GAO Yellow Book Standards and Independent Review Organizations

Thomas Herrmann | February 2010

The heightened focus on health care fraud, waste, and abuse at both the Federal and State levels in recent years has resulted in increasing numbers of voluntary settlements by health care providers subject to enforcement actions. A growing number of Federal settlement agreements are now executed along with a separate Corporate Integrity Agreement (CIA) with the HHS Office of Inspector General (OIG) leading to the formation of GAO Yellow Book standards for independent review organizations.

A CIA is essentially a contract between a health care entity and the OIG. Under a CIA, a health care provider agrees to assume certain compliance obligations with respect to its future participation in Federal health care programs in exchange for the OIG’s agreement not to exclude the provider or entity from participation under its statutory authority. [1]

A CIA is usually five years in duration and is intended “to ensure the integrity of Federal health care program claims submitted by [a] provider” in future years. [2] Generally, a CIA contains a number of compliance requirements, including the retention of an Independent Review Organization (IRO) to review future claims submitted to Federal health care programs, or perform other system, arrangement, or transaction reviews. [3]

The retention of a properly qualified IRO to audit/review compliance with the terms of a CIA is a critical issue. Often overlooked in the selection process is the obligation for an IRO to conduct its review in accordance with “Generally Accepted Government Audit Standards” (“GAGAS”), as established by the General Accountability Office (GAO). The failure of an IRO to understand and apply these standards may result in continued problems.

First, the OIG will not receive adequate assurances that a health care organization is in compliance with all the requirements for continued participation in Federal health care programs.  And second, the health care entity will not receive an independent, objective, and comprehensive review of its operations, and identification of deficiencies needing remediation. This can lead to further engagements with Governmental enforcement authorities.

This article focuses on the GAGAS standards governing the review activities of an IRO, and the criteria to be used by both a health care organization in selecting an IRO and the OIG in approving a particular IRO.


On July 30, 2001, the OIG, in conjunction with the Health Care Compliance Association (HCCA) co-sponsored a “Government-Industry Roundtable” to discuss “issues surrounding the implementation and maintenance of effective compliance programs.” [4] Specifically addressed in the discussion was the OIG’s requirement, in the context of health care fraud and abuse settlements, that an IRO be retained by a health care entity to perform annual billing, systems, and/or other compliance reviews. Participants recognized that:

The OIG requires IROs because the OIG does not have the resources to conduct the level of review necessary to determine if a provider is meeting the requirements of the CIA as well as other Federal health care program requirements. Additionally, a review by an independent entity provides the OIG with assurances that a provider’s compliance program and billing systems are objectively reviewed. [5]

Roundtable participants referenced a number of advantages associated with using an IRO. “IROs provide a broad industry perspective and expertise, are independent, help identify system weaknesses, make helpful recommendations, and their reviews serve as a useful benchmark for future reviews conducted by the provider.” [6]

OIG Requirements for IRO Independence

The obligations for an audit/review organization, such as an IRO, to meet “independence” standards are referenced in GAGAS, as set forth by GAO in its “Yellow Book.” These standards are applicable to financial audits, typically performed by Certified Public Accountants (CPAs), attestation engagements, and performance audits, which may be undertaken by professionals such as consultants and lawyers. [7]

The great majority of CIAs do not mandate financial audits, but are rather focused on performance audits, i.e., those involving claims, systems, or arrangements with referral sources that may implicate the Anti-Kickback Statute and Stark Law. [8]

From the perspective of the OIG, it is essential that an IRO conduct its reviews with both independence and objectivity. A standard requirement in an OIG CIA is that “[t]he IRO must perform [its] review in a professionally independent and objective fashion, as appropriate to the nature of the engagement, taking into account any other business relationships or engagements….”

Typically, the IRO is obligated to provide a certification regarding its professional independence and objectivity. Further, the usual CIA specifies that “[i]n the event OIG has reason to believe that the IRO . . . is not independent and objective . . . , the OIG may, at its sole discretion, require” the engagement of a new IRO. [9]

The OIG has stated that an IRO should follow “the standards for auditor independence set forth in the General Accounting Office (GAO), Government Auditing Standards (2003 Revision).” [10] The OIG has indicated that, under these standards, “CIA reviews would be considered performance audits and IROs would be subject to the independence standards set forth in the Yellow Book that relate to performance audits.” [11]

In referencing the GAO Yellow Book’s applicability to IRO independence, the OIG has further noted:

When assessing independence, the two overarching principles that must be considered are that: (i) audit organizations should not perform management functions or make management decisions; and (ii) audit organizations should not audit their own work or provide non-audit services in situations where the non-audit services are significant/material to the subject matter of the audits. [12]

