Uncategorized

Yellow Book (GAGAS) Audit: Government Auditing Standards, Independence, CPE Requirements

A Yellow Book audit GAGAS engagement follows Generally Accepted Government Auditing Standards, the rules the Government Accountability Office sets for audits of government money. The standards raise the bar on independence well above the ordinary AICPA rules and impose a distinct continuing education requirement. The 2024 revision, the first major update since 2018, is now taking effect.

Key takeaways

  • The Yellow Book is the common name for Government Auditing Standards (GAGAS), issued by the U.S. Government Accountability Office under the authority of the Comptroller General.
  • GAGAS applies to audits of federal, state, and local government entities and to many entities receiving government funds, including every single audit under Uniform Guidance.
  • GAGAS independence runs on a conceptual framework: the auditor must identify threats, evaluate their significance, and apply safeguards, with particular attention to nonaudit services performed for an audited entity.
  • Auditors must complete 80 hours of continuing professional education every two years, of which 24 hours must directly relate to government auditing or the entity’s environment, per the GAGAS CPE requirement.
  • The 2024 revision is generally effective for financial audits, attestation engagements, and reviews of financial statements for periods beginning on or after December 15, 2025, and for performance audits beginning on or after December 15, 2025; early implementation is permitted.

What is a Yellow Book GAGAS audit?

The Yellow Book is the publication that contains Generally Accepted Government Auditing Standards, known by the acronym GAGAS. The Government Accountability Office issues it under the authority of the Comptroller General of the United States. The nickname comes from the document’s historically yellow cover. When an engagement is described as performed “under the Yellow Book” or “in accordance with GAGAS,” it means the auditor followed these standards in addition to the underlying AICPA or other professional standards.

GAGAS does not replace generally accepted auditing standards; it builds on them. A Yellow Book financial audit incorporates the AICPA standards and then adds government-specific requirements on independence, competence, quality, and reporting. The result is a more demanding engagement. The standards cover several engagement types: financial audits, attestation engagements, reviews of financial statements, and performance audits, which examine whether a program is operating economically, efficiently, and effectively.

The Yellow Book matters most where public money is at stake. Government bodies, the auditors who serve them, and the recipients of federal grants all operate within it. It is the foundation beneath the single audit and beneath much state and local audit work, and it is enforced through peer review and grantor oversight.

Who needs it

GAGAS applies whenever a law, regulation, contract, grant agreement, or policy requires it. The clearest case is the single audit: every single audit under Uniform Guidance must be performed in accordance with the Yellow Book, because 2 CFR Part 200 incorporates GAGAS by reference. A nonprofit or local government that crosses the federal-award threshold and needs a single audit therefore needs a Yellow Book auditor.

Beyond single audits, many federal program statutes, state laws, and grant agreements require GAGAS audits. State and local governments often must have their financial statements audited under the Yellow Book. Recipients of certain HUD, Department of Education, and other federal program funds face Yellow Book audit requirements written into their grant terms. Some loan covenants and bond indentures also call for it.

The auditor performing a Yellow Book engagement must be an independent public accountant or a government audit organization that meets the standards’ competence and independence rules. Not every CPA firm performs Yellow Book work, because the engagement carries the extra CPE, independence, and peer review obligations described below. This is one of the lines that distinguishes specialized assurance practices from those that handle only private-company audits, reviews, and compilations.

The reach of GAGAS is also broader than many assume because a requirement can flow downhill through a grant agreement. A subrecipient that receives federal money from a pass-through entity may find a Yellow Book audit obligation written into its subaward, even if the subrecipient itself is below the single audit threshold. Government contracts, state oversight statutes, and bond covenants can all incorporate GAGAS by reference, so the question is never simply whether an organization is itself a government body. The right first step on any engagement touching public money is to read the funding documents, identify whether they invoke Government Auditing Standards, and scope the engagement accordingly before fieldwork begins.

How it works: the mechanics

The most distinctive feature of GAGAS is its independence model. Rather than a list of prohibited relationships, GAGAS uses a conceptual framework. For every engagement, the auditor identifies threats to independence, evaluates whether a threat is significant, and, if so, applies safeguards to reduce it to an acceptable level. The recognized threat categories include self-interest, self-review, bias, familiarity, undue influence, management participation, and structural threats.

