This is the accessible text file for GAO report number GAO-03-673G entitled 'Government Auditing Standards: 2003 Revision' which was released on June 01, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. By the Comptroller General of the United States: June 2003: Government Auditing Standards: 2003 Revision: GAO-03-673G: By the Comptroller General of the United States: June 2003: Government Auditing Standards: 2003 Revision: This revision of the standards supersedes the 1994 revision, including amendments 1 through 3. Its provisions are effective for financial audits and attestation engagements of periods ending on or after January 1, 2004, and for performance audits beginning on or after January 1, 2004. Early application is permissible. Letter: The concept of accountability for public resources is key in our nation's governing process and a critical element for a healthy democracy. Legislators, government officials, and the public want to know whether government services are being provided efficiently, effectively, economically, and in compliance with laws and regulations. They also want to know whether government programs are achieving their objectives and desired outcomes, and at what cost. Government managers are accountable to legislative bodies and the public for their activities and related results. Government auditing is a key element in fulfilling the government's duty to be accountable to the people. Auditing allows those parties and other stakeholders to have confidence in the reported information on the results of programs or operations, as well as in the related systems of internal control. Government auditing standards provide a framework to auditors so that their work can lead to improved government management, decision making, oversight and accountability. These standards are broad statements of auditors' responsibilities. They provide an overall framework for ensuring that auditors have the competence, integrity, objectivity, and independence in planning, conducting, and reporting on their work. Auditors will face many situations in which they could best serve the public by doing work exceeding the standards' minimum requirements. As performance and accountability professionals, we should not strive just to comply with minimum standards, which represent the floor of acceptable behavior, but we need to do the right thing according to the facts and circumstances of each audit situation. I encourage auditors to seek opportunities to do additional work when and where it is appropriate, particularly in connection with testing and reporting on internal control. This is the fourth revision of the overall standards since they were first issued in 1972. This revision of the standards supersedes the 1994 revision, including amendments 1 through 3. This revision makes changes to these standards in the following 3 areas: * redefining the types of audits and services covered by the standards, including an expansion of the definition of performance auditing to incorporate prospective analyses and other studies and adding attestation as a separate type of audit, * providing consistency in the field work and reporting requirements among all types of audits defined under the standards, and: * strengthening the standards and clarifying the language in areas that, by themselves, do not warrant a separate amendment to the standards. These standards contain requirements for auditor reporting on internal control, but they do not require the auditor to render an opinion on internal control. Nevertheless, I encourage auditors to evaluate those situations where they are reporting on internal control to determine whether providing an opinion on internal control would add value and be cost beneficial based on related risks. The Sarbanes-Oxley Act requires private sector auditors to attest to and report on the assessment made by management of each publicly traded company on the effectiveness of internal control over financial reporting. GAO strongly believes that auditor reporting on internal control is a critical component of monitoring the effectiveness of an organization's risk management and accountability systems. Auditors can better serve their clients and other financial statement users and better protect the public interest by having a greater role in providing assurances over the effectiveness of internal control in deterring fraudulent financial reporting, protecting assets, and providing an early warning of emerging problems. We believe auditor reporting on internal control is appropriate and necessary for publicly traded companies and major public entities. We also believe that such reporting is appropriate in other cases where management assessment and auditor examination and reporting on the effectiveness of internal control add value and mitigate risk in a cost beneficial manner. In this regard, GAO seeks to lead by example in establishing the appropriate level of auditor reporting on internal control for federal agencies, programs, and entities receiving significant amounts of federal funding. In fact, we already provide opinions on internal control for all our major federal audit clients, including the consolidated financial statements of the U.S. Government. Because of the breadth of the fourth revision to the overall standards, any new standards are applicable for financial audits and attestation engagements of periods ending on or after January 1, 2004, and for performance audits beginning on or after January 1, 2004. Early application is permissible and encouraged. An electronic version of these standards can be accessed on the Web at www.gao.gov/govaud/ ybk01.htm. We