The GAO Yellow Book Standards

The GAO Yellow Book, first issued by the Comptroller General of the United States in 1972, is intended to:

  • Address the unique requirements of governmental entities;
  • Establish general standards for both governmental and nongovernmental auditors performing audits in accordance with GAGAS;
  • Supplement field work and reporting standards of the AICPA Auditing Standards Board; and
  • Establish field work and reporting standards for performance audits. [13]

In July 2007, the GAO issued its fourth revision of the “Yellow Book” standards.  With respect to performance audits, such as those performed by IROs, the new standards are applicable to those undertaken on or after January 1, 2008. [14]

The latest edition of the Yellow Book reinforces the principles of transparency, accountability, and quality in government auditing.  There is an increased emphasis placed on governing ethical principles, clarification of the impact of performing non-audit services on auditor independence, and enhancement of performance audit standards.

In issuing the 2007 edition, Comptroller General David M. Walker noted that the revision sets forth “changes from the 2003 revision that reinforce the principles of transparency and accountability and provide the framework for high-quality government audits that add value.” [15] A summary of the key Yellow Book principles that are applicable to performance audits undertaken by IROs, pursuant to CIAs, follows.

1. Use and Application of GAGAS

Chapter one of the updated Yellow Book highlights the GAGAS standards, and states that they “provide a framework for conducting high quality government audits and attestation engagements with competence, integrity, objectivity, and independence.” [16]

It notes further that “GAGAS contain requirements and guidance dealing with ethics, independence, auditors’ professional competence and judgment, quality control, the performance of field work, and reporting.” [17] It explains:

Performance audits are defined as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria, such as specific requirements, measures, or defined business practices.

Performance audits provide objective analysis so that management and those charged with governance and oversight can use the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. [18]

For performance audits, such as those undertaken by IROs, the revised Yellow Book indicates that certain other standards may also be utilized by reviewers in conjunction with GAGAS:

  • International Standards for the Professional Practice of Internal Auditing;
  • Guiding Principles for Evaluators;
  • The Program Evaluations Standards; and
  • Standards for Educational and Psychological Testing. [19]

2. Ethical Principles

Chapter two of the revised Yellow Book sets forth ethical principles to provide a foundation, discipline, and structure for an audit/review entity in applying GAGAS. It notes that “[e]thical principles apply in preserving auditor independence, taking on only work that the auditor is competent to perform, performing high-quality work, and following the applicable standards cited in the audit report.”

Further, “[i]ntegrity and objectivity are maintained when auditors perform their work and make decisions that are consistent with the broader interest of those relying on the auditors’ report, including the public.” [20] The following ethical principles are specified as guiding the work of reviewers and auditors and need to be both considered and addressed by an organization serving as an IRO:

  • The public interest;
  • Integrity;
  • Objectivity;
  • Proper use of government information, resources, and position; and
  • Professional behavior. [21]

3. General Standards

Chapter three of the Yellow Book update specifies general standards applicable to performing audits and reviews consistent with GAGAS.  These standards focus on:

  • Independence of the audit organization and individual auditors;
  • The exercise of professional judgment in the performance of work;
  • The competence of auditors/reviewers; and
  • Quality control and assurance, as well as external peer review.  [22]

While all of these factors are critical to the activities of an IRO, of fundamental importance is the concept of “independence.” “[T]he audit organization and individual auditor . . . must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments to independence.” [23] The importance of “independence” is further highlighted:

Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information.

Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work. [24]

Key challenges to auditor independence are personal impairments, external impairments, and organizational independence. Critical to assessing “organizational independence” is determining whether the audit organization also performs other professional, or non-audit services, for the audited entity. The Yellow Book advises that:

External audit organizations can be presumed to be free from organizational impairments to independence when the audit function is organizationally placed outside the reporting line of the entity under audit and the auditor is not responsible for entity operations. [25]

The revised Yellow Book sets forth two basic principles for determining auditor independence when assessing the impact of performing a non-audit service for an audited entity:

  • The audit organization must not provide non-audit services that involve performing management functions or making management decisions; and
  • The audit organization must not audit its own work or provide non-audit services in situations in which the non-audit services are significant or material to the subject matter of the audit. [26]

In the context of these “overarching principles,” the OIG has identified certain situations where an IRO’s independence might be compromised because of its prior relationship and work for an audited provider:

If the provider were to outsource its internal compliance audit function to the IRO, either before or after the execution of the provider’s CIA, the IRO’s independence likely would be impaired for purposes of conducting the provider’s CIA reviews. This is the case because internal audit is a management function and the outsourcing of the internal compliance audit function likely would result in the IRO auditing its own work as part of the CIA reviews. [27]

The OIG has stated that the most important consideration in assessing IRO independence “is whether the IRO is involved in performing a management function or making management decisions for the provider.”

