This is the accessible text file for GAO report number GAO-06-729G 
entitled 'Government Auditing Standards: 2006 Revision' which was 
released on June 9, 2006.

United States Government Accountability Office: 
GAO: 

By the Comptroller General of the United States: 

June 2006: 

Government Auditing Standards: 

2006 Revision: 

Exposure Draft: 

GAO-06-729G: 

United States Government Accountability Office: 
Washington, DC 20548: 

June 2006: 

To Audit Officials And Others Interested In Government Auditing 
Standards: 

GAO invites your comments on the accompanying proposed changes to 
Government Auditing Standards (GAGAS), commonly known as the “Yellow 
Book.” These changes propose revisions throughout the entire set of 
standards. This letter describes the process used by GAO for revising 
GAGAS, summarizes the proposed major changes, discusses proposed 
effective dates, and provides instructions for submitting comments on 
the proposed standards. 

Process for Revising GAGAS: 

To help ensure that the standards continue to meet the needs of the 
audit community and the public it serves, the Comptroller General of 
the United States appointed the Advisory Council on Government Auditing 
Standards to review the standards and recommend necessary changes. The 
Advisory Council includes experts in financial and performance auditing 
drawn from all levels of government, private enterprise, public 
accounting, and academia. This exposure draft of the standards includes 
the Advisory Council’s suggestions for proposed changes. We are 
currently requesting public comments on the proposed revisions in the 
exposure draft. 

Summary of Major Changes: 

The proposed 2006 revision to GAGAS will be the fifth revision since 
the standards were first issued in 1972. The 2006 Yellow Book exposure 
draft seeks to emphasize the critical role of high quality government 
audits in achieving credibility and accountability in government. The 
overall focus of the proposed 2006 revised standards includes an 
increased emphasis on audit quality and ethics and an extensive update 
of the performance audit standards to include a specified level of 
assurance within the context of risk and materiality. In addition, this 
proposed revision modernizes GAGAS, with updates to reflect major 
developments in the accountability and audit environment. Finally, 
clarifications have been made throughout the standards. 

The standards are organized by separate chapters as follows: 

Chapter 1 – Use and Application of GAGAS: 
Chapter 2 – Auditor’s Ethical Responsibilities: 
Chapter 3 – General Standards: 
Chapter 4 — Field Work Standards for Financial Audits: 
Chapter 5 — Reporting Standards for Financial Audits: 
Chapter 6 – General, Field Work, and Reporting Standards for Attestation
Engagements: 
Chapter 7 – Field Work Standards for Performance Audits: 
Chapter 8 – Reporting Standards for Performance Audits: 
Appendix – Explanatory materials that do not represent GAGAS 
requirements. 

Effective Dates: 

When issued in final, the 2006 revision will supersede the 2003 
revision of the standards. We anticipate that, when finalized, 
standards will become effective for audits beginning on or after July 
1, 2007. For financial audits, certain standards issued by the Auditing 
Standards Board (ASB) of the American Institute of Certified Public 
Accountants have earlier effective dates. For financial audits 
performed under GAGAS, the effective dates of the new ASB standards 
will apply. 

Instructions for Commenting: 

The draft of the proposed changes to Government Auditing Standards, 
2006 Revision, is only available in electronic format and can be 
downloaded from GAO’s Yellow Book Web Page at [hyperlink, 
http://www.gao.gov/govaud/ybk01.htm]. 

We are requesting comments on this draft from audit officials and 
financial management at all levels of government, the public accounting 
profession, academia, professional organizations, public interest 
groups, and other interested parties. To assist you in developing your 
comments, specific issues are presented in an enclosure to this letter,
along with a detailed list of proposed changes. We encourage you to 
comment on these issues and any additional issues that you note. Please 
associate your comments with specific references to issue numbers 
and/or paragraph numbers in the proposed standards and provide your 
rationale for any proposed changes, along with suggested revised
language. Please send your comments electronically to 
yellowbook@gao.gov no later than August 15, 2006. 

If you need additional information, please call Michael Hrapsky, Senior 
Project Manager, Financial Management and Assurance at (202) 512-9535, 
or Jeanette Franzel, Director, at (202) 512-9471. 

Sincerely yours, 

Signed by: 

Jeffrey C. Steinhoff: 
Managing Director: 
Financial Management and Assurance: 

Enclosures: 

[End of section] 

Enclosure 1: 

Questions for Commenters: 

The following discussion and questions are provided to guide users in 
commenting on the proposed 2006 revision of Government Auditing 
Standards. We encourage you to comment on these issues and any 
additional issues that you note. Please associate your comments with 
specific references to issue numbers and/or paragraph numbers in the
proposed standards. 

Chapter 1 – Use and Application of GAGAS: 

1. The section entitled “Use of Terminology to Define Professional 
Requirements in GAGAS” was added to clarify the auditor’s 
responsibilities and to achieve consistency with other standard setting 
bodies. This new section is consistent with the AICPA Statement on 
Auditing Standards (SAS) No. 102, Defining Professional Requirements in
Statements on Auditing Standards, issued by the Auditing Standards Board 
(ASB) of the American Institute of CPAs (AICPA) and with the approach 
taken by the Public Company Accounting Oversight Board (PCAOB). GAGAS 
requirements have also been rewritten in accordance with the 
terminology set forth in this section. This approach is intended to 
clarify auditors’ responsibilities and assist auditors in applying the 
standards. 

Please comment on the application and use of this terminology 
throughout the proposed revision to GAGAS. 

2. The section entitled “Citing Compliance with GAGAS in the Auditor’s 
Report” was added to clarify auditor responsibilities and to provide 
guidance to auditors in situations where they are unable to follow or 
choose not to follow certain standards. Complementary guidance is also 
provided in chapters 5 and 8. Please comment on the application and use 
of this guidance for citing compliance with GAGAS in auditors’ reports. 

Chapter 2 – Auditor’s Ethical Responsibilities: 

3. Chapter 2 is devoted solely to emphasizing the ethical 
responsibilities of government auditors. In the 2003 revision, GAGAS 
made reference to ethical responsibilities throughout Chapter 1. This 
2006 revision adds clarity and emphasis to the discussion of ethical 
responsibilities of government auditors to uphold and protect the 
public trust. This chapter employs a principles-based framework of 
concepts that government auditors use to guide all of their work. 

Please comment on the framework discussed in this chapter. 

Chapter 3 – General Standards: 

4. The discussion of nonaudit services and their impact on auditor 
independence has been significantly streamlined and reorganized from 
the 2003 revision of the standards to provide clarity. The discussion 
is in paragraphs 3.30 through 3.35. Additional information on nonaudit 
services that are generally unique to government audit organizations is 
presented in the appendix, paragraphs A3.02 through A3.03. 

Please comment on the description and categorization of nonaudit 
services and their impact on auditor independence. 

5. The section entitled “Quality Control and Assurance” has been 
expanded to describe the elements that should be present in an audit 
organization’s system of quality control. The addition of the specific 
elements is intended to strengthen the standards and to emphasize 
consistency of quality control standards among government audit 
organizations. 

Please comment on the expanded discussion of audit quality and the 
related elements. 

6. The section dealing with external peer review includes the following 
changes: (1) a transparency requirement that external audit 
organizations performing GAGAS audits make their results of an external 
peer review public, and (2) revision of peer review time frames based 
on risk and the underlying quality assurance system. The transparency 
requirement is intended to increase accountability and emphasize the
importance of quality for audit organizations that perform audits under 
GAGAS. The revisions to peer review time frames are risk based and 
emphasize quality and a rigorous annual inspection program. (The 
previous standard set the same requirement for all audit organizations, 
regardless of peer review results or the underlying quality assurance
system.) 

Please comment on the transparency requirements and the risk-based 
approach to peer review time frames. 

Chapters 4 and 5 – Financial Audits: 

7. The audit documentation standard has been updated and expanded based 
on the ASB’s revised standard, SAS No. 103, Audit Documentation. 
Paragraphs 4.22 through 4.39 are consistent with the AICPA standard. 
Paragraphs 4.40 and 4.41 are additional GAGAS standards to deal with 
unique issues associated with auditing in the government environment. 
The use of these standards is consistent for attest engagements (chapter
6) and performance audits (chapter 7). The overall goal of these 
revisions was consistency with the ASB standard and among the different 
types of GAGAS audits. 

Please comment on the adoption of this standard. 

8. The financial audit reporting standards have been updated to conform 
with the ASB’s and PCAOB’s definitions of material weakness and 
significant deficiency in internal controls. The definitions and 
related guidance are provided in paragraphs 5.13 and 5.14. The overall 
goal of adopting these revised definitions is to achieve consistency 
with the other standards setters. These definitions may be further 
clarified in the future by the other standards-setters, and we will 
continue to work closely with them. The application of these new 
definitions could affect the number and type of internal control 
weaknesses reported in GAGAS audits. 

Please comment on additional clarity or guidance that would assist in 
implementing these new definitions. 

Chapters 7 and 8 – Performance Audits: 

9. The standards for performance audits have been significantly revised 
to include a specified level of assurance within the context of audit 
risk and significance (materiality). 

The level of assurance for performance audits is defined in paragraph 
1.35 and incorporated throughout the performance audit standards in 
chapters 7 and 8. The level of assurance for performance audits is 
achieved within the context of significance (materiality) and audit 
risk. The description of significance and audit risk is included in
paragraphs 7.04 through 7.06, and the standards in chapters 7 and 8 
have been written within this context. 

Please comment on the discussion of levels of assurance, significance, 
audit risk, and their application throughout the performance audit 
standards. 

10. Significant discussion has been added to chapters 7 and 8 about the 
level of evidence needed to achieve the audit objectives in a 
performance audit. This discussion uses the terminology “sufficient, 
appropriate evidence” for consistency with other auditing standards 
setters. The intent of the discussion of sufficient, appropriate 
evidence is to provide clarity and guidance for making professional 
judgments about the levels of evidence needed to achieve the audit 
objectives. 

Please comment on the clarity of the standards and the discussion of 
sufficient appropriate evidence. 

Overall: 

11. The auditor’s responsibility for abuse for financial audits 
(paragraphs 4.18 through 4.20), attestation engagements (6.17 through 
6.22), and performance audits (7.34) has been clarified, but no change 
was made to the auditor’s responsibility for abuse. The changes were in 
response to questions received about implementing the standard on 
abuse. 

Please comment on the clarity of the definition of abuse. Please 
include in your comments any specific examples of abuse you have 
identified, along with supporting audit reports. 

12. An appendix has been added to provide supplemental guidance to 
assist auditors in the implementation of GAGAS. This guidance does not 
establish any additional auditor requirements. 

Please comment on the usefulness and need for the appendix. 

[End of enclosure] 

Enclosure 2: 

Summary of Major Changes: 

Chapter 1 – Use and Application of GAGAS: 

Introduction and Purpose and Applicability of GAGAS were rewritten to 
emphasize the role of auditing in government accountability and the 
role of GAGAS in achieving improved government operations and 
accountability. (1.01 – 1.05) 

Use of Terminology to Define Professional Requirements in GAGAS was 
added to modernize, harmonize, and clarify language used in the 
standards. (1.06 – 1.12) 

* The Public Company Accounting Oversight Board (PCAOB), International
Auditing and Assurance Standards Board (IAASB), and the American 
Institute of Certified Public Accountants (AICPA) have adopted similar 
standards to clarify auditors’ responsibilities. GAGAS terminology is 
consistent with the AICPA’s Statement on Auditing Standards No. 102, 
Defining Professional Requirements in Statements on Auditing Standards. 

* All chapters were significantly revised to clarify auditors’ 
responsibilities and to avoid the confusion that existed in previous 
versions of GAGAS through the use of the passive voice and other 
references that were unclear as to the requirement placed on the 
auditors.

Citing Compliance with GAGAS in the Auditors’ Report provides guidance 
on citing GAGAS in the auditors’ report when auditors do not comply 
with all unconditional or all presumptively mandatory requirements. 
(1.13 – 1.15) 

Relationship Between GAGAS and Other Professional Standards has been
updated to recognize that other sets of professional standards, such as 
those issued by the PCAOB and the IAASB, the Institute of Internal 
Auditors, and others can be used in conjunction with GAGAS and provides 
related guidance. (1.16 – 1.20) 

Types of Government Audits and Attestation Engagements has been 
modified to re-write the description of a performance audit to clarify 
the level of assurance and evidence needed. The concept of equity as a 
potential performance audit objective was incorporated, and examples of 
the types of performance audits were updated. (1.21 – 1.42) 

Chapter 2 – Auditors’ Ethical Responsibilities: 

Chapter 2 has been completely revised to focus solely on audit 
organizations’ overall ethics responsibilities and auditors’ need to 
observe overarching ethical concepts in performing their work. (2.01 – 
2.16) Other materials that had previously been in Chapter 2 have been 
included in Chapter 1 of the draft. 

* Several of the ethical concepts in this chapter were included in the 
2003 GAGAS revision in Chapter 1 under “Auditors’ Responsibilities,” 
but they were not separately labeled as ethical responsibilities. 

* The revised Chapter 2 describes the following ethical concepts that 
auditors use to guide their work: 
- the public interest (2.05 – 2.07); 
- professional behavior (2.08 – 2.09); 
- integrity (2.10 – 2.11); 
- objectivity (2.12); 
- proper use of government information, resources, and position (2.13 –
2.16). 

Chapter 3 – General Standards: 

Independence was reorganized and the guidance on nonaudit services was 
clarified to facilitate implementing the standard. The standard on 
nonaudit services was not changed. Specifically, the discussion of 
nonaudit services was moved from “personal” to “organizational” 
impairments because it is often the audit organization’s independence
that is impaired rather than that of the individual auditor; the 
guidance was reorganized into three categories of nonaudit services; 
and examples that had previously been interspersed throughout the 
independence section were consolidated and streamlined. (3.02 – 3.35)

* The three distinct categories of nonaudit services are:
1. Nonaudit services that do not impair auditor independence and, 
therefore, do not require compliance with the supplemental safeguards. 
(3.30a and 3.31 – 3.32); 
2. Nonaudit services that would not impair independence if supplemental
safeguards are implemented. (3.30b and 3.33);
3. Nonaudit services that impair independence (3.30c and 3.34).

* Additional guidance in the appendix was included to deal with 
nonaudit services that are frequently conducted by government audit 
organizations. (A3.02 – A3.03). 

Professional Judgment was expanded to emphasize its importance and 
relate it to key steps in performing an audit. (3.36 – 3.45) 

Competence was expanded and clarified. (3.46 – 3.58) 

Quality Control and Assurance was expanded to describe five elements 
that should be present in an audit organization’s system of quality 
control: (1) ethics, (2) initiation and continuance of engagements, (3) 
human capital, (4) performance and reporting, and (5) monitoring 
quality. (3.61) 

External Peer Review has been changed to include a transparency 
requirement that audit organizations that report externally to third 
parties make peer review results publicly available (3.68). The section 
also establishes new peer review time frames based on risk and the 
underlying quality assurance system (3.69). Audit organizations are 
required to have a peer review: 

* within 18 months, if the most recent peer review opinion is adverse 
or modified, and every 18 months thereafter until the audit 
organization receives an unmodified opinion; 
* every 3 years if the audit organization has an unmodified peer review 
opinion and does not meet the enhanced quality assurance criteria for a 
5-year cycle or does not choose a 5-year period; 
* every 5 years if the audit organization has an unmodified peer review 
opinion and elects to meet the enhanced quality assurance criteria in 
3.70; 
* developed required enhanced quality assurance criteria for audit 
organizations electing a 5-year peer review cycle, including:
- a publicly available description of the audit organization’s quality
assurance system (3.70a);
- an effective annual internal quality inspection process that meets 
stated criteria (3.70b), and;
- a publicly available annual written assertion that is consistent with 
the results of the audit organization’s monitoring and inspection 
processes about the effectiveness of its quality assurance program 
[3.70b(3)]. 

Chapter 4—Field Work Standards for Financial Audits: 

The following changes have been made to update and clarify the 
standards for field work: 

* update of the AICPA field work standards cited to reflect recent 
AICPA changes (4.04);

* addition of a clear and prominent discussion on consideration of 
fraud and illegal acts which clarifies the existing standard (4.07 – 
4.08);

* clarifications to the description of abuse and the existing standard 
on the auditors’ responsibility for abuse in a financial audit that is 
material, either qualitatively or quantitatively (4.18 – 4.19), and; 

* update of the audit documentation standard for consistency with 
AICPA’s new standard (4.22 – 4.41). 

Chapter 5—Reporting Standards for Financial Audits: 

The following changes have been made to update and clarify the 
reporting standards: 

* update of definitions and terminology for internal control 
deficiencies to achieve consistency with PCAOB and AICPA terminology 
(5.12 – 5.15); 

* clarification of reporting requirements for internal control 
deficiencies, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse (5.12 – 5.27); 

* addition of a section on emphasizing significant matters in the 
auditors’ report (5.28 – 5.31); 

* addition of a section on reporting on restatement of previously-
issued financial statements (5.32 – 5.38), and; 

* clarification of the auditors’ responsibilities for reporting views 
of responsible officials (5.39 – 5.44) and for issuing and distributing 
reports (5.48 – 5.51). 

Chapter 6 – General, Field Work, and Reporting Standards for Attestation
Engagements: 

Conforming changes were made to chapter 6 for consistency with changes 
in chapters 4 and 5. 

Chapter 7 – Field Work Standards for Performance Audits: 

The field work standards for performance audits have been significantly 
revised within a framework related to significance (materiality), audit 
risk, and reasonable assurance. The following changes were made: 

* addition of a section on the concept of significance in a performance 
audit (7.04 – 7.05); 

* addition of a section discussing audit risk (7.06); 

* definition of the level of assurance associated with a performance 
audit as providing reasonable assurance that auditors have adequate 
support to achieve the audit objectives and reach conclusions (7.13); 

* clarification throughout chapter 7 of the levels of evidence needed 
to achieve audit objectives, recognizing that objectives vary and, 
therefore, so will the nature of evidence needed; 

* incorporation of the concept of risk into the auditors’ planning and 
evaluation process; 

* inclusion of a section on information systems controls for the 
purpose of assessing audit risk and planning the audit (7.25 – 7.27); 

* emphasis of auditors’ professional judgment and the focus of audit 
work in relation to the audit objectives; 

* clarification of the auditors’ responsibility for responding to 
indications of potential fraud (7.31 – 7.33); 

* clarification of the auditors’ responsibility for abuse (7.34); 

* incorporation throughout the standard of the concept of “sufficient, 
appropriate evidence” to replace “sufficient, competent, and relevant 
evidence.” This terminology is consistent with other standards setters. 
(7.53 – 7.69)
- Appropriateness is defined as a measure of quality, which encompasses
relevance, reliability, and validity in providing support for audit 
objectives. (7.56 – 7.62)
- Sufficiency is defined as a measure of quantity and is evaluated 
based on the collective audit evidence supporting findings, 
conclusions, or recommendations related to the audit objectives. (7.63 
– 7.64); 

* description of and emphasis on the overall assessment of evidence to 
avoid confusion about how to apply the standards (7.65 – 7.69), and; 

* revision of the audit documentation section to conform with chapter 
4. (7.74 – 7.92). 

Chapter 8 – Reporting Standards for Performance Audits: 

The reporting standards were streamlined and conforming changes were 
made to reflect changes in Chapter 7. The auditors’ responsibilities 
for reporting the views of responsible officials (8.35 – 8.40) and 
report issuance and distribution (8.44 – 8.47) were clarified. 

Appendix: 

An appendix has been added to provide supplemental guidance to assist 
auditors in the implementation of GAGAS. This guidance does not 
establish additional GAGAS requirements. 

[End of enclosure] 

Contents: 

Letter: 

Questions For Commenters: 

Summary Of Major Changes: 

Chapter 1: 

Use And Application Of GAGAS: 

Introduction: 

Purpose and Applicability of GAGAS: 

Use of Terminology to Define Professional Requirements in GAGAS: 

Citing Compliance with GAGAS in the Auditors’ Report: 

Relationship Between GAGAS and Other Professional Standards: 

Types of Government Audits and Attestation Engagements: 

Financial Audits: 

Attestation Engagements: 

Performance Audits: 

Nonaudit Services Provided by Audit Organizations: 

Chapter 2: 

Auditors’ Ethical Responsibilities: 

Introduction: 

Overarching Ethical Concepts: 

The Public Interest: 

Professional Behavior: 

Integrity: 

Objectivity: 

Proper Use of Government Information, Resources, and Position: 

Chapter 3: 

General Standards: 

Introduction: 

Independence: 

Personal Impairments: 

External Impairments: 

Organizational Independence: 

Organizational Independence When Reporting Externally to Third Parties: 

Organizational Independence When Reporting Internally to Management (as 
an internal audit function): 

Organizational Independence When Performing Nonaudit Services: 

Professional Judgment: 

Competence: 

Technical Knowledge and Competence: 

Additional Qualifications for Financial Audits and Attestation 
Engagements: 

Continuing Professional Education: 

Quality Control and Assurance: 

System of Quality Control: 

External Peer Review: 

Chapter 4: 

Field Work Standards For Financial Audits: 

Introduction: 

AICPA Field Work Standards: 
 
Additional Considerations for Financial Audits in Government: 

Consideration of Potential Fraud in a Financial Statement Audit and 
Illegal Acts by Auditees: 

Additional GAGAS Standards: 

Auditor Communication: 

Previous Audits and Attestation Engagements: 

Detecting Material Misstatements Resulting from Violations of Contract 
Provisions or Grant Agreements, or from Abuse: 

Developing Elements of a Finding: 

Audit Documentation: 

Chapter 5: 

Reporting Standards For Financial Audits: 

Introduction: 

AICPA Reporting Standards: 

Additional GAGAS Reporting Standards for Financial Audits: 

Reporting Auditors’ Compliance with GAGAS: 

Reporting on Internal Control and on Compliance with Laws, Regulations, 
and Provisions of Contracts or Grant Agreements: 

Reporting Deficiencies in Internal Control, Potential Fraud, Illegal 
Acts, Violations of Provisions of Contracts or Grant Agreements, or 
Abuse: 

Reporting Deficiencies in Internal Control: 

Reporting Potential Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, or Abuse: 

Direct Reporting of Potential Fraud, Illegal Acts, Violations of 
Provisions of Contracts or Grant Agreements, or Abuse: 

Emphasizing Significant Matters in the Auditors’ Report: 

Reporting on Restatement of Previously-Issued Financial Statements: 

Reporting Views of Responsible Officials: 

Reporting Privileged and Confidential Information: 

Issuing and Distributing Reports: 

Chapter 6: 

General, Field Work, And Reporting Standards For Attestation
Engagements: 

Introduction: 

AICPA General and Field Work Standards for Attestation Engagements: 

Additional Considerations for Attestation Engagements in Government: 

Additional GAGAS Field Work Standards for Attestation Engagements: 

Auditor Communication: 

Previous Audits and Attestation Engagements: 

Internal Control: 

Detecting Potential Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, or Abuse That Could Have a Material 
Effect on the Subject Matter: 

Developing Elements of Findings for Attestation Engagements: 

Attest Documentation: 

AICPA Reporting Standards for Attestation Engagements: 

Additional GAGAS Reporting Standards for Attestation Engagements: 

Reporting Auditors’ Compliance with GAGAS: 

Reporting Deficiencies in Internal Control, Potential Fraud, Illegal 
Acts, Violations of Provisions of Contracts or Grant Agreements, or 
Abuse: 

Reporting Deficiencies in Internal Control: 

Direct Reporting of Potential Fraud, Illegal Acts, Violations of 
Provisions of Contracts or Grant Agreements, or Abuse: 

Reporting Views of Responsible Officials: 

Reporting Privileged and Confidential Information: 

Issuing and Distributing Reports: 

Chapter 7: 

Field Work Standards For Performance Audits: 

Introduction: 

Significance in a Performance Audit: 

Audit Risk: 

Sufficient, Appropriate Evidence: 

Planning: 

Nature and Profile of the Program: 

Internal Control: 

Information Systems Controls: 

Legal and Regulatory Requirements, Contract Provisions, or Grant 
Agreements, Potential Fraud, or Abuse: 

Legal and Regulatory Requirements, Contracts, and Grants: 

Fraud: 

Abuse: 

Previous Audits and Attestation Engagements: 

Identifying Audit Criteria: 

Identifying Sources of Audit Evidence and the Amount and Type of 
Evidence Required: 

Considering Work of Others: 

Assigning Staff and Other Resources: 

Communicating with Management, Those Charged with Governance, and 
Others: 

Preparing the Audit Plan: 

Supervision: 

Obtaining Sufficient, Appropriate Evidence: 

Appropriateness: 

Sufficiency: 

Overall Assessment of Evidence: 

Audit Findings: 

Audit Documentation: 

Chapter 8: 

Reporting Standards For Performance Audits: 

Introduction: 

Reporting: 

Report Contents: 

Objectives, Scope, and Methodology: 

Findings: 

Reporting Deficiencies in Internal Control: 

Reporting Potential Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, or Abuse: 

Direct Reporting of Potential Fraud, Illegal Acts, Violations of 
Provisions of Contracts or Grant Agreements, or Abuse: 

Conclusions: 

Recommendations: 

Statement on Compliance with GAGAS: 

Reporting Views of Responsible Officials: 

Reporting Privileged and Confidential Information: 

Report Issuance and Distribution: 

Appendix: 

Introduction: 

Overall Supplemental Guidance: 

Examples of Significant Deficiencies in Internal Control: 

Examples of Abuse: 

Examples of Indicators of Fraud Risk: 

Determining Whether Laws, Regulations, or Provisions of Contracts or 
Grant Agreements Are Significant to Audit Objectives: 

Information to Accompany Chapter 1: 

The Role of Those Charged with Governance in Accountability: 

Management’s Role in Accountability: 

Laws, Regulations, and Guidelines that Require Use of GAGAS: 

Information to Accompany Chapter 3: 

Nonaudit Services: 

Information to Accompany Chapter 7: 

Types of Evidence: 

Appropriateness of Information in Relation to the Audit Objectives: 

Members Of The Comptroller General’s Advisory Council On
Government Auditing Standards: 

[End of section]

Chapter 1: Use and Application of GAGAS: 

Introduction: 

1.01: Government auditing is essential to the government’s 
responsibility of accountability to the public. Government audits are 
intended to provide an independent, objective, nonpartisan assessment 
of the stewardship, performance, and cost of government policies, 
programs, and operations. 

1.02: The concept of accountability for use of public resources and 
government authority is key in our nation’s governing processes. 
Government officials entrusted with public resources are responsible 
for carrying out public functions efficiently, economically, 
effectively, ethically, equitably, [Footnote 1] and legally. Government 
managers are responsible for providing reliable and useful information 
for accountability of government programs and their operations. 
[Footnote 2] Legislators, government officials, and the public need to 
know whether (1) government manages public resources and uses its 
authority properly and in compliance with laws and regulations, (2) 
government programs are achieving their objectives and desired 
outcomes, (3) government services are being provided efficiently, 
economically, effectively, ethically, and equitably, and (4) government 
managers are held fully accountable for their use of public resources. 
Government auditing provides independent assessments of that 
information for the benefit of those charged with oversight and for the 
public. 

Purpose and Applicability of GAGAS: 

1.03: The professional standards and guidance contained in this 
document, often referred to as generally accepted government auditing 
standards (GAGAS), are intended for use by auditors [Footnote 3] of 
government entities and audit organizations [Footnote 4] to help ensure 
that they perform high quality work with competence, integrity, 
objectivity, and independence in planning, conducting, and reporting on 
government audits. Auditors and audit organizations use GAGAS when 
required by law, regulation, contract, grant agreement, or policy. 

1.04: The standards and guidance in this document apply to auditors who 
conduct audits and attestation engagements of government entities, 
programs, activities, and functions, and of government assistance 
administered by contractors, nonprofit entities, and other 
nongovernmental entities. If auditors hold themselves out as complying 
with GAGAS, regardless of whether the auditors are required to follow 
such standards, the auditors should follow all applicable GAGAS 
standards, and refer to compliance with GAGAS as set forth in 
paragraphs 1.13 through 1.15. 

1.05: GAGAS contain standards dealing with ethics, independence, 
auditors’ professional competence and judgment, quality control, the 
performance of field work, and reporting. GAGAS are intended to help 
ensure that audits and attestation engagements performed under GAGAS 
provide reasonable assurance about the information needed for oversight
and accountability of government programs and operations by requiring 
auditors to objectively acquire and evaluate evidence and report the 
results. When auditors perform their work in this manner and comply 
with GAGAS in reporting the results, their work can lead to improved 
government management, decision making and oversight, effective and 
efficient operations, and accountability for resources and results. 
Government auditing is also a key element in fulfilling the 
government’s duty to be accountable to the public. 

Use of Terminology to Define Professional Requirements in GAGAS: 

1.06: GAGAS contain professional requirements together with related 
guidance in the form of explanatory material. [Footnote 5] Auditors 
have a responsibility to consider the entire text of GAGAS in carrying 
out their work on an engagement and in understanding and applying the 
professional requirements of the relevant standards. 

1.07: Not every paragraph of GAGAS carries a professional requirement 
that the auditors are expected to fulfill. Rather, the professional 
requirements are communicated by the language and the meaning of the 
words used in GAGAS. 

1.08: GAGAS use two categories of professional requirements, identified 
by specific terms, to describe the degree of responsibility they impose 
on auditors, as follows: 

a. Unconditional requirements. The auditor is required to comply with 
an unconditional requirement in all cases in which the circumstances 
exist to which the unconditional requirement applies. GAGAS use the 
words must or is required to indicate an unconditional requirement. 

b. Presumptively mandatory requirements. The auditor is also required 
to comply with a presumptively mandatory requirement in all cases in 
which the circumstances exist to which the presumptively mandatory 
requirement applies; however, in rare circumstances, the auditor may 
depart from a presumptively mandatory requirement provided the auditor 
documents his or her justification for the departure and how the
alternative procedures performed in the circumstances were sufficient 
to achieve the objectives of the presumptively mandatory requirement. 
GAGAS use the word should to indicate a presumptively mandatory 
requirement. 

1.09: If GAGAS provide that a procedure or action is one that the 
auditor “should consider,” the consideration of the procedure or action 
is presumptively required, whereas carrying out the procedure or action 
is not. The professional requirements of GAGAS are to be understood and 
applied in the context of the explanatory material that provides 
guidance for their application. 

1.10: Explanatory material is defined as the text within GAGAS that 
may: 
a. provide further explanation and guidance on the professional 
requirements; or 
b. identify and describe other procedures or actions relating to the 
activities of the auditor. 

1.11: Explanatory material that provides further explanation and 
guidance on the professional requirements is intended to be descriptive 
rather than imperative. That is, it may explain the objective of the 
professional requirements (where not otherwise self-evident); explain 
why the auditor might consider or employ particular procedures,
depending on the circumstances; or provide additional information for 
the auditor to consider in exercising professional judgment in 
performing the engagement. 

1.12: Explanatory material that identifies and describes other 
procedures or actions relating to the activities of the auditor is not 
intended to impose a professional requirement on the auditor to perform 
the suggested procedures or actions. How and whether the auditor 
carries out such procedures or actions in the engagement depends on the 
exercise of professional judgment in the circumstances consistent with 
the objective of the standard. The words may, might, and could are used 
to describe these actions and procedures. 

Citing Compliance with GAGAS in the Auditors’ Report: 

1.13: Auditors should include one of the following types of GAGAS 
compliance statements in reports on GAGAS engagements, as appropriate, 
based on the provisions of paragraphs 1.14 through 1.15. 

a. Unqualified GAGAS compliance statement. The auditors state that the 
engagement was performed in accordance with GAGAS. 

b. Qualified GAGAS compliance statement. The auditors state that the 
engagement was performed in accordance with GAGAS, except for specific 
applicable standards that were not followed. 

c. Negative GAGAS compliance statement. The auditors state that the 
engagement was not performed in accordance with GAGAS. 

1.14: When auditors comply with all applicable unconditional and 
presumptively mandatory GAGAS requirements, they should include an 
unqualified GAGAS compliance statement in the audit report. (See 
paragraphs 5.05, 6.47, and 8.33.) 

1.15: When auditors did not comply with applicable unconditional and/or 
presumptively mandatory requirements, they should assess the 
significance of not following the requirement to the scope of the audit 
and the auditors’ overall compliance with GAGAS and document the 
assessment, along with the reasons for not following the standard. 
Based on this assessment, the auditors should determine whether and to 
what extent to disclose in the report the applicable standard(s) not 
followed, the reasons for not following the standard(s), and how not 
following the standards affected, or could have affected, the audit. In 
addition, auditors should consider modifying the GAGAS compliance 
statement as follows. These determinations are a matter of professional
judgment: 

a. When auditors do not comply with all unconditional requirements that 
are applicable based on the audit objectives, they should determine 
whether to include a qualified GAGAS compliance statement or a negative 
GAGAS compliance statement in the report. 

b. When auditors do not comply with all presumptively mandatory 
requirements that are applicable based on the audit objectives, they 
should determine whether to include a qualified GAGAS compliance 
statement or an unqualified GAGAS compliance statement in the report. 
When auditors have justification for not following a presumptively
mandatory requirement, an unqualified GAGAS statement may be 
appropriate. 

c. When auditors did not comply with multiple presumptively mandatory 
requirements, they should determine whether they should include a 
negative GAGAS compliance statement in the report. 

Relationship Between GAGAS and Other Professional Standards: 

1.16: Auditors may use GAGAS in conjunction with professional standards 
issued by other authoritative bodies. If there are conflicts between 
the standards, and the auditors cannot satisfy both standards, the 
auditors should provide disclosure in the auditors’ report about any 
standards not followed and the impact on the audit. (See paragraphs
5.06, 6.47 and 8.34.) 

1.17: Auditors use professional judgment in determining how to follow 
GAGAS and the other standards, and how to handle any inconsistencies 
between GAGAS and other standards. 

1.18: For financial audits, GAGAS incorporate other professional 
standards, as follows: 

a. The American Institute of Certified Public Accountants (AICPA) has 
established professional standards that apply to financial audits and 
attestation engagements for nonissuers [Footnote 6] performed by 
certified public accountants (CPA). For financial statement audits, 
GAGAS incorporate the AICPA’s field work and reporting standards and the
related statements on auditing standards (SAS) unless specifically 
excluded or modified by GAGAS. [Footnote 7] 

b. The International Auditing and Assurance Standards Board (IAASB) has 
established professional standards that apply to financial audits and 
attestation engagements that are conducted internationally. Auditors 
may use GAGAS in conjunction with the IAASB standards and the related 
statements on International Statements on Auditing (ISA). 

c. The Public Company Accounting Oversight Board (PCAOB) has established
professional standards that apply to financial audits and attestation 
engagements for issuers. Auditors may use GAGAS in conjunction with the 
PCAOB standards. 

1.19: For attestation engagements, GAGAS incorporate the AICPA’s 
general standard on criteria, and the field work and reporting 
standards and the related statements on the standards for attestation 
engagements (SSAE), unless specifically excluded or modified by GAGAS. 

1.20: For performance audits, auditors may use other professional 
standards in conjunction with GAGAS, such as the following: 

a. International Standards for the Professional Practice of Internal 
Auditing, The Institute of Internal Auditors, Inc.; 

b. Guiding Principles for Evaluators, American Evaluation Association; 

c. The Program Evaluation Standards, Joint Committee on Standards for 
Education Evaluation; and 

d. Standards for Educational and Psychological Testing, American 
Psychological Association. 

Types of Government Audits and Attestation Engagements: 

1.21: This section describes the types of audits and attestation 
engagements that audit organizations may perform under GAGAS. This 
description is not intended to limit or require the types of audits or 
attestation engagements that may be performed under GAGAS. 

1.22: All engagements begin with objectives, and those objectives 
determine the type of work to be performed and the applicable standards 
to be followed. The types of work, as defined by their objectives that 
are covered by GAGAS, are classified in this document as financial 
audits, attestation engagements, and performance audits. 

1.23: In some engagements, the standards applicable to the specific 
audit objective will be apparent. For example, if the audit objective 
is to express an opinion on financial statements, the standards for 
financial audits apply. However, some engagements may have multiple or 
overlapping objectives. For example, if the objectives are to determine
the reliability of performance measures, this work can be done in 
accordance with either the standards for attestation engagements or for 
performance audits. In cases where there is a choice between applicable 
standards, auditors should evaluate users’ needs and the auditors’ 
knowledge, skills, and experience in deciding which standards to 
follow. 

Financial Audits: 

1.24: Financial audits provide an independent assessment of whether an 
entity’s reported financial condition, results, and use of resources 
are presented fairly in accordance with recognized criteria. Reporting 
on financial audits performed in accordance with GAGAS also includes 
reports on internal control, compliance with laws and regulations, and 
provisions of contracts and grant agreements as they relate to 
financial transactions, systems, and processes. 

1.25: The primary purpose of a financial audit is to provide an opinion 
(or disclaim an opinion) about whether an entity’s financial statements 
are presented fairly in all material respects in conformity with 
generally accepted accounting principles (GAAP), [Footnote 8] or with a 
comprehensive basis of accounting other than GAAP. Other types of 
financial audits, which provide for different levels of assurance and 
entail various scopes of work, may include: 

a. providing special reports, such as for specified elements, accounts, 
or items of a financial statement; [Footnote 9] 

b. reviewing interim financial information; 

c. issuing letters for underwriters and certain other requesting 
parties; 

d. reporting on the processing of transactions by service 
organizations; and 

e. auditing compliance with regulations relating to federal award 
expenditures and other governmental financial assistance in conjunction 
with or as a by-product of a financial statement audit. 

1.26: For financial statement audits, GAGAS incorporate the AICPA’s 
field work and reporting standards and the related statements on 
auditing standards unless specifically excluded or modified by GAGAS. 
GAGAS establish ethical responsibilities, independence standards, 
general standards, and additional field work and reporting standards 
beyond those provided by the AICPA when performing financial audits. 
(See chapters 2, 3, 4, and 5 for standards and guidance for auditors 
performing a financial audit in accordance with GAGAS.) 

1.27: For financial statement audits, GAGAS can also be used in 
conjunction with standards issued by the PCAOB or IAASB. (See 
paragraphs 1.16–1.18.) 