have also posted a listing of the major changes from the 1994 Revision to this Web site. Printed copies can be obtained from the U.S. Government Printing Office. This revision of the standards currently incorporates the field work and the reporting standards issued by the American Institute of Certified Public Accountants (AICPA). The Sarbanes-Oxley Act gives the Public Company Accounting Oversight Board (PCAOB) the authority to set auditing standards to be used by registered public accounting firms in the preparation and issuance of audit reports for publicly traded companies. As the PCAOB promulgates auditing standards for audits of these entities, GAO will continue to closely monitor the actions of both standard setting bodies and will issue clarifying guidance as necessary on the incorporation of future standards set by either standard setting body. This revision has gone through an extensive deliberative process including extensive public comments and input from the Comptroller General's Advisory Council on Government Auditing Standards, which includes 21 experts in financial and performance auditing and reporting drawn from all levels of government, academia, private enterprise, and public accounting. The views of all parties were thoroughly considered in finalizing the standards. I thank those who commented and suggested improvements to the standards. I especially commend the Advisory Council on Government Auditing Standards and the GAO project team for important contributions to this revision. David M. Walker Comptroller General of the United States: Signed by David M. Walker: June 2003: [End of section] Contents: Chapter 1: Introduction: Purpose: Applicability: Relationship between GAGAS and Other Professional Standards: Accountability: Roles and Responsibilities: Chapter 2: Types of Government Audits and Attestation Engagements: Introduction: Financial Audits: Attestation Engagements: Performance Audits: Nonaudit Services Provided by Audit Organizations: Chapter 3: General Standards: Introduction: Independence: Professional Judgment: Competence: Quality Control and Assurance: Chapter 4: Field Work Standards for Financial Audits: Introduction: AICPA Field Work Standards: Additional GAGAS Standards: Auditor Communication: Considering the Results of Previous Audits and Attestation Engagements: Detecting Material Misstatements Resulting from Violations of Contract Provisions or Grant Agreements, or from Abuse: Developing Elements of a Finding: Audit Documentation: Chapter 5: Reporting Standards for Financial Audits: Introduction: AICPA Reporting Standards: Additional GAGAS Reporting Standards for Financial Audits: Reporting Auditors' Compliance with GAGAS: Reporting on Internal Control and on Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements: Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: Reporting Views of Responsible Officials: Reporting Privileged and Confidential Information: Report Issuance and Distribution: Chapter 6: General, Field Work, and Reporting Standards for Attestation Engagements: Introduction: AICPA General and Field Work Standards for Attestation Engagements: Additional GAGAS Field Work Standards for Attestation Engagements: Auditor Communication: Considering the Results of Previous Audits and Attestation Engagements: Internal Control: Detecting Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse That Could Have a Material Effect on the Subject Matter: Developing Elements of Findings for Attestation Engagements: Attest Documentation: AICPA Reporting Standards for Attestation Engagements: Additional GAGAS Reporting Standards for Attestation Engagements: Reporting Auditors' Compliance with GAGAS: Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: Reporting Views of Responsible Officials: Reporting Privileged and Confidential Information: Report Issuance and Distribution: Chapter 7: Field Work Standards for Performance Audits: Introduction: Planning: Supervision: Evidence: Audit Documentation: Chapter 8: Reporting Standards for Performance Audits: Introduction: Form: Report Contents: Report Quality Elements: Report Issuance and Distribution: Appendix: Appendix I Advisory Council on Government Auditing Standards: GAO Project Team: Index: Abbreviations: AICPA: American Institute of Certified Public Accountants: COSO: Committee of Sponsoring Organizations of the Treadway Commission: CPA: certified public accountant: CPE: continuing professional education: GAAP: generally accepted accounting principles: GAAS: generally accepted auditing standards: GAGAS: generally accepted government auditing standards: GAO: U.S. General Accounting Office: MD&A: Management's Discussion and Analysis: OMB: U.S. Office of Management and Budget: SAS: AICPA Statements on Auditing Standards: SSAE: AICPA Statements on Standards for Attestation Engagements: Chapter 1 Introduction: Purpose: 1.01: The standards and guidance contained in this document, often referred to as generally accepted government auditing standards (GAGAS), are intended for use by government auditors[Footnote 1] to ensure that they maintain competence, integrity, objectivity, and independence in planning, conducting, and reporting their work, and are to be followed by auditors and audit organizations when required by law, regulation, contract, agreement, or policy.[Footnote 2] The work performed in accordance with GAGAS, which is described in this chapter and more fully in chapter 2, includes financial audits, attestation engagements, and performance audits. Users of government audits and attestation engagements that are performed in accordance with GAGAS should have confidence that the work is objective and credible. 