It notes that “if the IRO participates in any form of decision-making . . . the IRO likely would be precluded from performing the CIA reviews because the IRO is in the position of making management decisions for the provider.” [28]

4. Field Work Standards for Performance Audits

Chapter seven of the revised Yellow Book sets forth field work standards and provides guidance for performance audits conducted. These standards include planning the audit, supervising staff, obtaining sufficient and appropriate evidence, and preparing audit documentation. Critical to establishing and following these standards are the following concepts:

  • Reasonable assurance;
  • Significance; and
  • Audit Risk. [29]

A performance audit, such as an IRO review, must “provide reasonable assurance that evidence is sufficient and appropriate to support the auditors’ findings and conclusions.” [30] “Significance is defined as the relative importance of a matter with the context in which it is being considered, including quantitative and qualitative factors.” [31]

And audit risk is “the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete.” [32] Thus, the IRO, in planning and conducting its review, must be cognizant of these factors and ensure that the review process and findings are in accord with these principles.

5. Reporting Standards for Performance Audits

Chapter eight of the revised Yellow Book sets forth the form of the report, the report contents, report issuance, and distribution. [33] Critical to issuance of an IRO report is the presentation of “sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives.” [34]

Observations and Conclusions

The HHS OIG has expressly adopted the GAO Yellow Book standards as governing IROs. Accordingly, the current Yellow Book provisions need to be carefully reviewed and followed by a health care entity in selecting an organization to serve as an IRO. Moreover, the Yellow Book standards need to be recognized and followed by an IRO in conducting its activities.

Critical to successful compliance with the terms of a CIA with the OIG is ensuring that mandated IRO reviews are conducted in an independent, objective and comprehensive manner. This is necessary in order to provide assurances to the Government that a health care entity is qualified, capable, and competent to continue participating in Federal health care programs. Both the OIG and the subject health care entity are reliant upon an IRO’s commitment and capability to conduct its reviews in accordance with the GAGAS standards.

Therefore, the Yellow Book standards must be recognized and adhered to by the IRO retained by a health care entity subject to an OIG CIA. In light of this, any health care entity that is subject to a CIA should address the following questions when selecting an IRO:

  • Does a review organization have knowledge of and past experience in applying the GAGAS standards to its audits and reviews?
  • Are there any constraints on an organization’s independence and objectivity in conducting OIG mandated reviews as set forth in a CIA, either in terms of past or current engagements with the health care organization or other industry activities?
  • Does the audit/review organization have the capability, capacity, and competence to perform the OIG required performance audits, e.g., claims, systems, or arrangements review?
  • Does the organization have quality control and assurance procedures to ensure the reliability and integrity of its audits/reviews?
  • Can the audit/review organization certify and attest that it has conducted its review in accordance with GAGAS, as set forth in the revised GAO Yellow Book? [35]

[1] 42 USC 1320a-7a.

[2] 74 Fed. Reg. 52965.


[4] “Building a Partnership for Effective Compliance,” The Third Government-Industry Roundtable.

[5] Id. at 2.

[6] Id.  at 3.

[7] Government Auditing Standards, July 2007 revision, § 1.20, at 23 (GAO-07-731G) (“Yellow Book”).

[8] 42 USC 1320a-7b(b), 42 USC 1395(a).


[10] “Frequently Asked Questions Related to IRO Independence,”  The author notes that the referenced  GAO Government Auditing Standards were updated by the U.S. Government Accountability Office in a July 2007 Revision.  See Publication GAO-07-731G.

[11] Id.

[12] Id. at 1-2.

[13] Presentation by W. A. Broadus Jr., CPA, CGFM, September 21, 2009.

[14] Yellow Book at 3.

[15] Id. at 2.

[16] Yellow Book at 5-6.

[17] Id.

[18] Id.  at 17.

[19] Id. at 12.

[20] Id.  at 24.

[21] Id.  at 25.

[22] Id.  at 29.

[23] Id.

[24] Id.

[25] Id. at 36.

[26] Id. at 41.

[27] Frequently Asked Questions Related to IRO Independence at 7,

[28] Id.  at 5.

[29] Yellow Book at 122.

[30] Id.

[31] Id.  at 123.

[32] Id.

[33] 160.

[34] Id. at 163.

[35] Yellow Book at 169.

About the Author

Thomas Herrmann advises health care clients on compliance and regulatory matters, with a focus on development and management of effective health care compliance programs. Mr. Herrmann is a recognized expert on issues related to the federal Anti-Kickback Statute, Stark Law and the False Claims Act.