Attestation Engagements: 

1.28: The primary purpose of an attestation engagement [Footnote 10] is 
to report on a subject matter or management’s assertions about a 
subject matter compared with stated criteria. Attestation engagements 
can cover a broad range of financial or nonfinancial objectives and may 
provide different levels of assurance about the subject matter or 
assertion depending on the users’ needs. 

1.29: In an attestation engagement, auditors issue an examination, a 
review, or an agreed-upon procedures report on a subject matter or on 
an assertion about a subject matter, that is the responsibility of 
another party. Attestation engagements can cover a broad range of 
financial or nonfinancial objectives and can be part of an audit or a
separate engagement. The three levels of attestation engagements 
include the following: 

a. Examination: Auditors perform sufficient testing to express an 
opinion on whether the subject matter is based on (or in conformity 
with) the criteria in all material respects or the assertion is 
presented (or fairly stated), in all material respects, based on the 
criteria. 

b. Review: Auditors perform sufficient testing to express a conclusion 
about whether any information came to the auditors’ attention on the 
basis of the work performed that indicates the subject matter is not 
based on (or in conformity with) the criteria or the assertion is not 
presented (or fairly stated) in all material respects based on the 
criteria. [Footnote 11] 

c. Agreed-Upon Procedures: Auditors perform testing to issue a report 
of findings based on specific procedures performed on subject matter. 

1.30: The subject matter of an attestation engagement may take many 
forms, including historical or prospective performance or condition, 
physical characteristics, analyses, internal controls, systems and 
processes, or compliance with laws, regulations, contracts, or other 
requirements. Possible subjects of attestation engagements could
include reporting on: 

a. prospective financial or performance information; 

b. quantity, condition, and/or valuation of inventory or assets; 

c. management’s discussion and analysis (MD&A) presentation; 

d. an entity’s internal control over financial reporting;

e. the effectiveness of an entity’s internal control over compliance 
with specified requirements, such as those governing the bidding for, 
accounting for, and reporting on grants and contracts; 

f. an entity’s compliance with requirements of specified laws, 
regulations, rules, contracts, or grants; and 

g. specific procedures performed on a subject matter (agreed-upon 
procedures). 

1.31: For attestation engagements, GAGAS incorporate the AICPA’s 
general standard on criteria, and the field work and reporting 
standards and the related Statements on Standards for Attestation 
Engagements (SSAE), unless specifically excluded or modified by GAGAS. 
GAGAS establish ethical responsibilities, independence standards, 
general standards and additional field work and reporting standards 
beyond those provided by the AICPA for attestation engagements. (See 
chapters 2, 3, and 6 for standards and guidance for auditors performing 
an attestation engagement in accordance with GAGAS.) 

1.32: As discussed in paragraph 1.19, GAGAS incorporate the AICPA’s 
general standard on criteria, the field work and reporting standards 
and the related statements on the standards for attestation engagements 
when performing attestation engagements. 

Performance Audits: 

1.33: Performance audits provide assurance or conclusions relating to 
audit objectives that provide an evaluation against objective criteria, 
such as specific requirements or measures, or good business practices. 
[Footnote 12] Performance audits provide objective analysis so that 
management and those charged with governance and oversight may improve
program [Footnote 13] performance and operations, reduce costs, facilitate 
decision making by parties with responsibility to oversee or initiate 
corrective action, and contribute to public accountability. Performance 
audits can also provide descriptive information in response to audit 
objectives to describe a process or a condition. The term performance 
audit includes audits classified by some audit organizations as program 
or performance evaluations, program effectiveness and results audits, 
economy and efficiency audits, operational audits, management audits, 
compliance audits, and value-for-money audits. 

1.34: Audit objectives for performance audits may vary widely and may 
encompass a variety of objectives, including assessing program economy, 
efficiency, effectiveness, results, or equity; internal control; 
[Footnote 14] compliance with legal, policy, procedural, or other
requirements; and providing assurance about prospective analyses, 
guidance, or summary information. These overall objectives are not 
mutually exclusive. Thus, a performance audit may have more than one 
overall objective. For example, often a performance audit with an 
initial objective of program effectiveness may also involve an 
underlying objective of evaluating internal controls to determine the 
reasons for a program’s lack of effectiveness or how effectiveness can 
be improved. 

1.35: Performance audits provide reasonable assurance that the auditors 
have sufficient, appropriate evidence concerning the achievement of the 
audit objectives and the conclusions reached. For descriptive audit 
objectives, the audit provides reasonable assurance about the 
descriptive information. The levels of evidence and tests of evidence 
will vary based on the audit objectives and conclusions. Objectives for
performance audits range from narrow to broad and may involve specific 
evidence or extensive evidence. In some engagements, sufficient, 
appropriate evidence is easily obtained, and in others, information may 
have limitations. Auditors use professional judgment in determining the 
audit scope and methodology needed to address the audit’s objectives, 
while providing the appropriate level of assurance that the evidence 
obtained is sufficient and appropriate to meet the audit’s objectives. 

1.36: A performance audit is a dynamic, iterative process which 
includes consideration of the applicable standards taken as a whole 
throughout the course of the audit. An ongoing reassessment of the 
objectives, audit risk, audit procedures, and evidence during the 
course of the audit facilitates the auditors’ determination of what to 
report and the proper context for the audit conclusions, including 
discussion about the nature, type, and quality of evidence being used 
as a basis for the audit conclusions. Performance audit conclusions 
logically flow from all of these elements, and include the proper 
context based on the underlying evidence. 

1.37: The audit objectives for performance audits generally fall into 
the following categories: program effectiveness and results, economy 
and efficiency, internal control, compliance, and prospective analysis. 

1.38: Program effectiveness and results audit objectives are frequently 
interrelated with economy and efficiency objectives. Audit objectives 
that focus on program effectiveness and results address the 
effectiveness of a program and typically measure the extent to which a 
program is achieving its goals and objectives. Audit objectives that 
focus on economy and efficiency address the costs and resources used to 
achieve program results. Examples of audit objectives in these 
categories include: 

a. assessing the extent to which legislative, regulatory, or 
organizational goals and objectives are being achieved; 

b. assessing the relative ability of alternative approaches to yield 
better program performance or eliminate factors that inhibit program 
effectiveness; 

c. analyzing the relative cost effectiveness of a program or activity; 
[Footnote 15] 

d. determining whether a program produced intended results or produced 
results that were not consistent with the program’s objectives; 

e. determining whether a program provides equitable access to or 
distribution of public resources within the context of statutory 
parameters; 

f. assessing the extent to which programs duplicate, overlap, or 
conflict with other related programs; 

g. evaluating whether the audited entity is following sound and 
equitable procurement practices; 

h. assessing the reliability, validity, or relevance of performance 
measures concerning program effectiveness and results, or economy and 
efficiency; 

i. assessing the reliability, validity, or relevance of financial 
information related to the performance of a program; 

j. determining whether government resources (inputs) are obtained at 
reasonable costs while meeting timeliness and quality considerations; 

k. determining whether appropriate value was obtained based on the cost 
or amount paid; 

l. determining whether government services and benefits are accessible 
to those citizens who have a right to access those services and 
benefits; 

m. determining whether and how the government program’s unit costs can 
be decreased or its productivity increased; and 

n. analyzing budget proposals or budget requests to assist legislatures 
in the budget process. 

1.39: Internal control audit objectives relate to an assessment of the 
component of an organization’s system of internal control that is 
designed to provide reasonable assurance of achieving effective and 
efficient operations, reliable financial and performance reporting, and 
compliance with applicable laws and regulations. Internal control 
objectives are also relevant when determining the cause of 
unsatisfactory program performance. Internal control comprises the 
plans, methods, and procedures used to meet the organization’s mission, 
goals, and objectives. Internal control includes the processes and 
procedures for planning, organizing, directing, and controlling
program operations, and management’s system for measuring, reporting, 
and monitoring program performance. Examples of audit objectives 
related to internal control include an assessment of the extent that 
internal control provides reasonable assurance that: 

a. organizational missions, goals, and objectives are achieved 
effectively and efficiently; 

b. resources are used in compliance with laws, regulations, or other 
requirements; 

c. resources are safeguarded against unauthorized acquisition, use, or 
disposition; 

d. management information and public reports that are produced, such as 
performance measures, are complete, accurate, and consistent to support 
performance and decision making; 

e. the integrity of computerized information and information systems 
is achieved; and 

f. contingency planning for information systems provides essential 
back-up to prevent unwarranted disruption of activities and functions the 
systems support. 

1.40: Compliance audit objectives relate to compliance criteria 
established by laws, regulations, contract provisions, grant 
agreements, and other requirements [Footnote 16] that could affect the 
acquisition, protection, and use of the entity’s resources and the 
quantity, quality, timeliness, and cost of services the entity produces 
and delivers. Compliance objectives include determining whether: 

a. the purpose of the program, the manner in which it is to be 
conducted, the services delivered, the outcomes, or the population it 
serves are in compliance with laws, regulations, contract provisions, 
grant agreements, and other requirements; 

b. government services and benefits are distributed or delivered to 
citizens based on the citizens’ right to obtain those services and 
benefits; and 

c. incurred or proposed costs are in compliance with applicable laws, 
regulations, and contract or grant agreement terms. 

1.41: Prospective audit objectives provide analysis or conclusions 
about information that is based on assumptions about events that may 
occur in the future along with possible actions that the audited entity 
may take in reaction to the future events. Examples of objectives 
pertaining to this work include providing analysis or conclusions 
about: 

a. current and projected trends and future potential impact on 
government programs and services; 

b. program or policy alternatives, including forecasting program 
outcomes under various assumptions; 

c. policy proposals for decision makers; 

d. prospective information prepared by management; 

e. forecasts that are based on (1) assumptions about expected future 
events and (2) management’s expected reaction to those future events; 
and 

f. management’s assumptions on which prospective information is based. 

1.42: As discussed in paragraphs 1.16 through 1.17 and 1.20, other 
professional standards may be used in conjunction with GAGAS when 
conducting performance audits. 

Nonaudit Services Provided by Audit Organizations: 

1.43: GAGAS do not cover nonaudit services since such services are not 
audits or attestation engagements. Therefore, auditors should not 
report that the nonaudit services were conducted in accordance with 
GAGAS. However, audit organizations may report that nonaudit services 
were conducted in compliance with the audit organization’s internal 
quality control system and/or with any other applicable standards, 
guidance, or generally accepted practices. When performing nonaudit 
services, audit organizations have a responsibility to communicate with 
requestors and other users, as appropriate, in order to clarify that 
the scope of work performed does not constitute an audit under GAGAS. 

1.44: Audit organizations that provide nonaudit services should 
evaluate whether providing nonaudit services creates an independence 
impairment either in fact or appearance with respect to the entities 
they audit. Further discussion of nonaudit services and potential 
impact on auditor independence is included in Chapter 3, paragraphs 
3.24 through 3.35 and in the appendix, paragraphs A3.02 through A3.03. 

[End of chapter] 

Chapter 2: Auditors’ Ethical Responsibilities: 

Introduction: 

2.01: Because government auditing is essential to government 
accountability to the public, government auditors have ethical 
responsibilities to uphold and protect the public trust. The public 
expects audit organizations and auditors in the government environment 
to conduct their audit work in accordance with ethical principles.
Management of the audit organization sets the tone for ethical behavior 
throughout the organization by maintaining an ethical culture, clearly 
communicating acceptable behavior and expectations to each employee, 
and creating a positive work environment. The ethical values maintained 
and demonstrated by management and staff are an essential element of a 
positive ethical environment for the audit organization. 

2.02: While audit organizations have overall responsibility for 
creating the environment to promote conducting audit work in accordance 
with ethical principles, ethics are also a matter of personal 
responsibility. It is essential that government auditors observe 
overarching ethical concepts in the performance of their professional 
responsibilities. Ethical concepts apply in preserving auditor 
independence, [Footnote 17] taking on work that the auditor is competent to 
perform, performing high quality work, and following applicable 
standards when cited in the audit report. Integrity and objectivity are 
maintained when auditors complete their work and make decisions that 
are consistent with the broader interest of those relying on the 
auditors’ report, including the public. 

Overarching Ethical Concepts: 

2.03: The overarching ethical concepts contained in the following 
sections provide the overall framework for application of the GAGAS 
standards, including general standards, field work standards, and 
reporting standards for auditors’ use in performing their professional 
responsibilities. It is essential that government auditors conduct 
their work in such a manner that these concepts are observed throughout 
all of their professional activities. Each concept is presented in a 
descriptive manner, rather than setting forth a series of requirements, 
so that auditors can consider the facts and circumstances of each
situation within the framework of these ethical concepts. Auditors also 
have a responsibility to understand and comply with other ethical 
requirements or codes of professional conduct, when applicable. 
[Footnote 18] 

2.04: The ethical concepts that guide the work of government auditors 
include: 

a. The Public Interest; 

b. Professional Behavior; 

c. Integrity; 

d. Objectivity; and 

e. Proper Use of Government Information, Resources and Position. 

The Public Interest: 

2.05: The public interest is defined as the interests of those relying 
on the auditors’ work, including the public. In discharging their 
professional responsibilities, auditors observe the principles of 
serving the public interest by maintaining the highest degree of
integrity, objectivity, and independence. These principles are 
fundamental to the responsibilities of auditors and critical in the 
government environment. 

2.06: A distinguishing mark of a professional auditor is acceptance of 
responsibility toward the public interest. This responsibility is 
critical when auditing in the government environment. Therefore, it is 
critical that auditors in the government environment act in a way that 
will serve the public interest and honor the public trust. GAGAS embody 
the concept of accountability for public resources, which is 
fundamental to serving the public interest. 

2.07: In discharging their professional responsibilities, auditors may 
encounter conflicting pressures from management of the audited entity, 
various levels of government, and others who rely on the auditors’ 
work. In resolving those conflicts, auditors have a responsibility to 
act with integrity, guided by the precept that when auditors fulfill 
their responsibilities, the public interest is best served. 

Professional Behavior: 

2.08: It is essential that auditors’ professional behavior include 
compliance with laws and regulations and acting in a manner consistent 
with the high expectations for their profession, while avoiding any 
conduct that might bring discredit to their work, including actions 
that would cause a reasonable and informed third party, having 
knowledge of all relevant information, to conclude that the conduct or 
work performed by the government auditors or audit organization was 
professionally deficient. Professional behavior includes auditors 
putting forth an honest effort in the performance of their duties and 
carrying out their professional services in accordance with the 
relevant technical and professional standards. 

2.09: The professional behavior of auditors practicing in the 
government environment is expected to be above reproach. Professional 
behavior is realized when auditors conduct themselves in a manner that 
avoids having their actions and work misinterpreted or that gives the 
appearance of being biased or misleading. By observing ethical 
principles, auditors promote confidence in the integrity of government 
operations and programs. 

Integrity: 

2.10: Public confidence in government is maintained and enhanced by 
accountability professionals such as auditors performing their 
professional responsibilities with the highest degree of integrity. 
Integrity includes auditors conducting their work with an attitude that 
is objective, fact-based, nonpartisan, and non-ideological with regard 
to audited entities and users of the auditors’ reports. It is crucial 
for auditors to be honest, candid, and constructive with the audited 
entity and users of the auditors’ work in the conduct of their work, 
within the constraints of the audited entity’s confidentiality laws,
rules, or policies. 

2.11: Integrity can accommodate the inadvertent error and the honest 
difference of opinion; it cannot accommodate deceit or subordination of 
the principles of fairness and objectivity to personal gains. In 
applying the principle of integrity, it is essential that auditors 
observe both the form and the spirit of the relevant ethical standards. 

Objectivity: 

2.12: The credibility of government auditing is based on auditors’ 
objective attitude in discharging their professional responsibilities. 
Objectivity includes being independent in fact and appearance when 
providing audit and attestation services, maintaining an attitude of 
impartiality, having intellectual honesty, and being free of conflicts 
of interest. It is crucial that auditors avoid conflicts that may in 
fact or appearance impair auditors’ objectivity in performing the audit 
or attestation engagement. Maintaining objectivity includes a 
continuing assessment of relationships with audited entities and other
stakeholders in the context of the auditors’ responsibility to the 
public. 

Proper Use of Government Information, Resources, and Position: 

2.13: Government information, resources, or positions are to be used 
for official purposes and not misused for the auditor’s personal gain 
or in a manner that would be contrary to the law or detrimental to the 
legitimate interests of the audited entity or the audit organization. 
This concept also includes the proper handling of sensitive or 
classified information or resources. 

2.14: In the government environment, the public’s right to the 
transparency of government information has to be balanced with the 
proper use of government information. To accomplish this balance, it is 
important that auditors exercise prudence in the use of information 
acquired in the course of their duties or as a result of professional 
and business relationships. Auditors should not disclose any such
information to third parties without proper and specific authority, 
unless there is a legal and professional right or obligation to 
disclose. 

2.15: As government accountability professionals, auditors are 
accountable to the public for their own proper use and prudent 
management of government resources. It is important that auditors 
protect and conserve government resources and not use them for
other than authorized activities. 

2.16: It is a fundamental responsibility of government auditors to 
conduct themselves in such a manner that they do not misuse their 
positions for personal gain. It is important that auditors not take any 
action that could be perceived by a knowledgeable person as benefiting 
their personal financial interests or those of an immediate or close 
family member; a general partner; an organization for which the auditor 
serves as an officer, director, trustee, or employee; or a person or 
organization with which the auditor is negotiating or has an 
arrangement concerning future employment. (See paragraphs 3.06 through 
3.09 for further discussion of personal impairments to independence.) 

[End of chapter]

Chapter 3: General Standards: 

Introduction: 

3.01: This chapter establishes general standards and provides guidance 
for performing financial audits, attestation engagements, [Footnote 19] 
and performance audits under GAGAS. These general standards, along with 
the overarching ethical concepts presented in chapter 2, establish a 
foundation that adds credibility to auditors’ work. Credibility is 
essential to all audit organizations performing work that government 
leaders and others use for making decisions and achieving government 
accountability. Credibility is what the public expects of information 
provided by government auditors. These general standards emphasize the 
independence of the audit organization and its individual auditors; the
exercise of professional judgment in the performance of work and the 
preparation of related reports; the competence of audit staff; audit 
quality control and assurance; and external peer reviews. 

Independence: 

3.02: In all matters relating to the audit work, the audit organization 
and the individual auditor, whether government or public, must be free 
both in fact and appearance from personal, external, and organizational 
impairments to independence. 

3.03: Auditors and audit organizations must maintain independence so 
that opinions, conclusions, judgments, and recommendations will be 
impartial and will be viewed as impartial by knowledgeable third 
parties. Auditors have a responsibility to avoid situations that could 
lead reasonable and objective third parties with knowledge of the 
relevant facts and circumstances to conclude that the auditors are not 
able to maintain independence and, thus, are not capable of exercising 
objective and impartial judgment on all issues associated with 
conducting the audit and reporting on the work. 

3.04: When evaluating whether independence impairments exist either in 
fact or appearance with respect to the entities for which audit 
organizations perform audit or attestation services, audit 
organizations consider three general classes of impairments to
independence--personal, external, and organizational. [Footnote 20] If 
one or more of these impairments affects an individual auditor’s 
capability to perform the work and report results impartially, the 
auditor should either decline to perform the work--or in those 
situations in which the auditor, because of a legislative requirement 
or for other reasons, cannot decline to perform the work--the auditors 
must disclose the impairment or impairments in the scope section of the 
audit report. 

3.05: When auditors use the work of a specialist, [Footnote 21] 
auditors should assess the specialist’s ability to perform the work and 
report results impartially. In conducting this assessment, auditors 
should provide external specialists with the GAGAS independence 
requirements and obtain representations from the specialist regarding 
the specialist’s independence from the activity or program under audit. 
Internal specialists who are members of the audit team should follow 
the same standards and processes as the other members of the audit team.

Personal Impairments: 

3.06: Auditors participating on an audit assignment must be free from 
personal impairments to independence. [Footnote 22] Personal 
impairments of staff members result from relationships and beliefs that 
might cause auditors to limit the extent of the inquiry, limit 
disclosure, or weaken or slant audit findings in any way. Individual 
auditors should notify the appropriate officials within their audit 
organizations if they have any personal impairments to independence. 
Examples of personal impairments of individual auditors include, but 
are not limited to, the following: 

a. immediate family or close family member [Footnote 23] who is a 
director or officer of the audited entity, or as an employee of the 
audited entity, is in a position to exert direct and significant 
influence over the entity or the program under audit; 

b. financial interest that is direct, or is significant though 
indirect, in the audited entity or program; [Footnote 24] 

c. responsibility for managing an entity or decision making that could 
affect operations of the entity or program being audited; for example 
as a director, officer, or other senior position of the entity, 
activity, or program being audited, or as a member of management
in any decision making, supervisory, or ongoing monitoring function for 
the entity, activity, or program under audit; 

d. concurrent or subsequent performance of an audit by the same 
individual who maintained the official accounting records when such 
services involved preparing source documents or originating data, in 
electronic or other form; posting transactions (whether coded by 
management or not coded); authorizing, executing, or consummating
transactions (for example, approving invoices, payrolls, claims, or 
other payments of the entity or program being audited); maintaining an 
entity’s bank account or otherwise having custody of the audited 
entity’s funds; or otherwise exercising authority on behalf of the 
entity, or having authority to do so; 

e. preconceived ideas toward individuals, groups, organizations, or 
objectives of a particular program that could bias the audit; 

f. biases, including those induced by political, ideological, or social 
convictions, that result from employment in, or loyalty to, a 
particular type of policy, group, organization, or level of government; 
and 

g. seeking employment during the conduct of the audit with an audited 
organization or an individual or entity with a direct interest in the 
outcome of the audit. 

3.07: Audit organizations and auditors may encounter many different 
circumstances or combination of circumstances that could create a 
personal impairment. Therefore, it is impossible to identify every 
situation that could result in a personal impairment. Accordingly, 
audit organizations should include as part of their internal quality 
control system procedures to identify personal impairments and help 
ensure compliance with GAGAS independence requirements. At a minimum, 
audit organizations should: 

a. establish policies and procedures to identify personal impairments 
to independence (see paragraph 3.06);

b. communicate the audit organization’s policies and procedures to all 
auditors in the organization and help ensure understanding of the 
policies and procedures through training or other means such as 
auditors periodically acknowledging their understanding; 

c. establish internal policies and procedures to monitor compliance 
with the audit organization’s policies and procedures; 

d. establish a disciplinary mechanism to promote compliance with the 
audit organization’s policies and procedures; 

e. stress the importance of independence and the expectation that 
auditors will always act in the public interest; and 

f. maintain documentation of the steps taken to identify potential 
personal independence impairments as well as actions taken to resolve 
any impairments. 

3.08: When the audit organization identifies a personal impairment to 
independence prior to or during an audit, the audit organization should 
take action to resolve the impairment in a timely manner. In situations 
in which the personal impairment is applicable only to an individual 
auditor on a particular assignment, the audit organization may be able 
to mitigate the personal impairment by requiring the auditor to 
eliminate the personal impairment. For example, the auditor could sell 
a financial interest that created the personal impairment, or the audit 
organization could remove that auditor from any work on that audit 
assignment. If the personal impairment cannot be mitigated through
these means, the audit organization should withdraw from the audit. In 
situations in which government auditors cannot withdraw from the audit, 
they should follow the requirement in paragraph 3.04. 

3.09: If the audit organization identifies a personal impairment to 
independence after the audit report is issued, the audit organization 
should assess the impact on the audit. The audit organization should 
consider whether, given the impact on the audit, to notify regulatory 
agencies that have jurisdiction over the audited entity and persons 
known to be using the audit report about the independence impairment 
and the impact on the audit. Auditors should make such notifications in 
writing. 

External Impairments: 

3.10: Audit organizations must be free from external impairments to 
independence. Factors external to the audit organization may restrict 
the work or interfere with auditors’ ability to form independent and 
objective opinions and conclusions. External impairments to 
independence occur when auditors are deterred from acting objectively
and exercising professional skepticism by pressures, actual or 
perceived, from management and employees of the audited entity or 
oversight organizations. For example, under the following conditions, 
auditors may not have complete freedom to make an independent and 
objective judgment, thereby adversely affecting the audit: 

a. external interference or influence that could improperly limit or 
modify the scope of an audit or threaten to do so, including exerting 
pressure to reduce inappropriately the extent of work performed in 
order to reduce costs or fees; 

b. external interference with the selection or application of audit 
procedures or in the selection of transactions to be examined; 

c. unreasonable restrictions on the time allowed to complete an audit 
or issue the report; 

d. restriction on access to records, government officials, or other 
individuals needed to conduct the audit; 

e. external interference over the assignment, appointment, and 
promotion of audit personnel;  

f. restrictions on funds or other resources provided to the audit 
organization that adversely affect the audit organization’s ability to 
carry out its responsibilities; 

g. authority to overrule or to inappropriately influence the auditors’ 
judgment as to the appropriate content of the report; 

h. threat of replacement over a disagreement with the contents of an 
audit report, the auditors’ conclusions, or the application of an 
accounting principle or other criteria; and 

i. influences that jeopardize the auditors’ continued employment for 
reasons other than incompetence, misconduct, or the need for audit 
services. 

3.11: Audit organizations should include, as part of their internal 
quality control system for compliance with GAGAS independence 
requirements, internal policies and procedures for reporting and 
resolving external impairments. 

Organizational Independence: 

3.12: In addition to the preceding paragraphs that address personal and 
external impairments, a government audit organization’s ability to 
perform the work and report the results impartially can be affected by 
its place within government and the structure of the government entity 
that the audit organization is assigned to audit as well as by nonaudit 
services it has provided to audited entities. Whether performing work 
to report externally to third parties outside the audited entity or 
internally to top management within the audited entity, audit 
organizations must be free from organizational impairments to 
independence with respect to the entities they audit. 

Organizational Independence When Reporting Externally to Third Parties: 

3.13: Government auditors reporting externally to third parties can be 
presumed to be free from organizational impairments to independence if 
their audit organization is organizationally independent from the 
audited entity. Government audit organizations can meet the requirement 
for organizational independence in a number of ways. 

3.14: First, a government audit organization reporting externally to 
third parties may be presumed to be free from organizational 
impairments to independence from the audited entity, if the audit 
organization is: 

a. assigned to a level of government other than the one to which the 
audited entity is assigned (federal, state, or local), for example, 
federal auditors auditing a state government program, or 

b. assigned to a different branch of government within the same level 
of government as the audited entity; for example, legislative auditors 
auditing an executive branch program. 

3.15: Second, a government audit organization reporting externally to 
third parties may also be presumed to be free from organizational 
impairments if the audit organization’s head meets any of the following 
criteria: 

a. directly elected by voters of the jurisdiction being audited; 

b. elected or appointed by a legislative body, subject to removal by a 
legislative body, and reports the results of audits to and is 
accountable to a legislative body; 

c. appointed by someone other than a legislative body, so long as the 
appointment is confirmed by a legislative body and removal from the 
position is subject to oversight or approval by a legislative body, 
[Footnote 25] and reports the results of audits to and is accountable to
a legislative body; or 

d. appointed by, accountable to, reports to, and can only be removed by 
a statutorily created governing body, the majority of whose members are 
independently elected or appointed and come from outside the 
organization being audited. 

3.16: In addition to the presumptive criteria in paragraphs 3.14 and 
3.15, GAGAS recognize that there may be other organizational structures 
under which a government audit organization could be considered to be 
free from organizational impairments and thereby be considered 
organizationally independent for reporting externally. These other
structures provide safeguards to prevent the audited entity from 
interfering with the audit organization’s ability to perform the work 
and report the results impartially. For an audit organization to be 
considered free from organizational impairments for reporting 
externally under a structure different from the ones listed in 
paragraphs 3.14 and 3.15, the audit organization should have all of the 
following safeguards: 

a. statutory protections that prevent the abolishment of the audit 
organization by the audited entity; 

b. statutory protections that require that if the head of the audit 
organization is removed from office, the head of the agency reports 
this fact and the reasons for the removal to the legislative body; 

c. statutory protections that prevent the audited entity from 
interfering with the initiation, scope, timing, and completion of any 
audit; 

d. statutory protections that prevent the audited entity from 
interfering with the reporting on any audit, including the findings, 
conclusions, and recommendations, or the manner, means, or timing of 
the audit organization’s reports; 

e. statutory protections that require the audit organization to report 
to a legislative body or other independent governing body on a 
recurring basis; 

f. statutory protections that give the audit organization sole 
authority over the selection, retention, advancement, and dismissal of 
its staff; and 

g. statutory access to records and documents that relate to the agency, 
program, or function being audited and government officials or other 
individuals needed to conduct the audit. [Footnote 26] 

3.17: If the head of the audit organization concludes that the 
organization meets all the safeguards listed in paragraph 3.16, the 
audit organization may be considered free from organizational 
impairments to independence when reporting the results of its audits
externally to third parties. In such situations, the audit organization 
should document how the safeguards discussed in paragraph 3.16 were 
satisfied and provide the documentation to those performing quality 
control monitoring and to the external peer reviewers to determine 
whether all the necessary safeguards have been met. 

Organizational Independence When Reporting Internally to Management (as 
an internal audit function): 

3.18: Certain federal, state, or local government audit organizations 
or audit organizations within other government entities employ auditors 
to work for management of the audited entities. These auditors may be 
subject to administrative direction from persons involved in the 
government management process. Such audit organizations are internal 
audit organizations and are encouraged to follow the IIA International 
Standards for the Professional Practice of Internal Auditing. In 
addition, under GAGAS, a government internal audit organization can be 
presumed to be free from organizational impairments to independence 
when reporting internally to management if the head of the audit 
organization meets all of the following criteria: 

a. accountable to the head or deputy head of the government entity or 
to those charged with governance; 

b. reports the results of the audit organization’s work to the head or 
deputy head of the government entity and to those charged with 
governance; 

c. located organizationally outside the staff or line management 
function of the unit under audit, and 

d. has access to those charged with governance. 

3.19: If the conditions of paragraph 3.18 are met, the audit 
organization may be considered free of organizational impairments to 
independence to audit internally and report objectively to the entity’s 
management and those charged with governance. Further distribution of 
reports outside the organization may be made in accordance with
applicable law, rule, regulation, or policy. In these situations, 
auditors must clearly disclose in their reports the fact that they are 
auditing in their employing organizations. 

3.20: The placement of the internal audit organization is essential so 
that auditors are sufficiently removed from political pressures such 
that they can conduct their audits objectively and report their 
findings, opinions, and conclusions objectively without fear of 
political repercussions. An internal audit organization’s independence 
is enhanced when its personnel system for compensation, job tenure, and 
advancement is based on performance. 

3.21: The audit organization should report regularly to the entity’s 
independent audit committee and/or the appropriate government oversight 
body. 

3.22: When internal audit organizations that are free of organizational 
impairments to independence, under the criteria in paragraph 3.18, 
perform audits external to the government entities to which they are 
directly assigned, such as auditing contractors or outside party 
agreements, and no personal or external impairments exist, they may be
considered independent of the audited entities and free to report 
objectively to the heads or deputy heads of the government entities to 
which they are assigned, to those charged with governance, and to 
parties outside the organizations in accordance with applicable
law, rule, regulation, or policy. 

3.23: The audit organization should document the conditions that allow 
it to be considered free of organizational impairments to independence 
to report internally and provide the documentation to those performing 
quality control monitoring and to the external peer reviewers to 
determine whether all the necessary safeguards have been met. 

Organizational Independence When Performing Nonaudit Services: 

3.24: Audit organizations at times perform other professional services 
(nonaudit services) that are not performed in accordance with GAGAS. 
Audit organizations that provide nonaudit services must evaluate 
whether providing nonaudit services creates an independence impairment 
either in fact or appearance with respect to entities they audit. 
[Footnote 27] Based on the facts and circumstances, auditors exercise 
professional judgment in determining whether a nonaudit service would 
impair an audit organization’s independence with respect to entities 
they audit. Auditors also exercise professional judgment in determining 
whether any previously performed nonaudit services would impair an 
audit organization’s independence with respect to entities they audit. 
Those within the audit organization with sufficient knowledge, 
experience, and competence to fully understand the current and future 
issues the audit organization may face should make this determination. 

3.25: Government audit organizations generally have broad audit 
responsibilities and therefore should establish policies and procedures 
for accepting engagements to perform nonaudit services so that 
independence is not impaired with respect to entities they audit. 
[Footnote 28] Independent public accountants may provide audit and 
nonaudit services (commonly referred to as consulting) under 
contractual commitments to an entity and should consider whether 
nonaudit services they have provided or are committed to provide have a 
significant or material effect on the subject matter of the audits. 

3.26: Nonaudit services are an important consideration in an audit 
organization’s internal quality control monitoring and its external 
peer reviews. Audit organizations should disclose nonaudit services 
described in paragraph 3.30b related to individual audits selected for 
review in an internal inspection or peer review and provide the 
documentation required by paragraphs 3.35a through 3.35e to 
inspectors/reviewers. 

Overarching Independence Principles: 

3.27: The following two overarching principles apply to auditor 
independence when assessing the impact of performing a nonaudit service 
for audited entities: (1) audit organizations must not provide nonaudit 
services that involve performing management functions or making 
management decisions and (2) audit organizations must not audit their 
own work or provide nonaudit services in situations where the nonaudit 
services are significant/material to the subject matter of audits. 
[Footnote 29] 

3.28: In considering whether audits performed by the audit organization 
can be significantly or materially affected by the nonaudit service, 
audit organizations should evaluate (1) ongoing audits; (2) planned 
audits; (3) requirements and commitments for providing audits, which 
includes laws, regulations, rules, contracts, and other agreements; and 
(4) policies placing responsibilities on the audit organization for
providing audit services. 

3.29: If requested [Footnote 30] to perform nonaudit services that 
would impair the audit organization’s ability to meet either or both of 
the overarching independence principles for certain types of audit 
work, the audit organization should inform the requestor and the 
audited entity that performing the nonaudit service would impair the 
auditor’s independence with regard to subsequent audit or attestation 
engagements. 

Types of Nonaudit Services: 

3.30: Nonaudit services generally fall into one of the following 
categories: [Footnote 31] 

a. Nonaudit services that would not impair auditor independence with 
respect to entities they audit and, therefore, do not require 
compliance with the supplemental safeguards in paragraph 3.35. (See 
paragraphs 3.31 through 3.32.) 

b. Nonaudit services that do not impair the audit organization’s 
independence with respect to entities they audit as long as the 
supplemental safeguards in paragraph 3.35 are complied with. (See 
paragraph 3.33.) 

c. Nonaudit services that would impair the audit organization’s 
independence. Compliance with the supplemental safeguards will not 
overcome this impairment. (See paragraph 3.34.) 

Nonaudit Services That Do Not Impair Auditor Independence: 

3.31: In this type of nonaudit service, auditors provide technical 
advice based on the auditors’ technical knowledge and expertise. This 
type of nonaudit service does not impair auditor independence with 
respect to entities they audit and does not require the audit 
organization to apply the supplemental safeguards. However, auditor
independence would be impaired if auditors made management decisions or 
performed management functions. 

3.32: Examples of the types of services in this category include the 
following: 

a. Participating in activities such as commissions, committees, task 
forces, panels, and focus groups as an expert in a purely advisory, 
non-voting capacity to: 

(1) advise entity management on issues based on the knowledge and 
skills of the auditors, and 

(2) address urgent problems or policy issues. 

b. Providing tools and methodologies, such as guidance and good 
business practices, benchmarking studies, and internal control 
assessment methodologies that can be used by management. 

c. Providing targeted and limited technical advice to the audited 
entity and management to assist them in activities such as (1) 
answering technical questions and/or providing training, (2) 
implementing audit recommendations, (3) performing internal control 
self assessments, and (4) providing information on good business 
practices. 

Nonaudit Services That Would Not Impair Independence if Supplemental
Safeguards Are Implemented: 

3.33: These services would not impair the audit organization’s 
independence with respect to the entities they audit so long as they 
comply with the supplemental safeguards. Examples of the types of 
services in this category include the following: 

a. Providing basic accounting assistance limited to services such as 
preparing draft financial statements that are based on management’s 
chart of accounts and trial balance and any adjusting, correcting, and 
closing entries that have been approved by management; preparing draft 
notes to the financial statements based on information determined and 
approved by management; preparing a trial balance based on management’s 
chart of accounts; maintaining depreciation schedules for which
management has determined the method of depreciation, rate of 
depreciation, and salvage value of the asset. [Footnote 32] 

b. Providing payroll services when payroll is not material to the 
subject matter of the audit or to the audit objectives. Such services 
are limited to using records and data that have been approved by entity 
management. 

c. Providing appraisal or valuation services limited to services such 
as reviewing the work of the entity or a specialist employed by the 
entity where the entity or specialist provides the primary evidence for 
the balances recorded in financial statements or other information that 
will be audited; valuing an entity’s pension, other post-employment
benefits, or similar liabilities provided management has determined and 
taken responsibility for all significant assumptions and data. 

d. Preparing an entity’s indirect cost proposal [Footnote 33] or cost 
allocation plan provided that the amounts are not material to the financial 
statements and management assumes responsibility for all significant 
assumptions and data. 

e. Providing advisory services on information technology limited to 
services such as advising on system design, system installation, and 
system security if management, in addition to the safeguards in 
paragraph 3.35, acknowledges responsibility for the design, 
installation, and internal control over the entity’s system and does 
not rely on the auditors’ work as the primary basis for determining (1) 
whether to implement a new system, (2) the adequacy of the new system 
design, (3) the adequacy of major design changes to an existing system, 
and (4) the adequacy of the system to comply with regulatory or other 
requirements. 

f. Providing human resource services to assist management in its 
evaluation of potential candidates when the services are limited to 
activities such as serving on an evaluation panel of at least three 
individuals to review applications or interviewing candidates to
provide input to management in arriving at a listing of best qualified 
applicants to be provided to management. 

g. Preparing routine tax filings in accordance with federal tax laws, 
rules, and regulations of the Internal Revenue Service, and state and 
local tax authorities, and any other applicable tax laws that do not 
violate the overarching independence principles. For example, preparing 
tax returns, including IRS form 990, “Return of Organization Exempt 
from Income Tax,” based on information provided by the audited entity,
providing advice on deposits due to a taxing authority, and 
representing an audit entity in IRS matters such as in an IRS audit or 
in obtaining IRS rulings or other agreements, ordinarily would be 
included in this category of nonaudit services. [Footnote 34]  

h. Documenting existing processes and internal controls. 