1.02: GAGAS pertain to auditors' professional qualifications and the quality of their work, the performance of field work, and the characteristics of meaningful reporting. Adherence to GAGAS can help ensure that audits and attestation engagements provide credibility to the information reported by or obtained from officials of the audited entity through objectively acquiring and evaluating evidence. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, decision making, and oversight. Government auditing is also a key element in fulfilling the government's duty to be accountable to the public. 1.03: This chapter describes the applications of GAGAS by auditors and audit organizations. This chapter also describes the concept of accountability for public resources and discusses the responsibilities of managers of government programs, auditors, and audit organizations in the audit process. Applicability: 1.04: The standards and guidance in this document apply to audits and attestation engagements of government entities, programs, activities, and functions, and of government assistance administered by contractors, nonprofit entities, and other nongovernmental entities. A number of statutes and other mandates require that auditors follow GAGAS. Where a statute or other mandate does not exist, auditors will find it useful to follow GAGAS in work regarding the use of government funds. If auditors hold themselves out as following GAGAS, regardless of whether the auditors are required to follow such standards, the auditors need to justify any departures from GAGAS. 1.05: The following are among the laws, regulations, and guidelines that require use of GAGAS: a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. (2000) requires that the statutorily appointed federal inspectors general comply with GAGAS for audits of federal establishments, organizations, programs,[Footnote 3] activities, and functions. The act further states that the inspectors general shall take appropriate steps to assure that any work performed by nonfederal auditors complies with GAGAS. b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the Government Management Reform Act of 1994 (Public Law 103-356), requires that GAGAS be followed in audits of executive branch departments' and agencies' financial statements. c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require that GAGAS be followed in audits of state and local governments and nonprofit entities that receive federal awards.[Footnote 4] The Office of Management and Budget (OMB) Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, which provides the government-wide guidelines and policies on performing audits to comply with the Single Audit Act, also requires the use of GAGAS. 1.06: Auditors need to be alert to other laws, regulations, or other authoritative sources that could require the use of GAGAS. For example, state and local laws and regulations may require auditors at the state and local levels of government to follow GAGAS. Also, the terms of an agreement or contract may require auditors to comply with GAGAS. Federal audit guidelines pertaining to program requirements, such as those issued for Housing and Urban Development programs and Student Financial Aid programs, may also require that GAGAS be followed. 1.07: Even if not required to do so, auditors may find it useful to follow GAGAS in performing audits of federal, state, and local government programs as well as in performing audits of government awards administered by contractors, nonprofit entities, and other nongovernment entities. Many audit organizations not formally required to do so, both in the United States of America and in other countries, voluntarily follow GAGAS. 1.08: Auditors may provide professional services, other than audits and attestation engagements, that consist solely of gathering, providing, and explaining information requested by decision makers or by providing advice or assistance to officials of the audited entity. GAGAS are not applicable to nonaudit services, which are described more fully in chapter 2. However, providing nonaudit services may affect an audit organization's independence to conduct audits, which is discussed in chapter 3. Relationship between GAGAS and Other Professional Standards: 1.09: GAGAS may be used in conjunction with professional standards issued by other authoritative bodies. For example, the American Institute of Certified Public Accountants (AICPA) has issued professional standards that apply in financial audits and attestation engagements performed by certified public accountants (CPA). GAGAS incorporate the AICPA's field work and reporting standards and the related statements on auditing standards for financial audits unless specifically excluded, as discussed in chapters 4 and 5. GAGAS incorporate the AICPA's general standard on criteria, and the field work and reporting standards and the related statements on the standards for attestation engagements, unless specifically excluded, as discussed in chapter 6. To meet the needs of users of government audits and attestation engagements, GAGAS also prescribe requirements in addition to those provided by the AICPA for these types of work. 1.10: Other professional standards that may be used by auditors are issued by such bodies as the Institute of Internal Auditors (Codification of the Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, Inc.) and the American Evaluation Association (Guiding Principles for Evaluators, a report from the American Evaluation Association Task Force on Guiding Principles for Evaluators; The Program Evaluation Standards, Joint