This is the accessible text file for GAO report number GAO-04-1015G 
entitled 'GAO/PCIE: Financial Audit Manual: Update' which was released 
on July 01, 2004.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

July 2004:

Dear Colleague:

The U.S. Government Accountability Office (GAO) and the President's 
Council on Integrity and Efficiency (PCIE) maintain the GAO/PCIE 
Financial Audit Manual (FAM). The FAM provides guidance for performing 
financial statement audits of federal entities. The FAM is a key tool 
for enhancing accountability over taxpayer-provided resources.

GAO and the PCIE are committed to keeping the FAM current. With this 
goal in mind, a GAO/PCIE task force prepared the attached update of the 
FAM, primarily to incorporate the provisions of Statement on Auditing 
Standards 99, Consideration of Fraud in a Financial Statement Audit. 
The updated sections are highlighted in the table of contents. This 
update was issued as an exposure draft on the internet in April 2004 
and includes changes based on comments received. The FAM, as amended 
for this and other updates, is available on the internet at either the 
GAO web site (www.gao.gov) or the PCIE web site 
(www.ignet.gov/pande/audit1.html#guide).

If you have comments or suggestions for future FAM updates, please send 
an email to FAM_Comments@oig.doi.gov.

We thank the individuals and organizations that provided comments and 
insights to enhance the FAM. The task force assembled by GAO and the 
PCIE also deserves much credit for its dedication to completing this 
project.

Signed by:

Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance
U.S. Government Accountability Office

Signed by:

The Honorable Everett L. Mosley
Chair
President's Council on Integrity and Efficiency Audit Committee

Attachment:

United States Government Accountability Office:

President's Council on Integrity and Efficiency:

GAO/PCIE:

Financial Audit Manual: Update:

GAO-04-1015G: 

July 2004:

CONTENTS:

100: INTRODUCTION:

200: PLANNING PHASE:

210: Overview:

220: Understand the Entity's Operations:

225: Perform Preliminary Analytical Procedures:

230: Determine Planning, Design, and Test Materiality:

235: Identify Significant Line Items, Accounts, Assertions, and RSSI:

240: Identify Significant Cycles, Accounting Applications, and 
Financial Management Systems:

245: Identify Significant Provisions of Laws and Regulations:

250: Identify Relevant Budget Restrictions:

260: Identify Risk Factors:

270: Determine Likelihood of Effective Information System Controls:

275: Identify Relevant Operations Controls to Evaluate and Test:

280: Plan Other Audit Procedures:

* Inquiries of Legal Counsel:

* Management Representations:

* Related Party Transactions:

* Sensitive Payments:

* Reaching an Understanding with Management and Requesters:

* Other Audit Requirements:

285: Plan Locations to Visit:

290: Documentation:

Appendixes to Section 200:

295 A: Potential Inherent Risk Conditions:

295 B: Potential Control Environment, Risk Assessment, Communication, 
and Monitoring Weaknesses:

295 C: An Approach for Multiple-Location Audits:

295 D: Interim Substantive Testing of Balance Sheet Accounts:

295 E: Effect of Risk on Extent of Audit Procedures:

295 F: Types of Information System Controls:

295 G: Budget Controls:

295 H: Laws Identified in OMB Audit Guidance and Other General Laws:

295 I: Examples of Auditor Responses to Fraud Risks:

295 J: Steps in Assessing Information System Controls:

300: INTERNAL CONTROL PHASE:

310: Overview:

320: Understand Information Systems:

330: Identify Control Objectives:

340: Identify and Understand Relevant Control Activities:

350: Determine the Nature, Timing, and Extent of Control Tests and of 
Tests for Systems' Compliance with FFMIA Requirements:

360: Perform Nonsampling Control Tests and Tests for Systems' 
Compliance with FFMIA Requirements:

370: Assess Controls on a Preliminary Basis:

380: Other Considerations:

390: Documentation:

Appendixes to Section 300:

395 A: Typical Relationships of Accounting Applications to Line 
Items/Accounts:

395 B: Financial Statement Assertions and Potential Misstatements:

395 C: Typical Control Activities:

395 D: Selected Statutes Relevant to Budget Execution:

395 E: Budget Execution Process:

395 F: Budget Control Objectives:

395 F Sup: Budget Control Objectives - Federal Credit Reform Act 
Supplement:

395 G: Rotation Testing of Controls:

395 H: Specific Control Evaluation Worksheet:

395 I: Account Risk Analysis Form:

400: TESTING PHASE:

410: Overview:

420: Consider the Nature, Timing, and Extent of Tests:

430: Design Efficient Tests:

440: Perform Tests and Evaluate Results:

450: Sampling Control Tests:

460: Compliance Tests:

470: Substantive Tests - Overview:

475: Substantive Analytical Procedures:

480: Substantive Detail Tests:

490: Documentation:

Appendixes to Section 400:

495 A: Determining Whether Substantive Analytical Procedures Will Be 
Efficient and Effective:

495 B: Example Procedures for Tests of Budget Information:

495 C: Guidance for Interim Testing:

495 D: Example of Audit Matrix with Statistical Risk Factors:

495 E: Sampling:

495 F: Manually Selecting a Dollar Unit Sampling:

500: REPORTING PHASE:

510: Overview:

520: Perform Overall Analytical Procedures:

530: Determine Adequacy of Audit Procedures and Audit Scope:

540: Evaluate Misstatements:

550: Conclude Other Audit Procedures:

* Inquiries of Attorneys:

* Subsequent Events:

* Management Representations:

* Related Party Transactions:

560: Determine Conformity with Generally Accepted Accounting 
Principles:

570: Determine Compliance with GAO/PCIE Financial Audit Manual:

580: Draft Reports:

* Financial Statements:

* Internal Control:

* Financial Management Systems:

* Compliance with Laws and Regulations:

* Other Information in the Accountability Report:

590: Documentation:

Appendixes to Section 500:

595 A: Example Auditor's Report - Unqualified:

595 B: Suggested Modifications to Auditor's Report:

595 C: Example Summary of Possible Adjustments:

595 D: Example Summary of Unadjusted Misstatements:

APPENDIXES:

A: Consultations:

B: Instances Where the Auditor "Must" Comply with the FAM:

GLOSSARY:

ABBREVIATIONS:

INDEX:

CONTENTS - PART II - TOOLS:

600: PLANNING AND GENERAL:

601: Introduction to Part II - Tools:

650: Using the Work of Others:

650 A: Summary of Audit Procedures and Documentation for Review of 
Other Auditors' Work:

650 B: Example Audit Procedures for Using the Work of Others:

650 C: Example Reports When Using the Work of Others:

660: Agreed-Upon Procedures:

660 A: Example Agreed-Upon Procedures Engagement Letter:

660 B: Example Representation Letter from Responsible Entity on 
Agreed-Upon Procedures Engagement:

660 C: Agreed-Upon Procedures Completion Checklist:

660 D: Example Agreed-Upon Procedures Report:

700: INTERNAL CONTROL (See also section 900):

701: Assessing Compliance of Agency Systems with the Federal Financial 
Management Improvement Act (FFMIA):

701 A: Example Audit Procedures for Testing Compliance with FFMIA:

701 B: Summary Schedule of Instances of Noncompliance with FFMIA:

800: COMPLIANCE:

801: Reserved:

802: General Compliance Checklist:

803: Antideficiency Act:

804: Reserved:

805: Reserved:

806: Reserved:

807: Reserved:

808: Federal Credit Reform Act of 1990:

809: Provisions Governing Claims of the U.S. Government (31 U.S.C. 
3711-3720E) (Including the Debt Collection Improvement Act of 1996) 
(DCIA):

810: Prompt Payment Act:

811: Reserved:

812: Pay and Allowance System for Civilian Employees, as Provided 
Primarily in Chapters 51-59 of Title 31, U.S. Code:

813: Civil Service Retirement Act:

814: Federal Employees Health Benefits Act:

815: Reserved:

816: Federal Employees' Compensation Act:

817: Federal Employees' Retirement System Act of 1986:

900: SUBSTANTIVE TESTING:

901: Reserved:

902: Related Parties, Including Intragovernmental Activity and 
Balances:

902 A: Example Account Risk Analysis for Intragovernmental Activity and 
Balances:

902 B: Example Specific Control Evaluation for Intragovernmental 
Accounts:

902 C: Example Audit Procedures for Intragovernmental and Other Related 
Parties' Activity and Balances:

903: Auditing Cost Information:

921: Auditing Fund Balance with Treasury (FBWT):

921 A: Treasury Processes and Reports Related to FBWT Reconciliation:

921 B: Example Account Risk Analysis for Fund Balance with Treasury:

921 C: Example Specific Control Evaluation for Fund Balance with 
Treasury:

921 D: Example Audit Procedures for Fund Balance with Treasury:

1000: REPORTING:

1001: Management Representations:

1001 A: Example Management Representation Letter:

1002: Inquiries of Legal Counsel:

1002 A: Example Audit Procedures for Inquiries of Legal Counsel:

1002 B: Example Legal Letter Request:

1002 C: Example Legal Representation Letter:

1002 D: Example Management Summary Schedule:

1003: Financial Statement Audit Completion Checklist:

1004: Reserved (see section 1050 for Checklist previously in section 
1004):

1005: Subsequent Events Review:

1006: Reserved (see section 902 for Related Parties):

1050: Checklist for Federal Accounting, Reporting, and Disclosures:

[End of section]

Planning Phase:

225 - PERFORM PRELIMINARY ANALYTICAL PROCEDURES:

.01: During the planning phase, preliminary analytical procedures are 
performed to help the auditor:

* understand the entity's business, including current-year transactions 
and events;

* identify account balances, transactions, ratios, or trends that may 
signal inherent or control risks, including any risks related to fraud 
(see section 260);

* identify and understand the significant accounting policies;

* determine planning, design, and test materiality (see section 230); 
and

* determine the nature, timing, and extent of audit procedures to be 
performed.

.02: GAAS requires the auditor to perform preliminary analytical 
procedures (AU 329). The resources spent in performing these procedures 
should be commensurate with the expected reliability of comparative 
information. For example, in a first-year audit, comparative 
information might be unreliable; therefore, preliminary analytical 
procedures generally should be limited.

.03: The auditor generally should perform the following steps to 
achieve the objectives of preliminary analytical procedures:

a. Compare current-year amounts with relevant comparative financial 
information: The financial data used in preliminary analytical 
procedures generally are summarized at a high level, such as the level 
of financial statements. If financial statements are not available, the 
budget or financial summaries that show the entity's financial position 
and results of operations may be used.

The auditor compares current-year amounts with relevant comparative 
financial information. Use of unaudited comparative data might not 
allow the auditor to identify significant fluctuations, particularly if 
an item consistently has been treated incorrectly. Also, errors in the 
unaudited comparative data may cause the auditor to identify apparent 
fluctuations that are not real fluctuations.

A key to effective preliminary analytical procedures is to use 
information that is comparable in terms of the time period presented 
and the presentation (i.e., same level of detail and consistent 
grouping of detail accounts into summarized amounts used for 
comparison).

The auditor may perform ratio analysis on current-year data and compare 
the current year's ratios with those derived from prior periods or 
budgets. The auditor does this to study the relationships among 
components of the financial statements and to increase knowledge of the 
entity's activities. The auditor uses ratios that are relevant 
indicators or measures for the entity. Also, the auditor should 
consider any trends in the performance indicators prepared by the 
entity.

b. Identify significant fluctuations: Fluctuations are differences 
between the recorded amounts and the amounts expected by the auditor, 
based on comparative financial information and the auditor's knowledge 
of the entity. Fluctuations refer to both unexpected differences 
between current-year amounts and comparative financial information as 
well as the absence of expected differences. The identification of 
fluctuations is a matter of the auditor's judgment.

The auditor establishes parameters for identifying significant 
fluctuations. When setting these parameters, the auditor generally 
considers the amount of the fluctuation in terms of absolute size 
and/or the percentage difference. The amount and percentage used are 
left to the auditor's judgment. An example of a parameter is "All 
fluctuations in excess of $10 million and/or 15 percent of the 
prior-year balance or other unusual fluctuations will be considered 
significant."

c. Inquire about significant fluctuations: The auditor discusses the 
identified fluctuations with appropriate entity personnel. The focus of 
the discussion is to achieve the purposes of the procedures described 
in paragraph 225.01. For preliminary analytical procedures, the auditor 
does not need to corroborate the explanations since they will be tested 
later. However, the explanations should appear reasonable and 
consistent to the auditor. The inability of entity personnel to explain 
the cause of a fluctuation may indicate the existence of control, 
fraud, and/or inherent risks.

.04: In performing preliminary analytical procedures, the auditor 
develops expectations about plausible relationships that are expected 
to exist. Because these procedures generally use data aggregated at a 
high level, their results typically provide only a broad initial 
indication about a potential misstatement. The auditor should consider 
any unusual relationships, together with other information gathered, in 
identifying the risk of material misstatement due to fraud (see section 
260).
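
The following Python example is added here and is not part of the GAO/PCIE manual. It applies the example parameter quoted in paragraph 225.03 b to constructed line items, measuring each fluctuation against the auditor's expectation (paragraph 225.04); the line-item names, amounts, and the rule that a balance appearing from zero counts as an "other unusual fluctuation" are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

# Example parameter quoted in paragraph 225.03 b; real values are auditor judgment.
AMOUNT_LIMIT = Decimal("10000000")   # $10 million
PERCENT_LIMIT = Decimal("0.15")      # 15 percent of the prior-year balance


@dataclass(frozen=True)
class LineItem:
    name: str
    prior_year: Decimal
    current_year: Decimal
    # Auditor's expected current-year amount; None means "expect the prior-year amount".
    expected: Optional[Decimal] = None


@dataclass(frozen=True)
class Fluctuation:
    name: str
    difference: Decimal        # recorded amount minus expected amount
    kind: str                  # "unexpected difference" or "absence of expected difference"
    reasons: Tuple[str, ...]   # which tests were exceeded


def exceeded(difference: Decimal, prior_year: Decimal) -> List[str]:
    """Return the tests a difference exceeds; "and/or" is read as either one."""
    reasons = []
    if abs(difference) > AMOUNT_LIMIT:          # "in excess of" is a strict comparison
        reasons.append("amount")
    # The percentage is undefined without a prior-year balance; the caller handles that case.
    if prior_year != 0 and abs(difference) / abs(prior_year) > PERCENT_LIMIT:
        reasons.append("percent")
    return reasons


def significant_fluctuations(items: List[LineItem]) -> List[Fluctuation]:
    """Flag line items whose recorded amount departs from the auditor's expectation."""
    flagged = []
    for item in items:
        expected = item.prior_year if item.expected is None else item.expected
        difference = item.current_year - expected
        reasons = exceeded(difference, item.prior_year)
        # Assumption: a balance appearing from zero is an "other unusual fluctuation".
        if item.prior_year == 0 and difference != 0:
            reasons.append("no prior-year balance")
        if not reasons:
            continue
        # A change was expected but the recorded amount stayed near the prior year:
        # that is the "absence of expected differences" case in 225.03 b.
        moved = exceeded(item.current_year - item.prior_year, item.prior_year)
        kind = ("absence of expected difference"
                if item.expected is not None and not moved
                else "unexpected difference")
        flagged.append(Fluctuation(item.name, difference, kind, tuple(reasons)))
    return flagged


# Constructed sample data (not from the manual), summarized at financial statement level.
M = Decimal("1000000")
SAMPLE = [
    LineItem("Fund Balance with Treasury", 500 * M, 505 * M),   # 1 percent, $5M: not flagged
    LineItem("Accounts Receivable", 40 * M, 48 * M),            # 20 percent, under $10M
    LineItem("Gross Costs", 2000 * M, 2012 * M),                # $12M, under 1 percent
    LineItem("Grant Expenses", 100 * M, 101 * M, expected=150 * M),  # expected growth absent
    LineItem("Loans Receivable", 0 * M, 3 * M),                 # no prior-year balance
]

if __name__ == "__main__":
    for f in significant_fluctuations(SAMPLE):
        print(f"{f.name}: {f.difference:+,} ({f.kind}; {', '.join(f.reasons)})")
```

Each flagged item is a prompt for the inquiry in step c, not a finding in itself.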

[End of section]

Planning Phase:

260 - IDENTIFY RISK FACTORS:

.01: The auditor's consideration of inherent risk, fraud risk, control 
environment, risk assessment, communication, and monitoring (parts of 
internal control) affects the nature, timing, and extent of substantive 
and control tests. This section describes (1) the impact of risk 
factors identified during this consideration on substantive and control 
tests, (2) the process for identifying these risk factors, and (3) the 
auditor's consideration of the entity's process for reporting under 
FMFIA (both for internal control (section 2 of FMFIA) and for financial 
management systems' conformance with system requirements (section 4 of 
FMFIA)) and for formulating the budget.

IMPACT ON SUBSTANTIVE TESTING:

.02: AU 312 provides guidance on the consideration of audit risk and 
defines "audit risk" as the risk that the auditor may unknowingly fail 
to appropriately modify an opinion on financial statements that are 
materially misstated. Audit risk can be thought of in terms of the 
following three component risks:

* Inherent risk is the susceptibility of an assertion to a material 
misstatement, assuming that there are no related internal controls.

* Control risk is the risk that a material misstatement that could 
occur in an assertion will not be prevented or detected and corrected 
on a timely basis by the entity's internal control. Internal control 
consists of five components: (1) the control environment, (2) risk 
assessment, (3) monitoring, (4) information and communication, and (5) 
control activities (defined in paragraph 260.08 below). This section 
will discuss the first three of the components and communication, which 
is part of the fourth component. Section 300 (Internal Control Phase) 
will discuss the information systems and control activities.

* Detection risk is the risk that the auditor will not detect a 
material misstatement that exists in an assertion.

AU 316 requires the auditor to consider fraud risk, which is a part of 
audit risk, making up a portion of inherent and control risk. Fraud 
risk consists of the risk of fraudulent financial reporting and the 
risk of misappropriation of assets that cause a material misstatement 
of the

[Pages 260-2 to 260-8 remain unchanged. Revised pages follow.]

generated may be too voluminous to allow effective manual review. For 
example, one posting to the general ledger may result from the 
computer summarization of information from hundreds of locations.

e. Nature of the hardware and software used in IS: The nature of the 
hardware and software can affect inherent risk, as illustrated below:

* The type of computer processing (on-line, batch-oriented, or 
distributed) presents different levels of inherent risk. For example, 
the inherent risk of unauthorized transactions and data entry errors 
may be greater for on-line processing than for batch-oriented 
processing.

* Peripheral access devices or system interfaces can increase inherent 
risk. For example, Internet and dial-up access to a system increases 
the system's accessibility to additional persons and therefore 
increases the risk of unauthorized access to computer resources.

* Distributed networks enable multiple computer processing units to 
communicate with each other, increasing the risk of unauthorized access 
to computer resources and possible data alteration. On the other hand, 
distributed networks may decrease the risk of conflicting computerized 
data between multiple processing units.

* Applications software developed in-house may have higher inherent 
risk than vendor-supplied software that has been thoroughly tested and 
is in general commercial use.

f. Unusual or nonroutine transactions: As with manual systems, unusual 
or nonroutine transactions increase inherent risk. Programs developed 
to process such transactions may not be subject to the same procedures 
as programs developed to process routine transactions. For example, the 
entity may use a utility program to extract specified information in 
support of a nonroutine management decision.

FRAUD RISKS:

.18: The auditor has a responsibility to plan and perform the audit to 
obtain reasonable assurance about whether the financial statements are 
free of material misstatement, whether caused by error or fraud. 
Accordingly, the auditor is concerned with the risk of material 
misstatement due to fraud (fraud risk). The primary factor that 
distinguishes fraud from error is that the action causing the 
misstatement in fraud is intentional. (See section 230 related to 
materiality, including quantitative and qualitative considerations.)

.19: Two types of misstatements are relevant to the auditor's 
consideration of fraud in an audit of financial statements--
misstatements arising from fraudulent financial reporting and 
misstatements arising from misappropriation of assets. Misstatements 
arising from fraudulent financial reporting are intentional 
misstatements or omissions of amounts or disclosures in financial 
statements to deceive financial statement users. They could involve 
intentional alteration of accounting records, misrepresentation of 
transactions, intentional misapplication of accounting principles, or 
other means. Misstatements arising from misappropriation of assets 
involve theft of an entity's assets that results in misstatements in the 
financial statements. They could involve theft of property, 
embezzlement of receipts, fraudulent payments, or other means. (See 
section 310 for internal control over safeguarding assets. Safeguarding 
controls relate to protecting assets against loss from unauthorized 
acquisition, use, or disposition.)

.20: In considering misstatements arising from misappropriation of 
assets, the auditor should consider fraud risks associated with 
improper payments. Some of the improper payments made by federal 
government entities could involve fraud. The Improper Payments 
Information Act of 2002 (P.L. 107-300) defines improper payments as any 
payment that should not have been made or that was made in an incorrect 
amount (including overpayments and underpayments) under statutory, 
contractual, administrative, or other legally applicable requirements. 
The act requires agency heads to annually review all programs and 
activities that they administer, identify those that might be 
susceptible to significant improper payments, [Footnote 1] estimate 
annual improper payments for those identified programs, and--for 
programs for which estimated improper payments exceed $10 million--
report certain information to the Congress. Although the act has this 
reporting threshold, the auditor might consider improper payments 
amounting to $10 million or less quantitatively or qualitatively 
material.

.21: As discussed in paragraph .18, the auditor is responsible for 
obtaining reasonable, but not absolute, assurance about whether the 
financial statements are free of material misstatement. Absolute 
assurance cannot be attained, and the auditor's report does not provide 
absolute assurance. A properly planned and performed audit might not 
detect a material misstatement, and the subsequent discovery of a 
material misstatement does not, in and of itself, provide evidence that 
the auditor did not conform with auditing standards.

.22: In addition, the auditor should be alert to situations or 
transactions that could be indicative of abuse. Abuse is distinct from 
fraud and illegal acts. Abuse involves behavior that is deficient or 
improper (but not necessarily fraudulent or illegal) when compared with 
behavior that a prudent person would consider reasonable and necessary 
business practice given the facts and circumstances. The auditor is not 
required to detect abuse. However, if indications of abuse that could 
result in material misstatement of the financial statements or other 
financial data come to the auditor's attention, the auditor should 
apply audit procedures specifically directed to determine whether abuse 
has occurred and the effect, if any, on the financial statements. The 
auditor should consider both quantitative and qualitative factors in 
making judgments about the materiality of possible abuse and about 
related audit procedures. The determination of abuse is subjective, and 
the auditor does not provide reasonable assurance of detecting abuse. 
(See GAGAS, paragraphs 4.19-.20.)

Characteristics of Fraud:

.23: Three conditions generally are present when fraud occurs:

* Incentive/Pressure--Management, other employees, or external parties 
(for example, for some improper payments) have an incentive or are 
under pressure, which provides a motive to commit fraud.

* Opportunity--Circumstances exist, such as the absence of controls, 
ineffective controls, or the ability of management to override 
controls, that provide an opportunity to commit fraud.

* Attitude/Rationalization--Individuals involved are able to 
rationalize committing fraud. Some individuals possess an attitude, 
character, or ethical values that allow them to knowingly and 
intentionally commit a dishonest act.

Generally, the greater the incentive or pressure, the more likely an 
individual will be able to rationalize the acceptability of committing 
fraud.

.24: Management is in a position that could permit it to perpetrate 
fraud by directly or indirectly manipulating accounting records; 
overriding controls, sometimes in unpredictable ways; or committing 
other fraudulent or improper acts.

Fraud Risk Factors:

.25: Although fraud is usually concealed, the presence of fraud risk 
factors that indicate incentive/pressure, opportunity, or 
attitude/rationalization might alert the auditor to a significant risk of fraud. 
However, fraud risk factors do not necessarily indicate that fraud 
exists. Examples of fraud risk factors, classified by the two types of 
fraudulent misstatements and then by these three conditions, include 
the following:

a. Examples related to misstatements arising from fraudulent financial 
reporting:

* Incentive/Pressure--Incentive exists for management to report reduced 
program costs or costs that are consistent with budgeted amounts, or 
excessive pressure exists to meet unrealistic deadlines or other 
requirements.

* Opportunity--Key financial statement amounts are based on significant 
estimates that involve subjective judgments or uncertainties that are 
difficult to corroborate, or management is in a position to override 
controls for processing adjustments or unusual transactions.

* Attitude/Rationalization--Employees perceive that penalties exist 
for reporting honest results, or employees consider requirements such 
as performance targets unrealistic.

b. Examples related to misstatements arising from misappropriation of 
assets:

* Incentive/Pressure--Employees who are disgruntled because of 
impending layoffs have an incentive to misappropriate assets, or 
pressure to meet programmatic objectives such as for rapid benefit 
payments increases the risk of fraudulent improper payments.

* Opportunity--Employees have access to assets that are small in size 
and valuable or the authority to disburse funds, or a program has 
weaknesses in internal control related to fraudulent improper payments.

* Attitude/Rationalization--Employees believe that management is 
unethical, or individuals believe they are entitled to the entity's 
assets.

Fraud risk factors represent inherent or control risk factors. As 
discussed in paragraph .02, the auditor should consider fraud risk 
factors in assessing inherent and control risk. Sections 295A and 295B 
include additional examples of fraud risk factors.

Professional Skepticism:

.26: The auditor should exercise professional skepticism--an attitude 
that includes a questioning mind and a critical assessment of audit 
evidence--throughout the audit. The auditor should maintain a mindset 
that recognizes the possibility that a material misstatement due to 
fraud might be present, regardless of any past experience with the 
entity and regardless of the auditor's belief about management's 
honesty and integrity.

Brainstorming Meeting(s) about Potential Fraud Risks:

.27: Audit team members should exchange ideas in one or more 
"brainstorming" meeting(s) to identify potential fraud risks. They 
should discuss how and where the financial statements could be 
susceptible to material fraudulent misstatement, how management could 
perpetrate and conceal fraudulent financial reporting, how assets could 
be misappropriated (including through fraudulent improper payments), 
how management could override controls, and how the auditor might 
respond to these risks. They also should consider known internal and 
external fraud risk factors (including any related to fraudulent 
improper payments) and categorize these factors by type of misstatement 
and by incentive/pressure, opportunity, and attitude/rationalization. 
The brainstorming discussion should emphasize the need to exercise 
professional skepticism in gathering and evaluating evidence throughout 
the audit.

.28: The Audit Director, Assistant Director, and all other team members 
who have significant responsibilities in planning and performing the 
audit should participate in brainstorming, which may be performed in a 
single meeting or in multiple meetings. While different members may 
participate in different meetings, each brainstorming meeting should 
include at least one experienced team member, and all team members 
should be familiar with the collective results of the brainstorming 
meeting(s). Determining the brainstorming participants (for example, it 
might be useful to include stakeholders and specialists, such as IS 
auditors) and the number of brainstorming meeting(s) are matters of 
auditor judgment.

.29: The auditor's consideration of fraud risks should be ongoing 
throughout the audit. Near the completion of fieldwork, the auditor 
should evaluate whether the audit test results indicate the need for a 
change in the assessment of the fraud risks made earlier or the need 
for additional or different audit procedures (see paragraphs 
540.18-.19). Accordingly, communications with the audit team members about 
fraud should occur as needed throughout the audit, and the auditor may 
hold multiple, periodic brainstorming meetings.

Information to Identify Fraud Risks:

.30: Fraud risks might be identified as a result of replies to 
inquiries. To obtain information about fraud risks, the auditor should 
inquire of management about:

* any knowledge of fraud or suspected fraud (including fraudulent 
improper payments), or related allegations;

* management's understanding of fraud risks, including any specific 
risks the entity has identified and any account balances or classes of 
transactions having likely fraud risks (including information about any 
fraudulent improper payments that the agency identified in making 
assessments related to the Improper Payments Information Act of 2002);

* any antifraud programs and controls the entity has established; 
[Footnote 2]

* the nature and extent of monitoring of locations or business 
segments, if any, and whether there are particular locations or segments 
for which fraud risks might be more likely;

* whether and how management communicates to employees its views on 
business practices and ethical behavior; and

* whether management has reported to the audit committee (referred to 
as "financial management advisory committee" in some federal entities) 
or others with equivalent authority and responsibility on how the 
entity's internal control prevents, deters, or detects fraud.

.31: In addition to inquiring of management, inquiring of others might 
provide a different perspective or provide other important information. 
Accordingly, the auditor should perform the following inquiries and 
related procedures:

a. Obtain information about instances of fraud (including any related 
to fraudulent improper payments) reported by the inspector general, 
ordinarily by asking the Special Investigator Unit to summarize how 
cases of reported fraud were committed, and then ask management or the 
Office of Inspector General whether related controls have been 
strengthened.

b. Inquire of the audit committee or others with equivalent authority 
and responsibility about fraud risks and any fraud or suspected fraud, 
and obtain an understanding of how they exercise oversight.

c. Inquire of internal audit personnel about fraud risks, any 
procedures to detect fraud during the reporting period, management's 
response to any such findings, and any fraud or suspected fraud.

d. Inquire of other personnel about fraud or suspected fraud. The 
auditor should use judgment to determine whom to ask and the extent of 
inquiries. For example, the auditor may make inquiries of employees 
with varying levels of authority, operating personnel not directly 
involved in the financial reporting process, employees familiar with 
complex or unusual transactions or with improper payments, and in-house 
legal counsel.

e. If inconsistencies arise from the auditor's inquiries of management 
and others, obtain additional evidence to resolve the inconsistencies.

.32: The auditor also should perform the following procedures:

a. Obtain and review the agency's (1) plan to identify improper 
payments and (2) report, if any, on improper payments (or information 
about any findings) that resulted from the agency's review under the 
Improper Payments Information Act of 2002.

b. Determine whether preliminary analytical procedures disclosed any 
unusual or unexpected relationships that might indicate fraud risks. 
Where revenue is (or is expected to be) material, analytical procedures 
should include those related to revenue--for example, trend analysis--
to identify unusual or unexpected relationships that might indicate 
fraudulent financial reporting of revenue (see section 225 related to 
preliminary analytical procedures).

c. Consider whether any fraud risk factors exist (see paragraph .25).

d. Consider other information that might help identify fraud risks, 
such as information that resulted from previous audits, the 
brainstorming meeting(s), procedures related to accepting and 
continuing engagements, any reports on interim financial statements, 
and inherent risks identified at the account or transaction level.

Identification and Assessment of Fraud Risks:

.33: To identify fraud risks (including any related to fraudulent 
improper payments), the auditor should perform the following 
procedures:

a. Evaluate the information obtained in the procedures described in 
paragraphs .28-.32, in the context of the three conditions that 
generally are present when fraud occurs--incentive/pressure, 
opportunity, and attitude/rationalization. While fraud risk might be 
greatest when all three of these conditions are evident, observation of 
one or more of these conditions might indicate a fraud risk.

b. Where revenue is (or is expected to be) material, evaluate whether 
there are fraud risks related to revenue recognition (for example, 
through premature recognition or fictitious revenue). If the auditor 
concludes that improper revenue recognition does not represent a fraud 
risk, the auditor should document the reasons supporting that 
conclusion (see paragraph 290.04 h).

c. Evaluate the possibility that management could override controls, 
even if specific fraud risks have not been identified.

.34: For each identified fraud risk, the auditor should determine 
whether it relates to (1) specific financial statement account balances 
or classes of transactions and related assertions or (2) more 
pervasively to the financial statements as a whole. Generally, relating 
fraud risks to the individual accounts, classes of transactions, and 
assertions helps in designing audit procedures in response to these 
risks.

.35: As part of understanding internal control sufficient to plan the 
audit, the auditor should (1) evaluate whether programs and controls 
that address identified fraud risks have been suitably designed and 
placed in operation and (2) determine whether these programs and 
controls mitigate these risks or whether specific control deficiencies 
exacerbate these risks. See section 350 regarding testing the operating 
effectiveness of controls that are determined to mitigate these risks.

.36: The auditor should assess the identified fraud risks, taking into 
consideration the results of the procedures described in the preceding 
paragraph. In making this assessment, using professional judgment, the 
auditor should consider all significant aspects of each of these risks, 
including the type of misstatement, the significance and 
pervasiveness of the risk, and the likelihood that it could result in a 
material misstatement.

Response to Assessed Fraud Risks:

.37: The auditor must respond to the assessed risks of material 
misstatement due to fraud. The nature and significance of these fraud 
risks, as well as programs and controls that address identified fraud 
risks, influence the auditor's response. The auditor should use 
professional judgment in determining the appropriate response for the 
circumstances and exercise professional skepticism in gathering and 
evaluating audit evidence. The response should (1) have an overall 
effect on the conduct of the audit (see paragraph .39), (2) address 
fraud risks that relate to management override of controls (see 
paragraph .40), and, (3) for any of these risks that relate to specific 
financial statement account balances or classes of transactions and 
related assertions, involve the nature, timing, and extent of audit 
procedures (see paragraph .41). If it is not practicable, as part of a 
financial statement audit, to design audit procedures that sufficiently 
respond to the fraud risks, the auditor should consider requesting 
assistance from the Special Investigator Unit.

.38: In some instances, the audit plan could, for reasons other than 
responding to fraud risk, include procedures and personnel and 
supervisory assignments that are sufficient to respond to a fraud risk. 
In these instances, the auditor may conclude that no further response 
is required. For example, with respect to timing, audit procedures 
could be planned as of the date that the reporting period ends, both as 
a response to a fraud risk and for other reasons.

.39: The auditor should respond to the fraud risks in ways that have an 
overall effect on the conduct of the audit, as follows:

a. Assignment of personnel and supervision--Assign audit team staffing 
and/or supervision so that the knowledge, skill, and ability of 
personnel assigned significant responsibilities are commensurate with 
the auditor's assessment of the fraud risks--for example, the auditor 
may assign a fraud specialist or more experienced personnel or may 
increase supervision in response to identified fraud risks (also see 
section 270 related to IS auditors).

b. Review of accounting principles--Review management's selection and 
collective application of significant accounting principles, 
particularly those related to subjective measurements and complex 
transactions.

c. Unpredictability of audit procedures--Incorporate an element of 
unpredictability in the selection of audit procedures from reporting 
period to reporting period--for example, perform substantive tests of 
selected account balances and assertions not otherwise tested due to 
their materiality and risk, adjust the timing of audit tests, use a 
different method to select items for testing, or perform procedures at 
different locations or at locations on an unannounced basis. 
Statistical sampling selection usually provides an element of 
unpredictability as to the specific items tested (see section 480). 
Generally, the auditor should not inform entity personnel of specific 
audit procedures prior to performing them.

.40: The auditor should perform the following procedures to 
specifically address the risk that management can perpetrate fraud by 
overriding controls:

a. Examination of journal entries and other adjustments--Examine 
journal entries and other adjustments for evidence of possible material 
misstatement due to fraud. These include reclassifications, 
consolidating entries, and other routine and nonroutine journal entries 
and adjustments. The auditor should obtain an understanding of the 
financial reporting process and the controls over journal entries and 
other adjustments; identify and select journal entries and other 
adjustments for testing; determine the nature, timing, and extent of 
the testing (ordinarily including tests of journal entries and other 
adjustments at the end of the reporting period); and inquire of 
individuals involved in the financial reporting process about 
inappropriate or unusual activity related to the processing of journal 
entries and other adjustments.

b. Review of accounting estimates--Review accounting estimates for 
biases that could result in material misstatement due to fraud. In 
preparing financial statements, management is responsible for making 
judgments or assumptions that affect significant accounting estimates 
and for monitoring the reasonableness of these estimates on an ongoing 
basis. The auditor should consider whether differences between (1) 
estimates best supported by the evidence and (2) the estimates included 
in the financial statements, even if the estimates are individually 
reasonable, indicate possible bias by management, in which case the 
auditor should reconsider the estimates taken as a whole. The auditor 
also should perform a retrospective review of significant accounting 
estimates used in the prior year's financial statements, focusing on 
sensitive or subjective aspects, to determine whether they indicate 
possible bias by management. Further, the auditor should be alert for 
aggressive or inconsistently applied estimates.

c. Evaluation of business rationale for significant unusual 
transactions--Evaluate the business rationale for any significant 
unusual transactions, considering whether (1) the form of these 
transactions is overly complex, (2) management has discussed the nature 
of and accounting for these transactions with the audit committee or 
others with equivalent authority and responsibility or the board of 
directors, if any, (3) management is placing more emphasis on 
particular accounting treatments than on the underlying economics of 
the transactions, (4) transactions that involve related parties have 
been properly reviewed and approved by the audit committee or others 
with equivalent authority and responsibility or the board of directors, 
if any, and (5) the transactions involve previously unidentified 
related parties (see section 902) or related parties that do not have 
the substance or financial strength to support the transaction without 
assistance from the entity.

.41: For fraud risks related to specific financial statement account 
balances or classes of transactions and related assertions, the 
specific response will depend on the types of risks and the specific 
balances or classes and assertions, but it generally should involve 
both substantive and control tests. The response should involve the 
following:

a. Nature of audit procedures--for example, obtaining related evidence 
from independent external sources rather than internal sources;

b. Timing of audit procedures--for example, performing substantive 
testing at or near the end of the reporting period rather than at an 
interim date; and

c. Extent of audit procedures--for example, increasing audit sample 
sizes.

Section 295 I provides additional examples of responses.

[Subsequent sections of FAM 260, beginning at "Control Environment 
Factors," remain unchanged, and the numbering of paragraphs and pages 
will be conformed.]

Footnotes:

[1] Agencies first need to determine which programs and activities are 
susceptible (at high risk) to improper payments. In determining this, 
OMB has issued guidance defining significant improper payments as those 
that exceed both 2.5 percent of program payments and $10 million. See 
OMB Memorandum M-03-13, Improper Payments Information Act of 2002, 
Public Law 107-300 (May 21, 2003).

[2] An example document, Management Antifraud Programs and Controls, 
commissioned by the Fraud Task Force of the Auditing Standards Board of 
the AICPA, is available at the AICPA's web site, www.aicpa.org.

[End of section]

Planning Phase:

280 - PLAN OTHER AUDIT PROCEDURES:

.01: The auditor should consider the following areas during the 
planning phase, even though many related audit procedures will be 
applied during the other phases.

INQUIRIES OF LEGAL COUNSEL:

.02: As discussed in AU 337 and section 550, the auditor should make 
inquiries of the entity's counsel and perform other audit procedures 
regarding litigation, claims, and assessments. Because of the amount of 
time needed by management and the legal counsel to gather and 
report the necessary information (including the potential need for 
management to inquire of Department of Justice legal counsel on a case-
specific basis), the auditor should plan the following procedures 
(which are described in more detail in AU 337) for an appropriate time 
in the audit:

* making inquiries of management regarding their policies and 
procedures used for identifying, evaluating, and accounting for 
litigation, claims, and assessments;

* obtaining a description and evaluation of all such matters existing 
as of the balance sheet date and through the date of management's 
response (which should be near the end of fieldwork);

* obtaining evidence regarding legal counsel used by the entity and 
matters handled; and

* sending letters of audit inquiry to legal counsel (the auditor may 
limit the inquiry to matters that are considered individually or 
collectively material to the financial statements, provided the entity 
and the auditor have reached an understanding and agreement on the 
materiality level).

MANAGEMENT REPRESENTATIONS:

.03: As discussed in section 550, the auditor is required to obtain a 
representation letter from management on specific matters prior to 
completion of the audit. Particularly during first year audits and when 
standards change, the auditor may want to discuss these required 
representations with management early in the audit to identify and 
resolve any difficulties related to obtaining these representations. 
Note that for federal government auditors, these representations 
include (1) the effectiveness of internal control, (2) compliance with 
laws and regulations, and, (3) for CFO Act agencies, financial 
management systems' substantial compliance with FFMIA requirements. 
Additional guidance on management representations is provided in AU 
333, AU 801, AT 101, AT 201, AT 501, AT 601, and section 1001 (Part 
II). Also, a summary of uncorrected misstatements aggregated by the 
auditor is to be included or attached to the letter, which should state 
management's belief that the effects of the misstatements are 
immaterial to the financial statements taken as a whole, both 
individually and in the aggregate. (See section 595 D for an example 
summary of uncorrected misstatements.)

RELATED PARTY TRANSACTIONS:

.04: AU 334 and sections 550 and 902 provide guidance on audit 
procedures that should be performed to identify related parties and 
related party transactions as well as examining these transactions for 
appropriate disclosure in the financial statements. During the planning 
phase, the auditor should perform procedures to identify and document 
related parties and the nature of related party transactions that might 
need to be disclosed in the financial statements and related notes. 
Such information should be distributed to all members of the audit team 
for use in summarizing and testing related party transactions and 
identifying any additional related parties.

SENSITIVE PAYMENTS:

.05: In the planning phase, the auditor should consider the audit 
procedures that will be applied to sensitive payments. Sensitive 
payments encompass a wide range of functions, including executive 
compensation, travel, official entertainment funds, unvouchered 
expenditures, consulting services, speaking honoraria and gifts, and 
executive perquisites. See GAO's Guide for Evaluating and Testing 
Controls Over Sensitive Payments, GAO/AFMD-8.1.2, Washington, D.C.: May 
1993.

REACHING AN UNDERSTANDING WITH OFFICIALS OF THE ENTITY AND REQUESTERS:

.06: During planning, the auditor should reach an understanding with 
officials of the entity, including management and individuals 
contracting for or requesting the audit, about the work to be 
performed, as required by AU 310 and GAGAS (chapter 4). If the audit is 
done based on the request of a committee or member of Congress, the 
auditor should communicate with that committee or member as well as 
management. If the audit is required by law or is self-initiated, the 
auditor should communicate with the committee members or staff who have 
oversight of the auditee as well as management.

.07: The auditor should communicate with officials of the entity and 
the committee or member in writing (preferred) or orally and document 
the understanding reached. "Commitment" letters may be used to 
communicate with Congress about the auditor's planned work. In drafting 
commitment letters, the auditor should consider the matters required to 
be communicated by the auditing standards. If the audit organization 
has a general ongoing working relationship with Congress and prior 
audit reports, there may already be an understanding with the 
applicable committee or other requester.

.08: Because of an ongoing working relationship with either a requester 
or management, the auditor may affirm the contents of the prior audit 
report, since the types of information included in the understanding 
are generally included in the objectives, scope, and methodology 
section of the audit report.

.09: Examples of the matters that are generally included in the 
understanding are the objectives and limitations of the audit and 
management's and the auditor's responsibilities. These are described in 
AU 310. GAGAS also require the understanding to relate to the auditor's 
responsibility for testing and reporting on compliance and internal 
control.

OTHER AUDIT REQUIREMENTS:

.10: Under GAGAS, chapter 4, the auditor should consider the results of 
previous audits and attestation engagements and follow up on known 
significant findings and recommendations that relate directly to the 
objectives of the current audit. Generally, a financial audit should 
cover areas that had findings and recommendations in previous audits. 
However, the auditor should consider whether any findings and 
recommendations from the prior year financial audit need follow-up that 
would not otherwise be covered (for example, findings at locations that 
would not otherwise be revisited).

.11: During planning, the auditor also should consider the additional 
requirements in OMB audit guidance for legal letters, management 
representation letters, and certain agreed-upon procedures. OMB audit 
guidance has specific dates by which interim and updated legal letters 
for CFO Act agencies and covered executive agencies subject to the 
Accountability of Tax Dollars Act of 2002 [Footnote 1] are to be 
requested and received, specific formats for summarizing the 
information in the letters, and a list of specific officials to whom 
copies of the letters and summaries should be forwarded. The guidance 
also has an example of a management representation letter. In addition, 
the guidance requires that certain agreed-upon procedures be applied to 
agency payroll offices and requires that reports be submitted to OPM by 
a specific date.

Footnotes:

[1] OMB issued guidance implementing the act by applying its guidance 
for CFO Act agencies to covered executive agencies.

[End of section]

Planning Phase:

290 - DOCUMENTATION:

[Pages 290-1 to 290-2 remain unchanged. Revised pages follow.]

associates them with significant financial statement line items and 
assertions. For each risk identified, the auditor documents the (1) 
nature and extent of the risk, (2) condition(s) that gave rise to that 
risk, and (3) specific cycles, accounts, line items, and related 
assertions affected (if not pervasive). The auditor also documents 
conclusions on the overall effectiveness of the control environment, 
risk assessment, communication, and monitoring. In addition, the 
auditor generally should document the entity's basis for its 
determination of substantial compliance of its systems with FFMIA 
requirements.

h. Fraud risks (section 260). The auditor should document (also see 
paragraph 290.07):

* specific fraud risks (categorized by type of misstatement and by 
incentive/pressure, opportunity, and attitude/rationalization) that 
were identified and the assessment of those risks;

* if the auditor did not consider improper revenue recognition to 
represent a fraud risk, the reasons supporting that conclusion;

* consideration of the risk of management override of controls; and

* the auditor's response to the assessed fraud risks. (Also see section 
590.)

i. Effects of IS (section 270): The auditor should document:

* a basic understanding of the IS aspects of the financial management 
system, including the significance of IS to the entity (section 220);

* the inherent risks arising from IS (paragraph 260.17);

* the impact of IS on the control environment, risk assessment, 
communication, and monitoring (paragraphs 260.41-.42); and

* tentative conclusions on the likelihood that IS controls are 
operating effectively (section 270).

When the auditor prepares documentation of the above information, the 
IS auditor generally should review and agree with the content. 
Tentative conclusions on the likelihood that IS controls are operating 
effectively should also be reviewed and concurred to by the Audit 
Director and Assistant Director as part of their reviews of the General 
Risk Analysis or equivalent. If IS controls are not likely to be 
effective, the auditor should document supporting evidence and 
generally should report such findings as discussed in section 580.

j. Operations controls to be tested, if any (section 275).

k. Other planned audit procedures (section 280).

l. Locations to be visited (section 285): This information includes:

* the locations selected,

* the basis for selections,

* the general nature of procedures planned for each location,

* the determination of the number of items for testing,

* the allocation of those items among the selected locations, and

* other procedures applied.

m. Staffing requirements.

n. Audit timing, including milestones.

o. Assistance from entity personnel.

.05: The Cycle Matrix or equivalent links each of the entity's accounts 
(in the chart of accounts) to a cycle, an accounting application, and a 
financial statement line item or RSSI (paragraph 240.06). This 
information may instead be incorporated into the Account Risk Analysis 
or equivalent.

.06: The Account Risk Analysis or equivalent contains the audit plan 
for each significant line item and account and should identify 
significant line 
items, accounts, assertions, and cycles/accounting applications 
(sections 235 and 240, respectively). The auditor also summarizes and 
documents the specific risks, other than pervasive risks, as well as 
the inherent, fraud, and control risk factors, for use in determining 
the nature, timing, and extent of the audit procedures. The auditor may 
also include insignificant accounts in each line item ARA or 
equivalent, indicating their insignificance and the consequent lack of 
audit procedures applied to them. In such instances, the cycle matrix 
or equivalent need not be prepared.

.07: The auditor also should document (section 260):

* the brainstorming meeting(s) about potential fraud risks, including 
how and when the discussion(s) occurred, the audit team members who 
participated, and the general matters discussed;

* the procedures performed to obtain information about, identify, and 
assess fraud risks; and

* any other significant procedures performed or other significant 
matters related to the auditor's consideration of fraud (and any 
significant abuse).

.08: The auditor should document the understanding reached with 
officials of the entity and requesters about the work to be performed, 
as described in section 280.

.09: The auditor also should consider the needs of, and consult in a 
timely manner with, other auditors who plan to use the work being 
performed, especially in areas where the auditor makes decisions 
requiring significant auditor judgment. Where the auditor deviates from 
a policy or procedure expressed by use of the term "must" or "should" 
in the FAM, he or she should provide an opportunity for the other 
auditors to review the documentation of the reasons explaining these 
deviation decisions.

[End of section]

Planning Phase:

295 I - EXAMPLES OF AUDITOR RESPONSES TO FRAUD RISKS INVOLVING THE 
NATURE, TIMING, AND EXTENT OF AUDIT PROCEDURES:

.01: As discussed in section 260, the auditor's response to assessed 
fraud risks should (1) have an overall effect on the conduct of the 
audit, (2) address fraud risks that relate to management override of 
controls, and (3)--for any fraud risks that relate to specific 
financial statement account balances or classes of transactions and 
related assertions--involve the nature, timing, and extent of audit 
procedures. This section provides examples of auditor responses in this 
third category--changing the nature, timing, and extent of audit 
procedures.

EXAMPLES OF AUDITOR RESPONSES TO FRAUD RISKS INVOLVING THE NATURE, 
TIMING, AND EXTENT OF AUDIT PROCEDURES:

.02: Examples of auditor responses to fraud risks involving the nature, 
timing, and extent of audit procedures include the following:

* Inquire of management and other personnel involved in areas having 
fraud risks, such as risks related to any improper payments, to obtain 
their insights about those risks and whether and how controls mitigate 
those risks.

* Inquire of additional members of management, such as program 
directors or center directors, or other nonaccounting personnel to 
assist in identifying issues and corroborating other evidential matter.

* Use data mining or other computer-assisted audit techniques (such as 
Interactive Data Extraction and Analysis) to gather more extensive 
evidence about data contained in significant accounts. Such techniques 
can be used to select audit sample items from electronic files, sort 
items with specific characteristics (to perform substantive analytical 
procedures or make a nonrepresentative selection), or test an entire 
population.

* Inspect, or observe physical counts of, tangible assets, such as 
property, plant, and equipment and certain inventories, for which other 
procedures might otherwise have been sufficient.

* Conduct surprise or unannounced procedures, such as inventory 
observations or cash counts on unexpected dates or at unexpected 
locations.

* Make inquiries of major suppliers or customers in addition to 
obtaining written confirmations, request confirmations of a specific 
individual within an organization, or request confirmation of 
additional or different information.

* Where a specialist's (see section 650 and AU 336) work is 
particularly significant, perform additional procedures related to some 
or all of the specialist's methods, assumptions, or findings to 
evaluate whether the findings are unreasonable, or engage another 
specialist to do that.

* Perform additional or more focused tests of budget to actual 
variances and their underlying causes.

* Perform targeted tests of the timing of cost/expense recognition.

* Request that physical inventory counts be made on, or closer to, the 
date that the reporting period ends.

* If fraud risks relate to an interim period, perform audit tests that 
are focused on transactions that occurred in that interim period (or 
throughout the reporting period).

* Test a larger sample of disbursement transactions for validity.

* Perform substantive analytical procedures that are more detailed by 
location, program, month, or other category (for example, analyzing 
specific credit lines in an allowance for loan losses, rather than the 
portfolio as a whole) or that use more precise techniques (for example, 
regression analysis).

* Discuss with other auditors who are auditing the financial statements 
of one or more agency components the extent of work necessary to 
address fraud risks resulting from intragovernmental transactions and 
activity among those components.

ADDITIONAL EXAMPLES OF AUDITOR RESPONSES TO FRAUD RISKS RELATED TO 
MISSTATEMENTS ARISING FROM FRAUDULENT FINANCIAL REPORTING:

.03: The following paragraphs provide additional examples of auditor 
responses to fraud risks related to misstatements arising from 
fraudulent financial reporting in the areas of (1) management's 
estimates, (2) revenue recognition, and (3) inventory quantities. These 
example responses involve the nature, timing, and extent of audit 
procedures.

Management's Estimates:

.04: Fraud risks might relate to management's development of accounting 
estimates. These risks might affect various accounts and assertions, 
such as valuation and completeness of liabilities related to insurance 
and credit programs, pensions, postretirement benefits, and 
environmental cleanup. These risks might also relate to significant 
changes in assumptions for recurring estimates. Further, because 
estimates are based on both subjective and objective factors, bias 
might exist in the subjective factors.

.05: Examples of procedures that the auditor might perform in response 
to fraud risks related to management estimates include the following:

* Gather additional information about the entity and its environment to 
assist in evaluating more extensively the reasonableness of 
management's estimates and underlying judgments and assumptions, 
focusing on more sensitive or subjective aspects.

* Perform a more extensive retrospective review of management judgments 
and assumptions applied in estimates made for prior periods, such as 
analyzing each significant judgment and assumption in light of the 
events that occurred subsequently and identifying reasons for any 
differences. Consider whether these reasons should affect the current 
period's estimates.

* Use the work of a specialist to evaluate management's estimate, or 
develop an independent estimate to compare to management's estimate.

Revenue Recognition:

.06: Revenue recognition is affected by the particular facts and 
circumstances and sometimes--for example, for certain government 
corporations--by accounting principles that can vary by type of 
operations. Hence, where revenue is (or is expected to be) material, 
the auditor should be familiar with the applicable criteria for revenue 
recognition by a federal government entity, and the audit procedures 
should reflect the auditor's understanding of the entity and its 
environment, including the composition of revenue, specific attributes 
of the revenue transactions, and specific entity considerations.

.07: Examples of procedures that the auditor might perform in response 
to fraud risks related to improper revenue recognition include the 
following:

* Perform substantive analytical procedures related to revenue that are 
based on more precisely developed expectations, such as comparing 
revenue between the current year and expectations based on prior fiscal 
years, by location, program, and month, or that establish the limit 
(see paragraphs 475.04-.05) at a lower percent of test materiality. 
Audit techniques such as regression analysis might be helpful in 
performing these procedures.

* Inquire of the entity's personnel, including its general counsel, 
about any revenue-related transactions near the end of the reporting 
period and their knowledge of any unusual terms or conditions that 
might be related to those transactions.

* Confirm with customers and other appropriate parties the relevant 
contract terms and the absence of side agreements that might influence 
the appropriate accounting.

* Physically observe goods being shipped or readied for shipment (or 
returns awaiting processing) at one or more locations at the end of the 
reporting period and perform appropriate sales and inventory cutoff 
procedures.

* Where revenue transactions are electronically initiated, processed, 
and recorded, expand control tests related to these transactions.

Inventories:

.08: Examples of procedures that the auditor might perform in response 
to fraud risks related to inventories include the following:

* Review the entity's inventory records to identify locations, items, 
or issues that warrant specific attention during or after the physical 
inventory count. As a result, the auditor might decide to observe 
inventory counts at some locations on an unannounced basis or to 
request that physical inventory counts be made at all locations on the 
same date and on a date that is on, or closer to, the date that the 
reporting period ends.

* Perform additional inventory observation procedures, such as more 
rigorously examining the contents of boxed items, the manner in which 
the inventory is stacked (to identify hollow squares or other issues) 
or labeled, and--using the work of a specialist, if needed--the purity, 
grade, and concentration of inventory substances such as specialty 
chemicals.

* Perform additional tests of physical inventory count sheets or tags, 
and retain copies of these documents to minimize the risk of subsequent 
alteration or inappropriate extension and summarization of the 
inventory.

* Perform additional procedures focused on the quantities included in 
the priced inventory to further test the count quantities--such as 
comparing quantities for the current period with those for prior 
periods by inventory category, location, or other criteria, or 
comparing count quantities with perpetual records.

* Use computer-assisted audit techniques (such as Interactive Data 
Extraction and Analysis) to test the extension and summarization of the 
physical inventory counts--such as sorting by tag number to test tag 
controls or by item number to test for item omission or duplication--
and to test for unusual quantities and cost amounts.

* When performing substantive analytical procedures related to 
inventories, establish the limit (see paragraphs 475.04-.05) at a lower 
percent of test materiality.
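
The count-sheet tests named in the computer-assisted audit techniques 
bullet above, written out as an added example (it is not part of the 
FAM and is not an IDEA script). The record layout, the issued tag 
range, the item master, the reported total, and every value are 
constructed for illustration.

```python
from collections import Counter
from decimal import Decimal
from statistics import median
from typing import NamedTuple

CENT = Decimal("0.01")


class Tag(NamedTuple):
    tag: int            # pre-numbered count tag
    item: str           # item number
    qty: int            # counted quantity
    unit_cost: Decimal
    extended: Decimal   # quantity x unit cost as recorded by the entity


def _row(tag, item, qty, cost, ext):
    return Tag(tag, item, qty, Decimal(cost), Decimal(ext))


# Constructed sample data (hypothetical layout, not from any entity).
COUNT_SHEET = [
    _row(1001, "A-100", 40, "12.50", "500.00"),
    _row(1002, "A-200", 15, "18.00", "270.00"),
    _row(1003, "A-300", 22, "5.00", "110.00"),
    _row(1005, "A-400", 30, "9.00", "720.00"),     # extension should be 270.00
    _row(1006, "A-200", 15, "18.00", "270.00"),    # item already on tag 1002
    _row(1007, "A-500", 9000, "2.00", "18000.00"), # unusual quantity
    _row(1007, "A-700", 10, "11.00", "110.00"),    # tag number used twice
]
ISSUED_TAGS = range(1001, 1009)                    # tags 1001-1008 were issued
ITEM_MASTER = {"A-100", "A-200", "A-300", "A-400", "A-500", "A-600", "A-700"}
REPORTED_TOTAL = Decimal("20980.00")               # total on the inventory summary


def tag_control(rows, issued):
    """Sort by tag number: gaps, reused tags, and tags never issued."""
    used = Counter(r.tag for r in rows)
    return {
        "missing": sorted(set(issued) - set(used)),
        "duplicated": sorted(t for t, n in used.items() if n > 1),
        "not_issued": sorted(set(used) - set(issued)),
    }


def item_coverage(rows, item_master):
    """Sort by item number: omitted items and items on more than one tag."""
    counted = Counter(r.item for r in rows)
    return {
        "omitted": sorted(item_master - set(counted)),
        "on_multiple_tags": sorted(i for i, n in counted.items() if n > 1),
        "not_in_master": sorted(set(counted) - item_master),
    }


def extension_errors(rows):
    """Recompute quantity x unit cost and report rows that do not agree."""
    errors = []
    for r in rows:
        expected = (r.qty * r.unit_cost).quantize(CENT)
        if expected != r.extended:
            errors.append((r.tag, r.item, r.extended, expected))
    return errors


def footing_difference(rows, reported_total):
    """Foot the recorded extensions and compare with the reported total."""
    return reported_total - sum((r.extended for r in rows), Decimal("0"))


def unusual(rows, field, threshold=Decimal("3.5")):
    """Flag values far from the median, using the median absolute deviation."""
    if not rows:
        return []
    values = [Decimal(getattr(r, field)) for r in rows]
    med = median(values)
    mad = median(abs(v - med) for v in values)
    flagged = []
    for r, v in zip(rows, values):
        if mad == 0:
            # More than half the values are identical; flag any that differ.
            is_unusual = v != med
        else:
            is_unusual = Decimal("0.6745") * abs(v - med) / mad > threshold
        if is_unusual:
            flagged.append((r.tag, r.item, getattr(r, field)))
    return flagged


if __name__ == "__main__":
    print("tag control:", tag_control(COUNT_SHEET, ISSUED_TAGS))
    print("item coverage:", item_coverage(COUNT_SHEET, ITEM_MASTER))
    print("extension errors:", extension_errors(COUNT_SHEET))
    print("footing difference:", footing_difference(COUNT_SHEET, REPORTED_TOTAL))
    print("unusual quantities:", unusual(COUNT_SHEET, "qty"))
    print("unusual unit costs:", unusual(COUNT_SHEET, "unit_cost"))
```

An item appearing on more than one tag can be legitimate (the same 
item stored in two bins), so that result is a list for follow-up rather 
than a list of errors.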

ADDITIONAL EXAMPLES OF AUDITOR RESPONSES TO FRAUD RISKS RELATED TO 
MISSTATEMENTS ARISING FROM MISAPPROPRIATION OF ASSETS:

.09: Additional examples of auditor responses to fraud risks related to 
misstatements arising from misappropriation of assets involving the 
nature, timing, and extent of audit procedures include the following:

* Use information on any improper payments, including information 
resulting from the agency's review of programs and activities under the 
Improper Payments Information Act of 2002, to develop and perform audit 
procedures that are focused on specific vulnerable areas.

* For benefit programs, expand the extent of participant eligibility 
testing, including unannounced visits to intake centers or work sites 
to test the existence and identity of participants, or observe benefit 
payment distribution to identify "ghost" participants or use 
confirmation requests to test the existence of program participants. 
Data mining can be used to search for duplicate payments, ineligible or 
ghost participants, and other issues.

* For particular assets that are highly susceptible to 
misappropriation, obtain a more comprehensive understanding of internal 
controls related to preventing and detecting such a misappropriation 
and expand the tests of those controls, and physically inspect those 
assets at or near the end of the reporting period.

* Assign higher levels of control risk to specific locations that have 
higher fraud risks (such as when large quantities of assets that are 
particularly susceptible to such risks are present at some locations) 
and modify audit procedures at those locations.

* When performing substantive analytical procedures related to assets 
that are particularly susceptible to misappropriation, establish the 
limit (see paragraphs 475.04-.05) at a lower percent of test 
materiality.
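
The data mining mentioned in the benefit programs bullet above 
(duplicate payments, ineligible or ghost participants), as an added 
example that is not part of the FAM. The eligibility roll, the payment 
file layout, and all identifiers, dates, and amounts are constructed 
for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import NamedTuple, Optional


class Participant(NamedTuple):
    pid: str
    eligible_from: date
    eligible_to: Optional[date]   # None means still eligible


class Payment(NamedTuple):
    payment_id: str
    pid: str
    paid_on: date
    amount: Decimal
    account: str                  # account the payment was sent to


# Constructed sample data (hypothetical layout, not from any program).
ROLL = {
    "P001": Participant("P001", date(2003, 10, 1), None),
    "P002": Participant("P002", date(2003, 10, 1), date(2004, 1, 31)),
    "P003": Participant("P003", date(2003, 10, 1), None),
}
PAYMENTS = [
    Payment("PMT-01", "P001", date(2004, 1, 15), Decimal("450.00"), "ACCT-111"),
    Payment("PMT-02", "P001", date(2004, 2, 15), Decimal("450.00"), "ACCT-111"),
    Payment("PMT-03", "P002", date(2004, 1, 15), Decimal("300.00"), "ACCT-222"),
    Payment("PMT-04", "P002", date(2004, 2, 15), Decimal("300.00"), "ACCT-222"),
    Payment("PMT-05", "P003", date(2004, 1, 15), Decimal("520.00"), "ACCT-333"),
    Payment("PMT-06", "P003", date(2004, 1, 15), Decimal("520.00"), "ACCT-333"),
    Payment("PMT-07", "P009", date(2004, 1, 15), Decimal("480.00"), "ACCT-111"),
]


def duplicate_payments(payments):
    """Groups of payment ids with the same participant, date, and amount."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.pid, p.paid_on, p.amount)].append(p.payment_id)
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def not_on_roll(payments, roll):
    """Payments to a participant id that has no eligibility record."""
    return [p.payment_id for p in payments if p.pid not in roll]


def outside_eligibility(payments, roll):
    """Payments dated before eligibility began or after it ended."""
    flagged = []
    for p in payments:
        part = roll.get(p.pid)
        if part is None:
            continue              # reported by not_on_roll instead
        too_early = p.paid_on < part.eligible_from
        too_late = part.eligible_to is not None and p.paid_on > part.eligible_to
        if too_early or too_late:
            flagged.append(p.payment_id)
    return flagged


def shared_accounts(payments):
    """Accounts that received payments for more than one participant id."""
    by_account = defaultdict(set)
    for p in payments:
        by_account[p.account].add(p.pid)
    return {a: sorted(pids) for a, pids in by_account.items() if len(pids) > 1}


if __name__ == "__main__":
    print("duplicates:", duplicate_payments(PAYMENTS))
    print("not on roll:", not_on_roll(PAYMENTS, ROLL))
    print("outside eligibility:", outside_eligibility(PAYMENTS, ROLL))
    print("shared accounts:", shared_accounts(PAYMENTS))
```

Each result is a population for follow-up, such as confirmation 
requests or eligibility testing, not a conclusion that a payment is 
improper.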

[End of section]

Reporting Phase:

540 - Evaluate Misstatements:

[Pages 540-1 to 540-6 remain unchanged. Revised pages follow.]

* The auditor may believe that sufficient evidence has already been 
obtained and may form his/her opinion on the financial statements based 
on his/her estimate.

* The auditor may want to increase assurance in the likely 
misstatements in order to convince entity management of the amount or 
to support the report on the financial statements. For example, the 
auditor may choose to increase his/her assurance in the likely 
misstatement by testing additional items. These additional procedures 
will most likely increase the auditor's assurance in the previous 
findings but generally will not materially affect the amount of the 
likely misstatement. Before deciding to perform additional procedures, 
the auditor should obtain agreement from entity management on the 
extent of additional evidence needed to be persuasive to them. The 
auditor also should consult with the Reviewer before beginning any of 
these additional procedures.

* The Audit Director may decide not to expend additional resources to 
resolve the disagreement, for example, because additional testing is 
unlikely to provide different conclusions. If the auditor believes the 
estimate is sufficiently accurate, he or she would express a qualified 
or adverse opinion, depending on the materiality of the item to the 
financial statements taken as a whole. If the auditor believes the 
estimate is not sufficiently accurate, he or she would qualify or 
disclaim an opinion for a scope limitation, depending on the 
materiality of the item to the financial statements taken as a whole.

RECONSIDERATION OF FRAUD RISK:

.18: The auditor's consideration of fraud risks should be ongoing 
throughout the audit, and evidence gathered during fieldwork could 
change or support an earlier judgment about fraud risks. For example, 
during fieldwork, the auditor might identify discrepancies in the 
accounting records or conflicting or missing evidence.

.19: Near the completion of fieldwork, the auditor should evaluate 
whether the audit test results indicate the need for a change in the 
assessment of the fraud risks made earlier or the need for additional 
or different audit procedures. The auditor should (1) perform overall 
analytical procedures related to revenue, if revenue is (or is expected 
to be) material, (2) consider whether substantive or overall analytical 
procedures indicate a previously unrecognized fraud risk, (3) consider 
whether responses to inquiries during the audit have been vague, 
implausible, or inconsistent with other evidence, and (4) consider 
other evidence gathered during the audit. Further, the Audit Director 
should determine that appropriate communications have occurred among 
the audit team members regarding fraud risks.

.20: When audit test results identify misstatements, the auditor should 
consider whether these might be indicative of fraud. If, preliminarily, 
the auditor believes that a misstatement is or might be the result of 
fraud, the auditor should (1) consult with the Audit Director and the 
Reviewer, who will determine whether to seek assistance from the 
Special Investigator Unit or OGC, and (2) if performing the audit 
under contract, consult with the Assistant Inspector General for Audit, 
or the GAO Managing Director, having responsibility for the audit. 
Then, if, on the basis of evidence obtained, the auditor believes that 
an instance of fraud (or significant abuse) has occurred or is likely 
to have occurred, the auditor should (1) consult with the Special 
Investigator Unit and OGC, (2) include relevant information in the 
audit report unless the instance is clearly inconsequential, and (3) 
determine that the audit committee or others with equivalent authority 
and responsibility are adequately informed. In some circumstances, the 
auditor may be required by law or regulation to report directly to 
outside parties about fraud (or significant abuse). However, the 
auditor should limit public reporting to matters that would not 
compromise any related investigative or legal proceedings. (See GAGAS, 
paragraphs 5.12 and 5.17-.25.)

.21: If a misstatement is or might be the result of fraud and the 
effect is not material to the financial statements, the auditor should 
evaluate the implications, especially those regarding the 
organizational position and responsibilities of the individual 
involved. If the matter involves a relatively low-level employee who is 
not responsible for significant activities (for example, a 
misappropriation from a small petty cash fund by a nonmanagement 
employee), the auditor may conclude that the matter has little 
significance to the audit. However, if the matter involves higher-level 
management, even though the amount of misstatement is not material to 
the financial statements, the auditor should consider whether (1) it is 
qualitatively material and (2) it might indicate a more pervasive 
problem. Accordingly, the auditor should reevaluate the assessment of 
fraud risk, as well as the assessment of inherent and control risk, and 
the resulting effects on the nature, timing, and extent of substantive 
testing. Regardless of the level of the employee, the auditor should 
report the misstatement to at least the next level of management. In 
addition, the auditor should reach an understanding with the audit 
committee or others with equivalent authority and responsibility 
regarding the nature and extent of communications with them about 
misappropriations perpetrated by lower-level employees.

.22: If a misstatement is or might be the result of fraud and either 
the effect could be material or the auditor is unable to determine 
whether the effect is material, the auditor should, (1) if applicable, 
attempt to obtain additional evidential matter to demonstrate whether 
material fraud has occurred or is likely to have occurred and its 
effect on the financial statements and the related audit report, (2) 
consider the implications for other aspects of the audit, including 
reevaluating the assessment of risks and the resulting effects on 
testing as described in the preceding paragraph, (3) discuss the matter 
and the approach for further investigation with at least the next 
higher level of entity management and with senior management and the 
audit committee or others with equivalent authority and responsibility, 
and (4) consider whether to advise entity management to consult with 
its general counsel.

.23: Fraud involving senior management and fraud that causes a material 
misstatement of the financial statements should be discussed in the 
audit report. Depending on circumstances, it could affect the report on 
compliance with laws and regulations, the report on the financial 
statements, and/or the significant matters section. The auditor should 
consult with the Audit Director and the Reviewer and should report the 
matter to the audit committee or others with equivalent authority and 
responsibility.

.24: If the auditor has identified fraud risk factors that have control 
implications, the auditor should consider whether these risk factors 
represent reportable conditions that should be included in the audit 
report in the internal control section. Further, the auditor should 
consider whether the absence of, or deficiencies in, antifraud programs 
and controls also represent reportable conditions.

FINANCIAL MANAGEMENT SYSTEMS:

.25: For audits of the CFO Act agencies and components identified by 
OMB in its audit guidance, the auditor should determine whether the 
entity's financial management systems substantially comply with the 
three requirements of FFMIA. Federal financial management systems 
requirements and the SGL at the transaction level were considered in 
sections 350 and 360. At this point, the auditor should reassess those 
preliminary conclusions and conclude on the federal accounting 
standards based on the results of control, compliance, and substantive 
testing and evaluation of misstatements found. If the auditor concludes 
that the systems do not substantially comply with the requirements, he 
or she should report the noncompliance. In addition, if the auditor 
concluded the systems were not in substantial compliance with FFMIA 
based on limited testing, he or she should report that the work on 
FFMIA would not necessarily disclose all instances of lack of 
substantial compliance with FFMIA requirements. (See section 580.)

[End of section]

Reporting Phase:

590 - DOCUMENTATION:

.01: The auditor should document the nature and extent of work 
performed in the reporting phase and the related conclusions. Such 
documentation should include:

* evaluation of misstatements,

* inquiries of legal counsel,

* subsequent events,

* management representations,

* related party transactions, and

* procedures performed to determine consistency of the other 
information in the Accountability Report with the financial statements 
and on conformity with OMB guidelines on form and content of financial 
statements.

SPECIFIC DOCUMENTATION CONSIDERATIONS:

Audit Summary Memorandum:

.02: At the completion of the audit, an audit summary memorandum should 
be prepared that summarizes the audit results and demonstrates the 
adequacy of the audit procedures and the reasonableness of the 
conclusions on the financial statements, internal control, substantial 
compliance of the financial management systems with the FFMIA 
requirements, the entity's compliance with laws and regulations, MD&A 
(the overview of the entity), required supplementary information 
(including RSSI), and other accompanying information.

.03: The audit summary memorandum generally should refer to other 
documentation where this information is described in more detail. The 
memorandum should briefly summarize and allow the reader to easily 
refer in the documentation to:

* any significant changes from the auditor's original assessment of the 
control environment, risk assessment, communication, and monitoring or 
inherent or control risk and significant revisions of audit procedures;

* any additional fraud risks or other conditions beyond those 
considered in planning (section 260), including analytical 
relationships, identified during the audit that caused the auditor to 
believe additional audit procedures or any other response was required, 
as well as any further response the auditor concluded was appropriate;

* the results of the procedures performed to specifically address the 
risk of management override of controls;

* the auditor's considerations about any misstatement that the auditor 
believes is or might be the result of fraud;

* the nature of any communications about fraud or possible fraud (and 
any significant abuse) made to management, the audit committee or 
others with equivalent authority and responsibility, the Special 
Investigator Unit or others in the Office of Inspector General, and 
others;

* the auditor's summary conclusions related to the consideration of 
fraud;

* significant accounting, auditing, or reporting issues;

* any limitations on the audit scope and the auditor's assessment of 
whether the audit procedures were adequate to support conclusions on 
the financial statements, internal control, the systems' substantial 
compliance with FFMIA requirements, compliance with laws and 
regulations, MD&A, required supplementary information (including 
RSSI), and other accompanying information;

* the auditor's conclusions on whether the audit evidence obtained 
supports the conclusions on the financial statements, internal control, 
the systems' substantial compliance with FFMIA requirements, compliance 
with laws and regulations, MD&A, required supplementary information 
(including RSSI), and other accompanying information;

* the auditor's conclusion on whether the audit was done in compliance 
with GAGAS, OMB audit guidance, and the GAO/PCIE Financial Audit Manual 
and whether the report is appropriate;

* the auditor's conclusion on whether the entity's financial statements 
comply with U.S. generally accepted accounting principles;

* significant subsequent events, if any;

* the Summary of Unadjusted Misstatements;

* a summary of internal control weaknesses and a comparison of those 
the auditor found to the weaknesses reported in management's assertion 
about the effectiveness of internal control;

* a summary of instances of the systems' lack of substantial compliance 
with FFMIA requirements, including areas in which there is substantial 
but not full compliance;

* a summary of instances of noncompliance with laws and regulations; 
and

* the documentation of overall analytical procedures.

Overall Analytical Procedures:

.04: The following items should be documented for overall analytical 
procedures:

* Data used and sources of data: The documentation on the specific 
financial data used for the current-year amounts and the data used for 
comparison should include the amounts of the financial items; the dates 
or periods covered by the data; whether the data were audited or 
unaudited; the persons from whom the data were obtained, if applicable; 
and the source of the information (e.g., the general ledger trial 
balance, prior-year audit documentation, or prior-year financial 
statements).

* Parameters for identifying significant fluctuations: These parameters 
are left to the auditor's judgment.

* Explanations for significant fluctuations and sources of these 
explanations: Explanations obtained should be consistent with 
corroborating evidence in the documentation and should be referenced to 
this work.

* Auditor's conclusions on the results of the procedures: The auditor's 
conclusions on the results of overall analytical procedures should be 
documented.

Considering Weaknesses in Internal Control:

.05: The basis for considering internal control weaknesses as material 
weaknesses, other reportable conditions, or as not reportable, should 
be documented. Any oral communications of control weaknesses that are 
not included in a written report should be documented. Procedures 
performed to determine the effects of misstatements and weaknesses in 
internal control on other reports prepared and used by the entity also 
should be documented.

Reporting Lack of Systems' Substantial Compliance With FFMIA 
Requirements:

.06: The basis for considering whether systems' noncompliances with 
FFMIA requirements represent lack of substantial compliance should be 
documented.

Reporting Instances of Noncompliance:

.07: The basis for classification of instances of noncompliance as 
material noncompliance, other reportable noncompliance, or not 
reportable should be documented. Any oral communications of 
noncompliance that are not included in a written report should be 
documented.

[End of section]

Appendix B:

INSTANCES WHERE THE AUDITOR "MUST" COMPLY WITH THE FAM:

.01: In the paragraphs listed below the word "must" is used to indicate 
a situation in which the auditor is required to comply with the FAM:

100.04 (footnote): In opining on internal control, the opinion must be 
on internal control and not management's assertion if material 
weaknesses are present.

100.17: The audit must be designed to achieve the objectives of OMB 
audit guidance.

100.23: The auditor must exercise judgment properly, assuring that, at 
a minimum, the work meets professional standards.

260.37: The auditor must respond to the assessed fraud risks.

295 C.07: The auditor must apply analytical or other substantive 
procedures to locations not tested in using nonrepresentative sample 
selection, unless immaterial.

310.06: The auditor must evaluate and test certain controls.

310.08: The auditor must test the effectiveness of controls if the 
controls have been determined to be effective in design.

340.09: The auditor must test controls that are likely to be effective.

395 G.02: In using rotation testing of controls, the auditor must 
annually perform some work in areas not selected for testing.

475.07: In order to rely on a substantive analytical procedure, a 
difference that exceeds the limit must be explained.

475.12: In performing a substantive analytical procedure, if the 
explanation is not adequate to explain the difference, the auditor must 
do additional substantive testing.

475.13: Additional procedures must provide adequate assurance that 
misstatements that exceed test materiality are identified.

475.15: The auditor must obtain an overall understanding of current-
year financial statements in using overall analytical procedures at the 
financial statement level.

480.06: When using nonrepresentative selection, the auditor must not 
project results to the portion of the population not tested and must 
apply other procedures to the remaining items unless immaterial.

480.07: In representative sampling, each item in the population must 
have the opportunity to be selected.

480.14: In sampling, sample items must be selected from all items so 
that each item has an opportunity to be selected.

480.47: The auditor must evaluate the quantitative and qualitative 
effects of known and projected misstatements in relation to the 
financial statements as a whole.

490.03: The auditor must consider the implications of misstatements 
detected in applying supplemental analytical procedures.

495 A.11: In using analytical procedures, if an account is compared 
with another current year amount, that amount must be audited by means 
other than an analytical procedure using its relationship to this 
account.

495 A.12: In analytical procedures, the auditor must document why a 
prior year amount has a plausible and predictable relationship with the 
current year amount, and adjustments must be supported by reliable data 
and corroborated. (Four "musts" in paragraph.)

495 A.21: In using computer-produced data in performing analytical 
procedures, the auditor must either test the IS controls in the system 
or test the reliability of the data produced. (Two "musts" in 
paragraph.)

495 C.04: The auditor must perform additional procedures to extend the 
results of interim testing to year-end.

510.01: The auditor must conclude on the financial statements, internal 
control, FFMIA requirements, compliance, and other information 
included.

520.01: The auditor must perform overall analytical procedures.

520.07: (First bullet.) In overall analytical procedures, the auditor 
must use audited, final current-year amounts.

540.07: The auditor must bring all misstatements found to management's 
attention (except those below the auditor-designated amount at which 
misstatements need not be accumulated).

570.01, 580.14: The auditor must determine whether the audit was 
conducted in accordance with GAGAS, OMB audit guidance, and the GAO/
PCIE financial audit methodology, and document the conclusion on 
compliance.

580.22: The auditor must consider whether the financial statements are 
materially affected by a departure from U.S. generally accepted 
accounting principles.

580.39: In order to express an opinion on internal control, the auditor 
must have a management assertion about the effectiveness of internal 
control and must be able to perform all the procedures considered 
necessary. (Two "musts" in paragraph.)

[End of section]

INDEX:

Abuse, Indications of: 260.22;

Account Risk Analysis (ARA): Control risk and combined risk, 
Preliminary assessment of: 370.10;

Account Risk Analysis (ARA): Documentation of internal control phase: 
390.07;

Account Risk Analysis (ARA): Documentation of planning phase: 235.06, 
290.06;

Account Risk Analysis (ARA): Sample completed form: 395 I;

Accounting application: Audit requirements for internal controls: 
310.06;

Accounting application: Description: 240.02;

Accounting application: Documentation: 390.04;

Accounting application: Potential misstatements: 330.06;

Accounting application: Relation to line items/accounts: 330.05, 395 A;

Accounting application: Walkthrough procedures: 320.02;

Accounting principles and policies: Determining compliance with: 
560.01;

Accounting systems: Understanding: 320.01;

Analytical procedures: Overall: 520.01;

Analytical procedures: Preliminary: 225.01;

Analytical procedures: Substantive: 470.04, 475.01;

Analytical procedures: Supplemental: 470.05, 475.17, 520.03;

Application controls: See IS controls;

Assertions: Audit requirements for internal controls: 310.06;

Assertions: Combined risk, Preliminary assessment of: 370.09;

Assertions: Control risk, Preliminary assessment of: 370.07;

Assertions: Control activities, Effectiveness of: 340.02;

Assertions: Definition: 235.02;

Assertions: Management, about internal control; See Internal control;

Assertions: Relation to potential misstatements and control objectives: 
330.02;

Assertions: Significant: 235.04;

Audit assurance: Guidelines: 260.04;

Audit assurance: Audit matrix: 470.10;

Audit assurance: With statistical risk factors: 495 D;

Audit reports: See Report on Accountability Report (annual financial 
statement); See Report on financial statements;

Audit risk: Definition: 260.02;

Audit risk: Guidelines: 260.04;

Audit sampling; See Sampling;

Audit scope: 530.01, 580.14, 580.39, 580.66, 580.73;

Audit summary memorandum: 590.02;

Auditing standards and related OMB guidance: Audit requirements beyond 
"yellow book" (GAGAS): 100.16;

Auditing standards and related OMB guidance: Determine compliance with: 
570.01;

Auditing standards and related OMB guidance: Relevant standards: 
100.13;

Auditing standards and related OMB guidance: Standards and other 
policies not addressed: 100.18;

Budget: Audit requirements: 310.05;

Budget: Controls: 260.06, 295 G, 310.04;

Budget: Budget accounting system: 320.05;

Budget: Control objectives: 330.09, 395 F;

Budget: Execution statutes: 395 D;

Budget: Execution steps: 395 E;

Budget: Formulation, understanding: 260.61;

Budget: Definition: 260.06;

Budget: Documentation: 390.05;

Budget: Preliminary assessment of effectiveness: 370.11;

Budget: Reporting: 370.11, 580.32;

Budget: Restrictions, identifying: 250.01;

Budget: Tests of budget information, example: 495 B;

Combined risk: Assurance level for substantive tests, Relationship to: 
370.10, 470.02;

Combined risk: Definition: 370.09;

Combined risk: Effect on audit procedures: 295 E;

Combined risk: Reevaluation of assessment: 370.14;

Compliance with laws and regulations: Checklist, General compliance: 
802;

Compliance with laws and regulations: Identifying significant laws and 
regulations: 245.01;

Compliance with laws and regulations: Laws identified in OMB audit 
guidance: 295 H;

Compliance with laws and regulations: Material noncompliance, 
definition: 580.68;

Compliance with laws and regulations: Reportable noncompliance, 
definition: 580.68;

Compliance with laws and regulations: Reporting on: 580.71;

Compliance with laws and regulations: Scope of procedures: 580.73;

Compliance with laws and regulations: Supplements, Compliance: 803 - 
816; See Compliance controls; See Compliance tests;

Compliance controls: Audit programs: 803 - 816;

Compliance controls: Audit requirements: 310.07;

Compliance controls: Compliance system: 320.06;

Compliance controls: Control objectives: 330.10;

Compliance controls: Definition: 260.06;

Compliance controls: Documentation: 390.05;

Compliance controls: Effect on compliance tests: 370.11, 460.02, 
460.06;

Compliance controls: Preliminary assessment of effectiveness: 370.11;

Compliance controls: Reporting requirements: 370.11, 580.32;

Compliance tests: Definition: 410.01;

Compliance tests: Evaluation of results: 460.07;

Compliance tests: Procedural-based provisions: 460.06;

Compliance tests: Quantitative-based provisions: 460.03;

Compliance tests: Tests of budget information for use in: 495 B;

Compliance tests: Transaction-based provisions: 460.02;

Control activities: Definition: 260.08;

Control activities: Documentation: 340.01, 390.06;

Control activities: Effectiveness of: 340.02;

Control activities: Efficiency of testing: 350.06;

Control activities: Factors for evaluating design effectiveness: 
340.03;

Control activities: Identification: 340.01;

Control activities: IS controls, Identification of: 350.10;

Control activities: Segregation of duties: 330.08;

Control activities: Specific control evaluation: 340.01, 390.06;

Control activities: Typical, List of: 395 C;

Control activities: Understanding: 340.02;

Control environment: Documentation: 290.04;

Control environment: Factors for consideration: 260.42;

Control environment: IS effects on: 260.51;

Control environment: Potential weaknesses: 295 B;

Control environment: Weaknesses: 260.09;

Control objectives: Identifying: 330.01;

Control objectives: Potential misstatements, Relationship to: 330.02;

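Control objectives: See Budget controls;

Control objectives: See Compliance controls;

Control objectives: See Financial reporting controls;

Control objectives: See Operations controls;

Control objectives: See Safeguarding controls;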

Control risk: Assessment of: 370.06, 370.14;

Control risk: Combined risk, Component of: 370.09;

Control risk: Definition: 260.02;

Control risk: Documentation of assessment: 370.10;

Control tests: Attribute sampling: 450.01;

Control tests: Control Assessment, Relation to: 370.01;

Control tests: Documentation: 390.06, 395 H, 450.02, 490.06;

Control tests: Efficiency considerations: 350.18;

Control tests: Evaluation of results, nonsampling tests: 360.14;

Control tests: Evaluation of results, sampling tests: 450.13;

Control tests: Evidence, Documentary: 350.16;

Control tests: Inquiry: 350.13;

Control tests: IS controls, Performing tests of: 360.03;

Control tests: IS controls, Evaluating results of: 370.03;

Control tests: Inspection: 350.14;

Control tests: Multiple locations, Impact on sampling control tests of: 
450.04;

Control tests: Nature: 350.11;

Control tests: Nonsampling tests: 350.19;

Control tests: Observation: 350.12;

Control tests: Partial year controls: 380.02;

Control tests: Planned changes in controls: 380.03;

Control tests: Population, sampling control tests: 450.04;

Control tests: Rotation testing of controls: 380.01, 395 G;

Control tests: Sample size: 450.06;

Control tests: Samples, Design of: 450.02;

Control tests: Sampling control tests: 410.01, 450.01;

Control tests: Segregation of duties: 330.08, 360.12, 395 C;

Control tests: Selection of: 350.18;

Control tests: Timing: 350.11;

Control tests: Tolerable rate of deviations, sampling control tests: 
450.08;

Cycle: Audit requirements for internal controls: 310.06;

Cycle: Documentation: 390.04;

Cycle: Identification: 240.01;

Cycle matrix: 240.06, 290.05;

Detail tests: 470.07, 480.01;

Detection risk: 260.02;

Differences in estimates: 540.05;

Discussion and analysis; See Management's discussion and analysis;

Dual purpose tests; See Multipurpose testing;

Entity profile: 290.03;

Errors; See Misstatements;

FFMIA: Conclude: 460.07;

FFMIA: Determine nature, timing, and extent of tests: 350.02, 350.21;

FFMIA: Documentation: 590.02, 590.06;

FFMIA: Planning: 260.58;

FFMIA: Reporting: 580.63;

FFMIA: Requirements: 100.09, 320.04;

FFMIA: Testing: 360.02, 360.16;

FFMIA: Understanding accounting systems: 320.04;

Financial reporting controls: Accounting system: 320.03;

Financial reporting controls: Audit requirements: 310.06;

Financial reporting controls: Control objectives: 330.01;

Financial reporting controls: Definition: 260.06;

Financial reporting controls: Documentation: 390.04;

Financial reporting controls: Preliminary assessment of control risk: 
370.06;

Financial reporting controls: Reporting requirements: 580.32;

Financial reporting controls: Sampling control tests: 450;

Flowcharts, Use of: 390.04;

FMFIA: Assessing: 260.53, 580.61;

FMFIA: Material weakness: 580.35;

FMFIA: Reliance on management's process: 260.57, 320.01;

FMFIA: Reporting on management's reports: 580.61;

Fraud risk: Auditor responses: 260.37, 295 I;

Fraud risk: Brainstorming meeting: 260.27;

Fraud risk: Consideration: 260.18;

Fraud risk: Continuing assessment: 440.03;

Fraud risk: Documentation: 290.04, 590.03;

Fraud risk: Factors: 260.25;

Fraud risk: Reassessment: 540.18;

GAO/PCIE Financial Audit Manual, Compliance with: 570.01;

General Controls; See IS controls;

General Risk Analysis (GRA): 290.04;

Information and communication: 260.08, 320.01;

Information systems (IS) controls; See IS controls;

Inherent risk: Definition: 260.02;

Inherent risk: Documentation: 290.04;

Inherent risk: Identifying: 260.09;

Inherent risk: IS effects on: 260.17;

Inherent risk: Risk factors: 260.16, 295 A;

Inquiries of attorneys: 280.02, 550.02;

Interim testing: 295 D, 495 C;

Internal control: Audit requirements: 310.06;

Internal control: Classifying control weaknesses: 580.33;

Internal control: Components: 260.08;

Internal control: Effects of control weaknesses on internal control 
opinion: 580.42;

Internal control: Management assertion about: 550.08, 580.38;

Internal control: Material weakness: 580.33;

Internal control: Nonopinion report: 580.49;

Internal control: Opinion report: 580.38;

Internal control: Reportable condition: 580.33;

Internal control: Reporting on: 580.32;

Internal control: Reporting on management's FMFIA reports: 580.35, 
580.61;

Internal control: Reporting weaknesses: 580.51;

Internal control: Scope of procedures: 580.39;

See Budget controls;

See Compliance controls;

See Control activities;

See Control environment;

See Financial reporting controls;

See Information and communication;

See Monitoring;

See Operations controls;

See Risk assessment;

IS controls: Application controls: 295 F;

IS controls: Assessing: 295 J;

IS controls: Control activities, Identification for testing: 350.10;

IS controls: Determining likelihood of effective: 270.01;

IS controls: Develop high-level understanding: 220.07;

IS controls: Documentation: 290.04, 370.05;

IS controls: Effects on inherent risk: 260.17;

IS controls: Effects on the control environment, risk assessment, 
communication, and monitoring: 260.51;

IS controls: General controls: 295 F;

IS controls: Information system (IS): 320.01;

IS controls: IS auditor, Use of: 100.27, 220.07, 260.17, 260.52, 
270.01, 320.01, 340.01, 350.10, 360.03;

IS controls: Testing: 360.03;

IS controls: Types of: 295 F;

IS controls: User controls: 295 F;

Laws and regulations; See Compliance with laws and regulations;

Management's discussion and analysis (MD&A): 100.12, 220.07, 520.06, 
580.76, 590.06;

Management's discussion and analysis (MD&A): Coordination with overall 
analytical procedures: 520.06;

Management's discussion and analysis (MD&A): Reporting on: 580.79;

Management letter: 580.54, 580.69;

Management representations: 280.03, 550.07, 1001;

Materiality: Base, Definition and use of: 230.08;

Materiality: Definition of: 230.01;

Materiality: Design: 230.05, 230.12;

Materiality: Disclosure: 230.06;

Materiality: FMFIA: 230.06;

Materiality: Guidelines: 230.07;

Materiality: Planning: 230.05, 230.08, 230.11;

Materiality: Reporting: 230.06;

Materiality: Test: 230.05, 230.13;

Misstatements: Budgetary amounts: 370.12;

Misstatements: DUS sample: 480.43;

Misstatements: Effects on auditor's report: 540.09;

Misstatements: Effects on financial statements: 480.47, 540.04;

Misstatements: Evaluation of misstatements: 540.01;

Misstatements: Known and likely: 540.03;

Misstatements: Results of other samples: 480.46;

Misstatements: Review with management: 540.07;

Misstatements: Substantive analytical procedures: 475.12;

Misstatements: Summary of Possible Adjustments: 540.04, 595 C;

Misstatements: Summary of Unadjusted Misstatements: 540.09, 595 D;

Monitoring: 260.08, 260.48;

Monitoring: Documentation: 290.04;

Monitoring: Factors for consideration: 260.48;

Monitoring: IS effects on: 260.51;

Monitoring: Potential weaknesses: 295 B;

Monitoring: Weaknesses: 260.09;

Multipurpose testing, Definition of: 430.01;

Multiple location audits: Locations to visit: 285.01, 295 C;

Operations, Understanding the entity's; See Understanding the entity's 
operations;

Operations controls: Audit requirements: 310.06;

Operations controls: Control objectives: 330.11;

Operations controls: Definition: 260.06;

Operations controls: Documentation: 390.05;

Operations controls: Identify for evaluation and testing: 275.01;

Operations controls: Operations system: 320.07;

Operations controls: Preliminary assessment of effectiveness: 370.13;

Operations controls: Reporting requirements: 370.13, 580.32;

Other accompanying information: 100.12, 580.76, 590.02;

Other auditors, Using the work of: 100.02, 100.24, 100.28, 210.03, 
285.01, 290.09, 295 B, 295 I, 395 G, 580.26, 650;

Overall analytical procedures: Documentation: 590.04;

Overall analytical procedures: Performance: 520.01;

Overview; See Management's discussion and analysis;

Performance measures controls: 275.09;

See Operations controls;

Positions, References to: 100.25;

Potential misstatements: Accounting applications, Relation to: 330.04;

Potential misstatements: Assertions, Relation to: 330.02;

Potential misstatements: Control objectives, Relation to: 395 B;

Potential misstatements: Line item/account, Relation to: 330.04;

Potential misstatements: Typical, List of: 395 B;

Preliminary analytical procedures: 225.01;

Professional judgment: 100.23;

Professional skepticism: 260.26;

Related party transactions: 280.04, 550.12, 1006;

Report on Accountability Report (annual financial statement): 
Compliance with laws and regulations: 580.71;

Report on Accountability Report (annual financial statement): Dating: 
580.03;

Report on Accountability Report (annual financial statement): Example, 
unqualified: 595 A;

Report on Accountability Report (annual financial statement): Example, 
various modifications: 595 B;

Report on Accountability Report (annual financial statement): Financial 
statements: 580.10;

Report on Accountability Report (annual financial statement): Internal 
controls: 580.32;

Report on Accountability Report (annual financial statement): Other 
information (MD&A [overview], RSSI, required supplementary 
information, and other accompanying information): 580.76;

Report on Accountability Report (annual financial statement): Report 
format: 580.04;

Report on Accountability Report (annual financial statement): 
Significant matters section: 580.06;

Report on financial statements: Adverse: 580.30;

Report on financial statements: Consistency: 580.20;

Report on financial statements: Departure from established accounting 
principles: 580.22;

Report on financial statements: Disclaimer: 580.31;

Report on financial statements: Explanatory paragraphs: 580.26;

Report on financial statements: Qualified: 580.28;

Report on financial statements: Scope limitations: 580.15;

Report on financial statements: Uncertainties: 580.19;

Report on financial statements: Unqualified: 580.24;

Representation letter from management; See Management representations;

Representation letter, Legal; See Inquiries of attorneys;

Representative sampling; See Sampling;

Required supplementary stewardship information (RSSI): 100.12, 220.06, 
580.76, 590.02;

Risk;

See Audit risk;

See Combined risk;

See Control risk;

See Detection risk;

See Fraud risk;

See Inherent risk;

Risk assessment (as part of an entity's internal control): 260.08, 
260.44;

Risk assessment (as part of an entity's internal control): 
Documentation: 290.04;

Risk assessment (as part of an entity's internal control): 
Identification: 260.09;

Risk assessment (as part of an entity's internal control): IS effects 
on: 260.17;

Risk assessment (as part of an entity's internal control): Factors for 
consideration: 260.44;

Risk assessment (as part of an entity's internal control): Potential 
weaknesses: 295 B;

Rotation testing of controls: 380.01, 395 G;

Safeguarding controls: 260.06, 310.04;

See Financial reporting controls;

Sampling: Attribute sampling: 450.01, 450.06;

Sampling: Classical variables estimation sampling: 480.32, 480.45;

Sampling: Control tests: 410.01, 450.01;

Sampling: Dollar unit sampling (DUS): 480.21, 480.43;

Sampling: Evaluation of sample results: 450.13, 480.39;

Sampling: Flowcharts and example documentation: 495 E;

Sampling: Other sampling methods: 480.13, 480.34;

Sampling: Population: 450.04, 480.01;

Sampling: Representative selections (sampling): 480.10;

Sampling: Selection methods for detail tests: 480.04;

Sensitive payments: 280.05;

Significant cycles/accounting applications: Audit requirements for 
internal controls: 310.06;

Significant cycles/accounting applications: Documentation: 290.04 g, 
290.05, 390.04;

Significant cycles/accounting applications: Identifying: 240.01;

Significant cycles/accounting applications: Relationship to line 
items/accounts: 240.03, 330.03;

Significant line items, accounts, assertions, and RSSI: Documentation: 
290.04 g;

Significant line items, accounts, assertions, and RSSI: Identifying: 
235.01;

Specific control evaluation worksheet (SCE): Control objectives, 
Documentation of: 330.07;

Specific control evaluation worksheet (SCE): Control activities, 
Documentation of: 340.01, 350.07;

Specific control evaluation worksheet (SCE): Sample completed 
worksheet: 395 H;

Statistical risk factors: 480.24, 495 D;

Stewardship information: Reporting: 580.77;

See Required supplementary stewardship information (RSSI);

Subsequent events: 550.04, 1005;

Substantive analytical procedures: 475.01;

Substantive analytical procedures: Considerations for use: 495 A;

Substantive analytical procedures: Documentation: 490.06;

Substantive analytical procedures: Establishment of limit, guidelines: 
475.05;

Substantive analytical procedures: Increasing effectiveness of: 
475.14;

Substantive analytical procedures: Investigation of differences: 
475.06;

Substantive analytical procedures: Levels of: 470.05;

Substantive analytical procedures: Performance of: 475.04;

Substantive tests: Definition: 410.01;

Substantive tests: Determining mix: 470.10;

Substantive tests: Directional testing: 470.14;

Substantive tests: Levels of assurance: 470.02;

Substantive tests: Types of tests: 470.03;

Substantive tests: See Detail tests;

See Substantive analytical procedures;

Summary of Possible Adjustments: 540.04, 595 C;

Summary of Unadjusted Misstatements: 540.09, 595 D;

Supplemental analytical procedures: 470.05, 475.17, 520.03;

Understanding the entity's operations: 220.01;

Understanding the entity's operations: Accounting issues and policies: 
220.05;

Understanding the entity's operations: Documentation: 290.03;

Understanding the entity's operations: IS: 220.07;

Understanding the entity's operations: Sources of information: 220.08;

User controls; See IS controls;

Walkthrough procedures: Control techniques, Operation of: 350.09;

Walkthrough procedures: Processing systems, Understanding of: 320.01;

Walkthrough procedures: Use as limited control test: 340.02;

Yellow book; See Auditing standards and related OMB guidance;

[End of section]

Planning and General:

650 - USING THE WORK OF OTHERS:

[Pages 650-1 to 650-7 remain unchanged. Revised pages follow.]

Type of reporting: Report concurs with the other auditors' report or 
does not mention the other auditors' work (paragraph 650.09 d and e):

Evaluate the other auditors' independence and objectivity (paragraphs 
650.11-.24): Yes.

Evaluate the other auditors' qualifications (paragraphs 650.25-.35): 
Yes.

Level of Review (paragraphs 650.36-.42): High, moderate, or low.

Hold discussions and/or perform supplemental tests (paragraphs 650.43-
.47): Yes for internal auditors' work (should include supplemental 
tests); Yes for auditors' work for high level of review; No for 
auditors' work for moderate or low level of review.

[End of table]

EVALUATING THE OTHER AUDITORS' OR SPECIALISTS' INDEPENDENCE AND 
OBJECTIVITY:

.11: Unless the auditor has no association with the report, the auditor 
should evaluate the other auditors' or specialists' independence and 
objectivity. Where the auditor has previously used the work of the same 
other auditors, the auditor generally should update the previous 
evaluation. Under GAGAS, chapter 3, audit organizations and individual 
auditors should be free both in fact and appearance from personal, 
external, and organizational impairments to independence. The auditor 
should first evaluate organizational independence. Different standards 
apply to CPA firms, other organizationally independent auditors, 
internal auditors, and specialists.

.12: For CPA firms and specialists, the contracting process is designed 
to select a firm that is independent and objective. The statement of 
work or request for proposal should ask the firms to represent that 
they are independent and objective with respect to the auditee and 
should request the firms to describe in their proposals all work, 
including nonaudit services, they have done for the auditee in the last 
several years (see GAGAS, chapter 3, and Government Auditing Standards: 
Answers to Independence Questions (GAO-02-870G, July 2002)). The 
technical evaluation panel should evaluate whether the nature and 
extent of this work or other factors cause an independence or 
objectivity issue. In this evaluation, the panel may consider, for 
example, whether the other auditors (1) will need to audit their own 
work or (2) made management decisions or performed management 
functions.

.13: If possible, [Footnote 1] the auditor should have a role in 
contracting for the CPA firm or specialist. When the auditor does not 
participate in contracting for the CPA firm or specialist, the auditor 
generally should obtain an overview of the contracting process; this 
generally should include reading the statement of work or request for 
proposal and the proposal of the firm selected, and understanding the 
evaluations of the panel selecting the firm. The auditor should 
determine whether the firm provided a representation as to independence 
and objectivity (usually in its proposal). If the firm has not provided 
a representation as to independence and objectivity, the auditor should 
obtain a representation from the firm. If the auditor is not familiar 
with the firm, the auditor should inquire of professional organizations 
(such as the American Institute of Certified Public Accountants or the 
Public Company Accounting Oversight Board established by the Sarbanes-
Oxley Act of 2002) as to the firm's professional reputation and 
standing.

.14: For government auditors, the auditor should decide whether the 
other audit organization is organizationally independent to report 
externally or whether it should be considered an internal audit 
organization. The auditor may refer to the work of organizationally 
independent government auditors but should not refer to the work of 
internal audit organizations in the audit report; generally more 
extensive review and supervision are necessary when dealing with 
internal auditors. The auditor should obtain written representations 
from the head of the government audit organization that to the best of 
his or her knowledge, the organization and the individual auditors 
doing the work are independent of the entity being audited. This means 
that the individual auditors are free of personal impairments to 
independence and maintain an independent attitude and appearance; it 
also means that the organization is free from external impairments and 
is organizationally independent (see GAGAS, chapter 3). The 
representation letter may indicate the general criteria for determining 
independence, such as "under the criteria in GAGAS." The 
representations should be for the period of the financial statements to 
the date of the other auditors' report. Since the decision on the 
independence and objectivity of the other auditors is needed to plan 
the auditor's work, the auditor generally should obtain oral 
representations early in the audit, with written representations at the 
end of the audit. [Footnote 2]

.15: Government auditors may be presumed to be free from organizational 
impairments to independence when reporting externally to third parties 
if their audit organization is organizationally independent of the 
audited entity. Government audit organizations may meet the requirement 
for organizational independence in a number of ways. There is a 
presumption that a government audit organization is organizationally 
independent (GAGAS, chapter 3) if the audit organization is:

a. assigned to a level of government other than the one to which the 
audited entity is assigned (federal, state, or local), for example, a 
federal auditor auditing a state government program, or

b. assigned to a different branch of government within the same level 
of government as the audited entity, for example, a legislative auditor 
auditing an executive branch program.

.16: There is also a presumption of organizational independence if the 
head of the audit organization (GAGAS, chapter 3) meets one of the 
following:

a. directly elected by voters of the jurisdiction being audited,

b. elected or appointed by a legislative body, subject to removal by a 
legislative body, and reports the results of audits to and is 
accountable to a legislative body,

c. appointed by someone other than a legislative body, so long as the 
appointment is confirmed by a legislative body and removal from the 
position is subject to oversight or approval by a legislative body, and 
reports the results of audits to and is accountable to a legislative 
body, or

d. appointed by, accountable to, reports to, and can only be removed by 
a statutorily created governing body, the majority of whose members are 
independently elected or appointed and come from outside the 
organization being audited.

.17: If the other audit organization or its head meets one of the above 
criteria, the auditor need not perform any procedures concerning 
organizational independence other than to obtain a representation 
letter from the head of the audit organization as noted in paragraph 
650.14 (see paragraph 650.23 for tests of personal independence). 
However, if the auditor encounters evidence that the audit organization 
might not be organizationally independent, the auditor should consider 
the need for inquiries and other procedures; the auditor should then 
evaluate the results of these procedures.

.18: In addition to the presumptive criteria, GAGAS recognize that 
there may be other organizational structures under which a government 
audit organization could be free from organizational impairments. These 
other structures should provide sufficient safeguards to prevent the 
audited entity from interfering with the audit organization's ability 
to perform the work and report the results impartially. For the audit 
organization to be considered free from organizational impairments to 
report externally under a structure different from the ones listed 
above, the audit organization (GAGAS, chapter 3) should have all of the 
following safeguards:

a. statutory protections that prevent the abolishment of the audit 
organization by the audited entity,

b. statutory protections that require that if the head of the audit 
organization is removed from office, the head of the agency should 
report this fact and the reasons for the removal to the legislative 
body,

c. statutory protections that prevent the audited entity from 
interfering with the initiation, scope, timing, and completion of any 
audit,

d. statutory protections that prevent the audited entity from 
interfering with the reporting on any audit, including the findings, 
conclusions, and recommendations, or the manner, means, or timing of 
the audit organization's reports,

e. statutory protections that require the audit organization to report 
to a legislative body or other independent governing body on a 
recurring basis,

f. statutory protections that give the audit organization sole 
authority over the selection, retention, and dismissal of its staff, 
and

g. statutory access to records and documents that relate to the agency, 
program, or function being audited.

.19: If the head of the audit organization concludes that the 
organization has all the safeguards listed above, the audit 
organization may be considered free from organizational impairments to 
independence when reporting externally. The audit organization should 
document the statutory provisions in place that provide these 
safeguards. The external quality assurance reviewer will review these 
provisions to determine whether the necessary safeguards are present.

.20: When using the work of other auditors who meet these requirements, 
the auditor should request a representation letter (see paragraph 
650.14) from the head of the audit organization. The auditor should 
review the above documentation and discuss it with the head of the 
audit organization. He or she also may discuss the matter with the 
external quality assurance reviewer, legal counsel for the audit 
organization, and his or her own legal counsel.

.21: If the auditor decides that the government audit organization is 
not organizationally independent to report externally (either because 
it does not meet the criteria in GAGAS or for another reason), the 
auditor should determine whether the other auditors are 
organizationally independent to report internally. These auditors are 
internal auditors. The Institute of Internal Auditors' (IIA) 
International Standards for the Professional Practice of Internal 
Auditing defines internal auditing as "an independent, objective 
assurance and consulting activity designed to add value and improve an 
organization's operations. It helps an organization accomplish its 
objectives by bringing a systematic, disciplined approach to evaluate 
and improve the effectiveness of risk management, control, and 
governance processes." GAGAS contain guidance on organizational 
independence for government internal auditors. For example, internal 
auditors should be outside the staff or line management function of the 
unit under audit. They should report their results and be accountable 
to the head or deputy of their agency. IIA standards require internal 
auditors to be objective for the activities they audit. These GAGAS and 
IIA standards of independence for internal auditors differ from 
independence under the AICPA Code of Professional Conduct or 
independence for external auditors under GAGAS. The auditor generally 
should determine whether the internal auditors whose work is to be used 
are independent of the activities they audit. The auditor also should 
consider the organizational status of the head of the audit 
organization. For the audit organization to be considered free from 
organizational impairments to report internally to management, the head 
of the audit organization (GAGAS, chapter 3) should meet all of the 
following criteria:

a. accountable to the head or deputy head of the government entity,

b. required to report the results of the audit organization's work to 
the head or deputy head of the government entity, and

c. located organizationally outside the staff or line management 
function of the unit under audit.

[Subsequent sections of FAM 650, beginning at paragraph .22, remain 
unchanged.]

Footnotes:

[1] Under the CFO Act, if the IG is not doing the audit, he or she is 
required to determine the independent external auditor (CPA firm) that 
will do the work.

[2] Obtaining a representation from the head of the audit organization 
is similar to the procedure for CPA firms under AU 543.10b.

[End of section]

Planning and General:

660 C - AGREED-UPON PROCEDURES COMPLETION CHECKLIST:

Entity:

Job code:

Principal report:

.01: This checklist is a tool to help auditors comply with the 
requirements for agreed-upon procedures engagements. No specific 
signatures are required on the checklist in the planning phase.

.02: Several of the last questions include steps in GAO's quality 
control process, including the GAO Audit Documentation Set, second 
partner review, and review by the Technical Accounting and Auditing 
Expert (Chief Accountant at GAO) when that person is not the second 
partner. GAO auditors should complete these questions and forms. IG 
auditors and other auditors may use these questions and forms or may 
substitute questions and forms that consider their reporting style and 
quality control.

Step:

1. Has the audit team documented an understanding with the individuals 
requesting the audit and officials of the entity?

2. Does the documentation cover the following?

* The nature of the engagement.

* Identification of the subject matter, the responsible entity, and the 
criteria.

* Identification of the users of the report.

* Auditor's responsibilities.

* Reference to GAGAS and the attestation standards.

* Agreement on the nature, timing, and extent of procedures.

* Anticipated reporting, including disclaimers.

* Any involvement of a specialist.

* Materiality limits.

3. Was an entrance conference held with the responsible entity?

4. Has the auditor determined whether a letter of representation from 
the responsible entity is necessary? (Note: This is not a 
requirement.)

5. Were applicable laws and regulations documented if part of the 
procedures?

6. Were review responsibilities communicated to individuals on the 
assignment?

7. Does the documentation contain the following?

a. The scope and methodology, including any sampling criteria used and 
consideration of the results of any previous agreed-upon procedures and 
follow up on any known significant findings that directly relate to the 
agreed-upon procedures engagement.

b. Any indication of fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse, and--if there was such 
indication--the directed procedures performed, results obtained, and 
related communications.

c. Descriptions of transactions and records examined.

d. Documentation of the work performed to support reported results.

e. Evidence of supervisory review.

8. Does the documentation record that the applicable standards were 
followed (AT 101, AT 201, and GAGAS, chapter 6)?

9. Does the documentation record a reasonable basis for the results of 
the agreed-upon procedures?

10. Does the summary memorandum summarize the results of the procedures 
and refer to the documentation?

11. Were any deviations from the standard reporting elements documented 
and the basis approved by the assistant director with copies of the 
documentation sent to the audit director and Reviewer (AT 201.31)?

12. Was the report referenced?

13. Did the assistant director review the following?

a. Documentation of the understanding with the individuals requesting 
the audit and officials of the entity.

b. Memorandum of entrance conference with the responsible entity.

c. Completed work programs.

d. Memorandums on key engagement issues.

e. Summary of the results of the procedures.

f. Memorandum of exit conference with the responsible entity.

g. Deviations from standard reporting language.

h. Financial schedules/statements.

i. Agreed-upon procedures report.

j. GAO Audit Documentation Set (or equivalent).

14. Did the audit director review the following?

a. Documentation of the understanding with the individuals requesting 
the audit and officials of the entity.

b. Summary of results of the procedures.

c. Memorandum of exit conference with responsible entity.

d. Deviations from standard reporting language.

e. Agreed-upon procedures report.

f. GAO Audit Documentation Set (or equivalent).

15. Did the assistant director or the auditor in charge determine that 
all significant review notes were resolved appropriately?

16. Did the assistant director initial all documentation bundle covers 
to indicate that all documentation was sufficiently reviewed?

17. Is the report appropriate as to the following?

a. Wording.

b. Scope of work.

c. GAGAS.

d. Explanatory paragraphs.

18. Was the report reviewed by the following?

a. Office of the General Counsel.

b. Technical Accounting and Auditing Expert.

c. Second partner (or equivalent), if not Technical Accounting and 
Auditing Expert.

19. Is the agreed-upon procedures report dated appropriately or does 
the report indicate when the auditor completed fieldwork? (AT 201)

Note: All "No" answers should be discussed in attached documentation. 
If the reason that a question is "Not Applicable" is not obvious, the 
auditor should document the reason on the checklist or in an 
attachment.

Date of completion of fieldwork:

Audit Manager:

Date:

Assistant Director:

Date:

Audit Director:

Date:

SECOND PARTNER'S (OR EQUIVALENT) CONCURRENCE ON AGREED-UPON PROCEDURES 
WORK:

Objective of second partner (or equivalent) review: To objectively 
review significant engagement matters to conclude, based on all facts 
the second partner (or equivalent) has knowledge of, that no matters 
were found that caused the second partner (or equivalent) to believe 
that (1) the procedures were not performed in accordance with GAGAS, 
which incorporate financial audit and attestation standards established 
by the American Institute of Certified Public Accountants (AICPA), and 
(2) the report does not meet professional standards and audit 
organization policies.

Procedures: Before the report was issued, I performed the following 
procedures:

* as necessary, discussed significant engagement issues with the audit 
director;

* read documentation of key decisions and consultations;

* read the agreed-upon procedures report; and

* confirmed with the audit director that there are no unresolved 
issues.

Conclusions: Based on all the relevant facts of which I have knowledge, 
I found no matters that caused me to believe that (1) the agreed-upon 
procedures were not performed in accordance with GAGAS and the AICPA's 
attestation standards related to agreed-upon procedures engagements and 
(2) the report is not in accordance with professional standards and 
audit organization policies.

In signing this form, I acknowledge that there have been no personal or 
external impairments to independence regarding my work on this 
engagement.

Title:

Signature:

Date:

TECHNICAL ACCOUNTING AND AUDITING EXPERT'S CONCURRENCE ON AGREED-UPON 
PROCEDURES WORK:

Objective of review: When the Technical Accounting and Auditing Expert 
is not the second partner (or equivalent), the Technical Accounting and 
Auditing Expert should read the report. The Technical Accounting and 
Auditing Expert should then sign the conclusions below.

Conclusions: Based on my reading of the report, I found no matters that 
caused me to believe that (1) the agreed-upon procedures were not 
performed in accordance with GAGAS and the AICPA's attestation 
standards related to agreed-upon procedures engagements and (2) the 
report is not in accordance with professional standards and audit 
organization policies.

In signing this form, I acknowledge that there have been no personal or 
external impairments to independence regarding my work on this 
engagement.

Title:

Signature:

Date:

[End of section]

Reporting:

1001 - MANAGEMENT REPRESENTATIONS:

.01: This section deals with the management representations that the 
auditor is required to obtain from current management as part of the 
audit, as described in sections 280 and 550. It covers the four general 
areas of representations: representations about the financial 
statements, internal control, financial management systems' 
substantial compliance with the requirements of the Federal Financial 
Management Improvement Act of 1996 (FFMIA), and compliance with laws 
and regulations. In the AICPA standards, these representations are 
discussed in sections AU 333, AT 501, and AU 801. OMB audit guidance 
also contains guidance on management representations letters.

.02: Written representations from management ordinarily confirm oral 
representations given to the auditor, indicate and document the 
continuing appropriateness of those representations, and reduce the 
possibility of misunderstanding. Management representations are not a 
substitute for audit procedures. If a representation is contradicted by 
other audit evidence, the auditor should investigate the circumstances 
and consider the reliability of the representation. Also, the auditor 
should then consider whether it is appropriate to rely on other 
management representations. Management's refusal to furnish written 
representations is a scope limitation sufficient to preclude an 
unqualified opinion.

.03: The specific representations obtained will depend on the 
circumstances of the engagement and the nature and basis of 
presentation of the financial statements. These representations apply 
to all the financial statements and all periods covered by the audit 
report. In addition to the representations given in the AICPA 
standards, the auditor generally should consider the need to obtain 
representations on other matters based on the circumstances of the 
audited entity. Also, the representations given in the example 
representation letter in section 1001 A should be deleted if 
inapplicable or customized to the situation of the entity being 
audited.

.04: The management representation letter should be obtained from the 
highest level of the audited entity. The officials who sign the 
management representation letter should be those who, in the auditor's 
view, are responsible for and knowledgeable, directly or through 
others, about the matters in the representation letter. These officials 
generally should be the head of the entity and the CFO, or equivalent. 
Additional management representation letters should be obtained from 
any component units for which separate reports are to be issued.

.05: The management representation letter should be on the audited 
entity's letterhead. The representations should be as of a date no 
earlier than the date of the auditor's report--the end of fieldwork. To 
ensure the letter is ready in time, a draft letter generally should be 
provided to and discussed with management early in the audit and 
updated for circumstances found throughout the audit. Where management 
signs the letter after the end of fieldwork, the letter should state 
that the representations are as of the date of the audit report. If 
management signs the letter before the end of fieldwork, the auditor 
generally should obtain a separate letter to update the representations 
to the end of fieldwork. However, where the time difference is short, 
the auditor may update the representations orally and document the 
update.

.06: Although the management representation letter generally should be 
addressed to the Comptroller General (at GAO) or the agency IG (and 
also to the independent external auditor, when appropriate), the audit 
team should consider having the entity deliver it directly to a member 
of the team to avoid any delays in receiving the letter.

.07: Especially for large audited entities, management may need to 
specify a materiality threshold in the management representation 
letter, below which items would not be considered exceptions. The 
auditor should be satisfied that such a materiality threshold is so far 
below design materiality that even many items below this level would 
not, in the aggregate, approach design materiality. For example, a 
threshold that is 5 percent (or less) of design materiality may be 
sufficiently low. The materiality level may be different for different 
representations and would not apply to those representations not 
directly related to amounts in the financial statements (such as 
responsibility for the statements).

REPRESENTATIONS RELATING TO THE FINANCIAL STATEMENTS:

.08: Paragraph AU 333.06 lists management representations that are 
ordinarily included in a GAAS audit if applicable. These generally 
relate to management acknowledging its responsibility for the financial 
statements and its belief that the financial statements are fairly 
presented in conformity with U.S. generally accepted accounting 
principles; completeness of financial information; recognition, 
measurement, and disclosure; and subsequent events. Examples of 
additional representations that may be appropriate depending on an 
entity's business or industry are given in appendix B to AU 333. The 
auditor may review section AU 333 for items that could be added to the 
representations, many of which would have to be modified in the federal 
government environment. (OMB has added a representation dealing with 
intragovernmental transactions and their reconciliations for agencies 
and components that are covered under the OMB audit requirements for 
federal agencies.)

.09: Appendix B of AU 333 gives example language for the following 
situations (note: tailor for the circumstances applicable to the 
federal audit entity, as appropriate):

General:

* Unaudited interim information accompanies the financial statements.

* The impact of a new accounting principle is not known.

* There is justification for a change in accounting principles.

* Financial circumstances are strained, with disclosure of management's 
intentions and the entity's ability to continue as a going concern.

* The possibility exists that the value of specific significant long-
lived assets or certain identifiable intangibles may be impaired.

* The entity engages in transactions with special purpose entities.

* The work of a specialist has been used by the entity.

Cash:

* Disclosure is required of compensating balances or other arrangements 
involving restrictions on cash balances, line of credit, or similar 
arrangements.

Financial instruments:

* The value of debt or equity securities has declined.

* Management has determined the fair value of significant financial 
instruments that do not have readily determinable market values.

* There are financial instruments with off-balance-sheet risk and 
financial instruments with concentrations of credit risk.

Receivables:

* Receivables have been properly stated in the financial statements 
(for example, at estimated net realizable value).

Inventories:

* Excess or obsolete inventories exist.

Deferred charges:

* Material expenditures have been deferred.

Debt:

* Short-term debt could be refinanced on a long-term basis, and 
management intends to do so.

Contingencies:

* Estimates and disclosures have been made of environmental remediation 
liabilities and related loss contingencies.

* Agreements may exist to repurchase assets previously sold.

Pension and postretirement benefits:

* An actuary has been used to measure pension liabilities and costs.

* There is involvement with a multiemployer plan.

* Postretirement benefits have been eliminated.

* Employee layoffs that would otherwise lead to a curtailment of a 
benefit plan are intended to be temporary.

* Management intends to either continue to make or not make frequent 
amendments to its pension or other postretirement benefit plans, which 
may affect the amortization period of prior service cost, or management 
has expressed a substantive commitment to increase benefit obligations.

Sales:

* There may be losses from sales commitments.

* There may be losses from purchase commitments.

* Nature of the product or industry indicates the possibility of 
undisclosed sales terms.

.10: The auditor generally should consider the need for additional 
customizing of the example representation letter given in section 1001 
A and for the additional representations in paragraph 1001.09. Many of 
the representations may have to be qualified, especially in an initial 
audit or in later audits where significant problems remain. For 
instance, where the example representation letter states that there are 
no violations of laws or regulations, the entity may need to add at the 
end of the statement, "except as follows:" and describe the violations.

.11: In addition, the auditor generally should consider whether 
circumstances may require that additional descriptive items be included 
in the representation letter, especially as support for conclusions the 
auditor makes in the audit. This is important where the corroborating 
information that can be obtained by procedures other than inquiry is 
limited. For example, the letter should include descriptions of (1) the 
reasons for audited-entity-imposed scope limitations, such as lack of 
availability of certain records, (2) the basis for material liability 
estimates, key asset valuations, or the probability of contingencies, 
and (3) significant plans or intentions for the entity. For example, if 
the entity has a pension plan outside of the Civil Service Retirement 
System or the Federal Employees' Retirement System, an item should 
state that the entity does not plan to terminate the plan and that 
management believes the actuarial assumptions and methods used to 
measure pension liabilities and costs for financial reporting purposes 
are appropriate in the circumstances.

REPRESENTATIONS RELATING TO INTERNAL CONTROL:

.12: Internal control representations, when the auditor opines on 
internal control, are found in AT 501.44 and, for those related to 
fraud, in AU 316. These representations, where applicable, relate to 
management's (1) acknowledging its responsibility for internal control, 
(2) stating that management has assessed the effectiveness of its 
internal control and specifying the control criteria used, (3) stating 
management's assertion about the effectiveness of its internal control 
based on the control criteria, (4) stating that management has 
disclosed to the auditor all significant deficiencies in the design or 
operation of internal control that could adversely affect the entity's 
ability to meet the internal control objectives and pointing out those 
that are material weaknesses (using the definition in the 
representation letter, which is the definition in AU 325), (5) stating 
whether there were any changes to internal control subsequent to the 
end of the reporting period, (6) acknowledging its responsibility for 
the design and implementation of programs and controls to prevent and 
detect fraud, (7) knowledge of any fraud or suspected fraud affecting 
the entity involving management, employees who have significant roles 
in internal control, or others where the fraud could have a material 
effect on the financial statements, and (8) knowledge of any 
allegations of fraud or suspected fraud affecting the entity received 
in communications from employees, former employees, analysts, 
regulators, or others.

.13: For items 2 and 3, entities may use criteria established under 
FMFIA and OMB Circular A-123 in their FMFIA internal control 
assessment. Standards in GAO's green book Standards for Internal 
Control in the Federal Government were established as standards for 
federal entities to follow. The November 1999 update to these standards 
(GAO/AIMD-00-21.3.1) incorporates concepts from the private sector 
guidance Internal Control--Integrated Framework issued by the Committee 
of Sponsoring Organizations (COSO) of the Treadway Commission. Entities 
should summarize in the representation letter any material weaknesses 
relating to financial reporting (including safeguarding), compliance 
(including budget), and performance measures controls. Example wording 
for the representations is given in section 1001 A for the case where 
management asserts that its internal control as of the date of the 
financial statements provided reasonable assurance that misstatements, 
losses, or noncompliance material in relation to the financial 
statements or required supplementary stewardship information would be 
prevented or detected on a timely basis. If there are material 
weaknesses, management should include a brief description of them in 
its representation letter and modify its assertion accordingly.

REPRESENTATIONS RELATING TO FINANCIAL MANAGEMENT SYSTEMS' SUBSTANTIAL 
COMPLIANCE WITH FFMIA REQUIREMENTS:

.14: FFMIA requires the auditor who audits a CFO Act agency to report 
whether the entity's financial management systems substantially comply 
with (1) federal financial management systems requirements, (2) 
applicable federal accounting standards (U.S. generally accepted 
accounting principles), and (3) the SGL at the transaction level. In 
order to report in accordance with FFMIA, the auditor should obtain 
representations from management as to the entity's systems' substantial 
compliance with these requirements.

.15: The auditor should obtain representations that management takes 
responsibility for having its systems substantially comply with the 
FFMIA requirements, stating that it has assessed the systems' 
compliance, stating the criteria used, and asserting the systems' 
substantial compliance (or lack thereof). The criteria should be the 
requirements in OMB Circular A-127, Financial Management Systems (which 
incorporates the SGL, the JFMIP Federal Financial Management Systems 
Requirements documents, and other OMB circulars). These requirements 
are further described, including indicators of substantial compliance, 
in OMB's FFMIA implementation guidance for CFOs and IGs, referenced in 
OMB's audit guidance.

REPRESENTATIONS RELATING TO COMPLIANCE WITH LAWS AND REGULATIONS:

.16: AU 801.07 suggests that a representation relating to compliance 
with laws and regulations state that management has identified and 
disclosed to the auditor all laws and regulations that have a direct 
and material effect on the financial statements.

.17: In addition, AT 601 deals with compliance attestation. The auditor 
is not required to follow AT 601 because it does not apply to an audit 
of financial statements. However, in situations in which the auditor 
believes additional representations regarding compliance may be needed, 
examples are given in AT 601.68.

EFFECT OF CHANGE IN MANAGEMENT ON REPRESENTATION LETTER:

.18: Sometimes management is reluctant to sign representations for 
periods when it did not manage the entity. The auditor should explain 
to management that by issuing the financial statements, it is making 
the assertions implicit in the financial statements. Management may 
wish to understand the transactions and controls supporting the 
financial statements, and the auditor should help it do so. Where a 
change in management is expected, the auditor may advise the new 
management to obtain representations from the old management about the 
period prior to the change.

[End of section]

Reporting:

1001 A: EXAMPLE MANAGEMENT REPRESENTATION LETTER:

[Entity Letterhead]

[Date of auditor's report and completion of fieldwork]

The Honorable [name of Inspector General or Comptroller General]

[Inspector or Comptroller] General [of the United States]

[Name of agency] [or U.S. General Accounting Office]

Washington, D.C.

[Also, include the independent external auditor as an addressee, when 
appropriate.]

Dear [name(s)]:

This letter is in connection with your audits of the [entity's] balance 
sheet as of September 30, 20X2 and 20X1, [or dates of audited financial 
statements] and the related statements of net costs, changes in net 
position, budgetary resources, financing, and custodial activity [if 
applicable], for the years then ended for the purposes of (1) 
expressing an opinion as to whether the financial statements are 
presented fairly, in all material respects, in conformity with U.S. 
generally accepted accounting principles, (2) reporting [or expressing 
an opinion] on the entity's internal control as of September 30, 20X2 
[or date of latest audited financial statements], (3) reporting whether 
the [entity's] financial management systems substantially comply with 
federal financial management systems requirements, applicable federal 
accounting standards (U.S. generally accepted accounting principles), 
and the U.S. Government Standard General Ledger at the transaction 
level as of September 30, 20X2, and (4) testing for compliance with 
applicable laws and regulations.

Certain representations in this letter are described as being limited 
to matters that are material. For purposes of this letter, matters are 
considered material if they involve $X or more. Items also are 
considered material, regardless of size, if they involve an omission or 
misstatement of accounting information that, in the light of 
surrounding circumstances, makes it probable that the judgment of a 
reasonable person relying on the information would be changed or 
influenced by the omission or misstatement.

We confirm, to the best of our knowledge and belief, the following 
representations made to you during the audits (these representations 
are as of [date of completion of fieldwork], pertain to both years' 
financial statements, and update the representations we provided in the 
prior year):

1. We are responsible for the fair presentation of the financial 
statements and stewardship information in conformity with U.S. 
generally accepted accounting principles.

2. The financial statements are fairly presented in conformity with 
U.S. generally accepted accounting principles.

3. We have made available to you all:

a. financial records and related data;

b. where applicable, minutes of meetings of the Board of Directors [or 
other similar bodies, such as congressional oversight committees] or 
summaries of actions of recent meetings for which minutes have not been 
prepared; and

c. communications from the Office of Management and Budget (OMB) 
concerning noncompliance with or deficiencies in financial reporting 
practices.

4. There are no material transactions that have not been properly 
recorded in the accounting records underlying the financial statements 
or disclosed in the notes to the financial statements.

5. We believe that the effects of the uncorrected financial statement 
misstatements summarized in the accompanying schedule are immaterial, 
both individually and in the aggregate, to the financial statements 
taken as a whole. [An example accompanying schedule is included in 
section 595 C.] [If management believes that certain of the identified 
items are not misstatements, management's belief may be acknowledged by 
adding to the representation, for example, "We believe that items XX 
and XX do not constitute misstatements because [description of 
reason]."]

6. The [entity] has satisfactory title to all owned assets, including 
stewardship property, plant, and equipment; such assets have no liens 
or encumbrances; and no assets have been pledged.

7. We have no plans or intentions that may materially affect the 
carrying value or classification of assets and liabilities.

8. Guarantees under which the [entity] is contingently liable have been 
properly reported or disclosed.

9. Related party transactions and related accounts receivable or 
payable, including assessments, loans, and guarantees, have been 
properly recorded and disclosed.

10. All intraentity transactions and balances have been appropriately 
identified and eliminated for financial reporting purposes, unless 
otherwise noted. All intragovernmental transactions and balances have 
been appropriately recorded, reported, and disclosed. We have 
reconciled intragovernmental transactions and balances with the 
appropriate trading partners for the four fiduciary transactions 
identified in Treasury's Intra-governmental Fiduciary Transactions 
Accounting Guide, and other intragovernmental asset, liability, and 
revenue amounts as required by the applicable OMB Bulletin.

11. There are no:

a. possible violations of laws or regulations whose effects should be 
considered for disclosure in the financial statements or as a basis for 
recording a loss contingency,

b. material liabilities or gain or loss contingencies that are required 
to be accrued or disclosed that have not been accrued or disclosed, or

c. unasserted claims or assessments that are probable of assertion and 
must be disclosed that have not been disclosed.

12. We have complied with all aspects of contractual agreements that 
would have a material effect on the financial statements in the event 
of noncompliance.

13. No material events or transactions have occurred subsequent to 
September 30, 20X2 [or date of latest audited financial statements], 
that have not been properly recorded in the financial statements and 
stewardship information or disclosed in the notes.

14. We are responsible for establishing and maintaining internal 
control.

15. We acknowledge our responsibility for the design and implementation 
of programs and controls to prevent and detect fraud (intentional 
misstatements or omissions of amounts or disclosures in financial 
statements and misappropriation of assets that could have a material 
effect on the financial statements).

16. We have no knowledge of any fraud or suspected fraud affecting the 
[entity] involving:

a. management,

b. employees who have significant roles in internal control, or

c. others where the fraud could have a material effect on the financial 
statements.

[If there is knowledge of any such instances, they should be 
described.]

17. We have no knowledge of any allegations of fraud or suspected fraud 
affecting the [entity] received in communications from employees, 
former employees, or others. [If there is knowledge of any such 
allegations, they should be described.]

18. Pursuant to 31 U.S.C. 3512(c), (d) (commonly known as the Federal 
Managers' Financial Integrity Act), we have assessed the effectiveness 
of the [entity's] internal control in achieving the following 
objectives:

a. reliability of financial reporting--transactions are properly 
recorded, processed, and summarized to permit the preparation of 
financial statements and stewardship information in accordance with 
U.S. generally accepted accounting principles, and assets are 
safeguarded against loss from unauthorized acquisition, use or 
disposition;

b. compliance with applicable laws and regulations--transactions are 
executed in accordance with (i) laws governing the use of budget 
authority and with other laws and regulations that could have a direct 
and material effect on the financial statements and (ii) any other 
laws, regulations, and governmentwide policies identified by OMB in its 
audit guidance; and,

c. reliability of performance reporting--transactions and other data 
that support reported performance measures are properly recorded, 
processed, and summarized to permit the preparation of performance 
information in accordance with criteria stated by management.

[This item is not required if the auditor is not opining on internal 
control. Also, if the entity bases its internal control assessment on 
suitable criteria other than 31 U.S.C. 3512(c), (d), this item should 
cite the criteria used (for example, Internal Control--Integrated 
Framework issued by the Committee of Sponsoring Organizations (COSO) of 
the Treadway Commission).]

19. Those controls in place on September 30, 20X2 [or date of latest 
audited financial statements], and during the years ended 20X2 and 
20X1, provided reasonable assurance that the foregoing objectives are 
met. [This item is not required if the auditor is not opining on 
internal control.]

[If there are material weaknesses, the foregoing representation should 
be modified to read:

Those controls in place on September 30, 20X2, and during the years 
ended 20X2 and 20X1, provided reasonable assurance that the foregoing 
objectives are met except for the effects of the material weaknesses 
discussed below or in the attachment.

or: Internal controls are not effective.

or: Internal controls do not meet the foregoing objectives.]

20. We have disclosed to you all significant deficiencies in the design 
or operation of internal control that could adversely affect the 
entity's ability to meet the internal control objectives and identified 
those we believe to be material weaknesses. [This item is not required 
if the auditor is not opining on internal control.]

21. There have been no changes to internal control subsequent to 
September 30, 20X2 [or date of latest audited financial statements], or 
other factors that might significantly affect it. [If there were 
changes, describe them, including any corrective actions taken with 
regard to any significant deficiencies or material weaknesses.] [This 
item is not required if the auditor is not opining on internal 
control.]

22. We are responsible for implementing and maintaining financial 
management systems that substantially comply with federal financial 
management systems requirements, federal accounting standards (U.S. 
generally accepted accounting principles), and the U.S. Government 
Standard General Ledger at the transaction level. [This item is not 
required if the entity is not subject to the Federal Financial 
Management Improvement Act of 1996.]

23. We have assessed the financial management systems to determine 
whether they substantially comply with these federal financial 
management systems requirements. Our assessment was based on guidance 
issued by OMB. [This item is not required if the entity is not subject 
to the Federal Financial Management Improvement Act of 1996.]

24. The financial management systems substantially complied with 
federal financial management systems requirements, federal accounting 
standards, and the U.S. Government Standard General Ledger at the 
transaction level as of [date of the latest financial statements]. 
[This item is not required if the entity is not subject to the Federal 
Financial Management Improvement Act of 1996.]

[If the financial management systems substantially comply with only one 
or two of the above elements, this representation should be modified as 
follows:

As of [date of financial statements], the [entity's] financial 
management systems substantially comply with [specify which of the 
three elements for which there is substantial compliance (e.g., federal 
accounting standards and the SGL at the transaction level)], but did 
not substantially comply with [specify which of the elements for which 
there was a lack of substantial compliance (e.g., federal financial 
management systems requirements)], as described below (or in an 
attachment).]

[If the financial management systems do not substantially comply with 
any of the three elements, the following paragraph should be used 
instead:

As of [date of financial statements], the [entity's] financial 
management systems do not substantially comply with the federal 
financial management systems requirements.]

[If there is a lack of substantial compliance with one or more of the 
three requirements, identify herein or in an attachment all the facts 
pertaining to the noncompliance, including the nature and extent of the 
noncompliance and the primary reason or cause of the noncompliance.]

25. We are responsible for the [entity's] compliance with applicable 
laws and regulations.

26. We have identified and disclosed to you all laws and regulations 
that have a direct and material effect on the determination of 
financial statement amounts.

27. We have disclosed to you all known instances of noncompliance with 
laws and regulations.

[Name of Head of Entity]:

[Title]:

[Name of Chief Financial Officer]:

[Title]:

[End of section]

Reporting:

1003 - FINANCIAL STATEMENT AUDIT COMPLETION CHECKLIST:

Entity:

Job Code:

Principal Report:

Other Reports (including management letters and testimonies):

INSTRUCTIONS:

.01: This checklist is a tool to help auditors of financial statements 
conform with U.S. generally accepted government auditing standards 
(GAGAS), OMB audit guidance, and provisions of the FAM. This checklist 
should be completed before the report is issued and should be prepared 
by the audit manager and reviewed by the assistant director and audit 
director. If the audit is conducted at multiple sites, the site 
supervisor may complete parts of the checklist for each site (with the 
audit manager completing an overall checklist). While parts of the 
checklist are useful in audit planning, no specific signatures are 
required on the checklist in the planning phase.

.02: The detailed questions in this checklist are to be answered "no," 
"N/A" (not applicable), or "yes." For some questions, "no" answers 
might indicate departures from professional standards or from policies. 
The auditor should explain all "no" answers at the end of this 
checklist and should consider the effects and significance of "no" 
answers, including any effect on the auditor's report. Check "N/A" when 
the item does not exist or when the item exists but is judged to be not 
material. Because the checklist is designed for the wide range of 
financial statement audits, there sometimes might be many "N/A" 
answers. If the reason why a question is not applicable is not obvious, 
the auditor should document the reason on the checklist or in an 
attachment. It is not necessary to create additional documentation to 
support the "yes" answers, but a column is provided to insert a 
reference to related documentation ("ref."). The questions are 
summarized; for most questions, there is a reference to professional 
literature that provides more detail.

.03: Section V has questions on GAO's report considerations; section VI 
has questions on GAO's quality control. GAO auditors should complete 
these sections. IG auditors and other auditors may use these sections 
or may substitute forms that consider their reporting style and quality 
controls.

.04: See section 650 related to reviewing this checklist (or 
equivalent) when using the work of others.

.05: The FAM includes a separate "Checklist for Federal Accounting, 
Reporting, and Disclosures" (section 1050) that covers accounting, 
financial reporting, and disclosure requirements related to financial 
statements prepared using U.S. generally accepted accounting principles 
promulgated by FASAB. The AICPA has published a disclosure checklist 
for requirements related to financial statements prepared using U.S. 
generally accepted accounting principles promulgated by FASB. The 
auditor should prepare (or review, if prepared by the entity) either 
the Checklist for Federal Accounting, Reporting, and Disclosures or the 
AICPA disclosure checklist, as applicable, or an equivalent checklist 
that addresses the applicable accounting, financial reporting, and 
disclosure requirements. These checklists may be tailored for the needs 
of the individual agency financial statements.

.06: GAO auditors should prepare the "GAO Audit Documentation Set" that 
provides guidance on documentation. IG and other auditors may develop 
similar tools.

.07: For GAO's financial audits, a second partner review should be 
performed and the Chief Accountant should read the report. These 
reviews by the second partner and/or Chief Accountant are documented on 
the last two pages of this checklist. IG auditors and other auditors 
should consider the need for similar reviews.

CONTENTS:

Section:

I: Planning and Concluding the Audit:

II: Key Audit Areas:

III: Consultation:

IV: Report:

V: GAO's Report Considerations:

VI: GAO's Quality Control:

VII: Explanation of "No" Answers and Other Comments:

VIII: Conclusions:

IX: Second Partner's concurrence:

X: Chief Accountant's concurrence:

References:

AICPA Professional Standards (vol. 1): AU;

GAO/PCIE Financial Audit Manual: FAM;

Government Auditing Standards: GAGAS;

Section I: Planning and Concluding the Audit:

1: Has the audit team documented that it has established an 
understanding with the individuals requesting the audit and officials 
of the entity as to the objectives of the work; management's 
responsibilities; auditors' responsibilities; the nature, timing, and 
extent of planned testing and reporting; the planned level of 
assurance; and any limitations of the work? (FAM 280 and GAGAS, par. 
4.06);

2: Were entrance conferences held?

3: Does the entity profile (or equivalent) document an understanding of 
the entity sufficient to plan the audit? (FAM 290.03);

4: Does the documentation contain an adequate general risk analysis or 
the equivalent? (FAM 290.04);

5: Did the audit team adequately perform and document the following 
planning steps? (FAM 290.04);

a: Perform preliminary analytical procedures (FAM 225);

b: Determine planning, design, and test materiality (FAM 230);

c: Identify significant laws and regulations (FAM 245);

d: Identify relevant budget restrictions (FAM 250);

e: Understand the budget formulation process (FAM 260.51);

f: Assess inherent risk and the overall effectiveness of the control 
environment, risk assessment, communication, and monitoring, including 
whether weaknesses in the control environment, risk assessment, 
communication, and monitoring preclude the effectiveness of specific 
control activities (FAM 260);

g: Conduct brainstorming meeting(s), obtain information to identify 
fraud risks, and identify and assess fraud risks (FAM 260);

h: Respond to fraud risks, including any related to revenue and to 
management override of controls, and exercise professional skepticism 
throughout the audit (FAM 260);

i: Design the audit to achieve an acceptable level of audit assurance 
that the financial statements are not materially misstated (GAO uses 95 
percent) (FAM 260.04);

j: Consider the effects of information technology, including service 
centers (FAM 220, 260.17, 260.41-42, and 270);

k: Assess the FMFIA process (FAM 260.43);

l: Consider operations controls to be tested (FAM 275);

m: Understand performance measures controls (FAM 275);

n: Plan other procedures (representation letters, related party 
transactions, sensitive payments) (FAM 280);

o: Consider locations to be visited (FAM 285);

p: Plan procedures to test whether the entity's financial management 
systems substantially comply with the requirements of FFMIA (FAM 
350.02);

q: Consider staffing requirements;

r: Consider timing of procedures and milestones (FAM 295 D);

s: Consider assistance from entity personnel;

6: Does the general risk analysis or the equivalent reflect appropriate 
consideration of findings and recommendations from previous audits that 
could affect the current audit objectives? (GAGAS, par. 4.14);

7: Did the audit team identify budget controls for each relevant budget 
restriction and perform sufficient work to support the conclusions on 
internal control? (FAM 250, 310.05, 330.09);

8: Did the audit team identify compliance controls and perform 
sufficient work to support the conclusions on internal control? (FAM 
245, 310.05, 330.09);

9: If the audit team used the work of others (CPA firms, IGs, internal 
auditors, or specialists), did the audit team meet the requirements of 
FAM 650?

10: Did the audit team perform overall analytical procedures, including 
documentation of the following?

a: Expectations;

b: Data/sources;

c: Parameters;

d: Explanations/corroboration;

e: Conclusions (FAM 590.04);

11: Does the documentation indicate that the audit team properly 
performed the following procedures in the reporting phase of the audit? 
(FAM 590.01);

a: Evaluate misstatements, including considering whether any 
misstatements are indicative of fraud (FAM 540);

b: Bring all misstatements to the attention of entity management (FAM 
540.07);

c: Obtain attorneys' representations (FAM 550.02);

d: Review subsequent events (FAM 550.04 and 1005);

e: Obtain management representations (FAM 550.08 and 1001);

f: Identify and test related party transactions (FAM 550.12 and 1006);

g: Review the consistency of other information accompanying the 
financial statements (FAM 580.76);

12: Does the audit summary memorandum or equivalent properly summarize 
or refer to documentation addressing the following? (FAM 590.02-.03);

a: Changes from original risk assessments;

b: Additional fraud risks or other conditions identified during the 
audit calling for an additional response and the additional response;

c: The basis for conclusions on significant auditing, accounting, and 
reporting issues;

d: Conclusions on adequacy of procedures;

e: Unadjusted misstatements;

f: Conclusions on financial statements;

g: Conclusions on internal control;

h: Conclusions on whether the entity's financial management systems 
meet the requirements of FFMIA;

i: Conclusions on compliance with laws and regulations;

j: Conclusions on the consistency of accompanying information with the 
principal statements;

13: Has the Audit Director determined that appropriate communications 
have occurred among the audit team members regarding fraud risks? (FAM 
540.19);

14: Is there documentation that the following occurred?

a: Deviations from the "should" procedures in the FAM and the basis 
therefor were approved by the assistant director with copies of the 
documentation sent to the audit director and the Reviewer;

b: Deviations from the "must" procedures in the FAM were approved by 
the Reviewer (FAM 100.28);

Section II: Key Audit Areas:

Answer these questions for each key audit area or cycle. Indicate the 
key audit areas and cycles to which these questions:

1: Did the audit team prepare the following documentation summarizing 
considerations in planning and performing the work in the key audit 
areas and cycles?

a: Cycle Matrix or an equivalent (or documentation in Account Risk 
Analysis or an equivalent) showing links between accounts, cycles, 
applications and line items (FAM 290.05);

b: Account Risk Analysis or an equivalent (FAM 290.06);

c: Cycle Memorandum and/or flowchart or equivalents (FAM 390.04-.05);

d: Specific Control Evaluation or an equivalent (FAM 390.06);

e: Written audit program (AU 311.05);

2: If conditions changed during the course of the audit, was the audit 
program modified as appropriate in the circumstances? (AU 311.05);

3: When the audit team performed sampling, did it properly determine 
and document the following?

a: The method used in relation to test objectives;

b: Sample size and the method of determining it;

c: Tests performed;

d: Results (misstatements and deviations found);

e: Evaluation (including projection to the population);

f: Conclusions (FAM 490.07);

4: When the audit team performed substantive analytical procedures, did 
it properly document the following?

a: Expectations and the method used to develop them;

b: Data sources/reliability;

c: Limit/criteria;

d: Client explanations and corroborating evidence;

e: Additional steps needed;

f: Conclusions (FAM 490.07);

5: When the audit team performed interim testing, did it do the 
following?

a: Test the rollforward period;

b: Properly document:

i: The basis for using interim testing;

ii: The procedures performed;

iii: The effects of any misstatements found (FAM 495C.06);

6: Did the audit team evaluate the reasonableness of significant 
accounting estimates made by management? (AU 342);

7: Were known and likely misstatements identified in the testing of the 
key area carried forward to the summary of possible adjustments? (FAM 
540.04);

8: Did an information systems auditor review the specific control 
evaluation to evaluate the audit team's decision on which controls are 
computer-related (including controls relating to service-center-
produced records)? (FAM 350.10);

9: Based on the inherent and control risk, did the audit team perform 
adequate substantive tests of the following? (If not a key area, check 
the N/A box.);

Fund Balance with Treasury (FBWT):

Consider these issues:

* Did the audit team test the agency's year-end reconciliation of Fund 
Balances with Treasury to Treasury account ledgers and trial balance 
reports (Financial Management Service (FMS) Forms 6653, 6655)?

* Did the audit team determine whether the auditee did the following?

a: Researched and resolved differences before making adjustments;

b: Recorded any necessary adjustments in the agency's FBWT accounts;

c: Reported the adjustments to Treasury;

d: Disclosed in the notes to the financial statements material 
unreconciled differences and budget clearing account differences at 
year-end, and material unreconciled differences written off by the 
agency during the year?

* Did the audit team assess (at absolute value) the materiality of 
unreconciled differences, such as those reported on the Statement of 
Differences (FMS form 6652) and those included in budget clearing 
accounts (such as budget accounts F3875, F3878, F3879)? 
(GAO/AIMD-97-104R);

Receivables:

Consider these issues:

* Where practical, were accounts receivable confirmed and appropriate 
follow-up steps taken, including second requests and alternate 
procedures? (AU 330.30-.31);

* If substantive tests were performed prior to year-end, was there an 
adequate review of transactions from the interim date to the balance 
sheet date? (AU 313.08-.09);

* If a significant number and amount of accounts receivable were not 
confirmed, were other appropriate auditing procedures performed? (AU 
330.31-.32);

Inventories:

Consider these issues:

* Were physical inventories observed at all locations where material 
amounts were located? (AU 331);

* If perpetual inventory records are maintained, does the documentation 
indicate that differences disclosed by the physical inventory (or cycle 
counts) are properly reflected in the financial statements? (AU 331);

* When the physical inventory is taken at a date other than the balance 
sheet date (or where rotating procedures are used), did the auditor 
consider inventory transactions between the inventory date(s) and the 
balance sheet date? (AU 313.08-.09);

* Does the documentation contain evidence that counts were correctly 
made and recorded (was control over inventory tags or count sheets 
maintained) and test count quantities were reconciled with the counts 
reflected in the final inventory? (AU 331.09);

* Were there adequate tests of the following?

a: Clerical accuracy of the inventory;

b: Costing methods and substantiation of costs used in pricing all 
elements of the inventory;

c: Cutoff;

* Were analytical procedures used to test the overall valuation of 
inventories?

Investments:

Consider these issues:

* Was a summary schedule prepared (or obtained) and details tested with 
respect to the description, purchase price and date, changes during the 
period, income, market value, etc. of investments?

* Were securities either examined or confirmed? (AU 332.04);

Property, Plant, and Equipment:

Consider these issues:

* Was a summary schedule prepared (or obtained) to show beginning 
balances, changes during the period, and ending balances for the 
following?

a: Property, plant, and equipment;

b: Accumulated depreciation;

* If samples were used to determine opening balances, were the samples 
appropriate?

* Did the audit team perform tests of completeness, such as by testing 
from disbursements to property records?

* Do the tests appear adequate and were proper conclusions drawn?

Liabilities:

Consider these issues:

* Did the audit team perform an adequate search for unrecorded 
liabilities?

* Did the audit team consider expenses that might require accrual 
(e.g., pensions, compensated absences, other postretirement benefits, 
or postemployment benefits provided to former or inactive employees 
prior to retirement), and whether accrued expenses were reasonably 
stated?

Revenue and Expenses:

Consider these issues:

* Did the audit team compare revenue and expenses for the period to 
expectations, based on the budget and the results of the preceding 
period? (AU 329);

* Were significant variances and fluctuations from expectations 
explained? (AU 329);

* Did the audit team consider the following?

a: The entity's revenue recognition policy;

b: Unusual transactions;

c: Fraud risks;

* Do tests appear adequate and were proper conclusions drawn?

Statement of Budgetary Resources:

Consider these issues:

* Were appropriate procedures applied, such as the following?

a: Understanding and testing the budget execution controls;

b: Tests of the process of preparing the statement;

c: Tests of undelivered orders;

d: Review of reconciliation to the President's Budget;

Section III: Consultation:

1: Where warranted by the complexity or unusual nature of an issue (for 
example, issues where the FAM requires consultation, issues not 
discussed in FAM or professional standards, going concern issues, 
economic dependency issues, issues arising after report issuance), was 
there appropriate consultation with specialists, including the 
following?

* The Reviewer (FAM Appendix A);

* The Statistician (FAM Appendix A);

* The Office of General Counsel (FAM Appendix A);

* The Technical Accounting and Auditing Expert? (FAM 100.25);

2: Were significant consultations appropriately documented? (FAM 
100.24);

3: Were the persons consulted made aware of all relevant facts and 
circumstances?

Section IV: Report:

1: Does the auditor's report include the following?

a: Introduction;

b: Significant matters (if applicable);

c: Conclusions on:

i: Financial statements;

ii: Internal control;

iii: Whether the entity's financial management systems substantially 
complied with the requirements of the Federal Financial Management 
Improvement Act of 1996 (FFMIA);

iv: Compliance with laws and regulations;

v: Consistency of other information with financial statements;

d: Objectives, scope, and methodology, including description of all 
instances where GAGAS and OMB audit guidance were not followed;

e: Agency comments (FAM 580.04, 580.81);

2: Is the auditor's report appropriate as to the following?

a: Wording;

b: Scope of work;

c: U.S. generally accepted accounting principles;

d: Explanatory paragraphs;

e: Opinion on financial statements;

f: Conclusions on internal control;

g: Conclusions on whether the entity's financial management systems 
substantially comply with the requirements of FFMIA;

h: Reporting on compliance with laws and regulations (FAM 580);

3: Is background material (purpose, authority, and functions of 
programs/activities) limited to what is necessary?

4: Is the auditor's report dated in conformity with professional 
standards? (AU 530, FAM 1601);

5: Does the auditor's report cover all periods for which financial 
statements are presented? (AU 508.65);

6: If the financial statements of a prior period are presented and have 
been audited by a predecessor auditor whose report is not presented, 
does the auditor's report refer to the predecessor auditor's report? 
(AU 508.74);

7: Does the auditor's report describe the responsibility the auditor is 
taking for supplementary information, including stewardship 
information? (AU 551; FAM 580.76-.79);

8: a: When illegal acts involve funds received from other governmental 
entities, did the audit team satisfy itself that the audited entity 
notified the proper officials of those entities within a reasonable 
time?

b: If the entity did not, or was unable to do so because the top 
official was involved, did the audit team report these acts to the 
officials of those other governmental entities? (GAGAS, par. 5.23);

9: Does the auditor's report include the following?

a: Identification of which matters are reportable conditions and which 
of the reportable conditions are material weaknesses (GAGAS, par. 
5.14);

b: Reference to a separate letter, if applicable, describing 
nonreportable conditions (GAGAS, par. 5.16);

c: Presentation of all identified (1) instances of fraud and illegal 
acts unless clearly inconsequential, (2) significant violations of 
provisions of contracts or grant agreements, and (3) significant abuse 
(GAGAS, par. 5.12);

10: When appropriate, did the audit team report directly to outside 
parties on fraud, illegal acts, violations of provisions of contracts 
or grant agreements, or significant abuse? (GAGAS, par. 5.21);

11: Did the auditor consider the status of all known significant 
findings and recommendations from prior audits that affect current 
audit objectives, including whether any failure to follow up and 
correct previously identified deficiencies in internal control 
represents reportable conditions? (GAGAS pars. 4.16, 5.12, and 5.13j.);

12: Is a reasonable basis documented for the following?

a: The opinion about whether the financial statements and disclosures 
comply in all material respects with U.S. generally accepted accounting 
principles (FAM 560);

b: The conclusions on internal control;

c: The conclusions on whether the entity's financial management systems 
substantially comply with the requirements of FFMIA;

d: The conclusions about compliance with laws and regulations;

13: Is a reasonable basis documented for reported findings, including 
the following? (FAM 590.05-.06);

a: Internal control weaknesses;

b: Instances of the entity's financial management systems' lack of 
substantial compliance with the requirements of FFMIA;

c: Instances of noncompliance with laws and regulations;

14: Do the findings include (where appropriate) the following?

a: Condition (describe the existing situation);

b: Criteria (state what we are comparing to);

c: Cause (reflect reason or reasons why the condition and criteria 
differ);

d: Effect (describe the result of the difference between the condition 
and criteria);

15: Are recommendations and suggestions reasonable, doable, and cost-
effective?

16: Does the presentation of agency comments include the following?

a: Type of comments obtained (oral, written);

b: Title of the most senior official(s) involved;

c: Accurate characterization of general agreement or disagreement with 
the report;

d: Description of the substance of the comments;

e: Resolution of all substantive comments;

Section V: GAO's Report Considerations:

1: Overall, does the report have the following characteristics?

a: Professional (the work reflects an understanding of the issues, an 
awareness of the external environment, including sensitivity to 
relevant trends, and a practical approach to what can be done to deal 
with the problems noted);

b: Accurate (presents information or findings accurately; contains no 
notable errors in logic or reasoning);

c: Objective (presentation is fair and impartial; tone is constructive 
and objective);

d: Fact-based (states information and findings completely, includes all 
necessary facts and/or explanations, distinguishes between fact and 
unproven or uncorroborated material, and resolves conflicting 
evidence);

e: Balanced (presents sound and logical evidence to support 
conclusions, does not use adjectives or adverbs to characterize 
evidence in a way that implies criticism or conclusions by innuendo, 
and appropriately recognizes positive aspects of the programs or issues 
reviewed);

f: Timely and useful (provides relevant and timely information);

g: Clear and concise (presentation is clear, concise, and well 
organized; message is presented logically; and writing style is adapted 
to the audience);

Section VI: GAO's Quality Control:

1: Was the report reviewed by the following?

a: Audit Director;

b: Office of the General Counsel;

c: Chief Accountant;

d: Second Partner;

2: Did the audit director review the following? (FAM 1301.17);

a: General risk analysis or equivalent, including sampling approach;

b: Account risk analyses or equivalent for material areas with high or 
moderate combined risk;

c: Memoranda on key accounting and auditing issues;

d: Summary memoranda for material areas with high or moderate combined 
risk;

e: Management representation letter;

f: Legal representation letter;

g: Summary of unadjusted misstatements;

h: Exit conference summary memorandum;

i: Audit summary memorandum;

j: Financial statements;

k: Referencing/Quality Assurance Review Sheet;

l: GAO Audit Documentation Set;

3: Did the assistant director review the following? (FAM 1301.17);

a: Entity profile or equivalent;

b: General risk analysis or equivalent, including sampling approach;

c: Account risk analyses or equivalent;

d: Initial audit programs;

e: Lead schedules;

f: Completed audit programs;

g: Memoranda on key accounting and auditing issues;

h: Summary memoranda;

i: Checklist for Federal Accounting, Reporting, and Disclosures (for 
statements using GAAP promulgated by FASAB);

j: Financial reporting and disclosure checklist (for statements using 
GAAP promulgated by FASB);

k: Management representation letter;

l: Legal representation letter;

m: Summary of unadjusted misstatements;

n: Exit conference memorandum;

o: Audit summary memorandum;

p: Financial statements;

q: Referencing/Quality Assurance Review Sheet;

r: GAO Audit Documentation Set;

4: Did the assistant director or audit manager determine that all 
significant review notes were resolved appropriately? (FAM 1301.28);

5: Did an assistant director initial all bundle covers to indicate that 
all documentation was sufficiently reviewed? (FAM 1301.05);

6: Were review notes, superseded versions of documentation, and draft 
reports (except the referenced draft and the draft sent to the agency 
for comment), including review notes and superseded versions in 
electronic form, placed in a separate folder to be retained until the 
report is issued (unless the audit director decides to retain them 
until the next audit)? (FAM 1301.28);

7: Were review responsibilities communicated to all individuals on the 
assignment? (FAM 1301.23);

8: Was documentation prepared by an information systems auditor 
reviewed by an information systems auditor for technical content and by 
a member of the audit team to determine that related audit objectives 
were achieved? (FAM 1301.24);

9: For areas that are both material and have high combined risk, did 
the audit director or assistant director perform secondary reviews of 
the documentation? (FAM 1301.12);

10: Was all documentation prepared by the audit director or assistant 
directors read by audit managers or auditors in charge to determine its 
consistency with any related documentation? (FAM 1301.15);

11: If the documentation indicated a difference of opinion between 
engagement personnel or between engagement personnel and a specialist 
or other person consulted, was the difference resolved appropriately 
and was the basis of the resolution documented? (FAM 1302);

Section VII: Explanation of "NO" Answers* and Other Comments:

The following pages are provided for comments on all "no" answers* or 
to expand upon any of the "yes" and "N/A" answers.

* For some questions, "no" answers might indicate departures from 
professional standards or from policies. The auditor should explain all 
"no" answers below and should consider the effects and significance of 
"no" answers, including any effect on the auditor's report.

Page no.:

Question no.:

Explanatory comments:

Disposition of comments:

Section VIII: Conclusions: Based on your review and knowledge, do you 
believe the following?**;

1: The audit team performed the engagement, in all material respects, 
in accordance with U.S. generally accepted government auditing 
standards (which include U.S. generally accepted auditing standards) 
and applicable OMB guidance, or the auditor's report was appropriately 
modified;

2: The financial statements conformed, in all material respects, with 
U.S. generally accepted accounting principles, or the auditor's report 
was appropriately modified;

3: The auditor's report was appropriate in the circumstances;

4: The documentation on this engagement supports:

* The auditor's opinion on the financial statements;

* The auditor's conclusions on internal control;

* The auditor's conclusions on whether the entity's financial 
management systems substantially comply with the requirements of FFMIA;

* The auditor's conclusions on compliance with laws and regulations;

5: The audit team complied, in all material respects, with the audit 
organization's policies and procedures;

**If any of the above 5 statements have "no" responses, please describe 
the response in a memorandum to the Reviewer.

Date of completion of fieldwork:

Audit Manager:

Date:

Assistant Director:

Date:

Audit Director:

Date:

Section IX: Second Partner's Concurrence:

Objective of second partner review: To objectively review significant 
auditing, accounting, and reporting matters and to conclude, based on 
all facts the second partner has knowledge of, that, except as 
discussed in the report, no matters were found that caused the second 
partner to believe that (1) the audit was not performed in accordance 
with GAGAS and OMB audit guidance (if applicable), (2) the financial 
statements are not, in all material respects, in conformity with U.S. 
generally accepted accounting principles, and (3) the report does not 
meet professional standards and GAO's policies and core values.

Procedures: Before the report was issued, I performed the following 
procedures:

* Discussed significant auditing, accounting, and reporting issues with 
the Audit Director;

* Discussed the audit team's identification of high-risk balances and 
transactions and the audit of those balances and transactions;

* Reviewed documentation on the resolution of significant auditing, 
accounting, and reporting issues, including documentation of 
consultation with specialists such as the Chief Accountant, Chief 
Statistician, and IS professionals;

* Reviewed the summary of unadjusted misstatements;

* Read the audit summary memorandum;

* Read the financial statements and audit report; and

* Confirmed with the Audit Director that there are no unresolved 
issues.

Conclusion:

Based on all the relevant facts of which I have knowledge, I found no 
matters, except as discussed in the report, that cause me to believe 
that (1) the audit was not performed in accordance with GAGAS and OMB 
audit guidance (if applicable), (2) the financial statements are not, 
in all material respects, in conformity with U.S. generally accepted 
accounting principles, and (3) the report is not in accordance with 
professional standards and GAO's policies and core values.

In signing this form, I acknowledge that there have been no personal or 
external impairments to independence regarding my work on this 
engagement.

Second Partner Name and Title:

Signature:

Date:

Section X: Chief Accountant's Concurrence:

When the Chief Accountant is not the second partner, the Chief 
Accountant should read the report. The Chief Accountant should then 
sign the conclusion below.

Conclusion:

Based on my reading of the report, I found no matters, except as 
discussed in the report, that cause me to believe that (1) the audit 
was not performed in accordance with GAGAS and OMB audit guidance (if 
applicable), (2) the financial statements are not, in all material 
respects, in conformity with U.S. generally accepted accounting 
principles, and (3) the report is not in accordance with professional 
standards and GAO policies and core values.

In signing this form, I acknowledge that there have been no personal or 
external impairments to independence regarding my work on this 
engagement.

Chief Accountant's Signature:

Date:

[End of section]