Nonaudit Services That Impair Independence: 

3.34: Compliance with the supplemental safeguards will not overcome 
independence impairments in this category. By their nature, certain 
nonaudit services directly support the entity’s operations and impair 
the audit organization’s ability to meet either or both of the 
overarching independence principles in paragraph 3.27 for certain types 
of audit work. 

Examples of the types of services under this category include the 
following: 

a. Maintaining or preparing the audited entity’s basic accounting 
records or maintaining or taking responsibility for basic financial or 
other records that the audit organization will audit. 

b. Posting transactions (whether coded or not coded) to the entity’s 
financial records or to other records that subsequently provide input 
to the entity’s financial records. 

c. Determining account balances or determining capitalization criteria. 

d. Designing, developing, installing, or operating the entity’s 
accounting system or other information system that are material or 
significant to the subject matter of the audit. 

e. Providing payroll services that (1) are material to the subject 
matter of the audit or the audit objectives, and/or (2) involve making 
management decisions. 

f. Providing appraisal or valuation services that exceed the scope 
described in paragraph 3.33 c. 

g. Recommending a single individual for a specific position that is key 
to the entity or program under audit, or otherwise ranking or 
influencing management’s selection of the candidate; or conducting an 
executive search or a recruiting program for the audited entity. 

h. Developing an entity’s performance measurement system when that 
system is material or significant to the subject matter of the audit. 

i. Performing the entity’s internal control self-assessment process or 
developing the internal control system. 

j. Developing an entity’s policies, procedures, and internal controls. 

k. Providing services that are used as management’s primary basis for 
making decisions that are significant to the subject matter under 
audit. 

l. Internal audit functions, when performed by external auditors. 

m. Serving as voting members of an entity’s management committee or 
board of directors, making policy decisions that affect future 
direction and operation of an entity’s programs, supervising entity 
employees, developing programmatic policy, authorizing an entity’s
transactions, or maintaining custody of an entity’s assets. [Footnote 
35] 

Supplemental Safeguards for Maintaining Auditor Independence When 
Performing Nonaudit Services Described in Paragraph 3.33: 

3.35: Performing nonaudit services described in paragraph 3.33 will not 
impair independence if the overarching independence principles stated 
in paragraph 3.27 are not violated. For these nonaudit services, the 
audit organization must comply with the following safeguards. 

a. The audit organization documents its consideration of the nonaudit 
services, including its conclusions about the impact on independence. 

b. Before performing nonaudit services, the audit organization 
establishes and documents an understanding with the audited entity 
regarding the objectives, scope of work, and product or deliverables of 
the nonaudit service. The audit organization also establishes and 
documents an understanding with the audited entity that its management
is responsible for (1) the subject matter of the nonaudit services, (2) 
the substantive outcomes of the work, (3) making any decisions that 
involve management functions related to the nonaudit service and 
accepting full responsibility for such decisions. 

c. The audit organization precludes personnel who provided the nonaudit 
services from planning, conducting, or reviewing audit work of the 
subject matter of the nonaudit service under the overarching 
independence principle that auditors must not audit their own work. 
[Footnote 36]  

d. The audit organization does not reduce the scope and extent of the 
audit work below the level that would be appropriate if the nonaudit 
work were performed by an unrelated party. 

e. The audit organization’s quality control systems for compliance with 
independence requirements should include: (1) policies and procedures 
to consider the effect on the ongoing, planned, and future audits when 
deciding whether to provide nonaudit services, and (2) a requirement to 
document the understanding with management of the audited entity 
discussed above. The understanding should be communicated to management 
in writing and can be included in the engagement letter. In addition, 
the documentation should specifically identify management’s 
responsibilities discussed above. 

Professional Judgment: 

3.36: Auditors must use professional judgment, including professional 
skepticism and reasonable care and diligence, in planning and 
performing audits and attestation engagements and in reporting the 
results. 

3.37: As a key component of professional judgment, auditors exercise 
professional skepticism, which is an attitude that includes a 
questioning mind and a critical assessment of evidence. Professional 
skepticism includes a mindset where auditors neither assume that 
management is dishonest nor of unquestioned honesty, and auditors
are not to be satisfied with less than persuasive evidence because of a 
belief that management is honest. 

3.38: Auditors use their professional knowledge, skills, and experience 
to diligently perform, in good faith and with integrity, the gathering 
of information and the objective evaluation of the sufficiency and 
appropriateness of evidence. Professional judgment and competence are 
interrelated, since judgments made are dependent upon the competence
of personnel. 

3.39: Professional judgment represents the application of the 
collective knowledge, skills, and experiences of all the personnel 
involved with an audit engagement, as well as the professional judgment 
of individual auditors. In addition to personnel directly involved in 
the audit, professional judgment may involve collaboration with other
stakeholders, outside experts, and management in the audit 
organization. 

3.40: Auditors use professional judgment in all aspects of carrying out 
professional responsibilities, including following the independence 
standards, maintaining objectivity and credibility, assigning competent 
audit staff to the engagement, and maintaining appropriate quality 
control over the engagement process. 

3.41: Auditors also use professional judgment in planning and 
performing a GAGAS audit, including determining the type of assignment 
to be performed and the standards that apply to the work; defining the 
scope of work; selecting the methodology; determining criteria suitable 
to the audit objectives; determining the type and amount of data or 
information to be gathered; selecting and performing the tests and 
procedures; assessing the appropriateness of information and 
sufficiency of evidence obtained; and evaluating and reporting the 
results of the work. 

3.42: Auditors use professional judgment in determining the required 
level of the understanding of the audit subject matter and related 
circumstances. This includes consideration about whether their 
collective experience, training, knowledge, skills, abilities, and 
overall understanding are sufficient to assess the risks that the 
subject matter under audit may contain a significant inaccuracy or 
could be misinterpreted. 

3.43: Auditors also consider the risk level of each assignment, 
including the risk that they may come to an improper conclusion. Within 
the context of this overall audit risk, auditors exercise professional 
judgment in determining the sufficiency and appropriateness of 
information to be used to support the findings and conclusions based on 
the audit objectives and any recommendations reported. 

3.44: By its nature, the exercise of professional judgment is 
subjective. As such, auditors should document significant decisions 
affecting the audit’s objectives, scope, methodology, and findings; 
conclusions, and recommendations resulting from professional judgment. 
Since professional judgment is subjective, different auditors may
differ as to the audit approach. 

3.45: While this standard places responsibility on each auditor and 
audit organization to exercise professional judgment in planning and 
performing an assignment, it does not imply unlimited responsibility, 
nor does it imply infallibility on the part of either the individual 
auditor or the audit organization. Absolute assurance is not attainable
because of the nature of evidence and the characteristics of fraud. 
Professional judgment does not mean eliminating all possible 
limitations or weaknesses associated with a specific audit, but rather 
identifying, considering, minimizing, mitigating, and explaining
them. 

Competence: 

3.46: The staff assigned to perform the audit or attestation engagement 
must collectively possess adequate professional competence for the 
tasks required. 

3.47: Competence is an essential dimension of the human capital 
management component of an audit organization’s system of quality 
control. (See paragraph 3.61c.) The audit organization’s management 
should assess skill needs to consider whether its workforce has the 
essential skills that match those necessary to successfully achieve the
audit mandate or scope of audits to be performed. Accordingly, audit 
organizations should have a process for recruitment, hiring, continuous 
development, assignment, performance evaluation, advancement and 
compensation of staff to assist the organization in maintaining a 
workforce that has adequate competence. The nature, extent, and 
formality of the process will depend on various factors such as the 
size of the audit organization, its work, and its structure. 

3.48: Competence is derived from a synthesis of education and 
experience. It begins with a mastery of the common body of knowledge. 
Competencies are not necessarily measured by years of auditing 
experience because such a quantitative measurement may not accurately 
reflect the kinds of experiences gained by an auditor in any given time
period. Auditors maintain competence through a commitment to learning 
and development throughout an auditor’s professional life. Competence 
enables an auditor to make sound professional judgments. 

3.49: In planning or performing an audit, auditors may employ the 
skills and knowledge of a specialist to assist with complex or 
subjective issues. 

3.50: Auditors have a continuing duty to maintain professional 
knowledge and skill to provide competent professional service based on 
current developments in applicable technical and professional standards 
practice, legislation, and techniques.

Technical Knowledge and Competence: 

3.51: Staff members assigned to conduct an audit or attestation 
engagement under GAGAS must collectively possess the technical 
knowledge, skills, and experience necessary to be competent for the 
type of work being performed before beginning work on that assignment. 
In assigning personnel to engagements, audit organizations consider
the workload requirements of an engagement, the skills, competence, and 
experience needed in relation to the complexity or other needs of an 
engagement, and the extent of supervision to be provided. Staff members 
should collectively possess: 

a. knowledge of GAGAS applicable to the type of work they are assigned 
and the education, skills, and experience to apply such knowledge to 
the work being performed; 

b. general knowledge of the environment in which the audited entity 
operates and the subject matter under review; 

c. skills to communicate clearly and effectively, both orally and in 
writing; and 

d. skills appropriate for the work being performed. For example: 

(1) staff or specialists with statistical sampling skills if the work 
involves use of statistical sampling; 

(2) staff or specialists with information technology skills if the work 
involves review of information systems; 

(3) staff or specialists with engineering skills if the work involves 
review of complex engineering data; 

(4) staff or specialists with skills in specialized audit methodologies 
or analytical techniques, such as the use of complex survey 
instruments, actuarial-based estimates, or statistical analysis tests, 
if the work calls for such skills; or 

(5) staff or specialists with skills in specialized subject matters, 
such as scientific, medical, environmental, educational, or any other 
specialized subject matter, if the work calls for such expertise. 

Additional Qualifications for Financial Audits and Attestation 
Engagements: 

3.52: Auditors performing financial audits in which U.S. auditing 
standards for nonissuers are to be followed should be knowledgeable in 
generally accepted accounting principles (GAAP) and the AICPA’s 
generally accepted auditing standards for field work and reporting and 
the related Statements on Auditing Standards (SAS) and any other
accounting principles or basis of accounting used, and they should be 
competent in applying these standards and SAS to the task assigned. 
Also, if auditors use GAGAS in conjunction with standards of the IAASB 
or PCAOB, they should be knowledgeable and competent in applying these 
standards. 

3.53: Similarly, for attestation engagements in which U.S. attestation 
engagement standards are to be followed, GAGAS incorporate the AICPA’s 
attestation standards. Auditors should be knowledgeable in the AICPA 
general attestation standard related to criteria and the AICPA 
attestation standards for field work and reporting and the related
Statements on Standards for Attestation Engagements (SSAE), and they 
should be competent in applying these standards and SSAE to the task 
assigned. 

3.54: Auditors engaged to perform financial audits or attestation 
engagements should be licensed certified public accountants or persons 
working for a licensed certified public accounting firm or a government 
auditing organization. Public accountants and accounting firms are also 
subject to licensing requirements provisions of public accountancy law 
and rules of the jurisdiction(s) where the audit is being performed, and
the jurisdiction(s) in which the public accountants and their firms are 
licensed. 

Continuing Professional Education: 

3.55: Auditors performing work under GAGAS, including planning, 
directing, performing field work, or reporting on an audit or 
attestation engagement under GAGAS, must maintain their professional 
competence through continuing professional education (CPE). Therefore, 
each auditor performing work under GAGAS should complete, every 2 
years, at least 80 hours of CPE that enhance the auditor’s professional 
proficiency to perform audits and/or attestation engagements. Auditors 
should take subjects directly related to government auditing, the 
government environment, or the specific or unique environment in which 
the audited entity operates for at least 24 of the 80 hours of CPE. 
[Footnote 37] Auditors should complete at least 20 hours of the 80 in 
any 1 year of the 2-year period. 

3.56: CPE programs are structured educational activities with learning 
objectives designed to maintain or enhance participants’ knowledge, 
skills, and abilities in areas applicable to performing audits or 
attestation engagements. Determining what subjects are appropriate for 
individual auditors to satisfy both the 80-hour and the 24-hour
requirements is a matter of professional judgment to be exercised by 
auditors in consultation with appropriate officials within their audit 
organizations. Among the considerations in exercising that judgment are 
the auditors’ experience, the responsibilities they assume in 
performing GAGAS audits or attestation engagements, and the operating 
environment of the audited entity. 

3.57: Individual auditors have primary responsibility for improving 
their competencies and for meeting CPE requirements. The audit 
organization should have quality control procedures to help ensure that 
auditors meet the continuing education requirements, including 
documentation of the CPE completed. GAO has developed guidance 
pertaining to CPE requirements to assist auditors and audit 
organizations in exercising professional judgment in complying with the 
CPE requirements. [Footnote 38] 

3.58: External specialists assisting in performing a GAGAS assignment 
should be qualified and should maintain professional competence in 
their areas of specialization but are not required to meet the CPE 
requirements described here. However, auditors who use the work of 
external specialists should assess the professional qualifications of
such specialists and document their findings and conclusions. Internal 
specialists who are part of the audit organization and perform as a 
member of the audit team, should comply with GAGAS, including the CPE 
requirements. 

Quality Control and Assurance: 

3.59: Each audit organization performing audits and/or attestation 
engagements in accordance with GAGAS must have an internal quality 
control system in place that is designed to provide reasonable 
assurance that the organization and its personnel comply with 
professional standards and regulatory and legal requirements, and that 
reports issued are in accordance with professional standards. 

System of Quality Control: 

3.60: An audit organization’s system of quality control encompasses the 
audit organization’s structure and the policies adopted and procedures 
established to provide the organization with reasonable assurance of 
complying with applicable professional standards governing audits and 
attestation engagements. The audit organization should design the 
nature, extent, and formality of its quality control policies and 
procedures to be appropriately comprehensive and suitably designed in 
relation to the audit organization’s size, number of offices, the 
knowledge and experience of its personnel, the nature and complexity of 
the audit work, and appropriate cost-benefit considerations. Thus, the 
systems established by individual audit organizations and the extent of 
their documentation of the systems will vary based on an audit 
organization’s circumstances. 

3.61: An audit organization should include policies and procedures in 
its system of quality control addressing each of the following 
elements: 

a. Ethics: Policies and procedures designed to provide reasonable 
assurance that the audit organization and its personnel comply with 
relevant ethical concepts which include: the public interest; 
professional behavior; integrity; objectivity; and proper use of 
government information, resources, and position. (See chapter 2 for the 
overarching ethical concepts that apply to auditors in conducting their 
work in accordance with GAGAS.) 

b. Initiation and continuance of audit and attest engagements: Policies 
and procedures for the initiation and continuance of audit work, 
designed to provide reasonable assurance that the audit organization 
will only undertake or continue relationships and engagements where it: 

(1) is competent to perform the engagement and has the capabilities, 
time and resources to do so; 

(2) is independent and can comply with professional standards and 
ethical principles; and 

(3) is within the legal mandate or authority of the audit organization. 

c. Human capital management: Policies and procedures designed to 
provide the audit organization with reasonable assurance that it has 
sufficient personnel with the competence necessary to perform its 
engagements in accordance with professional standards and regulatory 
and legal requirements, and to enable the audit organization to issue 
reports that are appropriate in the circumstances. Policies and 
procedures related to competence of personnel address the following: 

(1) recruitment of qualified personnel; 

(2) assignment of personnel with the competence and independence [Footnote 39] 
needed for specific engagements; 

(3) performance evaluation, professional development, continuing 
professional education, promotion, and compensation. 

d. Engagement performance and reporting: Policies and procedures 
designed to provide the audit organization with reasonable assurance 
that engagements are performed in accordance with professional 
standards and regulatory and legal requirements, and that the audit 
organization issues reports that are appropriate in the circumstances 
include the following: 

(1) information and communication provided to engagement teams so that 
team members sufficiently understand the objectives of their work; 

(2) processes for engagement planning and supervision; 

(3) processes for complying with applicable engagement-related 
standards; 

(4) reviewing the work performed, the significant judgments made and 
the resulting report; 

(5) appropriate documentation of the work performed and review of audit
documentation, including appropriate management-level reviews; 

(6) communication at the appropriate professional level with 
individuals within or outside the audit organization to resolve a 
difficult or contentious matter; 

(7) procedures for resolving disagreements among team members and 
between the team and those consulted; and 

(8) reporting that is appropriate to circumstances associated with the 
engagement, is supported by the work performed, and is in accordance 
with applicable professional standards and regulatory and legal 
requirements. 

e. Monitoring of quality: Policies and procedures designed to provide 
management of the audit organization with reasonable assurance that the 
policies and procedures relating to the system of quality control are 
suitably designed and operating effectively in practice. Audit 
organizations should have monitoring procedures that include an ongoing
consideration and evaluation of the audit organization’s system of 
quality control for achieving the objectives in (a) through (d) above, 
including: 

(1) relevance and adequacy of the organization’s policies and 
procedures; 

(2) appropriateness of the organization’s guidance materials; and 

(3) compliance with the organization’s policies and procedures. 

3.62: Where practical, audit organizations are strongly encouraged to 
implement monitoring procedures that include the enhanced quality 
assurance criteria discussed in paragraph 3.70. 

3.63: Each audit organization should prepare documentation for its 
system of quality control as well as documentation to demonstrate 
compliance with its policies and procedures for a period of time 
sufficient to enable those performing monitoring procedures and peer 
reviews to evaluate the extent of the audit organization’s compliance 
with the quality control policies and procedures. The form and content 
of such documentation is a matter of judgment. 

External Peer Review: 

3.64: Audit organizations performing audits and attestation engagements 
in accordance with GAGAS must have an external peer review of their 
auditing and attestation engagement practices in accordance with the 
time frames set forth in paragraph 3.69. [Footnote 40] 

3.65: The external peer review must determine whether, during the 
period under review, the reviewed audit organization’s internal quality 
control system was adequate and whether quality control policies and 
procedures, including the monitoring process, were being complied with 
to provide the audit organization with reasonable assurance of
conforming with applicable professional standards. Audit organizations 
should take remedial, corrective actions as needed based on the results 
of the peer review. 

3.66: Members of the external peer review team should meet the 
following requirements: 

a. The review team collectively has current knowledge of GAGAS and of 
the government environment relative to the work being reviewed. 

b. Each review team member is independent (as defined in GAGAS) of the 
audit organization being reviewed, its staff, and the audits and 
attestation engagements selected for the external peer review. A review 
team or a member of the review team does not review the audit 
organization that conducted its audit organization’s most recent 
external peer review. 

c. The review team collectively has sufficient knowledge of how to 
perform a peer review. Such knowledge may be obtained from on-the-job 
training, training courses, or a combination of both. Having personnel 
on the peer review team with prior experience on a peer review or 
internal inspection team is desirable. 

3.67: Audit organizations should obtain a peer review that meets the 
following requirements: 

a. The peer review includes a review of the audit organization’s 
internal quality control policies and procedures, including related 
monitoring procedures, audit and attestation engagement reports, audit 
and attest documentation, and other necessary documents (for example, 
independence documentation, CPE records, and personnel management
files related to compliance with hiring, performance evaluation, 
advancement, compensation, and assignment policies). The review also 
includes interviews with various levels of the reviewed audit 
organization’s professional staff to assess their understanding of and 
compliance with relevant quality control policies and procedures. 

b. The review team uses one of the following approaches to selecting 
audits and attestation engagements for review: (1) select audits and 
attestation engagements that provide a reasonable cross-section of the 
assignments performed by the reviewed audit organization in accordance 
with GAGAS or (2) select audits and attestation engagements that 
provide a reasonable cross-section of the reviewed audit organization’s 
work subject to its quality control system, including assignments 
performed in accordance with GAGAS. [Footnote 41] 

c. The peer review is sufficiently comprehensive to provide a 
reasonable basis for concluding whether the reviewed audit 
organization’s system of quality control was complied with to provide 
the organization with reasonable assurance of conforming with
professional standards in the conduct of its work, and the peer review 
includes consideration of the adequacy and results of the reviewed 
audit organization’s monitoring efforts. 

d. The review team prepares a written report(s) communicating the 
results of the external peer review. The report indicates the scope of 
the review, including any limitations thereon, and includes an opinion 
on whether the system of quality control of the reviewed audit 
organization’s audit and/or attestation engagement practices was
adequately designed based on specified standards or criteria and 
whether the audit organization’s quality control policies and 
procedures were being complied with during the year reviewed to provide 
the audit organization with reasonable assurance of conforming with 
professional standards. The report states the professional standards or
criteria to which the reviewed audit organization is being held. The 
report also describes the reasons for any modification of the opinion. 
When there are matters that resulted in a modification to the opinion, 
the report includes a detailed description of the findings and
recommendations, either in the peer review report or in a separate 
letter of comment, to enable the reviewed audit organization to take 
appropriate actions. The written report refers to the letter of comment 
if such a letter is issued along with a modified report. 

3.68: An audit organization that reports externally to third parties 
should make the results of its most recent external peer review 
publicly available; for example, by posting the peer review opinion on 
an external Web site. [Footnote 42] Internal audit organizations that 
report internally to management should provide a copy of the external 
peer review report to those charged with governance. Government audit 
organizations should also transmit their external peer review reports 
to appropriate oversight bodies. [Footnote 43] 

3.69: Audit organizations should have an external peer review conducted 
according to the following time frames: 

a. within 18 months, if the most recent external peer review opinion is 
adverse or modified, with continued peer reviews every 18 months until 
the audit organization receives an unmodified opinion; 

b. every 3 years if the audit organization has an unmodified peer 
review opinion from its recent peer review, and does not qualify for or 
does not elect a 5-year period; or 

c. every 5 years if the audit organization’s most recent external peer 
review opinion was unmodified and the audit organization elects to meet 
the enhanced quality assurance and other criteria in paragraph 3.70. 
[Footnote 44] 

3.70: The following represents the enhanced quality assurance criteria 
for audit organizations that elect a 5-year peer review cycle. Audit 
organizations that do not elect a 5-year peer review cycle are strongly 
encouraged to adopt these criteria as a means to strengthen quality 
assurance. In order to qualify for a 5-year peer review cycle, the audit
organization should meet the following criteria: 

a. The audit organization makes public on its Web site a description of 
the overall system of quality assurance used to provide the 
organization with reasonable assurance of complying with applicable 
standards governing audits and attestation engagements. [Footnote 45] 
The audit organization provides the description of its system of 
quality assurance to the oversight organization’s bodies who receive 
the external peer review report under paragraph 3.68. 

b. The audit organization has an effective annual internal [Footnote 
46] quality inspection process that meets the following criteria: 

(1) The objective of the inspection process is to evaluate the adequacy 
of the audit organization’s quality control policies and procedures, 
and the extent of the audit organization’s compliance with its quality 
control policies and procedures. 

(2) The annual inspection includes the following elements: 

1. a review of selected administrative and personnel records pertaining 
to the quality control elements of independence and human capital 
management; 

2. a review of audit documentation for an appropriately sized, 
representative sample of engagements and reports by qualified 
management-level individuals and other audit personnel who are not 
directly associated with the performance of the engagement; 

3. discussions or interviews with the audit organization’s personnel; 

4. a summary of the findings from the inspection procedures in a formal 
report to top management of the audit organization; 

5. a discussion in the report of the systemic causes of any findings 
that indicate improvements are needed and recommendations for 
corrective actions to be taken or improvements to be made with respect 
to the specific engagements reviewed and the audit organization’s 
quality control policies and procedures; 

6. communication of the identified findings to the appropriate 
management officials and personnel of the audit organization; 

7. consideration of inspection findings by appropriate management 
personnel of the audit organization who are in a position to take 
actions necessary, including necessary modifications to the quality 
control system, on a timely basis; and

8. retention of appropriate inspection documentation at least until the 
completion of the next peer review. 

(3) The audit organization annually makes public a written assertion 
about the effectiveness of its internal quality assurance program, 
which is consistent with the results of the monitoring and inspection 
processes and is provided to the peer reviewers as part of the peer 
review process. [Footnote 47] Government audit organizations should 
also transmit their written assertions to their oversight 
organizations, councils, or committees.

c. The audit organization’s most recent external peer review included a 
review of the effectiveness of the audit organization’s annual 
inspection process, and the peer reviewers identified no significant 
deficiencies in the internal quality inspection process. 

d. The audit organization determines whether it qualifies for the
5-year peer review cycle and documents the rationale for its decision if
it believes it qualifies. The audit organization may consult with its 
external peer reviewers in making this determination. 

3.71: Information in external peer review reports and letters of 
comment may be relevant to decisions on procuring audit or attestation 
engagement services. Therefore, audit organizations seeking to enter 
into a contract to perform an assignment in accordance with GAGAS 
should provide the following to the party contracting for such 
services: 

a. the audit organization’s most recent external peer review report and 
any letter of comment, and

b. any subsequent peer review reports and letters of comment received 
during the period of the contract. 

3.72: Auditors who are relying on another audit organization’s work 
should request a copy of the audit organization’s latest peer review 
report and any letter of comment, and the audit organization should 
provide these documents when requested. 

[End of chapter] 

Chapter 4: Field Work Standards for Financial Audits: 

Introduction: 

4.01: This chapter establishes field work standards and provides 
guidance for financial audits conducted in accordance with generally 
accepted government auditing standards (GAGAS). For financial audits, 
GAGAS incorporate the AICPA’s field work and reporting standards and 
the related statements on auditing standards unless specifically 
excluded or modified by GAGAS. [Footnote 48] This chapter identifies 
the AICPA field work standards and prescribes additional standards for 
financial audits performed in accordance with GAGAS. 

4.02: See paragraphs 1.16 through 1.18 for a discussion about the use 
of GAGAS with other financial audit standards. 

4.03: See paragraphs 1.24 through 1.27 for an overall description of 
the nature and objectives of financial audits.

AICPA Field Work Standards: 

4.04: The three AICPA generally accepted standards of field work are as 
follows: 

a. The auditor must adequately plan the work and must properly 
supervise any assistants. 

b. The auditor must obtain a sufficient understanding of the entity and 
its environment, including its internal control [Footnote 49] to assess 
the risk of material misstatement [Footnote 50] of the financial 
statements whether due to error or fraud, and to design the nature, 
timing, and extent of further audit procedures. 

c. The auditor must obtain sufficient appropriate audit evidence by 
performing procedures to afford a reasonable basis for an opinion 
regarding the financial statements under audit. 

Additional Considerations for Financial Audits in Government: 

4.05: Additional considerations for financial audits in government 
apply in audits of a government entity or an entity that receives 
government awards. For example, auditors may need to set lower 
materiality levels than in audits in the private sector because of
the public accountability of the audited entity, various legal and 
regulatory requirements, and the visibility and sensitivity of 
government programs. In applying professional judgment when applying 
auditing standards, auditors also consider the needs of users and the 
concerns of oversight officials regarding previously identified risks, 
previously reported deficiencies in internal control of the audited 
entity, and current and emerging risks and uncertainties facing the 
government entity or program. 

4.06: An important element of financial audits in government is the 
reporting of deficiencies in internal control so that the audited 
entity can take corrective actions necessary under the circumstances. 
(See paragraphs 5.13 through 5.18.) A deficiency in internal control 
exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their 
assigned functions, to prevent or detect misstatements on a timely 
basis. A deficiency in design exists when (a) a control necessary to 
meet the control objective is missing or (b) an existing control
is not properly designed so that, even if the control operates as 
designed, the control objective is not met. A deficiency in operation 
exists when a properly designed control does not operate as designed, 
or when the person performing the control does not possess the 
necessary authority or qualifications to perform the control 
effectively. 

Consideration of Potential Fraud in a Financial Statement Audit and 
Illegal Acts by Auditees: 

4.07: Under both the AICPA standards [Footnote 51] and GAGAS, auditors 
should plan and perform the audit to obtain reasonable assurance 
[Footnote 52] about whether the financial statements are free of 
material misstatement, whether caused by error or fraud. [Footnote 53] 
Auditors conduct the audit with a mindset that recognizes the 
possibility that a material misstatement due to potential fraud could 
be present. However, absolute assurance is not attainable and thus
even a properly planned and performed audit may not detect a material 
misstatement resulting from fraud. 

4.08: Auditors should design the audit to provide reasonable assurance 
of detecting material misstatements resulting from direct and material 
illegal acts. [Footnote 54] Auditors also consider the possibility that 
indirect illegal acts may have occurred. If specific information comes 
to the auditors’ attention that provides evidence concerning the 
existence of possible illegal acts that could have a material indirect 
effect on the financial statements, the auditors should apply audit 
procedures specifically directed to ascertaining (1) whether an illegal 
act has occurred [Footnote 55] and (2) the potential financial 
statement effect. 

Additional GAGAS Standards: 

4.09: GAGAS establish field work standards for financial audits in 
addition to the requirements contained in the AICPA SAS. Auditors 
should comply with these additional standards when citing GAGAS in 
their audit reports. The additional GAGAS standards relate to: 

a. auditor communication (see paragraphs 4.10 through 4.15); 

b. previous audits and attestation engagements (see paragraphs 4.16 
through 4.17); 

c. detecting material misstatements resulting from violations of 
contract provisions or grant agreements, or from abuse (see paragraphs 
4.18 through 4.20); 

d. developing elements of a finding (see paragraph 4.21); and

e. audit documentation (see paragraphs 4.22 through 4.41). 

Auditor Communication: 

4.10: Auditors should communicate information regarding their 
responsibilities under GAGAS and the level of assurance to those 
charged with governance and to the individuals contracting for or 
requesting the audit and document the communications. 

4.11: Under AICPA standards and GAGAS, auditors should establish a 
written understanding with those charged with governance [Footnote 56] 
and communicate with audit committees. Under GAGAS, auditors should 
communicate specific information in writing during the planning stages 
of a financial audit, including any potential restriction of the
auditors’ reports, to reduce the risk that the needs or expectations of 
the parties involved may be misinterpreted. Auditors use professional 
judgment when determining the form, content, and frequency of the 
communication. Auditors may use an engagement letter or a proposal, if 
appropriate, to communicate the information. 

4.12: When auditors perform the audit under a contract with a party 
other than the officials of the audited entity, or pursuant to a
third-party request, auditors should also communicate in writing with the
individuals contracting for or requesting the audit, such as 
contracting officials or members or staff of legislative committees, in 
addition to communicating with the audited entity. When auditors are 
performing the audit pursuant to a law or regulation and they are 
conducting the work directly for the legislative committee who has 
oversight for the audited entity, auditors should communicate with
the members or staff of that legislative committee. Auditors should 
coordinate communications with the responsible government audit 
organization and/or management of the audited entity. If an audit is 
terminated before it is completed, auditors should write a memorandum 
for the audit documentation that summarizes the results of the work and 
explains the reasons why the audit was terminated. In addition,
depending on the facts and circumstances, auditors should consider the 
need to communicate the reason for terminating the audit to those 
charged with governance, management of the audited entity, the entity 
requesting the audit, and other appropriate officials, preferably in 
writing. 

4.13: When communicating responsibilities under GAGAS and the level of 
assurance provided, auditors should specifically address their planned 
work and reporting responsibilities related to testing internal control 
over financial reporting and compliance with laws, regulations, and 
provisions of contracts or grant agreements. During the planning stages 
of an audit, auditors should communicate their responsibilities for 
testing and reporting on internal control over financial reporting and
compliance with laws, regulations, and provisions of contracts or grant 
agreements. Auditors should also communicate the nature of any 
additional testing of internal control and compliance required by laws, 
regulations, and provisions of contracts or grant agreements, or 
otherwise requested, and whether the auditors will provide opinions on
internal control over financial reporting and compliance with laws, 
regulations, and provisions of contracts or grant agreements. 

4.14: Under financial auditing standards, tests of internal control 
over financial reporting and compliance with laws, regulations, and 
provisions of contracts or grant agreements in a financial statement 
audit contribute to the evidence supporting the auditors’ opinion
on the financial statements or other conclusions regarding financial 
data. However, such tests generally are not sufficient in scope to 
provide an opinion on the effectiveness of internal control over 
financial reporting or compliance with laws, regulations, and 
provisions of contracts or grant agreements. To meet certain audit 
report users’ needs, laws and regulations sometimes prescribe testing 
and reporting on internal control over financial reporting and 
compliance with laws, regulations, and provisions of contracts and 
grant agreements to supplement coverage of these areas. [Footnote 57]  

4.15: Even after auditors perform and report the results of additional 
tests of internal control over financial reporting and compliance with 
laws, regulations, and provisions of contracts and grant agreements, 
those charged with governance, officials of the audited entity or 
individuals contracting for or requesting the audit may desire 
additional procedures or reporting. Auditors may meet these needs by 
performing further tests of internal control and compliance with laws, 
regulations, and provisions of contracts or grant agreements as an 
attestation engagement (see chapter 6), or a performance audit (see 
chapters 7 and 8), to achieve these objectives. 

Previous Audits and Attestation Engagements: 

4.16: When planning the audit, auditors should determine whether the 
results of previous audits and attestation engagements that directly 
relate to the objectives of the audit being undertaken have an impact 
on the current engagement, including whether related recommendations 
have been implemented. 

4.17: Auditors should identify previous financial audits, attestation 
engagements, performance audits, or other studies related to the 
objectives of the audit being undertaken and ask management of the 
audited entity to identify corrective actions taken to address 
significant findings and recommendations, [Footnote 58] including those 
related to significant deficiencies, including material weaknesses. [Footnote 59]

Detecting Material Misstatements Resulting from Violations of Contract 
Provisions or Grant Agreements, or from Abuse: 

4.18: The standard related to violations of contract provisions or 
grant agreements or abuse for financial audits performed in accordance 
with GAGAS is: 

a. Auditors should design the audit to provide reasonable assurance of 
detecting misstatements resulting from violations of provisions of 
contracts or grant agreements that have a material effect on the 
determination of financial statement amounts or other financial data 
significant to the audit objectives. 

b. If during the course of the audit, auditors become aware of 
indications of abuse that could be quantitatively or qualitatively 
material, auditors should apply audit procedures specifically directed 
to ascertain whether material abuse has occurred and the potential
effect on the financial statements or other financial data significant 
to the audit objectives. Based on the facts and circumstances, the 
auditors may find it helpful to identify specific risks, situations, or 
transactions that are susceptible to abuse. In addition, auditors 
remain alert throughout the audit to situations or transactions that
could be indicative of abuse. However, because the determination of 
abuse is subjective, auditors are not required to provide reasonable 
assurance of detecting abuse. 

4.19: Abuse involves behavior that is deficient or improper when 
compared with behavior that a prudent person would consider reasonable 
and necessary business practice given the facts and circumstances. 
Abuse also includes misuse of authority or position for personal 
financial interests or those of an immediate or close family member or 
business partner. Abuse is distinct from fraud, illegal acts, and 
violations of provisions of contracts or grant agreements in that abuse 
does not necessarily involve violation of laws, regulations, or 
provisions of a contract or grant agreement. If auditors encounter such 
situations, they should assess the risk of whether these situations or
transactions could be indicative of qualitatively or quantitatively 
material abuse. When information comes to the auditors’ attention 
(through audit procedures, allegations received through a fraud 
hotline, or other means) indicating that material abuse may have 
occurred, auditors should perform audit procedures, as necessary, to 
(1) determine whether the abuse occurred and, if so, (2) determine its 
effect on the financial statements or other financial data. Auditors 
assess both quantitative and qualitative factors in making judgments 
regarding the materiality of possible abuse. 

4.20: In pursuing indications of potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse, 
auditors should avoid interfering with potential investigations and/or 
legal proceedings. In some circumstances, laws, regulations, or
policies require auditors to report indications of certain types of 
potential fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse to law enforcement or investigatory 
authorities before performing additional audit procedures. In cases 
where an investigation is initiated or in process, it may be 
appropriate for the auditors to withdraw from or defer further work on 
the engagement or a portion of the engagement to avoid interfering with 
an investigation. 

Developing Elements of a Finding: 

4.21: When deficiencies are identified, auditors should plan audit 
procedures to develop the elements of a finding necessary to achieve 
the audit objectives. Audit findings, such as deficiencies in internal 
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse, contain the elements of 
criteria, condition, cause, and effect or potential effect. Thus, a 
finding or set of findings is complete to the extent that the auditors 
believe that the audit objectives are satisfied. (See paragraph
5.16 for a description of the elements of a finding.) 

Audit Documentation: 

4.22: The auditor must prepare audit documentation in connection with 
each engagement in sufficient detail to provide a clear understanding 
of the work performed (including the nature, timing, extent, and 
results of audit procedures performed), the audit evidence obtained and 
its source, and the conclusions reached. Audit documentation: 

a. provides the principal support for the statement in the auditor’s 
report that the auditor performed the audit in accordance with GAGAS 
and any other standards cited, and

b. provides the principal support for the auditors’ conclusions. 

4.23: Audit documentation is an essential element of audit quality. 
Although documentation alone does not guarantee audit quality, the 
process of preparing sufficient and appropriate documentation 
contributes to the quality of an audit. 

4.24: The auditor should prepare audit documentation that enables an 
experienced auditor, [Footnote 60] having no previous connection to the 
audit, to understand: 

a. the nature, timing, and extent of auditing procedures performed to 
comply with GAGAS and other applicable standards and requirements; 

b. the results of the audit procedures performed and the audit evidence 
obtained; 

c. how the audit evidence relates to the audit conclusions, and

d. the conclusions reached on significant matters. 

4.25: In addition to the audit documentation requirements listed in the 
previous paragraph, the auditor should document the following for 
financial audits performed under GAGAS: 

a. the objectives, scope, and methodology of the audit, and

b. evidence of supervisory review, before the audit report is issued, 
of the work performed that supports findings, conclusions, and 
recommendations contained in the audit report. 

4.26: Auditors should document matters specific to a particular audit 
in the audit documentation file for that audit. Certain matters, such 
as auditor independence and staff training, that are not engagement 
specific, may be documented either centrally in the audit organization 
or in the documentation for the audit. 

4.27: The form, content, and extent of audit documentation depend on the
circumstances of the engagement and the audit methodology and tools 
used. Oral explanations on their own do not represent sufficient 
support for the work the auditor performed or conclusions the auditor 
reached but may be used by the auditor to clarify or explain 
information contained in the audit documentation. It is, however, 
neither necessary nor practicable to document every matter the auditor 
considers during the audit. 

4.28: The auditor should document significant findings or issues, 
actions taken to address them (including any additional evidence 
obtained), and the basis for the final conclusions reached. Judging the 
significance of a finding or issue requires an objective analysis of 
the facts and circumstances. 