The framework bites hardest on nonaudit services. When an audit firm also performs bookkeeping, payroll, or other services for the same client, GAGAS requires the firm to evaluate the resulting self-review and management-participation threats. The firm may not assume management responsibilities, and management must have the skills, knowledge, and experience to oversee the nonaudit service and accept responsibility for the results. If those conditions are not met, the firm cannot perform both the audit and the nonaudit service. This is materially stricter than the general AICPA Code of Professional Conduct and is the issue most frequently flagged in Yellow Book peer reviews.

GAGAS also imposes a competence and continuing education requirement. Auditors who plan, direct, perform, or report on a GAGAS engagement must complete 80 hours of CPE every two years. Of that total, 24 hours must directly relate to government auditing, the government environment, or the specific subject matter of the entity audited. The remaining hours must enhance the auditor’s professional competence. Auditors who charge at least 20 percent of their time to GAGAS engagements are subject to the full requirement.

The competence rule reaches beyond raw hours. GAGAS requires the audit organization to ensure that, collectively, the engagement team has the technical knowledge, skills, and experience needed for the specific engagement, including knowledge of the relevant standards and the subject matter. For a single audit, that means familiarity with Uniform Guidance and the Compliance Supplement, not just general auditing skill. A firm cannot satisfy the requirement by assigning a generalist who has never worked with federal awards; if the in-house competence is not there, the firm must obtain it, whether through training, hiring, or engaging a specialist, before accepting the engagement.

Quality and peer review sit on top. An audit organization performing GAGAS work must establish a system of quality management and must have an external peer review at least once every three years. The peer review tests whether the firm’s GAGAS engagements complied with the standards, and the results affect the firm’s ability to keep doing government work. For financial audits, GAGAS also requires the auditor to report on internal control over financial reporting and on compliance, which parallels and informs internal-control-focused engagements such as the PCAOB AS 2201 integrated audit in the public-company world, though GAGAS reporting follows its own model. Readers looking for the surrounding government and assurance topics can start at our accounting learning hub.

GAGAS requirements at a glance

Requirement GAGAS rule Contrast
Independence Conceptual framework: identify, evaluate, safeguard threats Stricter than AICPA, especially on nonaudit services
Nonaudit services Evaluate self-review and management-participation threats; client must have skills to oversee AICPA permits a broader range without the same documentation
CPE 80 hours every 2 years, 24 government-specific AICPA generally 40 hours per year, no government carve-out
Peer review External peer review every 3 years Same cycle as AICPA but with GAGAS-specific scope
Reporting (financial audits) Report on internal control and on compliance Beyond a standard GAAS opinion
2024 revision effective date Periods beginning on or after Dec 15, 2025 (financial/attest/review and performance audits) Replaces the 2018 revision

Worked example

Assume Hartwell & Pine CPAs is engaged to audit the financial statements of a county housing authority that expends $1.8 million in federal awards. Because the authority crosses the single audit threshold and the federal funds carry Yellow Book terms, the engagement must be performed under GAGAS.

First, the firm tests its independence. It has historically prepared the authority’s annual financial statements, a nonaudit service. Under the GAGAS framework, financial statement preparation creates a significant self-review threat. Hartwell & Pine evaluates whether the authority has an employee with sufficient skill, knowledge, and experience to review and accept responsibility for the statements. The finance director is a licensed accountant who can do so, so the firm documents that safeguard, confirms it is not assuming management responsibility, and proceeds. Had the authority lacked such a person, the firm would have had to choose between preparing the statements and performing the audit.

Second, the firm confirms its engagement team meets the 80-hour CPE requirement, with at least 24 hours of government-specific training in the current two-year window. Third, because this is a GAGAS financial audit feeding a single audit, the firm issues a report on internal control over financial reporting and on compliance, in addition to its opinion on the financial statements. Finally, the firm’s most recent peer review, within the past three years, covered GAGAS engagements, so it is eligible to perform the work.

