk in the Government Environment
Print Articleprint

by Sefton Boyars, CPA, CGFM

October 2009

In conducting audits, we should always be alert to the potential of serious criticism. Failing to follow up on a sensitive area could not only cause us to miss a finding, but might also result in major damage to our audit organization.

Auditors are used to assessing risk when they conduct external audits. Indeed, we must assess risk in order to meet AICPA standards (GAAS) and Yellow Book standards. The standards require auditors to consider the risk to the entity and the areas being audited.

In the governmental environment, auditors cannot look at just financial issues. They also need to consider both:

  • Risks resulting from programmatic deficiencies that may have a much greater financial impact than the cost of the programs themselves

  • Risks to the audit organization because they missed a programmatic deficiency.
    We generally assume that if we conduct our audits in a sound manner, we assume no significant risk. This may not always be the case.

Corruption hits home

For example, John, a hypothetical auditor, is conducting a Single Audit of a city that received grant funds originating from the federal government. In accordance with the Single Audit, John will report on the city's financial statements, its internal controls, and its compliance with the various federal grant requirements.

John conducts a risk assessment in connection with the audit. In looking at the city's activities, John had suspicions of conflict of interest or nepotism, but the amounts involved were relatively minor in comparison to the overall financial statements. They were also relatively minor in connection with the federal grant programs. Accordingly, John decided to forgo testing in that area in favor of issues that involved more significant funds.

John completes the audit, and issues his report. All appears to be fine. However, a month or two after John issued his report, a former city employee who was denied a promotion alerts the local newspaper to the conflicts of interest in the governmental unit. The City Manager had directed consulting contracts to old friends and relatives and had put relatives on the city payroll. The newspaper knows that articles on this topic are popular with its readers, so it decides to issue a series of stories.

A week after the initial articles ran, the newspaper finds out about John's Single Audit. It gets a copy, but sees no findings regarding conflicts of interest or nepotism. A reporter calls John and asks how he could have missed the "corruption at City Hall." John replies that he conducted the audit in accordance with all current audit standards, and cannot comment on issues beyond the scope of his review.

This did not satisfy the reporter, who then brought up a similar, but more serious case in a neighboring town. Because of conflicts of interest, the Mayor of the other town was criminally prosecuted, the City Manager was fired, and two supervisors were recalled. John was pilloried in the press for conducting an audit "with blinders on."

Did John correctly evaluate risk as it related to the city's finances? Very likely. Did he correctly evaluate risk as it related to internal controls and program compliance? Perhaps. But issues like conflicts of interest impact the control environment, and may well have warranted more evaluation. Did he correctly evaluate the risk to his own audit organization? Clearly not.

The issue of risk assessment raises the question of what do we mean by "significance" or "materiality". We usually consider them in connection with financial impact. But, remember, the Yellow Book states that we have to consider both quantitative and qualitative measures when determining significance or materiality. In the governmental arena, programmatic deficiencies that don't involve a large amount of dollars can have immense repercussions.

Safety is bigger than money

For example, imagine that we are auditing a pre-school. Imagine further, that in the last few years, the newspapers reported that another pre-school had released a child to a non-custodial parent. Another set of newspaper reports disclosed that in a third pre-school, a child had wandered off-campus during the day and was hit by a car.

The issue of child safety is probably low on most auditors' risk assessments, but if a child is hurt at a pre-school, the financial effect could be devastating. If it appeared that the school was not taking appropriate precautions, a lawsuit could easily bankrupt it. The media may harshly criticize an auditor who did not identify and report such a potential problem. Of course, if a child is seriously harmed, virtually everyone would consider it significant!

Scenarios such as these lead to two conclusions:

  • In a government environment, risk in connection with social programs is often far greater than the financial cost of those programs.

  • Auditors need to consider whether they put themselves at risk for not examining issues that can generate above average public interest.

Sefton Boyars, CPA, CGFM
Sefton Boyars is a retired GAO auditor living in California. For more information on Sefton or to book him for a seminar, see