Committee on Standards for Education Evaluation; and Standards for Educational and Psychological Testing, American Psychological Association.) These other professional standards are not incorporated into GAGAS, but can be used in conjunction with GAGAS. To the extent of any inconsistencies between the standards, GAGAS should prevail as the controlling (authorative) source if GAGAS are cited in the report. Accountability: 1.11: The concept of accountability for public resources is key in our nation's governing processes. Legislators, other government officials, and the public want to know whether (1) government resources are managed properly and used in compliance with laws and regulations, (2) government programs are achieving their objectives and desired outcomes, and (3) government services are being provided efficiently, economically, and effectively. Managers of these programs are accountable to legislative bodies and the public. Auditors of these programs, when they adhere to GAGAS, provide reports that enhance the credibility and reliability of the information that is reported by or obtained from officials of the audited entity. 1.12: Financial audits contribute to making governments more accountable for the use of public resources. The auditors, in providing an independent report on whether an entity's financial information is presented fairly in accordance with recognized criteria, provide users with statements concerning the reliability of the information. Financial audits performed in accordance with GAGAS also provide information about internal control, compliance with laws and regulations, and provisions of contracts and grant agreements as they relate to financial transactions, systems, and processes. 1.13: Attestation engagements also contribute to governments' accountability for the use of public resources and the delivery of services. In an attestation engagement, auditors issue an examination, a review, or an agreed-upon procedures report on a subject matter or on an assertion about a subject matter, based on or in conformity with criteria that is the responsibility of another party. Attestation engagements can cover a broad range of financial or nonfinancial objectives and provide various levels of assurance about the subject matter or assertion dependent upon the user's needs. 1.14: Performance audits also contribute to governments' accountability for the use of public resources and the delivery of services. The term performance audit is used to include a variety of objectives to meet users' needs. Performance audits provide an independent assessment of the performance and management of government programs against objective criteria or an assessment of best practices and other information. Performance audits provide information to improve program operations, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. The term performance audit is used generically to include work classified by some audit organizations as program evaluations, program effectiveness and results audits, economy and efficiency audits, operational audits, and value-for-money audits. 1.15: Given the importance and complexity of government programs in providing a variety of public services, auditors are increasingly being called on by legislative bodies and government agencies to expand the variety of performance audits to include work that has a prospective focus or provides guidance, best practice information, or information on issues that affect multiple programs or entities already studied or under study by an audit organization. This work may also include an assessment of policy alternatives, identification of risks and risk mitigation efforts, and a variety of analytical services to aid government officials in performing their responsibilities and carrying out their stewardship of government resources. Such work, like other performance audits, (1) involves a level of analysis, research, or evaluation, (2) may provide conclusions and recommendations, and (3) results in a report. 1.16: Audit organizations may also seek to achieve improvement through cooperative engagements with affected agencies while continuing to maintain independence under the standards. Such "constructive engagement" approaches, where appropriate, can facilitate management improvements on a real-time basis without compromising the audit organization's independence and objectivity. Efforts to provide technical advice and expertise to agencies for use in responding to current risks, correcting internal control deficiencies, or responding to the audit organization's recommendations are examples of constructive engagements. Constructive engagement approaches will not impair independence when conducted within the framework of an audit or as technical advice to agencies. However, audit organizations need to take care to avoid making management decisions or to avoid situations that would result in the audit organization auditing its own work, such as directing agencies to undertake a specific activity in a specific manner as discussed more fully in chapter 3 of these standards. By limiting the audit organization's role in this way, the overarching principles of independence are not violated. Roles and Responsibilities: 1.17: Officials of the audited entity entrusted with handling public resources and auditors of government programs fulfill essential roles and responsibilities in ensuring that public resources are used efficiently, economically, effectively, and legally. Audit organizations also have the important responsibility of ensuring that auditors can meet their responsibilities. These unique roles involve using sound