4.29: The auditor should document discussions of significant findings 
or issues with management and others, including the significant 
findings or issues discussed, and when and with whom the discussions 
took place. 

4.30: If the auditor has identified information that contradicts or is 
inconsistent with the auditor’s final conclusions regarding a 
significant finding or issue, the auditor should document how the 
contradiction or inconsistency was addressed in forming the conclusion. 

4.31: In documenting the nature, timing, and extent of audit procedures 
performed, the auditor should record: 

a. who performed the audit work and the date such work was completed,
and

b. who reviewed specific audit documentation and the date of such 
review. 

4.32: When the auditor does not comply with applicable unconditional or 
presumptively mandatory GAGAS requirements, the auditor should document 
the justification for the departure, the impact on the audit, and how 
alternative procedures performed in the circumstances were sufficient 
to achieve the objectives of the requirements. The auditor should also 
follow the requirements in paragraphs 1.13 through 1.15. 

4.33: The report should not be dated earlier than the date on which the 
auditor has obtained sufficient appropriate audit evidence to support 
the reported information, conclusions, or opinions. Among other things, 
sufficient appropriate audit evidence includes evidence that the audit 
documentation has been reviewed and that the entity’s financial 
statements, including disclosures, have been prepared and that 
management has asserted that it has taken responsibility for them. 

4.34: The audit organization should adopt reasonable procedures to 
retain and access audit documentation for a period of time sufficient 
to meet the needs of the audit organization and to satisfy any 
applicable legal or regulatory requirements for records
retention. Such retention period, however, should not be shorter than 
five years [Footnote 61] from the report release date. 

4.35: The auditor should complete the assembly of the final audit file 
on a timely basis, but within 60 days following the report release date 
(document completion date). [Footnote 62] Statutes, regulations, or the 
audit organization’s quality control policies may state a
specific time in which the assembly process should be completed. 

4.36: At any time prior to the documentation completion date, the 
auditor may make changes to the audit documentation to: 

a. complete the documentation and assembly of audit evidence that the 
auditor has obtained, discussed, and agreed with relevant members of 
the audit team prior to the date of the audit report; 

b. perform routine file-assembling procedures such as deleting or 
discarding superseded documentation and sorting, collating, and
cross-referencing final audit documentation;

c. sign-off on audit documentation completion checklists prior to 
completing and archiving the audit documentation, and

d. add information received after the date of the report, for example, 
an original document that was previously faxed. 

4.37: After the documentation completion date, the auditors must not 
delete or discard audit documentation before the end of the specified 
retention period, as discussed in paragraph 4.34. When the auditor 
finds it necessary to make an addition (including amendments) to audit 
documentation after the documentation completion date, the auditor 
should document the addition by including the following in the 
documentation: 

a. when and by whom such additions were made and, where applicable, 
reviewed; 

b. the specific reasons for the changes, and

c. the effect, if any, of the changes on the auditors’ conclusions. 

4.38: Audit documentation allows for the review of audit quality by 
providing the reviewer with documentation, either in written or 
electronic formats, of the evidence supporting the auditors’ 
significant judgments and conclusions. If audit documentation is 
retained only electronically, the audit organization should safeguard 
the electronic documentation through sound computer security so that it 
is capable of being accessed throughout the specified retention period 
established for audit documentation. 

4.39: Whether audit documentation is in paper, electronic, or other 
media, the integrity, accessibility, and retrievability of the 
underlying data may be compromised if the documentation could be 
altered, added to, or deleted without the auditors’ knowledge, or
could be permanently lost or damaged. Accordingly, the auditor should 
apply appropriate controls for audit documentation to safeguard audit 
documentation from alteration, destruction, and unauthorized access. 

4.40: Underlying GAGAS audits is the premise that federal, state, and 
local government audit organizations and independent accounting firms 
engaged to perform a financial audit in accordance with GAGAS cooperate 
in auditing programs of common interest so that auditors may use 
others’ work and avoid duplication of audit efforts. Auditors should 
make appropriate audit staff and individuals, as well as audit 
documentation available, upon request, in a timely manner to other 
auditors or reviewers. It is also essential that contractual 
arrangements for GAGAS audits provide for full and timely access to 
audit staff and individuals, as well as audit documentation without 
restriction to facilitate reliance by other auditors or reviewers on 
the auditors’ work. 

4.41: Consistent with applicable laws and regulations, audit 
organizations should develop clearly defined policies and criteria to 
deal with situations where requests are made by outside parties to 
obtain access to audit documentation. The audit organization should 
include in its policies and procedures guidance for dealing with 
situations where an outside party attempts to obtain indirectly through 
the auditor information that it is unable to obtain directly from the 
audited entity and how to respond to requests for access to audit 
documentation before the audit is complete. The audit organization
should also include flexibility in its policies and procedures to 
consider the individual facts and circumstances surrounding such 
requests, for instance, cases when granting access or providing certain 
information could adversely affect the audit organization’s ability to 
successfully perform similar audits in the future. 

[End of chapter] 

Chapter 5: Reporting Standards for Financial Audits: 

Introduction: 

5.01: This chapter establishes reporting standards and provides 
guidance for financial audits conducted in accordance with generally 
accepted government auditing standards (GAGAS). For financial audits, 
GAGAS incorporate the AICPA’s field work and reporting standards and 
the related statements on auditing standards unless specifically 
excluded or modified by GAGAS. [Footnote 63] This chapter identifies 
the AICPA reporting standards and prescribes additional standards for 
financial audits performed in accordance with GAGAS. 

5.02: See paragraphs 1.16 through 1.18 for a discussion about the use 
of GAGAS with other financial audit standards. 

AICPA Reporting Standards: 

5.03: The four AICPA generally accepted standards of reporting are as 
follows: [Footnote 64] 

[AICPA is currently in the process of revising the reporting standards 
to use clarified language. GAO will monitor the status of AICPA’s 
efforts in order to include the most up-to-date AICPA standards in the 
final 2006 Revision of Government Auditing Standards.] 

a. The report shall state whether the financial statements are 
presented in accordance with generally accepted accounting principles. 

b. The report shall identify those circumstances in which such 
principles have not been consistently observed in the current period in 
relation to the preceding period. 

c. Informative disclosures in the financial statements are to be 
regarded as reasonably adequate unless otherwise stated in the report. 

d. The report shall either contain an expression of opinion regarding 
the financial statements, taken as a whole, or an assertion to the 
effect that an opinion cannot be expressed. When an overall opinion 
cannot be expressed, the reasons should be stated. In all cases where 
an auditor’s name is associated with financial statements, the report
should contain a clear-cut indication of the character of the auditor’s 
work, if any, and the degree of responsibility the auditor is taking. 

Additional GAGAS Reporting Standards for Financial Audits: 

5.04: GAGAS establish additional reporting standards for financial 
audits in addition to the requirements contained in the AICPA SAS. 
Auditors should comply with these additional standards when citing 
GAGAS in their audit reports. The additional GAGAS standards relate to: 

a. reporting auditors’ compliance with GAGAS (see paragraphs 5.05 
through 5.07); 

b. reporting on internal control and on compliance with laws, 
regulations, and provisions of contracts or grant agreements (see 
paragraphs 5.08 through 5.11); 

c. reporting deficiencies in internal control, potential fraud, illegal 
acts, violations of provisions of contracts or grant agreements, or 
abuse (see paragraphs 5.12 through 5.27); 

d. emphasizing significant matters in the auditors’ report (see 
paragraphs 5.28 through 5.31); 

e. reporting on restatement of previously-issued financial statements 
(see paragraphs 5.32 through 5.38); 

f. reporting views of responsible officials (see paragraphs 5.39 
through 5.44); 

g. reporting privileged and confidential information (see paragraphs 
5.45 through 5.47); and

h. issuing and distributing reports (see paragraphs 5.48 through 5.51).

Reporting Auditors’ Compliance with GAGAS:

5.05: When auditors comply with all applicable GAGAS standards, they
should include a statement in the audit report that they performed the
audit in accordance with GAGAS.

5.06: The statement of compliance with GAGAS indicates that the 
auditors have complied with all applicable GAGAS general and auditing 
standards, including the underlying AICPA standards. If the auditors 
did not follow applicable standards, or were not able to follow 
applicable standards due to access problems or other scope limitations, 
they should follow the requirements in paragraphs 1.13 through 1.15. 

5.07: An audited entity receiving a GAGAS audit report may also request 
auditors to issue a financial audit report for purposes other than 
complying with requirements calling for a GAGAS audit. For example, the 
audited entity may need audited financial statements to issue bonds or 
for other financing purposes. GAGAS do not prohibit auditors from 
issuing a separate report conforming only to the requirements of AICPA 
or other standards. When a GAGAS audit is the basis for an auditors’ 
subsequent report under the other standards, the auditors should 
consider including a reference to the GAGAS report, as that report will 
contain additional information on internal control, compliance with 
laws, regulations, and provisions of contracts or grant agreements,
potential fraud, or abuse that GAGAS require. 

Reporting on Internal Control and on Compliance with Laws, Regulations, 
and Provisions of Contracts or Grant Agreements: 

5.08: When providing an opinion or a disclaimer on financial 
statements, auditors should include in their report on the financial 
statements either a (1) description of the scope of the auditors’ 
testing of internal control over financial reporting and compliance with
laws, regulations, and provisions of contracts or grant agreements and 
the results of those tests or an opinion, if sufficient work was 
performed, or (2) reference to the separate report(s) containing that 
information. If auditors report separately, they should include a 
reference to the separate report containing this information in their 
opinion or disclaimer report and state that the separate report is an 
integral part of the audit and important for assessing the results of 
the audit. 

5.09: For audits of financial statements in which auditors provide an 
opinion, auditors should report the scope of their testing of internal 
control over financial reporting and of compliance with laws, 
regulations, and provisions of contracts or grant agreements. Auditors 
should also indicate in the report whether or not the tests they 
performed provided sufficient evidence to support an opinion on the 
effectiveness of internal control over financial reporting and on 
compliance with laws, regulations, and provisions of contracts or grant 
agreements. 

5.10: Auditors may report on internal control over financial reporting 
and on compliance with laws, regulations, and provisions of contracts 
or grant agreements in the opinion or disclaimer on the financial 
statements or in a separate report or reports. When auditors report on 
internal control over financial reporting and compliance as part of the 
opinion or disclaimer on the financial statements, they should include 
an introduction summarizing key findings in the audit of the financial 
statements and the related internal control and compliance work. 
Auditors should not issue this introduction as a standalone report. 

5.11: When auditors report separately (including separate reports bound 
in the same document) on internal control over financial reporting and 
compliance with laws and regulations and provisions of contracts or 
grant agreements, they should state in the opinion or disclaimer on the 
financial statements that they are issuing those additional reports. 
They also should state that the reports on internal control over 
financial reporting and compliance with laws and regulations and 
provisions of contracts or grant agreements are an integral part of a 
GAGAS audit and important for assessing the results of the audit. 

Reporting Deficiencies in Internal Control, Potential Fraud, Illegal 
Acts, Violations of Provisions of Contracts or Grant Agreements, or 
Abuse: 

5.12: For financial audits, including audits of financial statements in 
which auditors provide an opinion or disclaimer, auditors should 
report, as applicable to the objectives of the audit, (1) deficiencies 
in internal control considered to be material weaknesses or other 
significant deficiencies, (2) all instances of potential fraud and 
illegal acts unless clearly inconsequential, [Footnote 65] and (3) 
material violations of provisions of contracts or grant agreements or 
abuse. In some circumstances, auditors should report potential fraud,
illegal acts, violations of provisions of contracts or grant 
agreements, or abuse directly to parties external to the audited entity 
when other requirements provide for such reporting. 

Reporting Deficiencies in Internal Control: 

5.13: For all financial audits, auditors should report deficiencies in 
internal control considered to be significant deficiencies, including 
material weaknesses, as follows: 

a. A significant deficiency is a deficiency in internal control, or 
combination of deficiencies, that adversely affects the entity’s 
ability to initiate, authorize, record, process, or report financial 
data reliably in accordance with generally accepted accounting 
principles such that there is more than a remote [Footnote 66]  
likelihood that a misstatement of the entity’s financial statements 
that is more than inconsequential [Footnote 67] will not be prevented 
or detected. 

b. A material weakness is a significant deficiency, or combination of 
significant deficiencies, that results in more than a remote likelihood 
that a material misstatement of the financial statements will not be 
prevented or detected. 

5.14: If control deficiencies are identified, an important part of the 
assessment is the consideration of significance of those deficiencies. 
In addition to qualitative considerations, auditors evaluate the 
following when concluding about the significance of a deficiency in 
internal control: 

a. the likelihood that a deficiency, or combination of deficiencies, 
could result in a misstatement of an account balance or disclosure, 
and

b. the magnitude of the potential misstatement resulting from the 
deficiency or deficiencies. 

5.15: Auditors should include all material weaknesses and other 
significant deficiencies in the auditors’ report on internal control 
over financial reporting. (See appendix A.03 for examples of matters 
that may be significant deficiencies, including material
weaknesses.) 

5.16: To the extent necessary to achieve the audit objectives, in 
presenting audit findings such as deficiencies in internal control, 
auditors should develop the elements of criteria, condition, cause, and 
effect to assist management or oversight officials of the audited
entity in understanding the need for taking corrective action. In 
addition, if auditors are able to sufficiently develop the elements of 
a finding, they should provide recommendations for corrective action. 
Following is guidance for reporting on elements of findings: 

a. Criteria: The required or desired state or what is expected from the 
program or operation. The criteria are easier to understand when stated 
objectively, explicitly, and completely, and the source of the criteria 
is identified in the audit report. [Footnote 68] 

b. Condition: What the auditors found regarding the actual situation. 
Reporting the scope or extent of the condition allows the report user 
to gain an accurate perspective. 

c. Cause: Evidence on the factor or factors responsible for the 
difference between condition and criteria. In reporting the cause, 
auditors may consider whether the evidence provides a reasonable and 
convincing argument for why the stated cause is the key factor or 
factors contributing to the difference as opposed to other possible 
causes, such as poorly designed criteria or factors uncontrollable by 
program management. The auditors also may consider whether the 
identified cause could serve as a basis for the recommendations. Often 
the causes of deficiencies in internal control are complex and involve 
multiple factors. In some cases, it may not be practical for auditors 
to fully develop or identify the causes of deficiencies. However, 
analyzing and identifying root causes of internal control deficiencies 
is key to making recommendations for corrective action. 

d. Effect or potential effect: A clear, logical link to establish the 
impact or potential impact of the difference between what the auditors 
found (condition) and the required or desired state (criteria). Effect 
is easier to understand when it is stated clearly, concisely, and, if 
possible, in quantifiable terms. The significance of the reported 
effect can be demonstrated through credible evidence. 

5.17: Auditors should place their findings in perspective by describing 
the nature and extent of the issues being reported and the extent of 
the work performed that resulted in the finding. To give the reader a 
basis for judging the prevalence and consequences of these findings, 
auditors may relate the instances identified to the population or the
number of cases examined and quantify the results in terms of dollar 
value, as appropriate. If the results cannot be projected, auditors 
should limit their conclusions appropriately. 

5.18: When auditors detect deficiencies in internal control that are 
not significant deficiencies (or material weaknesses) they should 
communicate those deficiencies separately in a management letter to 
officials of the audited entity unless the deficiencies are clearly 
inconsequential considering both quantitative and qualitative factors.
Auditors should refer to that management letter (or to a management 
letter to be issued) in the report on internal control. Auditors use 
professional judgment when deciding whether or how to communicate to 
officials of the audited entity deficiencies in internal control that 
are clearly inconsequential. Auditors should include in their audit
documentation evidence of communications to officials of the audited 
entity about deficiencies in internal control found during the audit. 

Reporting Potential Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, or Abuse: 

5.19: Under AICPA standards and GAGAS, auditors should address the 
effect potential fraud or illegal acts may have on the audit report and 
determine that those charged with governance are adequately informed 
about the potential fraud or illegal acts. Under GAGAS, auditors should 
provide this information in writing and also include reporting on (1) 
violations of provisions of contracts or grant agreements that have a 
material effect on the determination of financial statement amounts or 
other financial data significant to the audit, and (2) abuse that is 
material, either quantitatively or qualitatively. [Footnote 69]  
Therefore, when auditors conclude, on the basis of evidence obtained, 
that any of the following either has occurred or is likely to have 
occurred, [Footnote 70] they should include in their audit report the 
relevant information about [Footnote 71]: 

a. potential fraud and illegal acts that are greater than 
inconsequential; 

b. material violations of contracts or grant agreements; or 

c. material abuse. 

5.20: When reporting instances of potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse, 
auditors should place their findings in perspective by describing the 
extent of the work performed that resulted in the finding. To give the 
reader a basis for judging the prevalence and consequences of these 
findings, auditors may relate the instances identified to the 
population or to the number of cases examined and quantify the results 
in terms of dollar value, as appropriate. If the results cannot be 
projected, auditors should limit their conclusions appropriately. 

5.21: To the extent necessary to achieve the audit objectives, auditors 
should develop in their report the elements of criteria, condition, 
cause, and effect when potential fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse is found. The 
guidance for reporting deficiencies in internal control in paragraph 
5.16 is designed to assist auditors in developing the elements of their 
findings. 

5.22: When auditors detect immaterial violations of provisions of 
contracts or grant agreements or abuse, they should communicate those 
findings in a management letter to officials of the audited entity 
unless the findings are clearly inconsequential to the financial 
statements considering both qualitative and quantitative factors. 
Auditors should refer to that management letter in their audit report 
on compliance (or to a management letter to be issued). Auditors use 
professional judgment when determining whether and how to communicate 
to officials of the audited entity potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
that is clearly inconsequential. Auditors should include in their audit 
documentation evidence of communications to officials of the audited 
entity about potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse found during the audit. 

5.23: When auditors conclude that potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
either have occurred or are likely to have occurred, they may consult 
with authorities and/or legal counsel about whether publicly reporting 
certain information about the potential fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse would 
compromise investigative or legal proceedings. Auditors should limit 
their public reporting to matters that would not compromise those 
proceedings, such as information that is already a part of the public
record. 

Direct Reporting of Potential Fraud, Illegal Acts, Violations of 
Provisions of Contracts or Grant Agreements, or Abuse: 

5.24: Auditors should report potential fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse directly to 
parties outside the audited entity in two circumstances, as discussed 
below. [Footnote 72] This reporting is in addition to any legal 
requirements for direct reporting of potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse. 
Auditors should follow these requirements even if they have resigned or 
been dismissed from the audit prior to its completion. 

5.25: The audited entity may be required by law or regulation to report 
certain potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse to specified external parties, 
such as a federal inspector general or a state attorney general. When 
auditors have communicated such potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse to 
the audited entity and the audited entity fails to report them, then 
the auditors should communicate such an awareness to those charged with 
governance. When the audited entity does not make the required report 
as soon as possible after the auditors’ communication with those 
charged with governance, then the auditors should report such potential 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, or abuse directly to the external party specified in the 
law or regulation. 

5.26: When potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse involves awards received 
directly or indirectly from a government agency, auditors may have a 
duty to report directly if management fails to take remedial steps. 
When auditors conclude that such failure is likely to cause them to 
depart from the standard report on the financial statements or resign 
from the audit, they should communicate that conclusion to those 
charged with governance of the audited entity. If the audited entity 
does not report the potential fraud, illegal act, violation of 
provisions of contracts or grant agreements, or abuse in a timely 
manner to the entity that provided the government assistance, the 
auditors should report the potential fraud, illegal act, violation of 
provisions of contracts or grant agreements, or abuse directly to the
awarding entity. 

5.27: Auditors should obtain sufficient, appropriate evidence, such as 
confirmation from outside parties, to corroborate assertions by 
management that it has reported potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse.
When auditors are unable to do so, they should report such potential 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, or abuse directly as discussed above. 

Emphasizing Significant Matters in the Auditors’ Report: 

5.28: Under both the AICPA standards [Footnote 73] and GAGAS, auditors 
may emphasize a matter in the auditors’ report regarding the financial 
statements. Due to the unique roles and responsibilities of governments 
and government entities, there may be situations where users and 
oversight organizations need information that is critical for 
understanding the financial statements in relation to the government’s 
current and/or future operating environment, as well as information 
about unusual events and significant uncertainties. In addition, due to 
the unique nature of government responsibilities and operations, there 
may be situations where additional information would help facilitate 
the readers’ understanding of the information in the auditors’ report. 

5.29: Auditors use professional judgment to determine whether to 
emphasize a matter in the auditors’ report. Such explanatory material 
is presented in a separate paragraph or separate section of the 
auditors’ report. Examples of matters that auditors should consider 
emphasizing when they become aware that such issues exist include the
following: 

a. Concerns or significant uncertainties about the fiscal 
sustainability of a government or program or other matters that could 
have a significant impact on the financial condition or operations of 
the government entity. [Footnote 74] Such concerns or uncertainties may 
arise due to revenue and/or expenditure trends; economic dependency on 
other governments or other entities; the government’s current 
commitments, responsibilities, liabilities, or promises to citizens for 
future benefits that are not sustainable over the long-term; deficit 
trends; the relationship between the financial information and other key
indicators; and other significant risks and uncertainties that call 
into question the long-term sustainability of current government 
programs in relation to the resources expected to be available. 

b. Unusual or catastrophic events that will likely have a significant 
ongoing or future impact on the government’s financial condition or 
operations. 

c. Significant uncertainties surrounding projections or estimations in 
the financial statements. 

d. Any other matter that the auditors consider significant for 
communication in the auditors’ report to users and oversight bodies. 

5.30: Auditors should obtain sufficient, appropriate evidence about any 
matter emphasized. In the case of significant uncertainties where 
sufficient appropriate evidence may not be available, auditors should 
describe the significant uncertainties and the possible impact on the 
reported information. 

5.31: Auditors should consider emphasizing a matter even if management 
has disclosed the issue in the notes to the financial statements. In 
such cases, auditors refer to management’s disclosures, describe any 
deficiencies in management’s disclosures, and include additional detail 
as appropriate. In situations when management has not disclosed the 
information, the auditors should encourage management to disclose such
information. 

Reporting on Restatement of Previously-Issued Financial Statements: 

5.32: Auditors have professional responsibilities when they become 
aware of actual or potential misstatements that might have affected 
their report on previously-issued financial statements. Under both 
AICPA standards [Footnote 75] and GAGAS, auditors have the
following responsibilities related to (1) potential material 
misstatements in previously issued financial statements, and (2) 
restatement [Footnote 76] of the previously-issued financial 
statements: 

a. Auditors should determine if the previously-issued financial 
statements were materially misstated and should request management’s 
cooperation in making this determination. 

b. Auditors should determine if (a) the misstatement(s) may affect the 
auditors’ report on the previously-issued financial statements, and (b) 
persons are currently relying or likely to rely on the financial 
statements. 

c. Auditors should advise the audited entity to disclose the 
misstatement(s) and the related financial statement impact to persons 
relying or likely to rely on the financial statements and related 
auditors’ report. 

d. Auditors should determine whether the audited entity has 
appropriately disclosed the misstatement(s). 

e. When the audited entity refuses to disclose the misstatement(s), 
then: 

(1) auditors should notify those charged with governance of the 
entity’s refusal to disclose the misstatement; 

(2) auditors should notify the audited entity that the related 
auditors’ report can no longer be relied upon or associated with the 
previously-issued financial statements, and 

(3) auditors should notify oversight or regulatory agencies that have 
jurisdiction over the audited entity and persons known to be relying on 
the financial statements that the auditors’ report can no longer be 
relied upon. 

5.33: GAGAS prescribe additional standards for reporting on restatement 
of previously issued financial statements. When performing a financial 
statement audit in accordance with GAGAS, auditors should comply with 
these additional GAGAS standards and with the AICPA standards. The 
additional GAGAS standards and guidance are included in paragraphs 5.34 
through 5.38. 

5.34: The nature or amount of known or likely misstatement(s) in 
previously-issued audited financial statements may lead auditors to 
believe that the auditors’ report would or could reasonably have been 
affected if they had known of the misstatements when they issued the 
auditors’ report. When this condition exists, auditors should advise
management to communicate the following information to those charged 
with governance, oversight bodies, funding agencies, and others who are 
relying or are likely to rely on the financial statements: 

a. The nature and cause(s) of the known or likely material 
misstatement(s). 

b. The amount(s) of known or likely material misstatement(s) and the 
related effect(s) on the previously-issued financial statements (e.g., 
disclosure of the specific financial statement(s) and line item(s) 
affected). If this information is not known, then the disclosure 
includes information that is known and a statement that management 
cannot determine the amount(s) and the related effect(s) on the 
previously-issued financial statements without further investigation. 

c. A notice that (1) previously-issued financial statements will or may 
be restated and, therefore, (2) the related auditors’ report is no 
longer reliable. 

5.35: Auditors should review the adequacy of management’s communication 
of information about the known or potential material misstatement(s) to 
report users, including those charged with governance, oversight bodies 
and funding agencies. When performing this review, auditors consider 
whether: 

a. management acted timely to determine the financial statement effects 
of the potential material misstatement(s); 

b. management acted timely to communicate with appropriate parties, 
and

c. management disclosed the nature and extent of the known or likely 
material misstatement(s) on Internet pages where the agency’s 
previously-issued financial statements are published. 

Auditors should notify those charged with governance if they believe 
that management is unduly delaying its determination of the effect(s) 
of the misstatement(s) on previously issued financial statements. 

5.36: Also, auditors should evaluate the timeliness and appropriateness 
of management’s decision whether to issue restated financial 
statements. Management may separately issue the restated financial 
statements or may present the restated financial statements on a 
comparative basis with those of a subsequent period. Ordinarily, 
auditors would expect management to issue restated financial statements 
as soon as practicable. However, it may not be necessary for management 
to separately issue the restated financial statements and auditors’ 
report when issuance of the subsequent-period audited financial 
statements is imminent. [Footnote 77] 

5.37: When management restates previously-issued financial statements, 
auditors should perform audit procedures sufficient to reissue or 
update the auditors’ report on the restated financial statements. 
Auditors should fulfill these responsibilities whether the restated 
financial statements are separately issued or presented on a 
comparative basis with those of a subsequent period. Auditors should 
include the following information in an explanatory paragraph in the 
reissued or updated auditors’ report on the re-issued financial 
statements: 

a. a statement disclosing that the previously-issued financial 
statement(s) have been restated; 

b. a statement that the previously-issued financial statements were 
materially misstated and that the previously-issued auditors’ report 
(include report date) is withdrawn and replaced by the auditors’ report 
on the restated financial statement(s), and 

c. a reference to the note(s) to the restated financial statements that 
discusses the restatement, including: 

(1) the nature and cause(s) of the misstatement(s) that led to the need 
for restatement, and 

(2) the specific amount(s) of the material misstatement(s) and the 
related effect(s) on the previously-issued financial statements (e.g., 
the specific financial statement(s) affected and line items restated) 
and the impact on the current-year financial statements. 

d. A discussion of any significant internal control deficiency that 
failed to prevent or detect the misstatement and what action management 
has taken about the deficiency. 

5.38: Auditors should notify those charged with governance, oversight 
bodies, and funding agencies when management (1) does not take the 
necessary steps to promptly inform report users of the situation or (2) 
does not restate with appropriate timeliness the financial statements 
in circumstances when auditors believe they need to be restated. 
Auditors should inform these parties that the auditors will take steps 
to prevent future reliance on the auditors’ report. The steps taken 
will depend on the facts and circumstances, including legal 
considerations. 

Reporting Views of Responsible Officials: 

5.39: If the auditors’ report discloses deficiencies in internal 
control, potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse, auditors should obtain and 
report the views of responsible officials concerning the findings,
conclusions, and recommendations, as well as planned corrective 
actions. 

5.40: One of the most effective ways to provide a report that is fair, 
complete, and objective is to provide a draft report for review and 
comment by responsible officials of the audited entity and others, as 
appropriate. Including the views of responsible officials results in a 
report that presents not only the significant deficiencies in internal 
control, potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse the auditors identified, but 
also the perspectives of the responsible officials of the audited 
entity and the corrective actions they plan to take. Auditors should 
include in their report a copy of the officials’ written comments 
and/or a summary of the comments received. In cases where the audited 
entity provides technical comments in addition to its written comments 
on the report, auditors use professional judgment in determining 
whether to include such comments or disclose in the report that such 
comments were provided. 

5.41: Auditors ordinarily request that the responsible officials submit 
in writing their views on the auditors’ reported findings, conclusions, 
and recommendations, as well as management’s planned corrective 
actions. However, oral comments are acceptable, and, in some cases, may 
be the most expeditious way to obtain comments. Obtaining oral comments 
can be effective when, for example, there is a time-critical reporting 
date to meet a user’s needs; auditors have worked closely with the 
responsible officials throughout the conduct of the work and the 
parties are familiar with the findings and issues addressed in the 
draft report; or the auditors do not expect major disagreements with 
the draft report’s findings, conclusions, and recommendations, or 
perceive any major controversies with regard to the issues discussed in 
the draft report. If oral comments are provided by the responsible 
officials, auditors should prepare a summary of the oral comments and 
provide a copy of the summary to the responsible officials to verify 
that the comments are accurately stated prior to finalizing the report. 

5.42: Auditors should fairly and objectively evaluate and recognize 
comments, as appropriate, in the final report. Auditors may note 
comments, such as a plan for corrective action, but should not accept 
them as justification for dropping a finding or a related 
recommendation without sufficient and appropriate evidence. 

5.43: When the audited entity’s comments oppose the report’s findings, 
conclusions, or recommendations, and are not, in the auditors’ opinion, 
valid, or when planned corrective actions do not adequately address the 
auditors’ recommendations, the auditors should state objectively their 
reasons for disagreeing with the comments or planned corrective 
actions. Conversely, the auditors should modify their report as 
necessary if they find the comments valid. 

5.44: If the audited entity refuses to provide comments or is unable to 
provide comments within a reasonable period of time, the auditors may 
need to issue the report without receiving comments from the audited 
entity. In such cases, the auditors should describe in the report the 
reasons that comments from the audited entity are not included. 

Reporting Privileged and Confidential Information: 

5.45: If certain pertinent information is prohibited from general 
disclosure, auditors should disclose in the report that certain 
information has been omitted and the requirement that makes the 
omission necessary. 

5.46: Certain information may be classified or may be otherwise 
prohibited from general disclosure by federal, state, or local laws or 
regulations. In such circumstances, auditors may issue a separate, 
classified or limited-official-use report containing such information
and distribute the report only to persons authorized by law or  
regulation to receive it. Additional circumstances associated with 
public safety and security concerns could also justify the exclusion of 
certain information in the report. For example, detailed information 
related to computer security for a particular program may be excluded 
from publicly available reports because of the potential damage that 
could be caused by the misuse of this information. In such 
circumstances, auditors may issue a limited-official-use report 
containing such information and distribute the report only to those 
parties responsible for acting on the auditors’ recommendations. The 
auditors may consult with legal counsel regarding any requirements or 
other circumstances that may necessitate the omission of certain 
information. 

5.47: Auditors consider the broad public interest in the program or 
activity under review when deciding whether to exclude certain 
information from publicly available reports. When circumstances call 
for omission of certain information, auditors should evaluate whether 
this omission could distort the audit results or conceal improper or 
unlawful practices. 

Issuing and Distributing Reports: 

5.48: Government auditors should submit audit reports to those charged 
with governance, to the appropriate officials of the audited entity and 
to appropriate officials of the organizations requiring or arranging 
for the audits, including external funding organizations [Footnote 78]  
such as legislative bodies, unless legal restrictions prevent it. 
Auditors should also send copies of the reports to other officials who 
have legal oversight authority or who may be responsible for acting on 
audit findings and recommendations and to others authorized to receive 
such reports. Auditors should clarify whether the report will be made 
available for public inspection. If the subject of the audit involves
material that is classified for security purposes or not releasable to 
particular parties or the public for other valid reasons, auditors may 
limit the report distribution. [Footnote 79] Auditors should document 
any limitation on report distribution. 

5.49: When nongovernment auditors are engaged to perform an audit under 
GAGAS, they should clarify report distribution responsibilities with 
the engaging organization. If nongovernment auditors are to make the 
distribution, they should reach agreement with the party contracting 
for the audit about which officials or organizations should receive
the report and the steps being taken to make the report available to 
the public. 

5.50: Internal auditors may follow the IIA standards for report 
distribution, which state internal auditors also follow any applicable 
statutory requirements for distribution. The head of the internal audit 
organization should disseminate results to the appropriate parties. The 
head of the internal audit organization is responsible for 
communicating the final results to parties who are in a position to 
take appropriate corrective actions. Distribution of reports outside 
the organization ordinarily is made only in accordance with applicable 
laws, rules, regulations, or policy. 

5.51: If an audit is terminated before it is completed but the auditors 
do not issue an audit report, auditors should write a memorandum for 
the record that summarizes the results of the work to the date of 
termination and explains why the audit was terminated. In addition, 
depending on the facts and circumstances, auditors should notify those
charged with governance, management of the audited entity, the entity 
requesting the audit, and other appropriate officials about the 
termination of the audit, preferably in writing. Auditors should 
document this communication. 

[End of chapter] 

Chapter 6: General, Field Work, and Reporting Standards for Attestation 
Engagements: 

Introduction: 

6.01: This chapter establishes standards and provides guidance for 
attestation engagements conducted in accordance with generally accepted 
government auditing standards (GAGAS). For attestation engagements, 
GAGAS incorporate the AICPA’s general standard on criteria, and the 
field work and reporting standards and the related statements on 
standards for attestation engagements (SSAE), unless specifically
excluded or modified by GAGAS. [Footnote 80] This chapter identifies 
the AICPA general standard on criteria, [Footnote 81] field work and 
reporting standards for attestation engagements and prescribes 
additional standards for attestation engagements performed in 
accordance with GAGAS. 

6.02: See paragraphs 1.16 through 1.17 and 1.19 for a discussion about 
the use of GAGAS with other professional standards. 

6.03: See paragraphs 1.28 through 1.32 for an overall description of 
the nature and objectives of attestation engagements. 

AICPA General and Field Work Standards for Attestation Engagements: 

6.04: The AICPA general standard related to criteria states the 
following: 

[AICPA is currently in the process of revising the general standards to 
use clarified language. GAO will monitor the status of AICPA’s efforts 
in order to include the most up-to-date AICPA standards in the final 
2006 Revision of Government Auditing Standards.] 

The practitioner [auditor] shall perform an engagement only if he or 
she has reason to believe that the subject matter is capable of 
evaluation against criteria that are suitable and available to users. 

6.05: The two AICPA field work standards for attestation engagements 
are as follows: 

[AICPA is currently in the process of revising the field work standards 
to use clarified language. GAO will monitor the status of AICPA’s 
efforts in order to include the most up-to-date AICPA standards in the 
final 2006 Revision of Government Auditing Standards.] 

a. The work shall be adequately planned and assistants, if any, shall 
be properly supervised. 

b. Sufficient evidence shall be obtained to provide a reasonable basis 
for the conclusion that is expressed in the report. 

Additional Considerations for Attestation Engagements in Government: 

6.06: Auditors use professional judgment when applying auditing and 
attestation standards and guidance to attestation engagements of a 
government entity or an entity that receives government awards. For 
example, auditors may need to set lower materiality levels than in 
attestation engagements in the private sector because of the public 
accountability of the audited entity, various legal and regulatory 
requirements, and the visibility and sensitivity of government 
programs. Auditors also consider the needs of users and the concerns of 
oversight officials regarding previously identified risks, previously 
reported deficiencies in internal control of the entity, and current and
emerging risks and uncertainties facing the government entity or 
program. 

6.07: An important element of attestation engagements in government is 
the reporting of deficiencies in internal control related to the 
subject matter or objectives of the engagement so that the entity can 
take corrective actions necessary under the circumstances. (See 
paragraphs 6.49 through 6.53.) In an attestation engagement, a
deficiency in internal control exists when the design or operation of a 
control does not allow management or employees, in the normal course of 
performing their assigned functions, to prevent errors in assertions 
made by management on a timely basis. A deficiency in design exists 
when (a) a control necessary to meet the control objective is missing 
or (b) an existing control is not properly designed so that, even if 
the control operates as designed, the control objective is not met. A 
deficiency in operation exists when a properly designed control does 
not operate as designed, or when the person performing the control does 
not possess the necessary authority or qualifications to perform the 
control effectively. 

Additional GAGAS Field Work Standards for Attestation Engagements: 

6.08: GAGAS establish attestation engagement field work standards in 
addition to the requirements contained in the AICPA SSAE. Auditors 
should comply with these additional standards when citing GAGAS in 
their attestation engagement reports. The additional GAGAS field work 
standards relate to: 

a. auditor communication (see paragraphs 6.09 through 6.11); 

b. previous audits and attestation engagements (see paragraphs 6.12 
through 6.13); 

c. internal control (see paragraphs 6.14 through 6.16); 

d. detecting potential fraud, illegal acts, violations of contract 
provisions or grant agreements, or abuse that could have a material 
effect on the subject matter (see paragraphs 6.17 through 6.22); 

e. developing elements of findings for attestation engagements 
(paragraph 6.23); and 

f. attest documentation (see paragraphs 6.24 through 6.43). 

Auditor Communication: 

6.09: Auditors should communicate information regarding their 
responsibilities under GAGAS related to the subject matter or assertion 
about the subject matter, including the level of assurance, to those 
charged with governance and to the individuals contracting for or 
requesting the attestation engagement, and document the communications. 

6.10: Under AICPA standards and GAGAS, auditors should establish a 
written understanding with those charged with governance [Footnote 82] 
and communicate with audit committees. Under GAGAS, auditors should 
communicate specific information in writing during the planning stages 
of an attestation engagement, including any potential restriction of 
the attestation reports, to reduce the risk that the needs or 
expectations of the parties involved may be misinterpreted. During the 
planning stages of an attestation engagement, auditors also should 
report (1) the nature, timing, and extent of testing and reporting, and 
(2) the level of assurance provided. Auditors use professional judgment
when determining the form, content, and frequency of the communication. 
Auditors may use an engagement letter or a proposal, if appropriate, to 
communicate the information. If the attestation engagement is part of a 
larger audit, this information may be communicated as part of that 
audit. 