Recent changes 2024 to 2026

The GAO issued the 2024 revision of Government Auditing Standards on February 1, 2024, the first comprehensive update since 2018. The revision is generally effective for financial audits, attestation engagements, and reviews of financial statements for periods beginning on or after December 15, 2025, and for performance audits for periods beginning on or after December 15, 2025. Early implementation is permitted, so some 2025 engagements already apply it.

The central change is a new requirement to design and implement a system of quality management, aligning GAGAS with the AICPA’s quality management standards (SQMS) and the international equivalents. Audit organizations must have the new system in place by December 15, 2025, and must complete an evaluation of the system’s operation within one year of that date. The revision also updated and clarified the standards on key audit matters in certain engagements, modernized terminology, and refined the discussion of waste and the auditor’s responsibilities for fraud.

The 2024 revision retained the core architecture that practitioners know: the conceptual independence framework, the 80-hour CPE rule with its 24-hour government component, and the three-year peer review cycle. Firms doing government work in 2025 and 2026 should confirm whether their engagements fall under the 2018 or 2024 standards based on the period covered, since the effective date keys to periods beginning on or after December 15, 2025.

The quality management shift is the part firms should plan for now rather than later. Under the 2018 standards, an audit organization maintained a system of “quality control.” The 2024 revision replaces that with a system of “quality management” built on a risk-based approach: the firm identifies the quality risks specific to its practice, designs responses to those risks, and then evaluates how the system actually operated. This mirrors the AICPA’s Statements on Quality Management Standards and the international ISQM model, so multi-service firms can align their government and non-government quality systems. The catch is timing. A firm must have the new system designed and implemented by December 15, 2025, and must perform its first evaluation of the system within one year after that date, which means the work cannot wait until a peer reviewer asks for it.

Common pitfalls

Frequently asked questions

What is the Yellow Book?
It is the common name for Government Auditing Standards (GAGAS), issued by the U.S. Government Accountability Office. It sets the rules for audits of government entities and many entities receiving government funds.
When does GAGAS apply?
Whenever a law, regulation, contract, or grant agreement requires it. The clearest case is the single audit, which 2 CFR Part 200 requires to be performed under the Yellow Book. Many state and local audits and federal grant audits also require GAGAS.
How is GAGAS independence different?
It uses a conceptual framework requiring auditors to identify threats, evaluate their significance, and apply safeguards, with heightened scrutiny of nonaudit services. It is stricter than the general AICPA independence rules.
What is the CPE requirement?
Auditors on GAGAS engagements must complete 80 hours of continuing professional education every two years, of which 24 must directly relate to government auditing or the audited entity’s environment.
How often is peer review required?
A GAGAS audit organization must undergo an external peer review at least once every three years, and the review specifically tests GAGAS engagement quality.
How does the Yellow Book relate to the single audit?
Every single audit must be performed in accordance with GAGAS. The Yellow Book financial audit is the foundation, and the compliance audit of major programs sits on top of it under Uniform Guidance.
When is the 2024 revision effective?
Generally for financial audits, attestation engagements, and reviews of financial statements for periods beginning on or after December 15, 2025, and for performance audits for periods beginning on or after the same date. Early implementation is allowed.
Can the same firm audit and do bookkeeping for a government client?
Only if the firm evaluates the self-review and management-participation threats, confirms the client has someone able to oversee and accept responsibility for the nonaudit work, and applies safeguards. If those conditions fail, the firm cannot do both.

Bottom line

The Yellow Book is the rulebook for auditing government money, and GAGAS layers heightened independence, an 80-hour CPE requirement, and triennial peer review on top of ordinary auditing standards. It underpins every single audit, and the 2024 revision, effective for periods beginning on or after December 15, 2025, adds a formal system of quality management to the existing framework.

Sources and methodology

This article relies on primary sources: the GAO Government Auditing Standards (the Yellow Book), 2018 and 2024 revisions, including the independence conceptual framework, the CPE requirement, and the peer review requirement; the GAO press release and Federal Register notice for the 2024 revision (effective for periods beginning on or after December 15, 2025); and 2 CFR Part 200, which incorporates GAGAS into the single audit. Effective dates and the quality management requirement were verified against GAO’s 2024 issuance.