management practices and providing professional audits and attestation engagements. Management's Role: 1.18: Officials of the audited entity (for example, managers of a state or local governmental entity or a nonprofit entity that receives federal awards) are responsible for: a. applying those resources efficiently, economically, effectively, and legally to achieve the purposes for which the resources were furnished or the program was established;[Footnote 5] b. complying with applicable laws and regulations, including identifying the requirements with which the entity and the official must comply and implementing systems designed to achieve that compliance; c. establishing and maintaining effective internal control to help ensure that appropriate goals and objectives are met; resources are used efficiently, economically, and effectively, and are safeguarded; laws and regulations are followed; and reliable data are obtained, maintained, and fairly disclosed; d. providing appropriate reports to those who oversee their actions and to the public in order to be accountable for the resources used to carry out government programs and the results of these programs; e. addressing the findings and recommendations of auditors, and for establishing and maintaining a process to track the status of such findings and recommendations; and: f. following sound procurement practices when contracting for audits and attestation engagements, including ensuring procedures are in place for monitoring contract performance. The objectives and scope of the audit or attestation engagement need to be made clear. In addition to price, other factors that may be considered in evaluating bid proposals include the responsiveness of the bidder to the request for proposal; the prior performance and experience of the bidder; the availability of the bidder's staff who have the appropriate professional qualifications and technical abilities; and the results of the bidder's peer reviews. Auditors' Responsibilities: 1.19: In discharging their professional responsibilities, auditors need to observe the principles of serving the public interest and maintaining the highest degree of integrity, objectivity, and independence. The public interest is defined as the collective well- being of the community of people and entities the auditors serve. These principles are fundamental to the responsibilities of auditors. 1.20: Auditors should act in a way that will serve the public interest, honor the public trust, and uphold their professionalism. A distinguishing mark of a profession is acceptance of its responsibility to the public. This responsibility is critical when auditing in the government environment. GAGAS embody the concept of accountability, which is fundamental to serving the public interest. 1.21: Auditors need to make decisions that are consistent with the public interest in the program or activity under audit. In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and others who rely on the objectivity and independence of the auditors. In resolving those conflicts, auditors are responsible for acting with integrity, guided by the precept that when auditors fulfill their responsibilities to the public, these individuals' and organizations' interests are best served. 1.22: To maintain and broaden public confidence, auditors need to perform all professional responsibilities with the highest degree of integrity. Auditors need to be professional, objective, fact-based, nonpartisan, and non-ideological in their relationships with audited entities and users of the auditors' reports. Auditors should be honest and candid with the audited entity and users of the auditors' work in the conduct of their work, within the constraints of the audited entity's confidentiality laws, rules, or policies. Auditors need to be prudent in the use of information acquired in the course of their duties. They should not use such information for any personal gain or in any manner that would be detrimental to the legitimate and ethical objectives of the audited entity. 1.23: Service and the public trust should not be subordinated to personal gain and advantage. Integrity can accommodate the inadvertent error and the honest difference of opinion; it cannot accommodate deceit or subordination of principle. Integrity requires auditors to observe both the form and the spirit of technical and ethical standards; circumvention of those standards constitutes subordination of judgment. Integrity also requires auditors to observe the principles of objectivity and independence. 1.24: Auditors should be objective and free of conflicts of interest in discharging their professional responsibilities. Auditors are also responsible for being independent in fact and appearance when providing audit and attestation services. Objectivity is a state of mind that requires auditors to be impartial, intellectually honest, and free of conflicts of interest. Independence precludes relationships that may in fact or appearance impair auditors' objectivity in performing the audit or attestation engagement. The maintenance of objectivity and independence requires continuing assessment of relationships with the audited entities in the context of the auditors' responsibility to the public. 1.25: In applying GAGAS, auditors are responsible for using professional judgment when establishing scope and methodologies for their work, determining the tests and procedures to be performed, conducting the work, and reporting the results. Auditors need to maintain integrity and objectivity when doing their work to make decisions that are consistent with the broader public interest in the program or activity under review. When reporting on the results of their work, auditors are responsible for disclosing all material or significant facts known to them which, if not disclosed, could mislead knowledgeable users, misrepresent the results, or conceal improper or unlawful practices. 