6.11: When auditors perform an attestation engagement under a contract 
with a party other than the officials of the audited entity, or 
pursuant to a third-party request, auditors should also communicate in 
writing with the individuals contracting for or requesting the audit, 
such as contracting officials or members or staff of legislative 
committees, in addition to communicating with the audited entity. When 
auditors are performing the audit pursuant to a law or regulation and 
they are conducting the work directly for the legislative committee who 
has oversight for the audited entity, auditors should communicate with 
the members or staff of that legislative committee. Auditors should
coordinate communications with the responsible government audit 
organization and/or management of the audited entity. If an audit is 
terminated before it is completed, auditors should write a memorandum 
for the audit documentation that summarizes the results of the work and 
explains the reasons why the audit was terminated. In addition, 
depending on the facts and circumstances, auditors should consider the 
need to communicate the reason for terminating the audit to those 
charged with governance, management of the audited entity, the entity 
requesting the audit, and other appropriate officials, preferably in 
writing. 

Previous Audits and Attestation Engagements: 

6.12: When planning the engagement, auditors should determine whether 
the results of previous audits and attestation engagements that 
directly relate to the subject matter or the assertion of the 
attestation engagement being undertaken have an impact on the current 
engagement, including whether related recommendations have been
implemented. 

6.13: Auditors should identify previous financial audits, attestation 
engagements, performance audits, or other studies related to the 
subject matter or assertions of the attestation engagement being 
undertaken and ask management of the audited entity to identify 
corrective actions taken to address significant findings and 
recommendations, [Footnote 83] including those related to significant 
deficiencies, including material weaknesses. [Footnote 84]  

Internal Control: 

6.14: In planning examination-level attestation engagements, auditors 
should obtain a sufficient understanding of internal control that is 
material to the subject matter or assertion in order to plan the 
engagement and design procedures to achieve the objectives of the 
attestation engagement. 

6.15: Auditors should obtain an understanding of internal control 
[Footnote 85] as it relates to the subject matter or assertion to which 
the auditors are attesting. The subject matter or assertion may be 
financial or nonfinancial, and internal control material to the subject 
matter or assertion the auditors are testing may relate to: 

a. effectiveness and efficiency of operations, including the use of an 
entity’s resources; 

b. reliability of financial reporting, including reports on budget 
execution and other reports for internal and external use; 

c. compliance with applicable laws and regulations, provisions of 
contract, or grant agreements; and 

d. safeguarding of assets. 

6.16: A deficiency in internal control exists when the design or 
operation of a control does not allow management or employees, in the 
normal course of performing their assigned functions, to prevent or 
detect errors in assertions made by management on a timely basis. A 
deficiency in design exists when (a) a control necessary to meet the
control objective is missing or (b) an existing control is not properly 
designed so that, even if the control operates as designed, the control 
objective is not met. A deficiency in operation exists when a properly 
designed control does not operate as designed, or when the person 
performing the control does not possess the necessary authority or
qualifications to perform the control effectively. 

Detecting Potential Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, or Abuse That Could Have a Material 
Effect on the Subject Matter: 

6.17: The standard related to potential fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse for 
attestation engagements performed in accordance with GAGAS is: 

a. In planning examination-level attestation engagements, auditors 
should design the engagement to provide reasonable assurance of 
detecting potential fraud, illegal acts, or violations of provisions of 
contracts or grant agreements that could have a material effect on the 
subject matter or assertion of the attestation engagement. 

b. In planning review-level attestation engagements, auditors should be 
alert to situations or transactions that may be indicative of potential 
fraud, illegal acts, and violations of provisions of contracts or grant 
agreements. 

c. In agreed-upon-procedures-level engagements, auditors perform 
limited testing in order to issue a report of finding based on specific 
procedures performed on a subject matter. Therefore, auditors are not 
expected to provide assurance of detecting potential fraud, illegal 
acts, or violations of contract or grant agreements for these types of
engagements. 

d. Auditors conduct the attestation engagement with the mindset that 
recognizes the possibility that a material misstatement in management’s 
assertion could be present. However, absolute assurance is not 
attainable and thus even a properly planned and performed examination-
level attestation engagement may not detect a material misstatement 
resulting from fraud. 

e. For all types of attestation engagements, auditors remain alert to 
situations or transactions that may be indicative of material abuse and 
follow the requirements in 6.20 through 6.21. 

6.18: For examination-level attestation engagements, auditors design 
the engagement to provide reasonable assurance of detecting fraud 
[Footnote 86], illegal acts, or violations of provisions of contracts 
or grant agreements that have a material effect on the subject matter or
assertion of the attestation engagement. Auditors should assess the 
risk and possible effects of material fraud, illegal acts, or 
violations of provisions of contracts or grant agreements on the 
subject matter or assertion of the attestation engagement. Auditors
should document their assessment of risk, and when risk factors are 
identified, auditors should also document: 

a. those risk factors identified; 

b. the auditors’ response to those risk factors, individually or in 
combination; and 

c. the auditors’ conclusions. 

6.19: For attestation engagements involving review-level reporting, 
auditors are alert to situations or transactions that may be indicative 
of potential fraud, illegal acts, or violations of provisions of 
contracts or grant agreements. When information comes to the auditors’ 
attention (through audit procedures, allegations received through fraud 
hotlines, or other means) indicating that potential fraud, illegal 
acts, or violations of provisions of contracts or grant agreements that 
could materially affect the results of the attestation engagement 
exist, auditors should apply the audit steps and procedures, as 
necessary, to (1) determine if potential fraud, illegal acts, or 
violations of provisions of contracts or grant agreements are likely to 
have occurred and, if so, (2) determine their effect on the results of 
the attestation engagement. Because the scope of review-level 
engagements is limited, auditors are not expected to provide reasonable 
assurance of detecting potential fraud, illegal acts, or violations of 
contract or grant agreements for these types of engagements. 

6.20: For all types of attestation engagements, if during the course of 
the engagement, auditors become aware of indications of abuse that 
could be quantitatively or qualitatively material, auditors should 
apply audit procedures specifically directed to ascertain whether 
material abuse has occurred and the potential effect on the engagement 
subject matter or objective. Based on the facts and circumstances, 
auditors may find it helpful to identify specific risks, situations, or 
transactions that are susceptible to abuse. In addition, auditors 
remain alert throughout the engagement to situations or transactions 
that could be indicative of abuse. However, because the determination 
of abuse is subjective, auditors are not required to provide reasonable
assurance of detecting abuse. 

6.21: Abuse involves behavior that is deficient or improper when 
compared with behavior that a prudent person would consider reasonable 
and necessary business practice given the facts and circumstances. 
Abuse also includes misuse of authority or position for personal 
financial interest or those of an immediate or close family member or 
business partner. Abuse is distinct from fraud, illegal acts, or 
violations of provisions of contracts or grant agreements in that abuse 
does not necessarily involve violation of laws, regulations, or 
provisions of a contract or grant agreement. If auditors encounter such 
situations, they should assess the risk of whether these situations or 
transactions could be indicative of qualitatively or quantitatively 
material abuse. When information comes to the auditors’ attention 
(through attest procedures, allegations received through a fraud 
hotline, or other means) indicating that material abuse may have 
occurred, auditors should perform procedures as necessary to (1) 
determine whether the abuse occurred and, if so, (2) determine its 
potential effect on the results of the attestation engagement. Auditors 
assess both quantitative and qualitative factors in making judgments 
regarding the materiality of possible abuse. 

6.22: In pursuing indications of potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse, 
auditors should avoid interfering with potential investigations, and/or 
legal proceedings. In some circumstances, laws, regulations, or 
policies require auditors to report indications of certain types of 
potential fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse to law enforcement or investigatory 
authorities before performing additional audit procedures. In cases 
where an investigation is initiated or in process, it may be 
appropriate for the auditors to withdraw from or defer further work on 
the engagement or a portion of the engagement to avoid interfering with 
an investigation. 

Developing Elements of Findings for Attestation Engagements: 

6.23: When deficiencies are identified, auditors should plan audit 
procedures to develop the elements of a finding necessary to achieve 
the objectives of the attestation engagement. Attest findings, such as 
deficiencies in internal control, potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse, 
contain the elements of criteria, condition, cause, and effect. The 
elements needed for a finding depend on the objectives of the 
attestation engagement. Thus, a finding or set of findings is complete 
to the extent that the objectives of the attestation engagement are 
satisfied. (See paragraphs 6.49 through 6.53 for a description of 
deficiencies in internal control and paragraph 6.51 for a description 
of the elements of a finding.) 

Attest Documentation: 

6.24: The auditor must prepare attest documentation in connection with 
each engagement in sufficient detail to provide a clear understanding 
of the work performed (including the nature, timing, extent, and 
results of attest procedures performed), the attest evidence obtained 
and its source, and the conclusions reached. Attest documentation: 

a. provides the principal support for the statement in the auditor’s 
report that the auditors performed the attestation engagement in 
accordance with GAGAS and any other standards cited; and 

b. provides the principal support for the auditors’ conclusion. 

6.25: Attest documentation is an essential element of audit quality. 
Although documentation alone does not guarantee audit quality, the 
process of preparing sufficient and appropriate documentation 
contributes to the quality of an attestation engagement. 

6.26: The auditor should prepare attest documentation that enables an 
experienced auditor, [Footnote 87] having no previous connection to the 
attestation engagement, to understand: 

a. the nature, timing, and extent of attest procedures performed to 
comply with GAGAS and other applicable standards and requirements; 

b. the results of the attest procedures performed and the attest 
evidence obtained; 

c. how the attest evidence relates to the attestation engagement’s 
conclusions; and 

d. the conclusions reached on significant matters. 

6.27: In addition to the attest documentation requirements listed in 
the previous paragraph, the auditor should document the following for 
attestation engagements performed under GAGAS: 

a. the objectives, scope, and methodology of the attestation 
engagement; 

b. evidence of supervisory review, before the attest report is issued, 
of the work performed that supports findings, conclusions, and 
recommendations contained in the attest report; and 

c. the auditors’ consideration that the planned attestation procedures 
are designed to achieve objectives of the attestation engagement when 
(1) evidence obtained is highly dependent on computerized information 
systems, (2) evidence is material to the objective of the engagement, 
and (3) the auditors are not relying on the effectiveness of internal 
control over those computerized systems that produced the information.
Auditors should document (1) the rationale for determining the nature, 
timing, and extent of planned audit procedures; (2) the kinds and 
competence of available evidence produced outside a computerized 
information system, and/or plans for direct testing of data produced 
from a computerized information system; and (3) the effect on the
attestation engagement report if evidence to be gathered does not 
afford a reasonable basis for achieving the objectives of the 
engagement. 

6.28: Auditors should document matters specific to a particular 
attestation engagement in the attest documentation file. Certain 
matters, such as auditor independence and staff training, that are not 
engagement specific, may be documented either centrally in the
audit organization or in the documentation for the attestation 
engagement. 

6.29: The form, content, and extent of attest documentation depend on 
the circumstances of the engagement and the attest methodology and 
tools used. Oral explanations on their own do not represent sufficient 
support for the work the auditor performed or conclusions the auditor 
reached but may be used by the auditor to clarify or explain 
information contained in the attest documentation. It is, however, 
neither necessary nor practicable to document every matter the auditor 
considers during the attestation engagement. 

6.30: The auditor should document significant findings or issues, 
actions taken to address them (including any additional evidence 
obtained), and the basis for the final conclusions reached. Judging the 
significance of a finding or issue requires an objective analysis of 
the facts and circumstances. 

6.31: The auditor should document discussions of significant findings 
or issues with management and others, including the significant 
findings or issues discussed, and when and with whom the discussions 
took place. 

6.32: If the auditor has identified information that contradicts or is 
inconsistent with the auditor’s final conclusions regarding a 
significant finding or issue, the auditor should document how the 
contradiction or inconsistency was addressed in forming the conclusion. 

6.33: In documenting the nature, timing, and extent of attest 
procedures performed, the auditor should record: 

a. who performed the attest work and the date such work was completed; 
and 

b. who reviewed specific attest documentation and the date of such 
review. 

6.34: When the auditor does not comply with applicable unconditional or 
presumptively mandatory GAGAS requirements, the auditor should document 
the justification for the departure, the impact on the audit, and how 
alternative procedures performed in the circumstances were sufficient 
to achieve the objectives of the requirements. The auditor should also 
follow the requirements in paragraphs 1.13 through 1.15. 

6.35: The report should not be dated earlier than the date on which the 
auditor has obtained sufficient, appropriate attest evidence to support 
the reported information, conclusion, or opinion. Among other things, 
attest evidence includes evidence that the attest documentation has 
been reviewed and that the entity’s assertions have been prepared and 
that management has asserted that it has taken responsibility for them. 

6.36: The audit organization should adopt reasonable procedures to 
retain and access attest documentation for a period of time sufficient 
to meet the needs of the audit organization and to satisfy any 
applicable legal or regulatory requirements for records retention. 

6.37: The auditor should complete the assembly of the final attestation 
engagement file on a timely basis, following the report release date 
(documentation completion date). Statutes, regulations, or the audit 
organization’s quality control policies may state a specific time in 
which the assembly process should be completed. 

6.38: At any time prior to the documentation completion date, the 
auditor may make changes to the attest documentation to: 

a. complete the documentation and assembly of attest evidence that the 
auditor has obtained, discussed, and agreed with relevant members of 
the attest team prior to the date of the attestation report; 

b. perform routine file-assembling procedures such as deleting or 
discarding superseded documentation and sorting, collating, and cross-
referencing final attest documentation; 

c. sign off on the attest documentation completion checklists prior to 
completing and archiving the attestation engagement file; and 

d. add information received after the date of the report, for example, 
an original document that was previously faxed. 

6.39: After the documentation completion date, the auditors must not 
delete or discard attest documentation before the end of the specified 
retention period, as discussed in paragraph 6.36. When the auditor finds it 
necessary to make an addition (including amendments) to attest 
documentation after the documentation completion date, the auditor 
should document the addition by including the following in the 
documentation: 

a. when and by whom such additions were made and, where applicable, 
reviewed; 

b. the specific reasons for the changes; and 

c. the effect, if any, of the changes on the auditors’ conclusions. 

6.40: Attest documentation allows for the review of audit quality by 
providing the reviewer with documentation, either in written or 
electronic formats, of the evidence supporting the auditors’ 
significant judgments and conclusions. If attest documentation is only 
retained electronically, the audit organization should safeguard the 
electronic documentation through sound computer security so that it is 
capable of being accessed throughout the specified retention period 
established for attest documentation. 

6.41: Whether attest documentation is in paper, electronic, or other 
media, the integrity, accessibility, and retrievability of the 
underlying data may be compromised if the documentation could be 
altered, added to, or deleted without the auditors’ knowledge, or could 
be permanently lost or damaged. Accordingly, the auditor should apply 
appropriate controls to safeguard attest documentation from alteration, 
destruction, and unauthorized access. 

6.42: Underlying GAGAS attestation engagements is the premise that 
federal, state, and local government audit organizations and 
independent accounting firms engaged to perform attestation engagements 
in accordance with GAGAS cooperate in auditing programs of common 
interest so that auditors may use others’ work and avoid duplication of 
efforts. Auditors should make appropriate audit staff and individuals, 
as well as attest documentation available, upon request, in a timely 
manner to other auditors or reviewers. It is also essential that 
contractual arrangements for GAGAS attestation engagements provide for 
full and timely access to audit staff and individuals, as well as 
attest documentation without restriction to facilitate reliance by 
other auditors or reviewers on the auditors’ work. 

6.43: Consistent with applicable laws and regulations, audit 
organizations should develop clearly defined policies and criteria to 
deal with situations where requests are made by outside parties to 
obtain access to attest documentation. The audit organization should 
include in its policies and procedures guidance for dealing with 
situations where an outside party attempts to obtain indirectly through 
the auditor information that it is unable to obtain directly from the 
audited entity and how to respond to requests for access to audit 
documentation before the attestation engagement is complete. The audit 
organization should also include flexibility in its policies and 
procedures to consider the individual facts and circumstances 
surrounding such requests, for instance, cases when granting access or 
providing certain information could adversely affect the audit 
organization’s ability to successfully perform similar attestation 
engagements in the future. 

AICPA Reporting Standards for Attestation Engagements: 

6.44: As discussed in paragraph 1.29, the AICPA SSAE provide for 
different levels of reporting based on the type of assurance the 
auditors are providing. [Footnote 88] The four AICPA reporting 
standards for all levels of reporting under attestation engagements are 
as follows: 

[AICPA is currently in the process of revising the reporting standards 
to use clarified language. GAO will monitor the status of AICPA’s 
efforts in order to include the most up-to-date AICPA standards in the 
final 2006 Revision of Government Auditing Standards.] 

a. The report shall identify the subject matter or the assertion being 
reported on and state the character of the engagement. 

b. The report shall state the practitioner’s [auditor’s] conclusions 
about the subject matter or the assertion in relation to the criteria 
against which the subject matter was evaluated. 

c. The report shall state all of the practitioner’s [auditor’s] 
significant reservations about the engagement, the subject matter, and, 
if applicable, the assertion related thereto. 

d. The report shall state that the use of the report is restricted to 
specified parties under the following circumstances: [Footnote 89] (1) 
when the criteria used to evaluate the subject matter are determined by 
the practitioner to be appropriate only for a limited number of parties
who either participated in their establishment or can be presumed to 
have an adequate understanding of the criteria, (2) when the criteria 
used to evaluate the subject matter are available only to specified 
parties, (3) when reporting on subject matter and a written assertion 
has not been provided by the responsible party, and (4) when the report 
is on an attest engagement to apply agreed-upon procedures to the 
subject matter. 

Additional GAGAS Reporting Standards for Attestation Engagements: 

6.45: GAGAS establish reporting standards for attestation engagements 
in addition to the requirements contained in the AICPA SSAE. Auditors 
should comply with these additional standards when citing GAGAS in 
their attestation engagement reports. The additional GAGAS standards 
relate to: 

a. reporting auditors’ compliance with GAGAS (see paragraphs 6.46 
through 6.48); 

b. reporting deficiencies in internal control, potential fraud, illegal 
acts, violations of provisions of contracts or grant agreements, or 
abuse (see paragraphs 6.50 through 6.57); 

c. reporting views of responsible officials (see paragraphs 6.58 
through 6.63); 

d. reporting privileged and confidential information (see paragraphs 
6.64 through 6.66); and 

e. issuing and distributing reports (see paragraphs 6.67 through 6.71). 

Reporting Auditors’ Compliance with GAGAS: 

6.46: When auditors comply with all applicable GAGAS standards, they 
should include a statement in the attestation report that they 
performed the engagement in accordance with GAGAS. 

6.47: The statement of compliance with GAGAS indicates that the 
auditors have complied with all applicable GAGAS general and 
attestation engagement standards, including underlying AICPA standards. 
If the auditors did not follow applicable standards, or were not able 
to follow applicable standards due to access problems or other scope 
limitations, they should follow the requirements in paragraphs 1.13 
through 1.15. 

6.48: GAGAS do not prohibit auditors from issuing a separate report 
conforming only to the requirements of other standards. When a GAGAS 
attestation engagement is the basis for an auditors’ subsequent report 
under the AICPA or other standards, auditors should consider including 
a reference to the GAGAS report, as that report will contain additional 
information on internal control, compliance with laws, regulations, and
provisions of contracts or grant agreements, potential fraud, or abuse 
that GAGAS require. 

Reporting Deficiencies in Internal Control, Potential Fraud, Illegal 
Acts, Violations of Provisions of Contracts or Grant Agreements, or 
Abuse: 

6.49: For attestation engagements, auditors should report, as 
applicable to the objectives of the engagement, (1) deficiencies in 
internal control considered to be material weaknesses or other 
significant deficiencies, (2) all instances of potential fraud and
illegal acts unless clearly inconsequential, and (3) violations of 
provisions of contracts or grant agreements or abuse that are material 
to the subject matter or assertion of the engagement. In some 
circumstances, auditors should report potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse 
directly to parties external to the entity. (See paragraphs 6.54 
through 6.57.) 

Reporting Deficiencies in Internal Control: 

6.50: For all attestation engagements, auditors should report 
deficiencies in internal control considered to be significant 
deficiencies, including material weaknesses, as follows: 

a. In attestation engagements, a significant deficiency is a deficiency 
in internal control, or combination of deficiencies, that adversely 
affects the entity’s ability to initiate, authorize, record, process, 
or report data reliably in accordance with the applicable criteria or 
framework such that there is more than a remote [Footnote 90] 
likelihood that a misstatement of the subject matter or assertion that 
is more than inconsequential [Footnote 91] will not be prevented or 
detected. 

b. In attestation engagements, a material weakness is a significant 
deficiency, or combination of significant deficiencies, that results in 
more than a remote likelihood that a material misstatement will not be 
prevented or detected. 

6.51: To the extent necessary to achieve the engagement objectives, in 
presenting findings such as deficiencies in internal control, auditors 
should develop the elements of criteria, condition, cause, and effect 
to assist management or oversight officials of the audited entity in 
understanding the need for taking corrective action. In addition, if
auditors are able to sufficiently develop the elements of a finding, 
they should provide recommendations for corrective action. Following is 
guidance for reporting on elements of findings: 

a. Criteria: The required or desired state or what is expected from the 
program or operation. The criteria are easier to understand when stated 
fairly, explicitly, and completely, and the source of the criteria is 
identified in the attestation engagement report. [Footnote 92] 

b. Condition: What the auditors found regarding the actual situation. 
Reporting the scope or extent of the condition allows the report user 
to gain an accurate perspective. 

c. Cause: Evidence on the factor or factors responsible for the 
difference between condition and criteria. In reporting the cause, 
auditors may consider whether the evidence provides a reasonable and 
convincing argument for why the stated cause is the key factor or 
factors contributing to the difference as opposed to other possible 
causes, such as poorly designed criteria or factors uncontrollable by 
program management. The auditors also may consider whether the 
identified cause could serve as a basis for the recommendations. Often 
the causes of deficiencies in internal control are complex and
involve multiple factors. In some cases, it may not be practical for 
auditors to fully develop or identify the causes of deficiencies. 
However, analyzing and identifying root causes of internal control 
deficiencies is key to making recommendations for corrective action. 

d. Effect or potential effect: A clear, logical link to establish the 
impact or potential impact of the difference between what the auditors 
found (condition) and the required or desired state (criteria). Effect 
is easier to understand when it is stated clearly, concisely, and, if 
possible, in quantifiable terms. The significance of the reported 
effect can be demonstrated through credible evidence. 

6.52: Auditors should place their findings in perspective by describing 
the nature and extent of the issues being reported and the extent of 
the work performed that resulted in the finding. To give the reader a 
basis for judging the prevalence and consequences of these findings, 
auditors may relate the instances identified to the population or the
number of cases examined and quantify the results in terms of dollar 
value, as appropriate. If the results cannot be projected, auditors 
should limit their conclusions appropriately. 

6.53: When auditors detect deficiencies in internal control, potential 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, or abuse that are not material to the subject matter or 
assertion, they should communicate those findings in a management 
letter to officials of the audited entity unless they are clearly
inconsequential considering both qualitative and quantitative factors. 
Auditors use professional judgment in determining whether and how to 
communicate to officials of the audited entity deficiencies in internal 
control, potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse that are clearly 
inconsequential. Auditors should include in their attest documentation 
evidence of communications to officials of the audited entity about 
potential fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse. 

Direct Reporting of Potential Fraud, Illegal Acts, Violations of 
Provisions of Contracts or Grant Agreements, or Abuse: 

6.54: Auditors should report potential fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse directly to 
parties outside the audited entity in two circumstances, as discussed 
below. [Footnote 93] This reporting is in addition to any legal
requirements for direct reporting of potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse. 
Auditors should follow these requirements even if they have resigned or 
been dismissed from the attestation engagement prior to its
completion. 

6.55: The audited entity may be required by law or regulation to report 
certain potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse to specified external parties, 
such as a federal inspector general or a state attorney general. When 
auditors have communicated such potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse to 
the audited entity and the entity fails to report them, the auditors 
should communicate such an awareness to the governing body of the 
audited entity. When the audited entity does not make the required 
report as soon as possible after the auditors’ communication with 
those charged with governance, the auditors should report such 
potential fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse directly to the external party specified in 
the law or regulation. 

6.56: When potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse involves awards received 
directly or indirectly from a government agency, auditors may have a 
duty to report directly if management fails to take remedial steps. 
When auditors conclude that such failure is likely to cause them to 
depart from the standard report on the attestation engagement or resign 
from the engagement, they should communicate that conclusion to those 
charged with governance. If the audited entity does not report the 
potential fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse in a timely manner to the entity that 
provided the government assistance, the auditors should report the 
potential fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse directly to the awarding entity. 

6.57: Auditors should obtain sufficient, appropriate evidence, such as 
confirmation from outside parties, to corroborate assertions by 
management that it has reported potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse.
When auditors are unable to do so, the auditors should report such 
potential fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse directly as discussed above.

Reporting Views of Responsible Officials: 

6.58: If the auditors’ report on the attestation engagement discloses 
deficiencies in internal control, potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse, 
auditors should obtain and report the views of responsible officials 
concerning the findings, conclusions, and recommendations, as well as 
planned corrective actions. 

6.59: One of the most effective ways to provide a report that is fair, 
complete, and objective is to provide a draft report for review and 
comments by responsible officials of the audited entity and others, as 
appropriate. Including the views of responsible officials results in a 
report that presents not only the significant deficiencies in internal 
control, potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse the auditors identified, but 
also the perspectives of the responsible officials of the audited entity 
and the corrective actions they plan to take. Auditors should include in
their report a copy of the officials’ written comments and/or a summary 
of the comments received. In cases where the audited entity provides 
technical comments in addition to its written comments on the report, 
auditors use professional judgment in determining whether to include 
such comments or disclose in the report that such comments were
provided. 

6.60: Auditors ordinarily request that the responsible officials submit 
in writing their views on the auditors’ reported findings, conclusions, 
and recommendations, as well as management’s planned corrective 
actions. However, oral comments are acceptable, and, in some cases, may 
be the most expeditious way to obtain comments. Obtaining oral comments 
can be effective when, for example, there is a time-critical reporting 
date to meet a user’s needs; auditors have worked closely with the 
responsible officials throughout the conduct of the work and the 
parties are familiar with the findings and issues addressed in the 
draft report; or the auditors do not expect major disagreements with 
the draft report’s findings, conclusions, and recommendations, or 
perceive any major controversies with regard to the issues discussed in 
the draft report. If oral comments are provided by the responsible 
officials, auditors should prepare a summary of the oral comments and 
provide a copy of the summary to the responsible officials to verify 
that the comments are accurately stated prior to finalizing the report. 

6.61: Auditors should fairly and objectively evaluate and recognize 
comments, as appropriate, in the final report. Auditors may note 
comments, such as a plan for corrective action, but should not accept 
them as justification for dropping a finding or a related 
recommendation without sufficient and appropriate evidence. 

6.62: When the entity’s comments oppose the report’s findings, 
conclusions, or recommendations, and are not, in the auditors’ opinion, 
valid, or when planned corrective actions do not adequately address the 
auditors’ recommendations, the auditors should state objectively their 
reasons for disagreeing with the comments or planned corrective 
actions. Conversely, the auditors should modify their report as
necessary if they find the comments valid. 

6.63: If the audited entity refuses to provide comments or is unable to 
provide comments within a reasonable period of time, auditors may need 
to issue the report without receiving comments from the audited entity. 
In such cases, auditors should describe in the report the reasons that 
comments from the audited entity are not included. 

Reporting Privileged and Confidential Information: 

6.64: If certain pertinent information is prohibited from general 
disclosure, auditors should disclose in the report that certain 
information has been omitted and the requirement that makes the 
omission necessary. 

6.65: Certain information may be classified or may be otherwise 
prohibited from general disclosure by federal, state, or local laws or 
regulations. In such circumstances, auditors may issue a separate, 
classified or limited-official-use report containing such information
and distribute the report only to persons authorized by law or 
regulation to receive it. Additional circumstances associated with 
public safety and security concerns could also justify the exclusion of 
certain information in the report. For example, detailed information 
related to computer security for a particular program may be excluded 
from publicly available reports because of the potential damage that 
could be caused by the misuse of this information. In such 
circumstances, auditors may issue a limited-official-use report 
containing such information and distribute the report only to those 
parties responsible for acting on the auditors’ recommendations. The 
auditors may consult with legal counsel regarding any requirements or 
other circumstances that may necessitate the omission of certain 
information. 

6.66: Auditors consider the broad public interest in the program or 
activity under review when deciding whether to exclude certain 
information from publicly available reports. When circumstances call 
for omission of certain information, auditors should evaluate whether 
this omission could distort the engagement results or conceal improper 
or unlawful practices. 

Issuing and Distributing Reports: 

6.67: Government auditors should submit attest reports to those charged 
with governance, to the appropriate officials of the entity and to 
appropriate officials of the organizations requiring or arranging for 
the engagement, including external funding organizations such as 
legislative bodies, unless legal restrictions prevent it. Auditors
should also send copies of the reports to other officials who have 
legal oversight authority or who may be responsible for acting on the 
findings and recommendations and to others authorized to receive such 
reports. Auditors should clarify whether the report will be made 
available for public inspection. If the subject matter of the
attestation engagement involves material that is classified for 
security purposes or not releasable to particular parties or the public 
for other valid reasons, auditors may limit the report distribution. 
[Footnote 94] Auditors should document any limitation on report 
distribution. 

6.68: Although AICPA standards require that a report on an engagement 
to evaluate an assertion based on agreed-upon criteria or on an 
engagement to apply agreed-upon procedures should contain a statement 
indicating it is intended to be used solely by the parties who have 
agreed upon such criteria or procedures, such a statement does not
necessarily limit the report distribution in a government environment. 

6.69: When nongovernment auditors are engaged to perform an attestation 
engagement under GAGAS, they should clarify report distribution 
responsibilities with the engaging organization. If nongovernment 
auditors are to make the distribution, they should reach agreement with 
the party contracting for the attestation engagement about which 
officials or organizations should receive the report and the steps 
being taken to make the report available to the public. 

6.70: Internal auditors may follow the IIA’s standards for report 
distribution, which state internal auditors also follow any applicable 
statutory requirements for distribution. The head of the internal audit 
organization should disseminate results to the appropriate parties. The 
head of the internal audit organization is responsible for 
communicating the final results to parties who are in a position to 
take appropriate corrective actions. Distribution of reports outside 
the organization ordinarily is made only in accordance with applicable 
laws, rules, regulations, or policy. 

6.71: If an attestation engagement is terminated before it is completed 
but the auditors do not issue a report on the attestation engagement, 
auditors should write a memorandum for the record that summarizes the 
results of the work to the date of termination and explains why the 
attestation engagement was terminated. In addition, depending on the 
facts and circumstances, auditors should notify those charged with
governance, management of the entity, the entity requesting the 
attestation engagement, and other appropriate officials, about the 
termination of the engagement, preferably in writing. Auditors should 
document this communication. 

[End of chapter] 

Chapter 7: Field Work Standards for Performance Audits: 

Introduction: 

7.01: This chapter establishes field work standards and provides 
guidance for performance audits conducted in accordance with generally 
accepted government auditing standards (GAGAS). The field work 
standards for performance audits relate to planning the audit; 
supervising staff; obtaining sufficient, appropriate evidence; and
preparing audit documentation. 

7.02: See paragraphs 1.16 through 1.17 and 1.20 for a discussion about 
the use of GAGAS with other standards. 

7.03: See paragraphs 1.33 through 1.42 for an overall description of 
the nature and objectives of performance audits and paragraphs 3.36 
through 3.45 for a description of professional judgment in these 
audits. 

Significance in a Performance Audit: 

7.04: Auditors use the concept of significance [Footnote 95] throughout 
a performance audit. Auditors consider significance when deciding the 
type and extent of audit work to perform, when evaluating results of 
audit work, and when developing the report. Significance is defined
as the relative importance of a matter within the context in which it 
is being considered, including quantitative and qualitative factors. 
Such factors include relative magnitude, the nature and effect of the 
matter, and the needs and interests of intended users or recipients. 
Auditors use professional judgment when considering whether a matter is 
significant within the context of the audit objectives. The auditors’ 
consideration is influenced by the relationship of the matter to the 
audit objectives and the auditors’ perception of the needs of users of 
the audit reports. 

7.05: When making judgments about significance within the context of 
the audit objectives, auditors consider the quantitative or qualitative 
factors that make it probable that the auditors’ findings, conclusions 
or recommendations would be affected by the matter if the matter had 
been omitted from the auditors’ analysis. When making judgments about 
significance to the needs of report users, auditors consider whether it 
is probable that the judgment of a reasonable person relying on the 
auditors’ report would have been changed or influenced if the matter 
was omitted from the auditors’ analysis and disclosed in the audit 
report. This includes the probability that the matter would change or 
influence the decisions of intended users of the auditors’ report; or, 
as another example, where the context is a judgment about whether to 
report a matter to those charged with governance, whether the matter 
would be regarded as important by those charged with governance in 
carrying out their duties. When reporting on the results of their work, 
auditors should disclose material or significant facts relevant to the
objectives of their work and known to them which, if not disclosed, 
could mislead knowledgeable users, misrepresent the results, or conceal 
significant improper or unlawful practices. 

Audit Risk: 

7.06: Auditors must plan the audit so that the auditors reduce audit 
risk to a level that is sufficiently low for the auditors to provide 
reasonable assurance that the evidence is sufficient and appropriate to 
achieve the audit objectives and support the conclusions reached. This 
determination is a matter of professional judgment. Audit risk is the 
risk that auditors may provide improper findings, conclusions, 
recommendations, or assurance because, for example, the information 
obtained is not sufficient or not appropriate, the audit process was 
inadequate, or intentional omissions or misleading information existed 
due to misrepresentation or fraud. Factors such as the time frames, 
complexity, or sensitivity of the work, size of the program in terms of 
dollar amounts and number of citizens served, and access to records are 
considered in the risk determination. Audit risk involves qualitative 
and quantitative considerations. A component of audit risk is the risk 
that auditors will not detect a mistake, inconsistency, or significant 
error in the evidence supporting the audit. Auditors can reduce the 
audit risk by using additional evidence, higher quality evidence and/or 
alternative forms of evidence. When auditors cannot obtain alternative 
forms of evidence, they should clearly describe the scope of work and 
any limitations in the underlying information, so that (1) readers of 
the auditors’ report are provided with a clear understanding as to what 
the auditors did or did not do and (2) the findings, conclusions and
recommendations are not misleading. In such cases, auditors should also 
follow the guidance in paragraphs 1.06 through 1.15. 

Sufficient, Appropriate Evidence: 

7.07: The concept of sufficient, appropriate evidence is integral to a 
performance audit. Appropriateness is the measure of the quality of 
information which encompasses its relevance, reliability, and validity 
in providing support for achieving audit objectives. In assessing the 
overall appropriateness of information, auditors should assess whether 
the information is relevant, valid, and reliable. Sufficiency is a 
measure of the quantity of evidence used to support the findings, 
conclusions, and recommendations related to the audit objectives. In 
determining the sufficiency of evidence, auditors should determine
whether enough evidence exists to persuade a knowledgeable person of the
reasonableness of the findings. Paragraphs 7.53 through 7.69 describe 
the auditors’ assessment of appropriateness and sufficiency of 
evidence. 

Planning: 

7.08: Auditors must adequately plan and document the planning of the 
work necessary to achieve the audit objectives. 

7.09: In planning the audit, auditors should assess significance and 
risk in defining the audit objectives, and the scope and methodology to 
achieve those objectives. Audit objectives, scope, and methodology are 
not determined independently. Auditors determine these three elements 
of the audit plan together, as the considerations in determining each 
often overlap. Planning is a continuous process throughout the audit.
Therefore, auditors may need to make adjustments to the audit 
objectives, scope, and methodology as work is being completed. 

7.10: The objectives are what the audit is intended to accomplish. They 
identify the audit subject matter and performance aspects to be 
included, as well as the potential findings and reporting elements that 
the auditors expect to develop. [Footnote 96] Audit objectives can be 
thought of as questions about the program [Footnote 97] that auditors 
seek to answer based on evidence obtained and assessed against criteria 
or best practices. 

7.11: Scope is the boundary of the audit and is directly tied to the 
audit objectives. The scope defines the subject matter that the 
auditors will assess and report on, such as a particular program or 
aspect of a program, the period of time reviewed, and the locations
that will be included. 

7.12: The methodology describes the nature and extent of audit 
procedures for gathering and analyzing information to achieve the 
objectives and address the relevant risks. Audit procedures are the 
specific steps and tests auditors will carry out to address the audit
objectives. Auditors should design the methodology to provide 
sufficient, appropriate evidence to achieve the audit objectives and 
reduce audit risk to an acceptable level. Methodology includes both the 
nature and extent of audit procedures used to achieve the audit 
objectives. Auditors should also evaluate possible issues surrounding 
the appropriateness of available information in planning the audit. 

7.13: Auditors should plan and conduct performance audits to address 
the relevant risks and to provide reasonable assurance that the 
auditors have sufficient, appropriate evidence to achieve the audit 
objectives while addressing the relevant risks. Thus, the levels of 
evidence and tests of evidence will vary based on the audit objectives 
and conclusions. Objectives for performance audits range from narrow 
issues requiring specific evidence and answers, to broad issues 
requiring extensive evidence to general questions which sometimes 
require general answers. In some engagements, sufficient, appropriate 
evidence is easily obtained, and in others, information may have 
limitations. Auditors use professional judgment in determining the 
audit scope and methodology needed to answer the audit’s objectives, 
while providing the appropriate level of assurance that the obtained 
evidence is sufficient and appropriate to meet the audit’s objectives. 

7.14: During planning auditors should assess risk and significance by 
considering: 

a. the nature and profile of the programs and the needs of potential 
users of the audit report (see paragraphs 7.16 and 7.17); 

b. internal control as it relates to the specific objectives and scope 
of the audit (see paragraphs 7.18 through 7.24); 

c. information systems controls for purposes of assessing audit risk 
and planning the audit (see paragraphs 7.25 through 7.27); 

d. legal and regulatory requirements, contract provisions, or grant 
agreements, potential fraud, or abuse that are significant within the 
context of the audit objectives (see paragraphs 7.28 through 7.34); 
and 

e. the results of previous audits and attestation engagements that 
directly relate to the current audit objectives (see paragraph 7.35). 

7.15: During planning, the auditors also should: 

a. identify the potential criteria needed to evaluate matters subject 
to audit (see paragraphs 7.36 through 7.37); 

b. identify potential sources of audit evidence and consider the amount 
and type of evidence needed given risk and significance (see paragraphs 
7.38 through 7.39); 

c. consider whether the work of other auditors and experts may be used 
to satisfy some of the audit objectives (see paragraphs 7.40 through 
7.42); 

d. assign sufficient staff and specialists with adequate collective 
professional competence and identify other resources needed to perform 
the audit (see paragraphs 7.43 through 7.44); 

e. communicate about planning and performance of the audit to 
management officials, those charged with governance, and others as 
applicable (see paragraphs 7.45 and 7.46); and 

f. prepare an audit plan (see paragraphs 7.47 through 7.48). 

Nature and Profile of the Program: 

7.16: Auditors should obtain an understanding of the nature and profile 
of the program or program component under audit and the potential use 
that will be made of the audit results or report as they plan a 
performance audit. The nature and profile of a program include: 

a. visibility, sensitivity, and risks associated with the program under 
audit; 

b. newness of the program or changes in its conditions; 

c. the size of the program in terms of total dollars and/or number of 
citizens impacted; 

d. role of the audit in providing information that can improve public 
accountability and decision making (see paragraphs 1.01 and 1.02); and 

e. level and extent of review or other forms of independent oversight. 

7.17: Auditors obtain an understanding of the program under audit to 
help assess the risks associated with the program and the impact on the 
audit objectives, scope and methodology. The auditors’ understanding 
may come from knowledge they already have about the program or 
knowledge they gain from inquiries and observations they make in
planning the audit. The extent and breadth of those inquiries and 
observations will vary among audits based on the audit objectives, as 
will the need to understand individual aspects of the program, such as 
the following: 

a. Laws, regulations, and provisions of contracts or grant agreements: 
Government programs usually are created by law and are subject to 
specific laws and regulations. For example, laws and regulations 
usually set forth what is to be done, who is to do it, the purpose to 
be achieved, the population to be served, and related funding 
guidelines or restrictions. Government programs may also be subject to 
provisions of contracts and grant agreements. Thus, understanding the 
laws and the legislative history establishing a program and the 
provisions of any contracts or grant agreements can be essential to
understanding the program itself. Obtaining that understanding is also 
a necessary step in identifying provisions of laws, regulations, 
contracts, or grant agreements that are significant within the context 
of the audit objectives. 

b. Purpose and goals: Purpose is the result or effect that is intended 
or desired from a program’s operation. Legislatures usually establish 
the program purpose when they provide authority for the program. Entity 
officials may provide more detailed information on program purpose to 
supplement the authorizing legislation. Entity officials are sometimes 
asked to set goals for program performance and operations, including 
both output and outcome goals. Auditors may use the stated program 
purpose and goals as criteria for assessing program performance or may 
develop additional criteria or best practices to use when assessing 
performance. 

c. Internal control: Internal control, often referred to as management 
controls, in the broadest sense includes the plan, methods, and 
procedures adopted by management to meet its missions, goals, and 
objectives. Internal control includes the processes for planning, 
organizing, directing, and controlling program operations. It includes 
the systems for measuring, reporting, and monitoring program 
performance. Internal control also serves as a defense in safeguarding 
assets and preventing and detecting errors; potential fraud; violations 
of laws, regulations, and provisions of contracts and grant agreements; 
or abuse. Paragraphs 7.18 through 7.24 contain guidance pertaining to
internal control. 

d. Efforts: Efforts are the amount of resources (in terms of money, 
material, personnel, etc.) that are put into a program. These resources 
may come from within or outside the entity operating the program. 
Measures of efforts can have a number of dimensions, such as cost, 
timing, and quality. Examples of measures of efforts are dollars, 
employee-hours, and square feet of building space. 

e. Program operations: Program operations are the strategies, 
processes, and activities management uses to convert efforts into 
outputs. Program operations are subject to internal control. 

f. Outputs: Outputs represent the quantity of goods or services 
produced by a program. For example, an output measure for a job 
training program could be the number of persons completing training, 
and an output measure for an aviation safety inspection program could 
be the number of safety inspections completed. 

g. Outcomes: Outcomes are accomplishments or results of programs. For 
example, an outcome measure for a job training program could be the 
percentage of trained persons obtaining a job and still in the work 
place after a specified period of time. Examples of outcome measures 
for an aviation safety inspection program could be the percentage
reduction in safety problems found in subsequent inspections and/or the 
percentage of problems deemed corrected in follow-up inspections. Such 
outcome measures show progress in achieving the stated program purposes 
of helping unemployable citizens obtain and retain jobs, and improving 
the safety of aviation operations. Outcomes may be influenced by 
cultural, economic, physical, or technological factors outside the 
program. Auditors may use approaches drawn from other disciplines, such 
as program evaluation, to isolate the effects of the program from these 
other influences. An especially important type of outcome is unexpected 
effects, which may be negative, such as adverse drug reactions, or 
positive, such as increased private investment in an area of service. 

Internal Control: 

7.18: Auditors should obtain an understanding of internal control 
significant within the context of the audit objectives. For those 
internal control objectives that are significant within the context of 
the audit objectives, auditors should assess whether specific internal 
control procedures have been properly designed and placed in operation 
and conduct specific tests of the effectiveness of the internal control 
procedures. Based on the test results and the auditors’ assessment, the 
auditors consider whether to modify the nature, timing, or extent of 
their audit procedures. [Footnote 98] Officials of the audited entity 
are responsible for establishing effective internal control. The lack 
of administrative continuity in government units because of changes in 
elected legislative bodies and in other government officials increases 
the need for effective internal control. 

7.19: The following discussion of the principal types of internal 
control objectives is intended to help auditors better understand 
internal controls and determine their significance to the audit 
objectives: 

a. Effectiveness and efficiency of program operations: Controls over 
program operations include policies and procedures that officials of 
the audited entity have implemented to provide reasonable assurance 
that a program meets its objectives and that unintended actions do not 
result. Understanding these controls can help auditors understand the
program operations that convert efforts to outputs or outcomes. 

b. Validity and reliability of information: Controls over the validity 
and reliability of information include policies and procedures that 
officials of the audited entity have implemented to provide themselves 
reasonable assurance that operational information they use and report 
is valid and reliable and fairly disclosed in reports. These controls
help assure management that it is getting valid and reliable 
information about whether programs are operating properly on an ongoing 
basis. Understanding these controls can help auditors (1) assess the 
risk that the information gathered by the entity may not be valid or 
reliable and (2) design appropriate tests of the information 
considering the audit objectives. 

c. Compliance with applicable laws and regulations and provisions of 
contracts or grant agreements: Controls over compliance include 
policies and procedures that officials of the audited entity have 
implemented to provide reasonable assurance that program implementation 
is consistent with laws, regulations, and provisions of contracts or 
grant agreements. Understanding the relevant controls concerning 
compliance with those laws and regulations and provisions of contracts 
or grant agreements that the auditors have determined are significant 
can help auditors assess the risk of illegal acts, [Footnote 99] 
violations of provisions of contracts or grant agreements, or abuse. 

7.20: A subset of these categories of internal control objectives is 
the safeguarding of assets and resources. Controls over the 
safeguarding of assets and resources include policies and procedures 
that officials of the audited entity have implemented to reasonably 
prevent or promptly detect unauthorized acquisition, use, or 
disposition of assets and resources. 

7.21: Auditors can obtain an understanding of internal control 
[Footnote 100] through inquiries, observations, inspection of documents 
and records, review of other auditors’ reports, or direct tests. The 
procedures auditors perform to obtain an understanding of internal 
control will vary among audits based on audit objectives and risk. For 
instance, poorly controlled or internally risky aspects of a program 
have a higher risk of failure, so auditors may want to focus their 
efforts in these areas. The extent of these procedures will vary based 
on the audit objectives, known or potential internal control risks or 
problems, and the auditors’ knowledge about internal control gained in 
prior audits. 

7.22: For those internal controls that are deemed significant within the 
context of the audit objectives, auditors should plan to obtain 
sufficient, appropriate evidence to support their assessment about the 
effectiveness of those controls. (See paragraph 1.39 for examples of 
internal control objectives.) 

7.23: In performance audits, a deficiency in internal control exists 
when the design or operation of a control does not allow management or 
employees, in the normal course of performing their assigned functions, 
to prevent or detect (1) impairments of effectiveness or efficiency of 
operations, (2) misstatements in financial or performance information, 
or (3) violations of laws and regulations, on a timely basis. 

7.24: Internal auditing is an important part of overall governance, 
accountability, and internal control. [Footnote 101] A key role of many 
internal audit organizations is to provide assurance that internal 
controls in place are adequate to mitigate risks and achieve program 
goals and objectives. When an assessment of internal control is called 
for, the work of the internal auditors may be used in assessing whether 
internal controls are effectively designed and functioning properly, 
and to prevent duplication of effort. 

Information Systems Controls: 

7.25: Auditors should obtain a sufficient understanding of information 
systems controls [Footnote 102] necessary to assess audit risk and plan 
the audit. This assessment can be done in conjunction with the 
auditors’ consideration of internal control as it relates to the 
specific objectives and scope of audit (see paragraphs 7.18 through 
7.24), or as a separate audit objective or audit procedure, depending 
on the nature of the audit. Depending on the significance of 
information systems controls to the audit objectives, the extent of 
audit procedures to obtain such an understanding may be limited or
extensive. In addition, the nature and extent of audit risk is impacted 
by the nature of the hardware and software used, the configuration of 
the entity’s systems and networks, the entity’s information systems 
strategy, and the significance of information systems controls to the 
audit objectives. 

7.26: Auditors should determine the extent of audit procedures related 
to information systems controls that are necessary to obtain 
sufficient, appropriate evidence to support the audit findings, 
conclusions, and recommendations. If auditors determine that it is
necessary to assess the effectiveness of information systems controls 
in order to obtain sufficient, appropriate evidence, then such 
information systems controls are significant to the audit. In making 
this determination, auditors consider the following: 

a. The extent to which internal controls that are significant to the 
audit are processed by information systems or are dependent on the 
reliability of information generated by information systems. As part of 
assessing the effectiveness of such controls, auditors also should 
assess the effectiveness of information systems controls that impact the
effectiveness of controls that are significant to the audit. 

b. The availability of other evidence to support the findings, 
conclusions, and recommendations. It may not be possible for auditors 
to obtain sufficient, appropriate evidence without assessing the 
effectiveness of relevant information systems controls. For example, if 
information supporting the findings, conclusions, and recommendations
is generated by information systems or its reliability is dependent on 
information systems controls there may not be sufficient supporting or 
corroborating information or documentary evidence that is available 
other than that produced by the information systems. 

c. The relationship of information systems controls to data reliability 
testing. To obtain evidence about the reliability of computer-generated 
information, auditors may elect to assess the effectiveness of 
information systems controls as part of testing the reliability
of the data. If information systems controls are determined to be 
effective, the extent of direct testing of supporting documentation may 
be reduced. 

d. Assessing the effectiveness of information systems controls as an 
audit objective. When assessing the effectiveness of information 
systems controls is directly a part of an audit objective, auditors 
should perform the testing of information systems controls necessary to 
achieve the audit objectives. For example, the audit may involve the
effectiveness of information systems controls related to certain 
systems, facilities, or organizations. 

7.27: If information systems controls are considered to be significant 
to the audit, auditors should assess the effectiveness of such 
significant controls, including other information systems controls that 
impact their effectiveness or the reliability of information used in 
performing the significant control. Generally, if information systems
controls are considered significant to the audit, the auditors’ 
assessment of the effectiveness of information systems controls will 
include both application controls and general controls, because 
weaknesses in general controls can result in unauthorized changes to 
applications and data that can circumvent or impair the effectiveness of
application controls. Application controls, sometimes referred to as 
business process controls, are those controls that help ensure the 
validity, completeness, accuracy, and confidentiality of transactions 
and data during application processing. Examples of application 
controls include controls over input, processing, output, master data,
application interfaces, and data management system interfaces. 
Information systems general controls are the policies and procedures 
that apply to all or a large segment of an entity’s information systems 
and help ensure their proper operation. Examples of general controls 
include security management, logical and physical access, configuration
management, segregation of duties, and contingency planning. Weaknesses 
in general controls can result in unauthorized changes to applications 
and data that can circumvent or impair the effectiveness of application 
controls. 

Legal and Regulatory Requirements, Contract Provisions, or Grant 
Agreements, Potential Fraud, or Abuse: 

7.28: In pursuing indications of possible fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse, 
auditors should avoid interfering with potential investigations and/or 
legal proceedings. In some circumstances, laws, regulations, or 
policies require auditors to report and/or refer indications of certain 
types of fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse to law enforcement or investigatory 
authorities before performing procedures. In cases where an 
investigation is initiated or in process, it may be appropriate for 
auditors to withdraw from or defer further work on the audit or a 
portion of the audit in order not to interfere with an investigation. 

Legal and Regulatory Requirements, Contracts, and Grants: 

7.29: Auditors should determine which laws, regulations, and provisions 
of contracts or grant agreements are significant within the context of 
the audit objectives and assess the risk that illegal acts or 
violations of provisions of contracts or grant agreements could occur. 
Based on that risk assessment, the auditors should design and perform
procedures to provide reasonable assurance of detecting instances of 
illegal acts or violations of provisions of contracts or grant 
agreements that are significant within the context of the audit 
objectives. 

7.30: The auditors’ assessment of risk may be affected by such factors 
as the complexity or newness of the laws, regulations, and provisions 
of contracts or grant agreements. The auditors’ assessment of risk also 
may be affected by whether the entity has controls that are effective 
in preventing or detecting violations of laws, regulations, and
provisions of contracts or grant agreements. If auditors obtain 
sufficient, appropriate evidence of the effectiveness of these 
controls, they can reduce the extent of their tests of compliance. 

Fraud: 

7.31: In planning the audit, auditors should assess risks of potential 
significant fraud [Footnote 103] within the context of the audit 
objectives. Auditors should discuss with management and the audit team 
potential fraud risks, including potential fraud factors such as
individuals’ incentives or pressures to commit fraud, the opportunity 
for fraud to occur, and rationalizations or attitudes that could allow 
individuals to commit fraud. Auditors gather and assess information 
necessary to identify potential fraud risks that are within the scope 
of the audit objectives or could affect the results of their audit. For 
example, auditors may obtain information through discussion with 
officials of the audited entity or through other means to determine the 
susceptibility of the program to potential fraud, the status of 
internal controls the entity has established to detect and prevent 
fraud, or the risk that officials of the audited entity could override 
internal control. An attitude of professional skepticism in assessing 
these risks will assist auditors in determining which factors or risks 
could significantly impact the audit objectives and/or the audit
procedures needed to answer the audit objectives if fraud has occurred 
or is likely to have occurred. 

7.32: When auditors identify factors or risks related to potential 
fraud that they believe are significant within the context of the audit 
objectives, they should design procedures to provide reasonable 
assurance of detecting potential fraud significant within the context 
of the audit objectives. Assessing the risk of potential fraud is an 
ongoing process throughout the audit and relates not only to planning 
the audit but also to evaluating evidence obtained during the audit. 

7.33: When information comes to the auditors’ attention (through audit 
procedures, allegations received through fraud hotlines, or other 
means) indicating that potential fraud may have occurred, auditors 
should determine whether the potential fraud is significant within the 
context of the audit objectives. If the potential fraud is significant
within the context of the audit objectives, auditors should extend the 
audit steps and procedures, as necessary, to (1) determine if fraud 
likely has occurred and (2) if so, determine its effect on the audit 
findings. If the potential fraud is not significant within the context 
of the audit objectives, the auditors should consider whether to conduct
additional audit work as a separate engagement, or refer the potential 
fraud to other parties with oversight responsibility or jurisdiction 
over such matters. 

Abuse: 

7.34: Abuse involves behavior that is deficient or improper when 
compared with behavior that a prudent person would consider reasonable 
and necessary business practice given the facts and circumstances. 
[Footnote 104] Abuse also includes misuse of authority or position for 
personal financial interests or those of an immediate or close family 
member or business partner. Abuse is distinct from fraud, illegal acts, 
or violations of provisions of contracts or grant agreements in that 
abuse does not necessarily involve violation of laws, regulations, or 
provisions of a contract or grant agreement. If during the course of
the audit, auditors become aware of indications of abuse that could be 
quantitatively or qualitatively significant to the program under audit, 
auditors should apply audit procedures specifically directed to 
ascertain whether significant abuse has occurred and the potential 
effect within the context of the audit objectives. Based on the facts 
and circumstances, auditors may find it helpful to identify specific 
risks or situations that are susceptible to abuse. In addition, 
auditors remain alert throughout the audit to situations that could be 
indicative of abuse. When information comes to the auditors’ attention
(through audit procedures, allegations received through a fraud 
hotline, or other means) indicating that significant abuse may have 
occurred, they should perform audit procedures, as necessary, to (1) 
determine whether the abuse occurred and, if so, (2) determine its 
potential effect on the audit findings. If the abuse is not significant 
within the context of the audit objectives, the auditors should 
consider whether to expand the scope of the current audit, conduct 
additional audit work as a separate engagement, or refer the potential 
abuse to other parties with oversight responsibility or jurisdiction
over such matters. Auditors assess both quantitative and qualitative 
factors in making judgments regarding the significance of possible 
abuse and whether they need to extend the audit steps and procedures. 
However, because of the subjectivity involved in determining abuse, 
auditors are not required to provide reasonable assurance of
detecting abuse. 

Previous Audits and Attestation Engagements: 

7.35: Auditors should determine whether the results of previous audits 
and attestation engagements that directly relate to the audit 
objectives have an impact on the current engagement, including whether 
recommendations have been implemented. Auditors should identify 
previous financial audits, attestation engagements, performance audits,
or other studies significant within the context of the audit objectives 
and ask management of the audited entity to identify corrective actions 
taken to address relevant findings, conclusions and recommendations. 

Identifying Audit Criteria: 

7.36: Auditors should identify audit criteria including the standards, 
measures, expectations of what should exist, best practices, and 
benchmarks against which performance is compared or evaluated. Criteria 
provide a context for evaluating evidence and understanding the 
findings, conclusions, and recommendations included in the report. 
Auditors should use criteria that are objective, measurable, complete, 
and relevant to the objectives of the performance audit. 

a. Objectivity – free from bias. 

b. Measurability – permit reasonably consistent assessments, 
qualitative [Footnote 105] or quantitative, of subject matter. 

c. Completeness – include relevant factors that could change a 
conclusion about the subject matter. 

d. Relevant – related to the subject matter. 

7.37: The following are some examples of possible criteria: 

a. purpose or goals prescribed by law or regulation or set by officials 
of the audited entity; 

b. policies and procedures established by officials of the audited 
entity; 

c. technically developed standards or norms; 

d. expert opinions; 

e. prior periods’ performance; 

f. performance of similar entities; 

g. performance in the private sector; or 

h. best practices of leading organizations. 

Identifying Sources of Audit Evidence and the Amount and Type of 
Evidence Required: 

7.38: Auditors should identify potential sources of information that 
could be used as audit evidence. Auditors should determine the amount 
and type of evidence required to obtain sufficient, appropriate 
evidence to meet the audit objectives and adequately plan audit work. 

7.39: If auditors believe that it is likely that sufficient, 
appropriate evidence will not be available, they should consider 
revising the audit objectives or modifying the scope and methodology 
and determine alternative procedures to meet the current audit 
objectives. Auditors should disclose in the audit report revisions made 
to the audit objectives due to the lack of sufficient, appropriate 
evidence. Auditors should also evaluate whether the lack of sufficient, 
appropriate evidence is due to internal control deficiencies or other
program weaknesses, and whether the lack of sufficient, appropriate 
evidence is the basis for audit findings. (See paragraphs 7.53 through 
7.69 for standards concerning evidence.) 

Considering Work of Others: 

7.40: Auditors should determine whether other auditors have conducted, 
or are conducting, audits of the program that could be relevant to the 
current audit objectives. The results of other auditors’ work may be 
useful sources of information for planning and performing the audit. If 
other auditors have identified areas that warrant further audit work or 
follow-up, their work may influence the auditors’ selection of 
performance audit objectives, scope, and methodology. 

7.41: If other auditors have completed audit work related to the 
objectives of the auditors’ current audit, the current auditors may 
wish to rely on the work of the other auditors to support findings, 
recommendations or conclusions for the current audit and thereby avoid 
duplication of audit efforts. If auditors rely on the work of other 
auditors, they should perform procedures regarding the specific work to 
be relied on that provide a sufficient basis for that reliance. 
Auditors should obtain evidence concerning the other auditors’ 
qualifications and independence and should determine whether the scope 
and quality of the audit work performed by the other auditors is 
adequate for reliance in the context of the current audit objectives. 
Auditors can accomplish this by reviewing the report, audit plan, or 
audit documentation, or by performing supplemental tests of the other 
auditors’ work. The nature and extent of evidence needed will depend on 
the significance of the other auditors’ work, on the extent to which 
the auditors will rely on that work, and whether auditors plan to refer 
to that work in their work. 

7.42: If the audit objectives necessitate the use of specialized 
techniques or methods that require skills or competence that the 
auditors do not possess, they may need to rely on the work of 
specialists. [Footnote 106] If auditors intend to rely on the work of 
specialists, they should obtain an understanding of the qualifications 
of the specialists. (See paragraph 3.05 for independence considerations 
when relying on the work of others.) Auditors consider the following in 
evaluating the professional qualifications of the specialist: 

a. the professional certification, license, or other recognition of the 
competence of the specialist in his or her field, as appropriate; 

b. the reputation and standing of the specialist in the views of peers 
and others familiar with the specialist’s capability or performance; and 

c. the specialist’s experience and published work in the subject 
matter. 

Assigning Staff and Other Resources: 

7.43: Audit management should assign sufficient staff and specialists 
with adequate collective professional competence to perform the audit. 
Staffing an audit includes, among other things: 

a. assigning staff and specialists with the appropriate collective 
knowledge, skills, and experience for the job; 

b. assigning an adequate number of staff and supervisors to the audit; 

c. providing for on-the-job training of staff; and 

d. engaging specialists when necessary. 

7.44: If planning to use the work of a specialist, auditors should 
determine and articulate the nature and scope of the work to be performed 
by the specialist, including: 

a. the objectives and scope of the specialist’s work; 

b. the intended use of the specialist’s work to support the audit 
objectives; 

c. documentation of the specialist’s procedures and findings so they 
can be evaluated and related to other planned audit procedures; 

d. the assumptions and methods used; and 

e. a comparison of how the methods and assumptions used compare with 
those used in prior, related work. 

Communicating with Management, Those Charged with Governance, and 
Others: 

7.45: Auditors should communicate information about the objectives, 
scope and methodology, and timing of the performance audit and planned 
reporting to the following individuals: 

a. the head of the audited entity; 

b. those charged with governance; [Footnote 107] 

c. the individual who possesses a sufficient level of authority and 
responsibility to implement corrective actions in the program or 
activity being audited; and 

d. the individuals contracting for or requesting audit services, such 
as contracting officials or legislative members or staff, if 
applicable. 

7.46: Auditors use professional judgment to determine the form, 
content, and frequency of the communication, although written 
communication is preferred. Auditors may use an engagement letter to 
communicate the information. If an audit is terminated before it is 
completed, auditors should write a memorandum for the audit 
documentation that summarizes the results of the work and explains the 
reasons why the audit was terminated. In addition, depending on the 
facts and circumstances, auditors should consider the need to 
communicate the reason for terminating the audit to those charged
with governance, management of the audited entity, the entity 
requesting the audit, and other appropriate officials, preferably in 
writing. 

Preparing the Audit Plan: 

7.47: Auditors must prepare a written audit plan for each audit. The 
form and content of the written audit plan will vary among audits but 
may include an audit strategy, audit program or project plan, a 
memorandum, design matrix or paper, or other appropriate documentation 
of key decisions about the audit objectives, scope, and methodology and
of the auditors’ basis for those decisions. Auditors should update the 
plan, as necessary, to reflect any significant changes to the plan made 
during the audit. 

7.48: A written audit plan provides an opportunity for the audit 
organization management to supervise audit planning and to determine 
whether: 

a. the proposed audit objectives are likely to result in a useful 
report; 

b. the audit plan adequately addresses relevant risks; 

c. the proposed audit scope and methodology are adequate to satisfy the 
audit objectives; 

d. available evidence is likely to be sufficient and appropriate for 
purposes of the audit; and 

e. sufficient staff with adequate collective professional competence 
and other resources are available to perform the audit and to meet 
expected time frames for completing the work. 

Supervision: 

7.49: Audit supervisors must properly supervise audit staff. 

7.50: Audit supervisors should provide sufficient guidance and 
supervision of staff assigned to the audit to accomplish the audit 
objectives and follow applicable standards. Audit supervisors should 
stay informed about significant problems encountered, review the work 
performed, and provide effective on-the-job training. 

7.51: Supervision involves clearly communicating to staff members so 
they understand what work they are to do, why the work is to be 
conducted, and what the work is expected to accomplish. With 
experienced staff, supervisors may outline the scope of the work and 
leave details to the staff. With less experienced staff, supervisors 
may have to specify audit procedures to be performed as well as 
techniques for gathering and analyzing data. 

7.52: The nature and extent of the review of audit work may vary 
depending on a number of factors, such as the size of the audit 
organization, the significance of the work, and the experience of the 
staff. 

Obtaining Sufficient, Appropriate Evidence: 

7.53: Auditors must obtain sufficient, appropriate evidence to provide 
a reasonable basis for their findings, conclusions, and 
recommendations. 

7.54: In assessing information, auditors should conclude whether the 
evidence taken as a whole is sufficient and appropriate for satisfying 
the audit objectives. As audit objectives may vary widely, the level of 
work necessary to assess sufficiency and appropriateness may likewise 
vary widely. For example, in establishing the appropriateness of 
evidence, auditors may test the reliability by obtaining supporting
information, using statistical testing or by obtaining corroborating 
evidence. Auditors consider the concepts of audit risk and significance 
in evaluating the audit evidence. 

7.55: Auditors use professional judgment in determining sufficiency and 
appropriateness of evidence. Auditors typically interpret, summarize, 
or analyze information in the process of determining its 
appropriateness and sufficiency and in reporting the results of
the work. When appropriate, auditors may use statistical methods to 
analyze and interpret information to assess its sufficiency and 
appropriateness. 

Appropriateness: 

7.56: Appropriateness is the measure of the quality of evidence, which 
encompasses its relevance, reliability, and validity in providing 
support for achieving audit objectives. [Footnote 108] In assessing the 
overall appropriateness of evidence, auditors consider the relevance, 
validity, and reliability of the evidence. 

a. Relevance refers to the extent to which the information has a 
logical relationship with, and importance to, the issue being 
addressed. 

b. Validity refers to how well the information actually represents what 
the auditors are trying to evaluate. 

c. Reliability refers to the consistency of results achieved and 
includes the concepts of being verifiable or supported. 

7.57: To assess the appropriateness of information, auditors consider 
the different types of information and the source of the information. 
Evidence may be obtained by observation, inquiry, or inspection. Each 
type of evidence [Footnote 109] has its own strengths and weaknesses. 
The following contrasts are useful in judging the appropriateness of 
information. In each contrast, the first item generally provides a 
higher quality of evidence. However, these contrasts are not to be 
considered adequate in themselves to determine appropriateness. The 
nature and types of evidence required to support auditors’ findings, 
conclusions, and recommendations are a matter of the auditors’ 
professional judgment based on the audit objectives. 

a. Evidence obtained when internal control is effective versus 
information obtained when internal control is weak or nonexistent. 

b. Information obtained through the auditors’ direct physical 
examination, observation, computation, and inspection versus 
information obtained indirectly. 

c. Examination of original documents versus copies. 

d. Testimonial information obtained under conditions where persons may 
speak freely versus information obtained where the persons may be 
intimidated given the circumstances. 

e. Testimonial information obtained from an individual who is not 
biased and has direct knowledge about the area versus testimonial 
information obtained from an individual who is biased or has indirect 
or partial knowledge about the area. 

f. Information obtained from a knowledgeable, credible, and unbiased 
third party versus from management or other officials of the audited 
entity. 

7.58: Testimonial evidence is often useful in interpreting or 
corroborating documentary or physical information. Auditors should 
evaluate the objectivity, credibility and reliability of the 
testimonial evidence. (See 7.57 d and e above.) Similarly, documentary
evidence is used to help verify, support or challenge testimonial 
information. 

7.59: Evidence from surveys is generally self-reported information that 
is frequently used to obtain information about existing conditions or 
programs. Auditors should evaluate the objectivity, credibility, and 
reliability of the self-reported information as well as the survey 
design and administration. 

7.60: When sampling is used, the method of selection that is most 
appropriate will depend on the audit objectives. For example, when a 
representative sample is appropriate, the use of statistical sampling 
approaches would result in stronger evidence than that obtained from 
non-statistical techniques. In cases where a representative sample is 
not appropriate, a targeted selection may be more effective if the 
auditors have isolated certain risk factors or other criteria used to 
target the selection. 

7.61: Auditors may use data gathered by officials of the audited entity 
as part of their evidence. Before auditors use this type of 
information, they should determine what the officials of the audited 
entity or other auditors did to provide assurance over the reliability 
of the information. If the procedures completed by officials of the 
audited entity were adequate to support using the information in 
relation to the audit objectives and if the results of such work are 
current, auditors may be able to use the work to reduce their audit 
procedures if, based on testing the work done by agency officials, the
data is sufficient and appropriate, in combination with other evidence. 

7.62: When computer-processed information is used to support findings, 
conclusions, and recommendations, auditors should perform procedures 
for assessing the appropriateness of the information. Auditors should 
assess the sufficiency and appropriateness of this type of data 
regardless of whether computer-processed information is provided to 
auditors or auditors independently extract it. The nature, timing and 
extent of audit procedures to assess sufficiency and appropriateness are
affected by the effectiveness of the entity’s internal controls over 
the information, including information system controls, and the 
significance of the information and the level of detail presented in 
the auditors’ findings, conclusions, and recommendations in light of 
the audit objectives. Audit procedures to evaluate the effectiveness of 
selected system controls include (1) gaining a detailed understanding 
of the system as it relates to the information and (2) identifying and 
evaluating the general controls and application controls that are 
critical to ensuring the reliability of the information required for the
audit. 

The nature and extent of audit procedures to evaluate the effectiveness 
of information system controls will vary based on the following: 

a. the extent to which the information systems controls are significant 
to the auditors’ overall assessment of appropriateness of information; 
and

b. the availability of other evidence to support the auditors’ 
findings, conclusions, and recommendations. 

Sufficiency: 

7.63: Sufficiency is a measure of the quantity of evidence used to 
support the findings, conclusions, and recommendations related to the 
audit objectives. Sufficiency is also dependent on the appropriateness 
of the evidence. In determining the sufficiency of evidence, auditors 
should determine whether enough evidence exists to support the 
findings, conclusions, and recommendations. 

7.64: The following presumptions are useful in judging the sufficiency 
of evidence. The sufficiency of evidence required to support the 
auditors’ findings, conclusions, and recommendations is a matter of the 
auditors’ professional judgment. 

a. The greater the audit risk, the greater the quantity of evidence 
required. 

b. Stronger evidence may allow less evidence to be used. The 
appropriateness test (see 7.56 through 7.62) is closely interrelated 
with decisions about sufficiency. 

c. Having a large volume of audit evidence does not compensate for a 
lack of relevance, validity and/or reliability. 

Overall Assessment of Evidence: 

7.65: Auditors use professional judgment to determine whether evidence 
is sufficient and appropriate and the nature and extent of testing 
necessary, in relation to the objectives of the audit. Professional 
judgments about the sufficiency and appropriateness of evidence are 
closely intertwined, as auditors interpret the results of audit testing 
and evaluate whether the nature and extent of the evidence obtained are
sufficient and appropriate given the audit objectives. Auditors perform 
an overall assessment of the collective evidence used to support 
findings, conclusions, or recommendations. This overall assessment also 
includes the results of any specific assessments conducted to conclude 
on the validity and reliability of specific evidence. 

7.66: Appropriateness and sufficiency of evidence are relative 
concepts, which may be thought of in terms of a continuum, rather than 
as absolutes. However, it may be helpful for auditors to consider the 
overall appropriateness and sufficiency in terms of (1) sufficient and 
appropriate, (2) not sufficient and appropriate, or (3) of undetermined 
sufficiency and appropriateness in relation to the audit objectives. 
Auditors consider sufficiency and appropriateness in the context of the 
findings, conclusions, and recommendations. For example, even though 
the auditors may have some uncertainty about the sufficiency or 
appropriateness of the evidence, the auditors may nonetheless determine 
that there is sufficient and appropriate evidence given the findings, 
conclusions, or recommendations. (See paragraphs 7.77 through 7.92 for 
documentation requirements.) 

a. Evidence is considered to be sufficient and appropriate when using 
the evidence provides the basis for an analysis that achieves the audit 
objectives and provides a reasonable basis for their findings, 
conclusions, or recommendations. 

b. Evidence is considered to be not sufficient and appropriate when (1) 
using the evidence carries an unacceptably high risk that it could lead 
to an incorrect or improper conclusion or (2) the information has 
significant or potentially significant limitations, given the 
objectives and intended use of the information. 

c. Evidence is considered to be of undetermined sufficiency and 
appropriateness when (1) the auditors do not have an adequate basis to 
conclude whether it achieves the audit objectives and provides a 
reasonable basis for the findings, conclusions, and recommendations or 
(2) the information has significant or potentially significant
limitations of unknown impact, given the objectives and the intended 
use. 

7.67: Auditors should assess the appropriateness and sufficiency of 
evidence, in the aggregate, to provide a reasonable basis for the 
findings, conclusions, and recommendations. When assessing the 
appropriateness and sufficiency of evidence, auditors should evaluate 
the expected significance within the context of the audit objectives 
and conclusions, available corroborating evidence, and the level of 
risk. The steps required to assess information may depend on the nature 
of the information, how the information is used in the audit, and the 
audit objectives. 

7.68: When the auditors’ tests disclose errors in the information, or 
when auditors use information of undetermined appropriateness, they 
should apply additional procedures, as appropriate. Such procedures 
include: 

a. seeking independent, corroborating evidence from other sources so 
that the evidence is sufficient and appropriate; 

b. clearly indicating in the report the limitations of the information, 
while refraining from using the information to make unwarranted 
findings, conclusions or recommendations, and considering whether to 
report the limitations of the information as an audit finding; or 

c. redefining the audit objectives or limiting the audit scope to 
eliminate the need to use the information and fully disclosing in the 
audit report revisions made to the audit objectives due to the lack of 
sufficient, appropriate evidence. 

7.69: How the use of information of undetermined sufficiency and 
appropriateness affects the auditors’ report depends on the 
significance of the information to the auditors’ findings, conclusions, 
or recommendations in light of the audit objectives. For example, 
auditors may use such information to provide background information. In
cases where auditors use information of undetermined sufficiency and 
appropriateness to support audit findings, conclusions, or 
recommendations, auditors should fully disclose the fact that such 
information is being used, assess the impact of using such information, 
and use professional judgment to determine whether and to what extent to
qualify the audit findings and conclusions. Auditors use professional 
judgment in determining the impact on the audit objectives and 
compliance with GAGAS. (See paragraphs 1.13 through 1.15.) 

Audit Findings: 

7.70: The elements needed for developing a finding depend on the 
objectives of the audit. A finding or set of findings is complete to 
the extent that the audit objectives are satisfied and the report 
clearly relates those objectives to the elements of a finding. Audit
findings often have been regarded as containing the elements of 
criteria, condition, cause, and effect. Criteria are discussed in 
paragraphs 7.36 through 7.37, and the other elements of a finding--
condition, effect, and cause--are discussed in the following
paragraphs: 

7.71: Condition: Condition is a situation that exists. The auditors 
determine and document condition during the audit. Generally, a 
description of the condition is necessary to convey the nature and 
extent of the finding to the reader. 

7.72: Effect or Potential Effect: The effect or potential effect 
identifies the outcomes or consequences of the condition. When the 
auditors’ objectives include identifying the actual or potential 
consequences of a condition that varies (either positively or
negatively) from the criteria identified in the audit, “effect” is a 
measure of those consequences. Auditors often use effect or potential 
effect to demonstrate the need for corrective action in response to 
identified problems or risks. When the auditors’ objectives include 
estimating the extent to which a program has caused changes in 
physical, social, or economic conditions, “effect” is a measure of the 
impact achieved by the program. In this case, effect is the extent to 
which positive or negative changes in actual physical, social, or 
economic conditions can be identified and attributed to program 
operations. 

7.73: Cause: The cause identifies the reason or explanation for the 
condition. When the auditors’ objectives include explaining why a 
particular type of positive or negative program performance, output, or 
outcome identified in the audit occurred, they are referred to as 
“cause.” Identifying the cause of problems can assist auditors in making
constructive recommendations for correction. Because problems can 
result from a number of plausible factors or multiple causes, the 
recommendation can be more persuasive if auditors can clearly 
demonstrate and explain with evidence and reasoning the link between 
the problems and the factor or factors they have identified as the 
cause. When the auditors’ objectives include estimating the program’s 
effect on changes in physical, social, or economic conditions, auditors 
seek evidence of the extent to which the program itself is the “cause” 
of those changes. Auditors may identify deficiencies in internal 
control that are significant to the subject matter of the performance 
audit as the cause of deficient performance. In reporting this type of 
finding, the deficiencies in internal control would be described as the 
“cause.” Often the causes of deficiencies in internal control are 
complex and involve multiple factors, including fundamental, systemic 
root causes. In some cases, it may not be practical or possible for 
auditors to fully develop or identify the causes of deficiencies. 
However, analyzing and identifying the root cause of deficiencies is key to 
making recommendations for corrective actions. 

Audit Documentation: 

7.74: The auditor must prepare audit documentation in connection with 
each engagement in sufficient detail to provide a clear understanding 
of the work performed (including the nature, timing, extent, and 
results of audit procedures performed), the audit evidence obtained and 
its source, and the conclusions reached. Audit documentation: 

a. provides the principal support for the statement in the auditors’ 
report that the auditors performed the audit in accordance with GAGAS 
and any other standards cited; and

b. provides the principal support for the auditors’ conclusions. 