1.26: Auditors are responsible for helping management and other report users[Footnote 6] understand the auditors' responsibilities under GAGAS and other audit or attestation coverage required by law or regulation. To help managers and other report users understand an engagement's objectives, time frames, and data needs, auditors need to communicate information concerning planning, conduct, and reporting of the engagement to the parties involved during the planning stages of the audit or attestation engagement. Audit Organizations' Responsibilities: 1.27: Audit organizations also have responsibility for ensuring that (1) independence and objectivity are maintained in all phases of the assignment, (2) professional judgment is used in planning and performing the work and in reporting the results, (3) the work is performed by personnel who are professionally competent and collectively have the necessary skills and knowledge, and (4) an independent peer review is periodically performed resulting in an opinion issued as to whether an audit organization's system of quality control is designed and being complied with to provide reasonable assurance of conforming with professional standards. 1.28: While management is responsible for addressing audit and attestation engagement findings and recommendations and tracking their status of resolution, audit organizations are responsible for establishing policies and procedures for follow-up to determine whether previous significant findings and recommendations are addressed and are considered in planning future engagements. [End of section] Chapter 2: Types of Government Audits and Attestation Engagements: Introduction: 2.01: This chapter describes the types of audits and attestation engagements that audit organizations perform, or arrange to have performed, of government entities, programs, and federal awards administered by contractors, nonprofit entities, and other nongovernment entities. This description is not intended to limit or require the types of audits or attestation engagements that may be performed or arranged to be performed. In performing work described below in accordance with generally accepted government auditing standards (GAGAS), auditors should follow the applicable standards included and incorporated in chapters 3 through 8. This chapter also describes nonaudit services that audit organizations may provide, although these services are not covered by GAGAS. 2.02: All engagements begin with objectives, and those objectives determine the type of work to be performed and the auditing standards to be followed. The types of work, as defined by their objectives that are covered by GAGAS, are classified in this document as financial audits, attestation engagements, and performance audits. 2.03: Engagements may have a combination of objectives that include more than one type of work described in this chapter or may have objectives limited to only some aspects of one type of work. Auditors should follow the standards that are applicable to the individual objectives of the audit or attestation engagement. 2.04: In some engagements, the applicable standards that apply to the specific audit objective will be apparent. For example, if the audit objective is to express an opinion on financial statements, the standards for financial audits apply. However, for some engagements, there may be overlap between the applicable objectives. For example, if the objectives are to determine the reliability of performance measures, this work can be done in accordance with either the standards for attestation engagements or for performance audits. In cases where there is a choice between applicable standards, auditors should consider users' needs and the auditors' knowledge, skills, and experience in deciding which standards to follow. Auditors should apply the standards that are applicable to the type of assignment conducted (the financial audit standards, the attestation engagement standards, or the performance auditing standards). Financial Audits: 2.05: Financial audits are primarily concerned with providing reason- able assurance about whether financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles (GAAP),[Footnote 7] or with a comprehensive basis of accounting other than GAAP. Other objectives of financial audits, which provide for different levels of assurance and entail various scopes of work, may include: a. providing special reports for specified elements, accounts, or items of a financial statement;[Footnote 8] b. reviewing interim financial information; c. issuing letters for underwriters and certain other requesting parties; d. reporting on the processing of transactions by service organizations; and: e. auditing compliance with regulations relating to federal award expenditures and other governmental financial assistance in conjunction with or as a by-product of a financial statement audit. 2.06: Financial audits are performed under the American Institute of Certified Public Accountants' (AICPA) generally accepted auditing standards for field work and reporting, as well as the related AICPA Statements on Auditing Standards (SAS). GAGAS prescribe general standards and additional field work and reporting standards beyond those provided by the AICPA when performing financial audits. (See chapters 3, 4, and 5 for standards and guidance for auditors performing a financial audit in accordance with GAGAS.): Attestation Engagements: 2.07: Attestation engagements[Footnote 9] concern examining, reviewing, or performing agreed-upon procedures on a subject matter or an assertion[Footnote 10] about a subject matter and reporting on the results. The subject matter of an attestation engagement may take many forms, including historical or prospective performance or condition, physical characteristics, historical events, analyses, systems and processes, or behavior. Attestation engagements can cover a broad range of financial or nonfinancial subjects and can be part of a financial audit or performance audit. Possible subjects of attestation engagements could include reporting on: a. an entity's internal control over financial reporting; b. an entity's compliance with requirements of specified laws, regulations, rules, contracts, or grants; c. the effectiveness of an entity's internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts; d. management's discussion and analysis (MD&A) presentation; e. prospective financial statements or pro-forma financial information; f. the reliability of performance measures; g. final contract cost; h. allowability and reasonableness of proposed contract amounts; and: i. specific procedures performed on a subject matter (agreed-upon procedures). 2.08: Attestation engagements are performed under the AICPA's attestation standards, as well as the related AICPA Statements on Standards for Attestation Engagements (SSAE). GAGAS prescribe general standards and additional field work and reporting standards beyond those provided by the AICPA for attestation engagements. (See chapters 3 and 6 for standards and guidance for auditors performing an attestation engagement in accordance with GAGAS.): Performance Audits: 2.09: Performance audits entail an objective and systematic examination of evidence to provide an independent assessment of the performance and management of a program against objective criteria as well as assessments that provide a prospective focus or that synthesize information on best practices or cross-cutting issues. Performance audits provide information to improve program operations and facilitate decision making by parties with responsibility to oversee or initiate corrective action, and improve public accountability. Performance audits encompass a wide variety of objectives, including objectives related to assessing program effectiveness and results; economy and efficiency; internal control;[Footnote 11] compliance with legal or other requirements; and objectives related to providing prospective analyses, guidance, or summary information. Performance audits may entail a broad or narrow scope of work and apply a variety of methodologies; involve various levels of analysis, research, or evaluation; generally provide findings, conclusions, and recommendations; and result in the issuance of a report. (See chapters 3, 7, and 8 for standards and guidance for auditors performing a performance audit in accordance with GAGAS.): 2.10: Program effectiveness and results audit objectives address the effectiveness of a program and typically measure the extent to which a program is achieving its goals and objectives. Economy and efficiency audit objectives concern whether an entity is acquiring, protecting, and using its resources in the most productive manner to achieve program objectives. Program effectiveness and results audit objectives and economy and efficiency audit objectives are often interrelated and may be concurrently addressed in a performance audit. Examples of these audit objectives include assessing: a. the extent to which legislative, regulatory, or organizational goals and objectives are being achieved; b. the relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness; c. the relative cost and benefits or cost effectiveness of program performance;[Footnote 12] d. whether a program produced intended results or produced effects that were not intended by the program's objectives; e. the extent to which programs duplicate, overlap, or conflict with other related programs; f. whether the audited entity is following sound procurement practices; g. the validity and reliability of performance measures concerning program effectiveness and results, or economy and efficiency; and: h. the reliability, validity, or relevance of financial information related to the performance of a program. 2.11: Internal control audit objectives relate to management's plans, methods, and procedures used to meet its mission, goals, and objectives. Internal control includes the processes and procedures for planning, organizing, directing, and controlling program operations, and the system put in place for measuring, reporting, and monitoring program performance. Examples of audit objectives related to internal control include the extent that internal control of a program provides reasonable assurance that: a. organizational missions, goals, and objectives are achieved effectively and efficiently; b. resources are used in compliance with laws, regulations, or other requirements; c. resources are safeguarded against unauthorized acquisition, use, or disposition; d. management information and public reports that are produced, such as performance measures, are complete, accurate, and consistent to support performance and decision making; e. security over computerized information systems will prevent or timely detect unauthorized access; and: f. contingency planning for information systems provides essential back-up to prevent unwarranted disruption of activities and functions the systems support. 