7.75: Audit documentation is an essential element of audit quality. 
Although documentation alone does not guarantee audit quality, the 
process of preparing sufficient and appropriate documentation 
contributes to the quality of an audit. 

7.76: The auditor should prepare audit documentation that enables an 
experienced auditor, [Footnote 110] having no previous connection to 
the audit, to understand: 

a. the nature, timing, and extent of auditing procedures performed to 
comply with GAGAS and other applicable legal and regulatory 
requirements; 

b. the results of the audit procedures performed and the audit evidence 
obtained; 

c. how the audit evidence supports the audit findings and conclusions; 
and

d. the conclusions reached on significant matters. 

7.77: In addition to the audit documentation requirements listed in the 
previous paragraph, auditors should document the following for 
performance audits: 

a. the planning, objectives, scope, and methodology of the audit, 
including sampling and other selection criteria used; 

b. the auditors’ risk assessment; 

c. the auditors’ determination that certain standards did not apply or 
that an applicable standard was not followed, the reasons supporting 
their determinations, and the known effect that not following the 
applicable standard had, or could have had, on the audit; 

d. the work performed to support significant judgments, findings, 
conclusions and recommendations, including descriptions of transactions 
and records examined; [Footnote 111] 

e. evidence of supervisory reviews, before the audit report is issued, 
of the work performed that supports findings, conclusions, and 
recommendations contained in the audit report; 

f. work performed as part of the appropriateness assessment, including 
the following items, as applicable: testing, information review, 
analysis, and knowledge gained related to the quality of the 
information; 

g. decisions made during the overall assessment of evidence, including 
the auditors’ final assessment of whether the information is sufficient 
and appropriate for the purposes of the audit; 

h. communications with management and others; 

i. evidence of communications about deficiencies in internal control 
found during the audit; 

j. evidence of communications to officials of the audited entity about 
instances of potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse; 

k. the availability of the report for public inspection; and

l. if the audit does not result in a report, a memorandum for the 
record that summarizes the results of the work and explains the reason 
the audit was terminated, and any communications regarding the 
termination of the audit. 

7.78: Certain matters, such as auditor independence and staff training, 
that are not engagement specific, may be documented either centrally in 
the audit organization or in the documentation for the audit. 
Documentation of matters specific to a particular audit is included in 
the audit documentation file for the specific audit. 

7.79: The form, content, and extent of audit documentation depend on the
circumstances of the engagement and the audit methodology and tools 
used. Oral explanations on their own do not represent sufficient 
support for the work the auditor performed or conclusions the auditor 
reached but may be used by the auditor to clarify or explain 
information contained in the audit documentation. It is, however, 
neither necessary nor practicable to document every matter the auditor 
deals with during the audit. 

7.80: The auditor should document significant findings or issues, 
actions taken to address them (including any additional evidence 
obtained), and the basis for the final conclusions reached. Judging the 
significance of a finding or issue requires an objective analysis of 
the facts and circumstances. 

7.81: The auditor should document discussions of significant findings 
or issues with management and others, including the significant 
findings or issues discussed, and when and with whom the discussions 
took place. 

7.82: If the auditor has identified information that contradicts or is 
inconsistent with the auditor’s final conclusions regarding a 
significant finding or issue, the auditor should document how the 
contradiction or inconsistency was addressed in forming the
conclusion. 

7.83: In documenting the nature, timing, and extent of audit procedures 
performed, the auditor should record: 

a. who performed the audit work and the date such work was completed; 
and

b. who reviewed specific audit documentation and the date of such 
review. 

7.84: When documenting procedures performed, such as tests of specific 
transactions that involve inspection of documents, auditors should 
include the identifying characteristics of the specific items tested. 

7.85: When the auditor does not comply with applicable unconditional or 
presumptively mandatory GAGAS requirements, the auditor should document 
the justification or reason for the departure, the impact of the 
departure, and whether alternative procedures performed in the 
circumstances were sufficient to achieve the objectives of the
requirement. The auditor should also follow the requirements in 
paragraphs 1.13 through 1.15. 

7.86: Underlying GAGAS audits is the premise that federal, state, and 
local government audit organizations and independent accounting firms 
engaged to perform performance audits in accordance with GAGAS 
cooperate in auditing programs of common interest so that the auditors 
may use others’ work and avoid duplication of effort. Auditors should
make appropriate audit staff and individuals, as well as audit 
documentation available, upon request, in a timely manner to other 
auditors or reviewers. It is also essential that contractual 
arrangements for GAGAS audits provide for full and timely access to 
audit staff and individuals, as well as audit documentation to 
facilitate reliance by other auditors or reviewers on the auditors’ 
work. 

7.87: Consistent with applicable laws and regulations, audit 
organizations should develop clearly defined policies and criteria to 
deal with situations where requests are made by outside parties to 
obtain access to audit documentation. Audit organizations should 
develop clearly defined policies and criteria for responding to 
requests made by outside parties to obtain indirectly through the 
auditor information that they are unable to obtain directly from the 
audited entity, and for responding to requests for access to audit 
documentation before the audit is complete. The audit organization
should also include flexibility in its policies and procedures to 
consider the individual facts and circumstances surrounding a request, 
for instance, cases when granting access or providing certain 
information would serve to adversely affect the ability of the audit
organization to successfully perform similar audits in the future. 

7.88: The audit organization should adopt reasonable procedures to 
retain and access audit documentation for a period of time sufficient 
to meet the needs of the audit organization and to satisfy any 
applicable legal or regulatory requirements for records retention. 

7.89: The auditor should complete the assembly of the final audit file 
on a timely basis, following the report release date (documentation 
completion date). Statutes, regulations, or the audit organization’s 
quality control policies may state a specific time in which the 
assembly process should be completed. 

7.90: At any time prior to the documentation completion date, the 
auditor may make changes to the audit documentation to: 

a. complete the documentation and assembly of audit evidence that the 
auditor has obtained, discussed, and agreed with relevant members of 
the audit team prior to the date of the audit report; 

b. perform routine file-assembling procedures such as deleting or 
discarding superseded documentation and sorting, collating, and cross-
referencing final audit documentation; 

c. sign off on file completion checklists prior to completing and 
archiving the audit file; and

d. add information received after the date of the report, for example, 
an original document that was previously faxed. 

7.91: After the documentation completion date, the auditors should not 
delete or discard audit documentation before the end of the specified 
retention period, as discussed above in paragraph 7.88. When the 
auditor finds it necessary to make an addition (including amendments) 
to audit documentation after the documentation completion date, the
auditor should document the addition by including the following in the 
documentation: 

a. when and by whom such additions were made and, where applicable, 
reviewed; 

b. an audit trail that clearly shows the specific changes; 

c. the specific reasons for the changes; and

d. the effect, if any, of the changes on the auditors’ conclusions. 

7.92: Whether audit documentation is in paper, electronic, or other 
media, the integrity, accessibility, and retrievability of the 
underlying data may be compromised if the documentation could be 
altered, added to, or deleted without the auditors’ knowledge, or if 
the documentation could be permanently lost or damaged. Accordingly, 
auditors should apply appropriate controls to protect audit 
documentation from alteration, destruction, and unauthorized access. 

[End of chapter] 

Chapter 8: Reporting Standards for Performance Audits: 

Introduction: 

8.01: This chapter establishes reporting standards and provides 
guidance applicable to performance audits conducted in accordance with 
generally accepted government auditing standards (GAGAS). The reporting 
standards for performance audits relate to the form of the report, the 
report contents, and report issuance and distribution. 

8.02: See paragraphs 1.16 through 1.17 and 1.20 for a discussion about 
the use of GAGAS with other standards. 

Reporting: 

8.03: Auditors must prepare audit reports communicating the results of 
each audit. 

8.04: Auditors should utilize a form of the audit report that is 
appropriate for its intended use, and should prepare reports in writing 
or in some other retrievable form. For example, audit reports also may 
be presented on electronic media that are retrievable by report users 
and the audit organization, such as video or compact disc formats. The
users’ needs, likely demand, and distribution will influence the form 
of the audit report used. In addition to a more traditional 
presentation of audit results, such as a chapter report or a letter 
report, briefing slides and/or other presentation materials that are
complete and retrievable are considered to be audit reports. Regardless 
of form, auditors should comply with all applicable reporting 
standards. 

8.05: The purpose of audit reports is to (1) communicate the results of 
audits to those charged with governance, the appropriate officials of 
the audited entity, and the appropriate oversight officials, (2) make 
the results available to the public, and (3) facilitate follow-up to 
determine whether appropriate corrective actions have been taken. The 
need to maintain public accountability for government programs demands
that audit reports be retrievable. 

8.06: If an audit is terminated before it is completed, auditors should 
notify those charged with governance, appropriate officials of the 
audited entity, and the entity requesting the audit, and other 
appropriate officials about the termination of the audit, preferably in 
writing. 

Report Contents: 

8.07: Auditors should prepare audit reports which include (1) the 
objectives, scope, and methodology of the audit; (2) the audit results, 
including findings, conclusions, and recommendations, as appropriate; 
(3) a reference to compliance with generally accepted government 
auditing standards; (4) the views of responsible officials; and (5) if
applicable, the nature of any privileged and confidential information 
omitted. 

Objectives, Scope, and Methodology: 

8.08: Auditors should include in the report a description of the audit 
objectives and the scope and methodology used for achieving the audit 
objectives. This information is essential for report users to 
understand the purpose of the audit and the nature and extent of the 
audit work performed, context and perspective as to what is reported, 
and any significant limitations in audit objectives, scope, or 
methodology. 

8.09: Audit objectives for performance audits may vary widely and may 
encompass a variety of objectives, as discussed in 1.34. Auditors 
should communicate audit objectives in the audit report in a clear, 
specific, neutral and unbiased manner that includes relevant 
assumptions, including why the audit organization undertook the 
assignment and state what the report is expected to accomplish. The 
reported audit objectives provide more meaningful information to report 
users if they are measurable and feasible and are not presented in a 
broad or general manner. To reduce misunderstanding in cases where the 
objectives are particularly limited and broader objectives can be
inferred, auditors may state objectives that were not part of the 
audit. 

8.10: Auditors should clearly describe the scope of the work performed 
and any limitations; any applicable standards that were not followed, 
the reasons for not following the applicable standards, and how not 
following the applicable standards affected or could affect the results 
of the work. For example, if the auditors are unable to determine the 
appropriateness of evidence, and such evidence is critical to achieving 
the audit objectives, auditors should clearly state in the report the 
limitations associated with the evidence and refrain from making 
unwarranted findings, conclusions or recommendations. Auditors should 
address issues that a reasonable person would need to know to 
reasonably interpret the findings, conclusions and recommendations in 
the report and not be misled. 

8.11: To report the methodology used, auditors should clearly explain 
the audit work completed to address the audit objectives, including the 
evidence gathering and analysis techniques used, in sufficient detail 
to allow knowledgeable users of their reports to understand how the 
auditors addressed the audit objectives. In situations when extensive 
and/or multiple sources of information are used by auditors, the 
auditors should consider whether to include a description of the 
procedures performed as part of the auditors’ assessment of the 
appropriateness of information used as audit evidence. Auditors should 
identify any significant assumptions made in conducting the audit;
describe any comparative techniques applied; describe the criteria 
used; and, when sampling significantly supports auditors’ findings, 
conclusions or recommendations, describe the sample design and state 
why it was chosen, including whether the results can be projected to 
the intended population. 

8.12: In describing the work conducted to accomplish the audit’s 
objectives, auditors should, as applicable, explain the relationship 
between the population of items sampled and what was audited; identify 
organizations, geographic locations, and the period covered; report the 
kinds and sources of evidence; and explain any significant limitations
or uncertainties based on the auditors’ overall assessment of the 
sufficiency and appropriateness of the evidence in the aggregate. 
Auditors should also report any significant constraints imposed on the 
audit approach by information limitations or scope impairments, 
including demands of access to certain records or individuals. 

8.13: How the use of information of undetermined sufficiency and 
appropriateness affects the auditors’ report depends on the 
significance of the information to the auditors’ findings, conclusions, 
or recommendations in light of the audit objectives. For example, 
auditors may use such information to provide background information. In
cases where auditors use information of undetermined sufficiency and 
appropriateness to support audit findings, conclusions, or 
recommendations, auditors should fully disclose the fact that such 
information is being used, assess the impact of using such
information, and use professional judgment to determine whether and to 
what extent to qualify the audit findings and conclusions. If the use 
of such information is significant to the auditors’ findings and 
conclusions, auditors should determine the impact on the audit
objectives and compliance with GAGAS. (See paragraphs 1.13 through 
1.15.) 

Findings: 

8.14: In the audit report, auditors should present sufficient, 
appropriate evidence to support the findings, conclusions and 
recommendations in relation to the audit objectives. Auditors should 
present findings in a manner to promote adequate understanding of the 
matters reported and to provide convincing but fair presentations
in proper perspective that are compelling. Auditors consider the 
significance of evidence as they develop the report findings, 
conclusions and recommendations. In making judgments about 
significance, auditors consider whether the judgment of a reasonable
person relying on the auditors’ report would have been changed or 
influenced if the matter had been disclosed in the audit report. This 
includes the probability that the matter would change or influence the 
decisions of intended users of the auditors’ report; or, as another 
example, where the context is a judgment about whether to report a
matter to those charged with governance, whether the matter would be 
regarded as important by those charged with governance in carrying out 
their duties. Auditors may provide selective background information to 
provide the context for the overall message and to help the reader 
understand the findings and significance of the issues discussed. 
[Footnote 112] 

8.15: If information necessary to achieve the audit objectives is not 
available or is determined to be not appropriate, auditors may report 
the issue as a finding and make related recommendations, if such 
information is significant to the performance of the program being 
audited. If the limitations of the information are partially or wholly a
result of internal control deficiencies, auditors should recommend 
actions necessary to address the deficiencies. 

8.16: As discussed in chapter 7, audit findings have often been 
regarded as containing the elements of criteria, condition, cause, and 
effect. (See 7.36 through 7.37 and 7.70 through 7.73). However, the 
elements needed for a finding depend on the audit objectives. For 
example, an audit objective may be limited to determining the current
status or condition of implementing legislative requirements, and not 
the related cause or effect. Thus, a finding or set of findings is 
complete to the extent that the auditors achieve the audit objectives 
and the report clearly relates those objectives to the elements of the 
finding. 

8.17: To the extent necessary to achieve the audit objectives, in 
presenting findings, auditors should develop the elements of criteria, 
condition, cause, and effect to assist management or oversight 
officials of the audited entity in understanding the need for taking 
corrective action. In addition, if auditors are able to sufficiently 
develop the elements of a finding, they should provide recommendations 
for corrective action if they are significant within the context of the 
audit objectives. Following is guidance for reporting on elements of 
findings: 

a. Criteria: The required or desired state and/or what is expected from 
the program or operation. The criteria are easier to understand when 
stated objectively, explicitly, and completely and when the source of 
the criteria is identified in the audit report. [Footnote 113] 

b. Condition: What the auditors found regarding the actual situation. 
Reporting the scope or extent of the condition allows the report user 
to gain an accurate perspective. 

c. Cause: Evidence on the factor or factors responsible for the 
difference between condition and criteria. In reporting the cause, 
auditors may consider whether the evidence provides a reasonable and 
convincing argument for why the stated cause is the key factor or 
factors contributing to the difference as opposed to other possible 
causes, such as poorly designed criteria or factors uncontrollable by 
program management. The auditors also may consider whether the 
identified cause could serve as a basis for the recommendations. Often 
the causes of deficiencies in internal control are complex and involve 
multiple factors. In some cases, it may not be practical for auditors 
to fully develop or identify all of the causes of deficiencies. 
However, analyzing and identifying root causes of internal control 
deficiencies are key to making recommendations for corrective action. 

d. Effect or potential effect: A clear, logical link to establish the 
impact or potential impact of the difference between what the auditors 
found (condition) and the required or desired state (criteria). Effect 
is easier to understand when it is stated clearly, concisely, and, if 
possible, in quantifiable terms. The significance of the reported 
effect can be demonstrated through credible evidence. 

8.18: Auditors should place their findings in perspective by describing 
the nature and extent of the issues being reported and the extent of 
the work performed that resulted in the finding. To give the reader a 
basis for judging the prevalence and consequences of these findings, 
auditors may relate the instances identified to the population or the
number of cases examined and quantify the results in terms of dollar 
value, as appropriate. If the results cannot be projected, auditors 
should limit their conclusions appropriately. 

8.19: Auditors should report deficiencies [Footnote 114] in internal 
control that are significant within the context of the objectives of 
the performance audit, all instances of potential fraud and illegal 
acts unless they are clearly inconsequential, [Footnote 115] 
significant violations of provisions of contracts or grant agreements, 
and significant abuse. 

Reporting Deficiencies in Internal Control: 

8.20: Auditors should include in the audit report (1) the scope of 
their work on internal control and (2) deficiencies in internal control 
that are significant within the context of the audit objectives. When 
auditors detect deficiencies in internal control that are not
significant to the objectives of the performance audit, they should 
communicate those deficiencies in a separate letter to officials of the 
audited entity unless the deficiencies are clearly inconsequential 
considering both qualitative and quantitative factors. If the auditors 
have communicated deficiencies to officials of the audited entity 
during the course of the audit, they should refer to that communication 
in the audit report. Whether or how to communicate deficiencies that 
are clearly inconsequential to officials of the audited entity is a 
matter of the auditors’ professional judgment. 

8.21: In a performance audit, auditors may conclude that identified 
deficiencies in internal control that are significant within the 
context of the audit objectives are the cause of the deficient 
performance. In reporting this type of finding, the internal control
deficiency would be described as the cause. 

Reporting Potential Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, or Abuse: 

8.22: When auditors conclude, based on evidence obtained, that 
potential fraud, illegal acts, significant violations of provisions of 
contracts or grant agreements, or significant abuse either has occurred 
or may have occurred, they should report the matter as a finding. 
[Footnote 116] 

8.23: When reporting instances of potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse, 
auditors should place the findings in perspective by describing the 
extent of work performed that resulted in the finding. To give the 
reader a basis for judging the prevalence and consequences of these 
findings, the auditors may relate the instances identified to the 
population or the number of cases examined and quantify the instances 
in terms of dollar value, as appropriate. If the results cannot be 
projected, auditors should limit their conclusions appropriately. 

8.24: When auditors detect potential violations of provisions of 
contracts or grant agreements, or abuse that is not significant, they 
should communicate those findings in a separate letter to officials of 
the audited entity unless the findings are clearly inconsequential, 
considering both qualitative and quantitative factors. Auditors should 
refer to that letter in the audit report. Whether or how to communicate 
potential fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse that are clearly inconsequential to 
officials of the audited entity is a matter of the auditors’ 
professional judgment. Auditors should include in their audit 
documentation evidence of communications to officials of the audited 
entity about deficiencies in potential fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse. 

8.25: When auditors conclude that potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
either have occurred or are likely to have occurred, they may consult 
with authorities and/or legal counsel about whether publicly reporting 
certain information about the potential fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse would 
compromise investigative or legal proceedings. Auditors should limit 
their public reporting to matters that would not compromise those 
proceedings, such as information that is already a part of the public
record. 

Direct Reporting of Potential Fraud, Illegal Acts, Violations of 
Provisions of Contracts or Grant Agreements, or Abuse: 

8.26: Auditors should report potential fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse directly to 
parties outside the audited entity in two circumstances, as discussed 
below. [Footnote 117] This reporting is in addition to any legal
requirements for direct reporting of potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse. 
Auditors should follow these requirements even if they have resigned or 
been dismissed from the audit prior to its completion. 

8.27: The audited entity may be required by law or regulation to report 
certain potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse to specified external parties, 
such as a federal inspector general or a state attorney general.
When auditors have communicated such potential fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse to 
the audited entity and the audited entity fails to report them, then 
the auditors should communicate such an awareness to the governing body 
of the audited entity. When the audited entity does not make the 
required report as soon as possible after the auditors’ communication 
with those charged with governance, then the auditors should report 
such potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse directly to the external party 
specified in the law or regulation. 

8.28: When potential fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse involves awards received 
directly or indirectly from a government agency, auditors may have a 
duty to report directly if management fails to take remedial steps. 
When auditors conclude that such failure is likely to cause them to 
report such findings or resign from the audit, they should communicate 
that conclusion to those charged with governance of the audited entity. 
If the audited entity does not report the potential fraud, illegal act, 
violation of provisions of contracts or grant agreements, or abuse in a 
timely manner to the entity that provided the government assistance, the
auditors should report the potential fraud, illegal act, violation of 
provisions of contracts or grant agreements, or abuse directly to that 
entity. 

8.29: Auditors should obtain sufficient, appropriate evidence to 
corroborate assertions by management that it has reported potential 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, or abuse. When auditors are unable to do so, then they 
should report such potential fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse directly as 
discussed above. 

Conclusions: 

8.30: Auditors should report conclusions related to the audit 
objectives and the audit findings and recommendations. Report 
conclusions are logical inferences about the program based on the 
auditors’ findings, not merely a summary of the findings. The
strength of the auditors’ conclusions depends on the sufficiency and 
appropriateness of the evidence supporting the findings and the 
soundness of the logic used to formulate the conclusions. Conclusions 
are stronger if they lead to the auditors’ recommendations and convince 
the knowledgeable user of the report that action is necessary. 

Recommendations: 

8.31: Auditors should recommend actions to correct problems identified 
during the audit and to improve programs and operations when the 
potential for improvement in programs, operations, and performance is 
substantiated by the reported findings and conclusions. Auditors should 
make recommendations that logically flow from the findings and 
conclusions that clearly state the recommended actions. 

8.32: Constructive recommendations can encourage improvements in the 
conduct of government programs and operations. For recommendations to 
be most constructive, auditors should make recommendations that are 
directed at resolving the cause of identified problems, action oriented 
and specific, and addressed to parties that have the authority to act. 

Statement on Compliance with GAGAS: 

8.33: When auditors comply with all applicable GAGAS standards, they 
should include a statement in the audit report that they performed the 
audit in accordance with GAGAS and include the following language in 
the report: 

We conducted this performance audit in accordance with Generally 
Accepted Government Auditing Standards. Those standards require that we 
plan and perform the audit to obtain sufficient, appropriate evidence 
that provides a reasonable basis for our findings and conclusions based 
on our audit objectives. We believe that the evidence obtained provides 
a reasonable basis for our findings and conclusions based on our audit
objectives. 

8.34: The statement of compliance with GAGAS indicates that the 
auditors have complied with all applicable GAGAS general and auditing 
standards. When the auditors did not follow applicable standards, or 
were not able to follow applicable standards due to access problems or 
other scope limitations, they should follow the requirements in
paragraphs 1.13 through 1.15. 

Reporting Views of Responsible Officials: 

8.35: Auditors should obtain and report the views of responsible 
officials [Footnote 118] of the audited program concerning auditors’ 
findings, conclusions, and recommendations, and planned corrective 
actions. Auditors should also include an evaluation of those views in 
the report. 

8.36: One of the most effective ways to develop a report that is fair, 
complete, and objective is to provide a draft report for review and 
comment by responsible officials of the audited entity and others, as 
appropriate. Including the views of responsible officials results in a 
report that presents not only the auditors’ findings, conclusions, and
recommendations, but also the perspectives of the responsible officials 
of the audited entity and the corrective actions they plan to take. 
Auditors should include in their report a copy of the officials’ 
written comments or a summary of the comments received along with the 
auditors’ evaluation of the comments. In cases when the audited entity 
provides technical comments in addition to its written comments on the 
report, auditors should use professional judgment in determining 
whether to include such comments or disclose in the report that such 
comments were provided. 

8.37: Auditors ordinarily request that the responsible officials submit 
in writing their views on the auditors’ reported findings, conclusions, 
and recommendations, as well as management’s planned corrective 
actions. However, oral comments are acceptable and, in some cases, may 
be the most expeditious way to obtain comments. Obtaining oral comments 
can be effective when, for example, there is a time-critical reporting 
date to meet a user’s needs; auditors have worked closely with the 
responsible officials throughout the conduct of the work and the 
parties are familiar with the findings and issues addressed in the 
draft report; or the auditors do not expect major disagreements with 
the draft report’s findings, conclusions, and recommendations, or 
perceive any major controversies with regard to the issues discussed in 
the draft report. If oral comments are provided by the responsible 
officials, auditors should prepare a summary of the oral comments and 
provide a copy of the summary to the responsible officials to verify 
that the comments are accurately stated prior to finalizing the report.

8.38: Auditors should fairly and objectively evaluate and recognize 
comments, as appropriate, in the final report. Auditors may note 
comments, such as a plan for corrective action, but should not accept 
them as justification for dropping a finding or a related 
recommendation without sufficient and appropriate evidence. 

8.39: When the audited entity’s comments are inconsistent or in 
conflict with the report’s findings, conclusions, or recommendations 
and are not, in the auditors’ opinion, valid, or when planned 
corrective actions do not adequately address the auditors’ 
recommendations, the auditors should evaluate the validity of the 
audited entity’s comments. If the auditors disagree with the comments, 
they should state in the report their reasons for disagreeing with the 
comments or planned corrective actions. Conversely, the auditors should 
modify their report as necessary if they find the officials’ comments 
to be valid. 

8.40: If the audited entity refuses to provide comments or is unable to 
provide comments within a reasonable period of time, auditors may need 
to issue the report without receiving comments from the audited entity. 
In such cases, auditors should describe in the report the reasons that 
comments from the audited entity are not included. 

Reporting Privileged and Confidential Information: 

8.41: If information related to the audit objectives is prohibited from 
general disclosure, auditors should disclose in the report that certain 
information has been omitted and the requirement that makes the 
omission necessary. 

8.42: Certain information may be classified or may be otherwise 
prohibited from general disclosure by federal, state, or local laws or 
regulations. In such circumstances, auditors may issue a separate, 
classified or limited-official-use report containing such information 
and distribute the report only to persons authorized by law or 
regulation to receive it. Additional circumstances associated with 
public safety and security concerns could also justify the exclusion of 
certain information in the report. For example, detailed information 
related to computer security for a particular program may be excluded 
from publicly available reports because of the potential damage that 
could be caused by the misuse of this information. In such 
circumstances, auditors may issue a limited-official-use report 
containing such information and distribute the report only to those 
parties responsible for acting on the auditors’ recommendations. The 
auditors may consult with legal counsel regarding any requirements or 
other circumstances that may necessitate the omission of certain 
information. 

8.43: Auditors consider the broader public interest in the program or 
activity under review when deciding whether to exclude certain 
information from publicly available reports. When circumstances call 
for omission of certain information, auditors should evaluate whether 
this omission could distort the audit results or conceal improper or
unlawful practices. 

Report Issuance and Distribution: 

8.44: Government auditors should submit audit reports to those charged 
with governance, to the appropriate officials of the audited entity and 
to the appropriate officials of the organizations requiring or 
arranging for the audits, including external funding organizations, 
such as legislative bodies, unless legal restrictions prevent it. 
Auditors should also send copies of the reports to other officials who 
have legal oversight authority or who may be responsible for acting on 
audit findings and recommendations, and to others authorized to receive 
such reports. Auditors should clarify whether the report will be made 
available for public distribution. 

8.45: If the subject of the audit involves material that is classified 
for security purposes or is not releasable to particular parties or the 
public for other valid reasons, auditors may limit the report 
distribution. [Footnote 119] Auditors should document any limitation on 
report distribution. 

8.46: When nongovernment auditors are engaged to perform the audit 
under GAGAS, they should clarify report distribution responsibilities 
with the engaging organization. If the nongovernment auditors are to 
make the distribution, they should reach agreement with the party 
contracting for the audit about which officials or organizations should
receive the report and the steps being taken to make the report 
available to the public. 

8.47: Internal auditors may follow the IIA standards for report 
distribution, which state internal auditors also follow any applicable 
statutory requirements for distribution. The head of the internal audit 
organization should disseminate results to the appropriate parties. The 
head of the internal audit organization is responsible for 
communicating the final results to parties who are in a position to 
take appropriate corrective actions. Distribution of reports outside 
the organization ordinarily is made only in accordance with applicable 
laws, rules, regulations, or policy. 

[End of chapter] 

Appendix: 

Introduction: 

A.01: The following sections provide supplemental guidance for auditors 
and the audited entities to assist in the implementation of GAGAS. The 
guidance is not intended to establish additional auditor requirements 
but instead is to facilitate auditor implementation of the standards 
contained in chapters 1 through 8. The supplemental guidance in the 
first section may be of assistance for all types of audits and 
engagements covered by GAGAS. Subsequent sections provide supplemental 
guidance for specific chapters of GAGAS, as indicated. 

Overall Supplemental Guidance: 

A.02: Chapters 4 through 8 discuss the field work and reporting 
standards for financial audits, attestation engagements, and 
performance audits. The identification of significant deficiencies in 
internal control, significant abuse, fraud risks, and significant laws, 
regulations, or provisions of contract or grant agreements are 
important aspects of government auditing. The following discussion is 
provided to assist auditors with identifying significant deficiencies 
in internal control, abuse, and indicators of fraud risk and to assist 
auditors with determining whether laws, regulations, or provisions of
contracts or grant agreements are significant to the audit objectives. 

Examples of Significant Deficiencies in Internal Control: 

A.03: Auditor requirements for reporting significant deficiencies in 
internal control are discussed in paragraphs 5.13 through 5.18, 6.49 
through 6.53, and 8.20 through 8.21. The following are examples of 
matters that may be significant deficiencies, including material 
weaknesses, depending on the facts and circumstances: 

a. Ineffective oversight by those charged with governance of the 
entity’s financial reporting, performance reporting, or internal 
control, or an ineffective overall governance structure. 

b. Restatement of previously issued financial statements to reflect the 
correction of a material misstatement or significant corrections made 
to previously reported performance or operational results. 

c. Identification by the auditor of a material misstatement in the 
financial statements for the period under audit that was not initially 
identified by the entity’s internal control. This includes 
misstatements involving estimation and judgment for which the auditor
identifies potential material adjustments and corrections of the 
recorded amounts. (This is a strong indicator of a material weakness 
even if management subsequently corrects the misstatement.) 

d. An ineffective internal audit function or risk assessment function 
at an entity for which such functions are important to the monitoring 
or risk assessment component of internal control, such as for a very 
large or highly complex entity. 

e. Identification of fraud of any magnitude on the part of senior 
management. 

f. Failure by management or those charged with governance to assess the 
effect of a significant deficiency previously communicated to them and 
either correct it or conclude that it will not be corrected. 

g. An ineffective control environment. Control deficiencies in various 
other components of internal control could lead the auditor to conclude 
that a significant deficiency or material weakness exists in the 
control environment. 

h. Inadequate provisions for the safeguarding of assets. 

i. Evidence of intentional override of internal control by those in 
authority to the detriment of the overall objectives of the system. 

j. Deficiencies in the design or operation of internal control that 
could result in violations of laws, regulations, provisions of 
contracts or grant agreements; fraud; or abuse having a direct and 
material effect on the financial statements or the audit objective. 

Examples of Abuse: 

A.04: [Placeholder for discussion of examples of abuse.] 

Examples of Indicators of Fraud Risk: 

A.05: In some circumstances, conditions such as the following might 
indicate a heightened risk of fraud: 

a. the entity’s financial stability, viability, or budget is threatened 
by economic, programmatic, or entity operating conditions; 

b. the nature of the audited entity’s operations provides opportunities 
to engage in fraud; 

c. inadequate monitoring by management for compliance with policies, 
laws, and regulations; 

d. the organizational structure is unstable or unnecessarily complex; 

e. lack of communication and/or support for ethical standards by 
management; 

f. management has a willingness to accept unusually high levels of risk 
in making significant decisions; 

g. a history of impropriety, such as previous issues with fraud, waste, 
abuse, or questionable practices, or past audits or investigations with 
findings of questionable or criminal activity; 

h. operating policies and procedures have not been developed or are 
outdated; 

i. key documentation is often lacking or does not exist; 

j. lack of asset accountability or safeguarding procedures; 

k. improper payments; 

l. false or misleading information; or 

m. a pattern of large procurements in any budget line with remaining 
funds at year end, in order to “use up all of the funds available.” 

Determining Whether Laws, Regulations, or Provisions of Contracts or 
Grant Agreements Are Significant to Audit Objectives: 

A.06: Government programs are subject to many laws, regulations, and 
provisions of contracts or grant agreements. At the same time, their 
significance to audit objectives varies widely, depending on the 
objectives of the audit. Auditors may find the following approach 
helpful in assessing whether laws, regulations, or provisions of 
contracts or grant agreements are significant to audit objectives: 

a. Reduce each audit objective to questions about specific aspects of 
the program being audited (that is, purpose and goals, internal 
control, inputs, program operations, outputs, and outcomes). 

b. Identify laws, regulations, and provisions of contracts or grant 
agreements that directly relate to specific aspects of the program 
included in questions that reflect the audit objectives. 

c. Determine if the audit objectives or the auditors’ conclusions could 
be significantly affected if violations of those laws, regulations, or 
provisions of contracts or grant agreements occurred. If the audit 
objectives or audit conclusions could be significantly affected, then 
those laws, regulations, and provisions of contracts or grant agreements
are likely to be significant to the audit objectives. 

A.07: Auditors may consult with legal counsel to (1) determine those 
laws and regulations that are significant to the audit objectives, (2) 
design tests of compliance with laws and regulations, or (3) evaluate 
the results of those tests. Auditors also may consult with legal 
counsel when audit objectives require testing compliance with 
provisions of contracts or grant agreements. Depending on the 
circumstances of the audit, auditors may consult with others, such as 
investigative staff, other audit organizations or government entities 
that provided assistance to the audited entity, or applicable law 
enforcement authorities, to obtain information on compliance matters. 

Information to Accompany Chapter 1: 

A1.01: Chapter 1 discusses the use and application of GAGAS and the 
role of auditing in government accountability. Those charged with 
governance and management of audited organizations also have roles in 
government accountability. The discussion which follows is provided to 
assist auditors in understanding the roles of others in accountability. 
The following section also contains background information on the laws,
regulations and guidelines which require the use of GAGAS. This 
information is provided to place the requirements contained in GAGAS 
within the context of overall government accountability. 

The Role of Those Charged with Governance in Accountability: 

A1.02: Those charged with governance are responsible for overseeing the 
strategic direction of the entity and obligations related to the 
accountability of the entity. This includes overseeing the financial 
reporting process, subject matter, or program under audit including 
related internal controls. In certain entities covered by GAGAS, those
charged with governance also may be part of the entity’s management. In 
some audit entities, multiple parties may be charged with governance, 
including oversight bodies, members or staff of legislative committees, 
boards of directors, audit committees, or parties contracting for the 
audit. 

Because the governance structures of government entities and 
organizations can vary widely, it may not always be clearly evident who 
is charged with key governance functions. In these situations, auditors 
evaluate the organizational structure for directing and controlling 
operations to achieve the entity’s objectives. This evaluation also
includes how the government entity delegates authority and establishes 
accountability for its management personnel. 

Management’s Role in Accountability: 

A1.03: Officials of the audited entity (for example, managers of a 
state or local governmental entity or a nonprofit entity that receives 
federal awards) are responsible for: 

a. using government resources efficiently, economically, effectively, 
equitably, and legally to achieve the purposes for which the resources 
were furnished or the program was established; [Footnote 120] 

b. complying with applicable laws and regulations, including 
identifying the requirements with which the entity and the official 
must comply and implementing systems designed to achieve that 
compliance; 

c. establishing and maintaining effective internal control to help 
ensure that appropriate goals and objectives are met; using resources 
efficiently, economically, effectively, and equitably, and safeguarding 
resources; following laws and regulations; and ensuring that management 
and financial information is reliable and properly reported; 

d. providing appropriate reports to those who oversee their actions and 
to the public in order to be accountable for the resources and 
authority used to carry out government programs and the results of 
these programs; 

e. addressing the findings and recommendations of auditors, and for 
establishing and maintaining a process to track the status of such 
findings and recommendations; and 

f. following sound procurement practices when contracting for audits 
and attestation engagements, including ensuring procedures are in place 
for monitoring contract performance. 

A1.04: Management of the audited entity is responsible for resolving 
audit findings and recommendations and for having a process to track 
progress in resolving the findings and recommendations. 

A1.05: Management of the audited entity is responsible for taking 
timely and appropriate steps to remedy fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse that auditors 
report to it. 

Laws, Regulations, and Guidelines that Require Use of GAGAS: 

A1.06: The following are among the laws, regulations, and guidelines 
that require use of GAGAS: 

a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. (2000) 
requires that the statutorily appointed federal inspectors general 
comply with GAGAS for audits of federal establishments, organizations, 
programs, activities, and functions. The act further states that the 
inspectors general shall take appropriate steps to assure that any work
performed by nonfederal auditors complies with GAGAS. 

b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as 
expanded by the Government Management Reform Act of 1994 (Public Law 
103-356), requires that GAGAS be followed in audits of executive branch 
departments’ and agencies’ financial statements. 

c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require 
that GAGAS be followed in audits of state and local governments and 
nonprofit entities that receive federal awards. [Footnote 121] Office 
of Management and Budget (OMB) Circular A-133, Audits of States, Local 
Governments, and Non-Profit Organizations, which provides the 
governmentwide guidelines and policies on performing audits to comply 
with the Single Audit Act, also requires the use of GAGAS. 

d. The Accountability of Tax Dollars Act of 2002 extends the 
requirement to prepare and submit audited financial statements to most 
executive agencies not subject to the Chief Financial Officers Act 
unless they are exempted by OMB. These covered agencies are required to 
follow GAGAS in their financial statement audits, but are not required 
to have systems that are compliant with FFMIA. 

A1.07: Other laws, regulations, or other authoritative sources could 
require the use of GAGAS. For example, auditors at the state and local 
levels of government may be required by state and local laws and 
regulations to follow GAGAS. Also, auditors may be required by the 
terms of an agreement or contract to comply with GAGAS. Auditors may
also be required by federal audit guidelines pertaining to program 
requirements, such as those issued for Housing and Urban Development 
programs and Student Financial Aid programs. 

A1.08: Even if not required to do so, auditors may find it useful to 
follow GAGAS in performing audits of federal, state, and local 
government programs as well as in performing audits of government 
awards administered by contractors, nonprofit entities, and other 
nongovernment entities. Many audit organizations not formally required 
to do so, both in the United States of America and in other countries, 
voluntarily follow GAGAS. 

Information to Accompany Chapter 3: 

A3.01: Chapter 3 discusses the general standards applicable when 
performing financial audits, attestation engagements, and performance 
audits under GAGAS. Auditors may also provide professional services 
other than audits and attestation engagements, which are sometimes 
referred to as consulting services. GAGAS do not cover nonaudit services
since such services are not audits or attestation engagements. If an 
audit organization decides to perform nonaudit services, its 
independence for performing audits or attestation engagements may be 
impacted. Nonaudit services which may impair or do impair auditor 
independence are discussed in chapter 3. The following supplemental 
guidance is provided to assist auditors and audited entities in 
identifying nonaudit services that are often provided by government 
audit organizations without impairing their independence with respect 
to entities for which they provide audit or attest services by 
providing examples of such services. 

Nonaudit Services: 

A3.02: Government audit organizations frequently are requested to 
provide or are required to provide nonaudit services that differ from 
the traditional professional services provided to or for an 
audit/attest entity. These types of nonaudit services are often 
performed in response to a statutory requirement, under the authority 
of the audit organization, or for a legislative oversight body or an 
independent external organization and generally do not impair auditor 
independence. (The requirements for evaluating whether nonaudit 
services impair auditor independence are in chapter 3, paragraphs 3.24
through 3.35.) 

A3.03: Examples of the types of services under this category include 
the following: 

a. Providing information or data to a requesting party without auditor 
evaluation or verification of the information or data; 

b. Developing standards, methodologies, audit guides, audit programs, 
or criteria for use throughout the government or for use in certain 
specified situations; 

c. Collaborating with other professional organizations to advance 
auditing of government organizations; 

d. Developing question and answer documents to promote understanding of 
technical issues or standards; 

e. Providing assistance and technical expertise to legislative bodies 
or independent external organizations and assisting legislative bodies 
by developing questions for use at a hearing; 

f. Providing training, speeches, and technical presentations; 

g. Developing surveys, collecting responses on behalf of others, and 
reporting results as “an independent third party;” 

h. Providing oversight assistance in reviewing budget submissions; 

i. Contracting for audit services on behalf of an audited entity and 
overseeing the audit contract, as long as the overarching principles 
are not violated and the auditor under contract reports to the audit 
organization and not to management; 

j. Assessing the advantages and disadvantages of legislative proposals; 

k. Identifying best practices for users in evaluating program or 
management system approaches, including financial and information 
management systems; and 

l. Audit, investigative, and oversight-related services that do not 
involve a full-scope GAGAS audit (but which could be performed as an 
audit, if the audit organization elects to do so), such as: 

(1) Investigations of alleged fraud, violation of contract provisions 
or grant agreements, or abuse; 

(2) Review-level work such as sales tax reviews that are designed to 
ensure the governmental entity receives from businesses, merchants and 
vendors all of the sales taxes to which it is entitled; 

(3) Periodic audit recommendation follow-up engagements and reports; 

(4) Identifying best practices or leading practices for use in 
advancing the practices of government organizations; 

(5) Analyzing cross-cutting and emerging issues; and 

(6) Providing forward-looking analysis involving programs. 

Information to Accompany Chapter 7: 

A7.01: Chapter 7 discusses the field work standards for performance 
audits. An integral concept for performance auditing is the use of 
sufficient, appropriate evidence based on the audit objectives to 
support a sound basis for audit findings, conclusions, and 
recommendations. The following discussion is provided to assist 
auditors in identifying the various types of evidence and assessing the 
appropriateness of information or evidence in relation to the audit 
objectives. 

Types of Evidence: 

A7.02: In terms of its form and how it is collected, evidence may be 
categorized as physical, documentary, or testimonial. Physical evidence 
is obtained by auditors’ direct inspection or observation of people, 
property, or events. Such evidence may be documented in memoranda, 
photographs, videos, drawings, charts, maps, or physical samples. 
Documentary evidence is obtained in the form of already existing 
information such as letters, contracts, accounting records, invoices, 
spreadsheets, database extracts, electronically stored information, and 
management information on performance. Testimonial evidence is obtained 
through inquiries, interviews, focus groups, public forums, or 
questionnaires. Auditors frequently use analytical processes including
computations, comparisons, separation of information into components, 
and rational arguments to analyze any information gathered to determine 
whether it is sufficient and appropriate. [Footnote 122] 

Appropriateness of Information in Relation to the Audit Objectives: 

A7.03: One of the primary factors influencing the assurance associated 
with a performance audit is the appropriateness of the information in 
relation to the audit objectives. For example: 

a. The audit objectives might focus on verifying specific quantitative 
results presented by the audited entity. In these situations, the 
performance audit would likely provide reasonable assurance about the 
accuracy of the specific amounts in question. This work may include the 
possible use of statistical sampling. 

b. The audit objectives might focus on the performance of a specific 
program or activity in the agency being audited. In this situation, the 
auditor may have to use specific information compiled by the agency 
being audited in order to answer the audit objectives. In this 
situation, the auditor may find it necessary to test the quality of the
information, which includes both its validity and reliability. 

c. The audit objectives might focus on information that is used for 
widely-accepted purposes and obtained from sources generally recognized 
as appropriate. For example, economic statistics issued by government 
agencies for purposes such as adjusting for inflation, or other such 
information issued by authoritative organizations, may be the best 
information available. In such cases, it may not be practical or 
necessary for auditors to conduct procedures to verify the information. 
These decisions call for professional judgment based on the nature of 
the information, its common usage or acceptance, and how it is being 
used in the audit. Paragraphs 7.56 through 7.62 in chapter 7 discuss 
the factors the auditor should consider. 

d. The audit objectives might focus on comparisons or benchmarking 
between various government functions or agencies. These types of audits 
are especially useful for analyzing the outcomes of various public 
policy decisions. In these cases, auditors may perform analyses, such 
as comparative statistics of different jurisdictions or changes in
performance over time, where it would be cost prohibitive and/or 
impractical to do a verification of the detailed data underlying the 
statistics. Clear disclosure as to what extent the comparative 
information or statistics were evaluated or corroborated will place the 
information in proper context for report users. 

e. The audit objectives might focus on trend information. In this 
situation, auditors may use overall analytical tests, combined with a 
knowledge and understanding of the systems or processes used for 
compiling information. 

f. The audit objectives might focus on the auditor identifying emerging 
and cross-cutting issues using information compiled or self-reported by 
agencies. In such cases, it may be helpful for the auditor to consider 
the overall appropriateness of the compiled information with other 
information available about the program. Other sources of information, 
such as Inspector General reports or other external audits, may provide 
the auditors with information regarding whether any unverified or self-
reported information is consistent with or can be corroborated by these 
other external sources of information. 

[End of appendix] 

Members of the Comptroller General’s Advisory Council on Government 
Auditing Standards: 

Mr. Jack R. Miller, Chair: 
KPMG LLP (Retired): 
(member 1997-1998; chair 2001-2008): 

The Honorable Ernest A. Almonte: 
Office of the Auditor General: 
State of Rhode Island: 
(member 2001-2008): 

Dr. Paul A. Copley: 
James Madison University: 
(member 2005-2008): 

Mr. David Cotton: 
Cotton & Co. LLP: 
(member 2006-2009): 

The Honorable Debra K. Davenport: 
Office of the Auditor General: 
State of Arizona: 
(member 2002-2005): 

Ms. Kristine Devine: 
Deloitte & Touche, LLP: 
(member 2005-2008): 

Dr. John H. Engstrom: 
Northern Illinois University: 
(member 2002-2005): 

The Honorable Richard L. Fair: 
Office of the State Auditor: 
State of New Jersey: 
(member 2002-2005): 

Dr. Ehsan Feroz: 
University of Minnesota Duluth: 
(member 2002-2009): 

The Honorable Phyllis Fong: 
U.S. Department of Agriculture: 
(member 2004-2006): 

Mr. Alex Fraser: 
Standard & Poor’s: 
(member 2006-2009): 

The Honorable Gregory H. Friedman: 
U.S. Department of Energy: 
(member 2002-2005): 

Mr. Mark Funkhouser: 
Office of City Auditor: 
Kansas City, Missouri: 
(member 2005-2008): 

Dr. Michael H. Granof: 
University of Texas at Austin: 
(member 2005-2008): 

Mr. Jerome Heer: 
Office of the County Auditor: 
Milwaukee, Wisconsin: 
(member 2004-2006): 

Ms. Marion Higa: 
Office of State Auditor: 
State of Hawaii: 
(member 2006-2009): 

The Honorable John P. Higgins, Jr.: 
U.S. Department of Education: 
(member 2005-2008): 

Mr. Russell Hinton: 
Office of the State Auditor: 
State of Georgia: 
(member 2004-2006): 

Mr. Richard A. Leach: 
United States Navy: 
(member 2005-2008): 

Mr. Patrick L. McNamee: 
PricewaterhouseCoopers, LLP: 
(member 2005-2008): 

Mr. Rakesh Mohan: 
Office of Performance Evaluations: 
Idaho State Legislature: 
(member 2004-2006): 

The Honorable Samuel Mok: 
U.S. Department of Labor: 
(member 2006-2009): 

Mr. Harold L. Monk: 
Davis Monk & Company, CPAs: 
(member 2002-2009): 

Mr. William Monroe: 
Office of Auditor General: 
State of Florida: 
(member 2004-2006): 

Mr. Stephen L. Morgan: 
Office of the City Auditor: 
Austin, Texas: 
(member 2001-2008): 

Mr. Robert M. Reardon, Jr.: 
State Farm Insurance Companies: 
(member 2002-2005): 

Mr. Brian A. Schebler: 
McGladrey & Pullen, LLP: 
(member 2005-2008): 

Mr. Gerald Silva: 
Office of the City Auditor: 
San Jose, California: 
(member 2002-2009): 

Mr. Barry R. Snyder: 
Federal Reserve Board: 
(member 2001-2008): 

Mr. James R. Speer: 
JP Associates, Inc.: 
(member 2004-2006): 

Dr. Daniel Stufflebeam: 
Western Michigan University: 
(member 2002-2009): 

The Honorable Nikki Tinsley: 
U.S. Environmental Protection Agency: 
(member 2002-2005): 

Mr. George Willie: 
Bert Smith & Co.: 
(member 2004-2006): 

GAO Project Team: 

Jeffrey C. Steinhoff, Managing Director: 
Jeanette M. Franzel, Project Director: 
Marcia B. Buchanan, Assistant Director: 
Gail F. Vallieres, Assistant Director: 
Michael C. Hrapsky, Senior Project Manager: 
Heather I. Keister, Senior Auditor: 
Maxine L. Hattery, Communications Analyst: 
Jennifer V. Allison, Council Administrator: 

[End of section] 

Footnotes: 

[1] The term equity in this context refers to the approaches used by a 
government organization to provide services to citizens in a fair 
manner within the context of the statutory parameters of the specific
government programs. 

[2] For additional information on management’s responsibility, see 
appendix paragraphs A1.01-A1.05. 

[3] The term “auditor” throughout this document includes individuals 
performing work under GAGAS, and therefore, individuals who may have 
the titles auditor, analyst, evaluator, inspector, or other similar 
titles. 

[4] The term “audit organizations” is used throughout the standards to 
refer to government audit organizations as well as independent public 
accounting firms that perform audits using GAGAS. 

[5] The terminology used in GAGAS to designate professional 
requirements and explanatory material is consistent with the AICPA’s 
Statement on Auditing Standard No. 102, Defining Professional 
Requirements in Statements on Auditing Standards. 

[6] Under the Sarbanes-Oxley Act of 2002 (Public Law 107-204), issuers 
(generally, publicly traded companies with securities registered under 
the Securities and Exchange Act of 1934) and their public accounting
firms are subject to rules and standards of the Public Company 
Accounting Oversight Board. Nonissuer refers to any entity other than 
an issuer under Federal securities laws, such as privately held 
companies, not-for-profit entities, and government entities. 

[7] Because GAGAS incorporate the field work and reporting standards of 
the AICPA for financial audits performed in which U.S. auditing 
standards are to be followed, auditors are not required to cite 
compliance with the AICPA standards when citing compliance with GAGAS, 
although both sets of standards may be cited. 

[8] The three U.S.-based authoritative bodies for establishing 
accounting principles and financial reporting standards are the Federal 
Accounting Standards Advisory Board (federal government), the 
Governmental Accounting Standards Board (state and local governments), 
and the Financial Accounting Standards Board (nongovernmental 
entities). 

[9] Special reports apply to auditors’ reports issued in connection 
with the following: (1) financial statements that are prepared in 
conformity with a comprehensive basis of accounting other than 
generally accepted accounting principles; (2) specified elements, 
accounts, or items of a financial statement; (3) compliance with 
aspects of contractual agreements or regulatory requirements related to 
audited financial statements; (4) financial presentations to comply 
with contractual agreements or regulatory requirements; or (5)
financial information presented in prescribed forms or schedules that 
require a prescribed form of auditors’ report. (See AICPA Professional 
Standards, AU 623.) 

[10] For consistency within GAGAS, the word “auditor” is used to 
describe individuals conducting and reporting on attestation 
engagements. 

[11] As stated in the AICPA SSAEs, auditors should not perform review-
level work for reporting on internal control or compliance with laws 
and regulations. 

[12] Data gathering without auditor evaluation or verification of the 
data is not a performance audit, but a nonaudit service. 

[13] The term “program” is used in this document to include government 
entities, organizations, programs, activities, and functions. 

[14] The term “internal control” in this document is synonymous with 
the term management control and, unless otherwise stated, covers all 
aspects of an entity’s operations (programmatic, financial, and 
compliance). 

[15] These objectives focus on combining cost information with 
information about outputs or the benefit provided and outcomes or the 
results achieved. 

[16] Compliance requirements can be either financial or nonfinancial in 
nature. 

[17] Independence requirements are discussed in chapter 3. 

[18] Individual auditors who are members of professional organizations 
or are licensed or certified professionals may also be subject to 
ethical requirements of those professional organizations or licensing
bodies. Auditors in government audit organizations may also be subject 
to government ethics laws and regulations. 

[19] See chapter 6 for an additional general standard applicable to an 
attestation engagement. 

[20] When applicable, auditors also follow the AICPA code of 
professional conduct and the code of professional conduct of the state 
board with jurisdiction over the practice of the public accountant and 
the audit organization. Auditors have a responsibility to be aware of 
and comply with any applicable government ethics laws and regulations 
and any other ethics requirements (such as those of the state
boards of accountancy) associated with their activities. 

[21] Specialists to whom this section applies include, but are not 
limited to, actuaries, appraisers, attorneys, engineers, environmental 
consultants, medical professionals, statisticians, and geologists. 

[22] This includes those who review the work or the report, and all 
others within the audit organization who can directly influence the 
outcome of the audit. The period covered includes the period covered by 
the audit, and the period in which the audit is being performed and 
reported. 

[23] Immediate family member is a spouse, spouse equivalent, or 
dependent (whether or not related). A close family member is a parent, 
sibling, or nondependent child. 

[24] Auditors are not precluded from auditing pension plans that they 
participate in if (1) the auditor has no control over the investment 
strategy, benefits, or other management issues associated with the 
pension plan and (2) the auditor belongs to such pension plan as part 
of his/her employment with the audit organization, provided that the 
plan is normally offered to all employees in equivalent employment
positions. 

[25] Legislative bodies may exercise their confirmation powers through 
a variety of means so long as they are involved in the approval of the 
individual to head the audit organization. This involvement can be
demonstrated by approving the individual after the appointment or by 
initially selecting or nominating an individual or individuals for 
appointment by the appropriate authority. 

[26] Statutory authority to issue a subpoena to obtain the needed 
records is one way to meet the requirement for statutory access to 
records. 

[27] GAO has issued further guidance in the form of questions and 
answers to assist in implementation of the standards associated with 
nonaudit services. This guidance, Government Auditing Standards: 
Answers to Independence Standard Questions, GAO-02-870G (Washington, 
DC: June 2002), can be found on GAO’s Government Auditing Standards Web 
page [hyperlink, http://www.gao.gov/govaud/ybk01.htm]. 

[28] See appendix, paragraphs A3.02 through A3.03 for examples of 
nonaudit services that are generally unique to government audit 
organizations. 

[29] The concepts of significance and materiality include quantitative 
as well as qualitative measures in relation to the subject matter of 
the audit. 

[30] The requestor of nonaudit services could be the management of the 
audited entity or a third party such as a legislative oversight body. 

[31] See appendix, paragraphs A3.02 through A3.03 for examples of 
nonaudit services that are generally unique to government audit 
organizations. 

[32] If the audit organization has prepared draft financial statements 
and notes and performed the financial statement audit, the auditor 
obtains documentation from management in which management acknowledges 
the audit organization’s role in preparing the financial statements and 
related notes and management’s review, approval, and responsibility for 
the financial statements and related notes in the management 
representation letter. The management representation letter that is 
done as part of the audit may be used for this type of documentation. 

[33] The Office of Management and Budget prohibits an auditor who 
prepared the entity’s indirect cost proposal from conducting the 
required audit when indirect costs recovered by the entity during the 
prior year exceeded $1 million under OMB Circular A-133, Audits of 
States, Local Governments, and Non-Profit Organizations, Subpart 
C.305(b), revised June 27, 2003. 

[34] An audit organization’s independence for performing financial 
statement audits would not be impaired by representing the audited 
entity in IRS matters or in obtaining IRS rulings or other agreements. 
However, these nonaudit services would impair auditor independence with 
respect to performance audits of tax compliance since the audit 
organization would be auditing its own work. 

[35] Entity assets are intended to include all of the entity’s property 
including bank accounts, investment accounts, inventories, equipment or 
other assets owned, leased, or otherwise in the entity’s possession,
and financial records, both paper and electronic. 

[36] Personnel who provided the nonaudit service are permitted to 
convey to the audit assignment team the documentation and knowledge 
gained about the audited entity and its operations. 

[37] Auditors who are only involved in performing field work but not 
involved in planning, directing, or reporting on the audit or 
attestation engagement and who charge less than 20 percent of their time
annually to GAGAS audits and attestation engagements are subject to the 
24-hour requirement for government related CPE in each 2-year period 
but do not have to comply with the remainder of the 80-hour CPE 
requirement. 

[38] This guidance, Government Auditing Standards: Guidance on GAGAS 
Requirements for Continuing Professional Education, GAO-05-586G 
(Washington, D.C.: Apr. 2005), can be found on GAO’s Government
Auditing Standards Web page [hyperlink, 
http://www.gao.gov/govaud/ybk01.htm]. 

[39] See paragraphs 3.06 through 3.09, and 3.35c for specific quality 
control requirements related to personal impairments and performing 
nonaudit services, respectively. 

[40] The external peer review requirement is effective within 3 years 
from the date an audit organization begins field work on its first 
assignment in accordance with GAGAS. This 3-year period refers to the 
cutoff (“as of”) date for the peer review. Generally, peer reviews are 
completed within 6 months of the cut-off date. Extensions of these time 
frames beyond 3 months after the peer review completion deadline are
granted by GAO, and in cooperation with the cognizant peer review 
program, to meet the external peer review requirements for 
extraordinary circumstances. 

[41] For audit organizations that perform only a small number of GAGAS 
audits in relation to other types of audits, at least one or more GAGAS 
audits is selected for review. In these cases, one or more GAGAS
audits may represent more than what would be selected when looking at a 
cross-section of the audit organization’s work as a whole. 

[42] If the audit organization does not have a website, then it uses 
the same mechanism it uses to make other information public. 

[43] The transparency requirement in paragraph 3.68 does not include 
the letter of comment. 

[44] Independent public accountants and audit organizations may be 
subject to requirements of other professional organizations or 
licensing bodies. 

[45] This high-level description includes the major policies regarding 
ethical requirements, initiation and continuance of audit work, human 
capital management, engagement performance and reporting, and 
monitoring, as discussed in paragraph 3.61. 

[46] The audit organization can use internal or third-party resources 
to conduct the inspection. If a third party is used to conduct the 
inspection, that party is not independent to conduct the peer review. 

[47] Peer reviewers read the assurance statements for each year since 
the previous peer review and compare them with the inspection results 
for those years. Peer reviewers evaluate management’s assertion and the
underlying monitoring and inspection processes for the year under 
review. 

[48] To date, the Comptroller General has not excluded any field work 
standards or SASs. 

[49] The AICPA standards incorporate the concepts contained in Internal 
Control - Integrated Framework, published by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO). As
discussed in the COSO framework, internal control consists of five 
interrelated components, which are (1) control environment, (2) risk 
assessment, (3) control activities, (4) information and communication, 
and (5) monitoring. The objectives of internal control relate to (1) 
financial reporting, (2) operations, and (3) compliance. Safeguarding 
of assets is a subset of these objectives. In that respect, management 
designs internal control to provide reasonable assurance that 
unauthorized acquisition, use, or disposition of assets will be 
prevented or timely detected and corrected. In addition to the COSO 
document, the publication, Standards for Internal Control in the 
Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), 
which incorporates the relevant guidance developed by COSO, provides 
definitions and fundamental concepts pertaining to internal control at 
the federal level and may be useful to other auditors at any level of 
government. The related Internal Control Management and Evaluation 
Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the federal 
internal control standards, provides a systematic, organized, and 
structured approach to assessing the internal control structure. 

[50] In accordance with AICPA Statement on Auditing Standards No. 107, 
Audit Risk and Materiality in Conducting an Audit, the auditor’s 
consideration of materiality is a matter of professional judgment and is
influenced by the auditor’s perception of the needs of users of 
financial statements. Materiality is defined as “the magnitude of an 
omission or misstatement of accounting information that, in the light of
surrounding circumstances, makes it probable that the judgment of a 
reasonable person relying on the information would have been changed or 
influenced by the omission or misstatement.” This definition is
from Financial Accounting Standards Board Statement of Financial 
Accounting Concepts No. 2, Qualitative Characteristics of Accounting 
Information. 

[51] See AICPA Professional Standards, AU 316 (Statement on Auditing 
Standards No. 99, Consideration of Fraud in a Financial Statement 
Audit). 

[52] In accordance with AICPA Statement on Auditing Standard No. 104, 
Amendment to Statement on Auditing Standard No. 1, Codification of 
Auditing Standards and Procedures (“Due Professional Care in the
Performance of Work”), paragraph 2, “the high, but not absolute, level 
of assurance that is intended to be obtained by the auditor is 
expressed in the auditor’s report as obtaining reasonable assurance 
about whether the financial statements are free of material 
misstatement (whether caused by error or fraud).” 

[53] Two types of misstatements are relevant to the auditors’ 
consideration of fraud in an audit of financial statements--
misstatements arising from fraudulent financial reporting and 
misstatements arising from misappropriation of assets. The primary 
factor that distinguishes fraud from error is whether the
underlying action that results in the misstatement in the financial 
statements is intentional or unintentional. 

[54] See AICPA Professional Standards, AU 317 (Statement on Auditing 
Standards No. 54, Illegal Acts by Clients). Direct and material illegal 
acts are violations of laws and regulations having a direct and material
effect on the determination of financial statement amounts. 

[55] Whether a particular act is, in fact, illegal may have to await 
final determination by a court of law or other adjudicative body. Thus, 
auditors may disclose matters that have led them to conclude that an 
illegal act is likely to have occurred; they do not make a 
determination of illegality. 

[56] Those charged with governance are those responsible for overseeing 
the strategic direction of the entity and the entity’s fulfillment of 
its accountability obligations. In situations in which those charged 
with governance are not clearly evident, the auditor documents the 
process followed and conclusions reached for identifying the 
appropriate individuals to receive the required auditor communications. 
(See appendix, paragraph A1.02 for additional information.) 

[57] For example, when engaged to perform audits under the Single Audit 
Act, as amended, for state and local government entities and nonprofit 
entities that receive federal awards, auditors follow Office of
Management and Budget (OMB) Circular No. A-133 on single audits. The 
act and circular include specific audit requirements, mainly in the 
areas of internal control and compliance with laws and regulations, that
go beyond the requirements in chapters 4 and 5 of GAGAS. Audits 
performed pursuant to the Chief Financial Officers Act of 1990, as 
expanded by the Government Management Reform Act of 1994 and the
Accountability of Tax Dollars Act of 2002, also have specific audit 
requirements prescribed by OMB in the areas of internal control and 
compliance. In addition, some state and local governments may have
additional audit requirements that the auditors would need to follow in 
planning the audit. 

[58] Significant findings and recommendations are those matters that, 
if not corrected, could affect the results of the auditors’ work and 
the auditors’ conclusions and recommendations about those results. 

[59] See paragraph 5.13 for definitions of significant deficiency and 
material weakness. 

[60] An experienced auditor means an individual (whether internal or 
external to the audit organization) who possesses the competencies and 
skills that would have enabled him or her to perform the audit. These
competencies and skills include an understanding of (a) audit 
processes, (b) GAGAS and applicable legal and regulatory requirements, 
(c) the environment in which the entity operates, and (d) auditing and
financial reporting issues relevant to the audited entity’s 
environment. 

[61] The five-year requirement is from AICPA Statement on Auditing 
Standards No. 103, Audit Documentation. 

[62] The 60-day requirement is from AICPA Statement on Auditing 
Standards No. 103, Audit Documentation. 

[63] To date, the Comptroller General has not excluded any reporting 
standards or SASs. 

[64] See AICPA Professional Standards, AU 410 - 431 and 504. 

[65] If the auditor is performing an audit in accordance with OMB 
Circular No. A-133, Audits of States, Local Governments, and Non-Profit 
Organizations, the thresholds for reporting are defined in the 
circular. Those reporting thresholds are sufficient to meet the 
requirements of GAGAS. 

[66] The term “more than remote” used in the definitions for 
significant deficiency and material weakness means “at least reasonably 
possible.” The following definitions apply. (1) Remote—The chance of the
future events or their occurrence is slight. (2) Reasonably 
possible—The chance of the future events or their occurrence is more 
than remote but less than likely. (3) Probable—The future events are 
likely to occur. 

[67] “More than inconsequential” indicates an amount that is less than 
material, yet has significance. A misstatement is “inconsequential” if 
a reasonable, objective person would conclude that the misstatement,
either individually or when aggregated with other misstatements, would 
clearly be immaterial to the financial statements. If a reasonable, 
objective person could not reach such a conclusion, that misstatement 
is “more than inconsequential.” 

[68] Common sources for criteria include laws, regulations, policies, 
procedures, and best or standard practices. The Standards for Internal 
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, 
D.C.: Nov. 1999) and Internal Control--Integrated Framework, published 
by the Committee of Sponsoring Organizations of the Treadway Commission 
(COSO) are two sources of established criteria auditors can use to 
support their judgments and conclusions about internal control. The 
related Internal Control Management and Evaluation Tool (GAO-01-1008G, 
Aug. 2001), based on the federal internal control standards, provides a 
systematic, organized, and structured approach to assessing internal 
control. 

[69] See paragraph 4.19 for a discussion of abuse. 

[70] Whether a particular act is, in fact, illegal may have to await 
final determination by a court of law or other adjudicative body. Thus, 
when auditors disclose matters that have led them to conclude that an
illegal act is likely to have occurred, they do not make a final 
determination of illegality. 

[71] Auditors include information about fraud or abuse in the audit 
reports required by paragraph 5.08 as applicable to internal control 
and compliance with laws, regulations, and provisions of contracts and 
grant agreements. 

[72] Internal audit organizations do not have a duty to report outside 
that entity unless required by law, rule, regulation, or policy. See 
paragraph 3.19 for reporting requirements for internal audit 
organizations when reporting externally. 

[73] See AICPA Professional Standards, AU 508.19. 

[74] These types of matters go beyond the auditors’ responsibility in 
AU 341 to consider an entity’s ability to continue as a going concern. 

[75] See AICPA Professional Standards, AU 561, “Subsequent Discovery of 
Facts Existing at the Date of the Auditor’s Report.” 

[76] As used in this standard, restatement means the correction of an 
error(s) in previously-issued financial statement(s). 

[77] For purposes of this standard, imminent means within 90 days of 
determining the effect of the misstatement(s) on the previously-issued 
financial statements. 

[78] See the Single Audit Act, as amended, and Office of Management and 
Budget (OMB) Circular No. A-133 on single audits for the distribution 
of reports on single audits of state and local governmental entities and
nonprofit organizations that receive federal awards. 

[79] See paragraphs 5.45 through 5.47 for additional guidance on 
limited report distribution when reports contain privileged or 
confidential information. 

[80] To date, the Comptroller General has not excluded any field work 
standards, reporting standards, or SSAEs. 

[81] GAGAS incorporate only one of the AICPA general standards for 
attestation engagements. 

[82] Those charged with governance are those responsible for overseeing 
the strategic direction of the entity and the entity’s fulfillment of 
its accountability obligations. In situations in which those charged 
with governance are not clearly evident, the auditor documents the 
process followed and conclusions reached for identifying the 
appropriate individuals to receive the required auditor communications. 
(See appendix, paragraph A1.02 for additional information.) 

[83] Significant findings and recommendations are those matters that, 
if not corrected, could affect the results of the auditors’ work and 
the auditors’ conclusions and recommendations about those results. 

[84] See paragraph 6.50 for definitions of significant deficiency and 
material weakness. 

[85] Although not applicable to attestation engagements, the AICPA SASs 
may provide useful guidance related to internal control for auditors 
performing attestation engagements in accordance with GAGAS. In 
addition, auditors performing attestation engagements may wish to refer 
to the internal control guidance published by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO). The 
Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), which incorporates the relevant 
guidance developed by COSO, provides definitions and fundamental
concepts pertaining to internal control at the federal level and may be 
useful to auditors at any level of government. The related Internal 
Control Management and Evaluation Tool, GAO-01-1008G (Washington,
D.C.: Aug. 2001) based on the federal internal control standards, 
provides a systematic, organized, and structured approach to assessing 
internal control. 

[86] Fraud is a type of illegal act involving the obtaining of 
something of value through willful misrepresentation. Although not 
applicable to attestation engagements, the AICPA SASs may provide
useful guidance related to fraud for auditors performing attestation 
engagements in accordance with GAGAS. 

[87] An experienced auditor means an individual (whether internal or 
external to the audit organization) who possesses the competencies and 
skills that would have enabled him or her to perform the attestation
engagement. These competencies and skills include an understanding of 
(a) attestation engagement processes, (b) GAGAS and applicable legal 
and regulatory requirements, (c) the subject matter that the auditor is 
engaged to report on, (d) the suitability and availability of criteria, 
and (e) issues related to the audited entity’s environment. 

[88] See AT sections 101.63 - 101.83. 

[89] For application of this standard in the government environment, 
see paragraphs 6.67 through 6.71. 

[90] The term “more than remote” used in the definitions for 
significant deficiency and material weakness means “at least reasonably 
possible.” The following definitions apply. (1) Remote—The chance of the
future events or their occurrence is slight. (2) Reasonably 
possible—The chance of the future events or their occurrence is more 
than remote but less than likely. (3) Probable—The future events are 
likely to occur. 

[91] “More than inconsequential” indicates an amount that is less than 
material, yet has significance. A misstatement is “inconsequential” if 
a reasonable, objective person would conclude that the misstatement,
either individually or when aggregated with other misstatements, would 
clearly be immaterial to the financial statements. If a reasonable, 
objective person could not reach such a conclusion, that misstatement 
is “more than inconsequential.” 

[92] Common sources for criteria include laws, regulations, policies, 
procedures, and best or standard practices. The Standards for Internal 
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, 
D.C.: Nov. 1999) and Internal Control--Integrated Framework, published 
by the Committee of Sponsoring Organizations of the Treadway Commission 
(COSO) are two sources of established criteria auditors can
use to support their judgments and conclusions about internal control. 
The related Internal Control Management and Evaluation Tool 
(GAO-01-1008G, Aug. 2001), based on the federal internal control standards, 
provides a systematic, organized, and structured approach to assessing 
internal control. 

[93] Internal audit organizations do not have a duty to report outside 
that entity unless required by law, rule, regulation, or policy. See 
paragraph 3.19 for reporting requirements for internal audit 
organizations when reporting externally. 

[94] See paragraphs 6.64 through 6.66 for additional guidance on 
limited report distribution when reports contain privileged or 
confidential information. 

[95] In the performance audit standards, the term “significant” is 
synonymous with “material.” “Material” is used in the AICPA standards 
for financial audits. The term “significant” is used in performance 
audits where the term “material” is generally not used.  

[96] See discussion of the elements of a finding in paragraphs 7.36 
through 7.37 and paragraphs 7.70 through 7.73.  

[97] The term “program” is used in this document to include government 
entities, organizations, programs, activities, and functions. 

[98] Refer to the internal control guidance contained in Internal 
Control--Integrated Framework, published by the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO). As discussed in the 
COSO framework, internal control consists of five interrelated 
components, which are (1) control environment, (2) risk assessment, (3) 
control activities, (4) information and communication, and (5)
monitoring. The objectives of internal control relate to (1) financial 
reporting, (2) operations, and (3) compliance. Safeguarding of assets 
is a subset of these objectives. In that respect, management designs
internal control to provide reasonable assurance that unauthorized 
acquisition, use, or disposition of assets will be prevented or timely 
detected and corrected. In addition to the COSO document, the
publication, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), which incorporates 
the relevant guidance developed by COSO, provides definitions and
fundamental concepts pertaining to internal control at the federal 
level and may be useful to other auditors at any level of government. 
The related Internal Control Management and Evaluation Tool, 
GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the federal internal 
control standards, provides a systematic, organized, and structured 
approach to assessing the internal control structure.  

[99] Violations of laws or regulations are illegal acts.  

[100] The term “internal control” in this document is synonymous with 
the term management control and, unless otherwise stated, covers all 
aspects of an entity’s operations (programmatic, financial, and
compliance).  

[101] Many government entities have these activities identified by 
other names, such as inspection, appraisal, investigation, organization 
and methods, or management analysis. These activities assist management 
by reviewing selected functions.  

[102] Information systems controls consist of those internal controls 
that are dependent on information systems processing.  

[103] Fraud is a type of illegal act involving the obtaining of something 
of value through willful misrepresentation. Whether an act is, in fact, 
fraud is a determination to be made through the judicial or other 
adjudicative system and is beyond auditors’ professional expertise and 
responsibility.  

[104] For example, in a performance audit of management’s efficient use 
of funds for office building maintenance, auditors might find abuse if 
renovation of senior management’s offices far exceeds usual office space 
specifications. While auditors might not view the renovation costs as 
quantitatively significant to the audit results, these expenses could 
be considered qualitatively significant to this audit objective.  

[105] Qualitative assessments can include expert judgment and 
reasonableness judgments about program performance, for example, 
whether program objectives reflect the needs of targeted beneficiaries 
and whether program performance adequately meets objectives.  

[106] See paragraph 3.51 for a discussion of using specialists in a 
GAGAS audit.  

[107] Those charged with governance are those responsible for 
overseeing the strategic direction of the entity and the entity’s 
fulfillment of its accountability obligations. In situations in which 
those charged with governance are not clearly evident, the auditor 
documents the process followed and conclusions reached for identifying 
those charged with governance. (See appendix paragraphs A1.02 through 
A1.05.)  

[108] See appendix paragraph A7.03 for additional guidance regarding 
assessing the appropriateness of information in relation to the audit 
objectives.  

[109] See appendix paragraph A7.02 for additional guidance regarding 
the types of evidence.  

[110] An experienced auditor means an individual (whether internal or 
external to the audit organization) who possesses the competencies and 
skills that would have enabled him or her to perform the performance
audit. These competencies and skills include an understanding of (a) 
the performance audit processes, (b) GAGAS and applicable legal and 
regulatory requirements, and (c) the subject matter associated with
achieving the audit objectives.  

[111] Auditors may meet this requirement by listing file numbers, case 
numbers, or other means of identifying specific documents they 
examined. They are not required to include copies of documents they 
examined as part of the audit documentation, nor are they required to 
list detailed information from those documents.  

[112] Appropriate background information may include information on how 
programs and operations work; the significance of programs and 
operations (e.g., dollars, impact, purposes, and past audit work if
relevant); a description of the audited entity’s responsibilities; and 
explanation of terms, organizational structure, and the statutory basis 
for the program and operations.  

[113] Common sources for criteria include laws, regulations, policies, 
procedures, and best or standard practices. The Standards for Internal 
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, 
D.C.: Nov. 1999) and Internal Control--Integrated Framework, published 
by the Committee of Sponsoring Organizations of the Treadway Commission 
(COSO) are two sources of established criteria auditors can use to 
support their judgments and conclusions about internal control. The 
related Internal Control Management and Evaluation Tool, GAO-01-1008G 
(Washington, D.C.: Aug. 2001), based on the federal internal control 
standards, provides a systematic, organized, and structured approach to 
assessing internal control.  

[114] As discussed in paragraph 7.23, in performance audits a 
deficiency in internal control exists when the design or operation of a 
control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect (1) 
misstatements in financial or performance information, (2) violations 
of laws and regulations, or (3) impairments of effectiveness or 
efficiency of operations, on a timely basis.  

[115] Whether a particular act is, in fact, illegal may have to await 
final determination by a court of law. Thus, when auditors disclose 
matters that have led them to conclude that an illegal act is likely to 
have occurred, they should take care not to unintentionally imply that 
a final determination of illegality has been made.  

[116] See paragraphs 8.26 through 8.28 for additional reporting 
considerations.  

[117] Internal audit organizations do not have a duty to report outside 
the entity unless required by law, rule, regulation, or policy. See 
paragraph 3.19 for reporting requirements for internal audit 
organizations when reporting externally.  

[118] Some audits may address audit objectives which cover cross-
cutting issues that transcend specific government agencies. In these 
situations, auditors use professional judgment to identify appropriate
officials for the issues addressed by the audit objectives and include 
the views of those officials in the audit report.  

[119] See paragraphs 8.41 through 8.43 for additional guidance on 
limited report distribution.  

[120] This responsibility applies to all resources, both financial and 
physical, as well as informational resources, whether entrusted to 
public officials or others by their own constituencies or by other 
levels of government.  

[121] Under the Single Audit Act, as amended, federal awards include 
federal financial assistance (grants, loans, loan guarantees, property, 
cooperative agreements, interest subsidies, insurance, food commodities,
direct appropriations, or other assistance) and cost-reimbursement 
contracts.  

[122] See paragraphs 7.56 and 7.63 for definitions of appropriate and 
sufficient.  

[End of section]  

GAO's Mission:  

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  