2.12: Compliance audit objectives relate to compliance criteria established by laws, regulations, contract provisions, grant agreements, and other requirements[Footnote 13] that could affect the acquisition, protection, and use of the entity's resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance objectives also concern the purpose of the program, the manner in which it is to be conducted and services delivered, and the population it serves. 2.13: Audit organizations also undertake work that provides a prospective focus or may provide guidance, best practice information, and information that cuts across program or organizational lines, or summary information on issues already studied or under study by an audit organization. Examples of objectives pertaining to this work include: a. assessing program or policy alternatives, including forecasting program outcomes under various assumptions; b. assessing the advantages and disadvantages of legislative proposals; c. analyzing views of stakeholders on policy proposals for decision makers; d. analyzing budget proposals or budget requests to assist legislatures in the budget process; e. identifying best practices for users in evaluating program or management system approaches, including financial and information management systems; and: f. producing a high-level summary or a report that affects multiple programs or entities on issues studied or under study by the audit organization. Nonaudit Services Provided by Audit Organizations: 2.14: Audit organizations may also provide nonaudit services that are not covered by GAGAS.[Footnote 14] Nonaudit services generally differ from financial audits, attestation engagements, and performance audits in that auditors may (1) perform tasks requested by management that directly support the entity's operations, such as developing or implementing accounting systems; determining account balances; developing internal control systems; establishing capitalization criteria; processing payroll; posting transactions; evaluating assets; designing or implementing information technology or other systems; or performing actuarial studies or (2) provide information or data to a requesting party without providing verification, analysis, or evaluation of the information or data, and, therefore, the work does not usually provide a basis for conclusions, recommendations, or opinions on the information or data. These services may or may not result in the issuance of a report. In the case of nongovernment auditors who conduct audits under GAGAS, the term nonaudit services is synonymous with consulting services. 2.15: GAGAS do not cover nonaudit services described in this chapter since such services are not audits or attestation engagements. Therefore, auditors should not report that nonaudit services were conducted in accordance with GAGAS. However, audit organizations are encouraged to establish policies for maintaining the quality of this type of work, and may wish to disclose such policies in any product resulting from this work, any other professional standards followed, and the quality control steps taken. 2.16: Importantly, although GAGAS do not provide standards for conducting nonaudit services, auditors providing such services need to ensure that their independence to provide audit services is not impaired by providing nonaudit services. (See chapter 3, general standards on independence.): [End of section] Chapter 3: General Standards: Introduction: 3.01: This chapter prescribes general standards and provides guidance for performing financial audits, attestation engagements,[Footnote 15] and performance audits. These general standards concern the fundamental requirements for ensuring the credibility of auditors' results. Credibility is essential to all audit organizations performing work that government leaders and other users rely on for making decisions, and is what the public expects of information provided by auditors. These general standards encompass the independence of the audit organization and its individual auditors; the exercise of professional judgment in the performance of work and the preparation of related reports; the competence of audit staff, including the need for their continuing professional education; and the existence of quality control systems and external peer reviews. 3.02: These general standards provide the underlying framework that is critical in effectively applying the field work and reporting standards described in the following chapters when performing the detailed work associated with audits or attestation engagements and when preparing related reports and other products. Therefore, these general standards are required to be followed by all auditors and audit organizations, both government and nongovernment, performing work under generally accepted government auditing standards (GAGAS). Independence: 3.03: The general standard related to independence is: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, should be free both in fact and appearance from personal, external, and organizational impairments to independence. 3.04: Auditors and audit organizations have a responsibility to maintain independence so that opinions, conclusions, judgments, and recommendations will be impartial and will be viewed as impartial by knowledgeable third parties. Auditors should avoid situations that could lead reasonable third parties with knowledge of the relevant facts and circumstances to conclude that the auditors are not able to maintain independence and, thus, are not capable of exercising objective and impartial judgment on all issues associated with conducting and reporting on the work. 3.05: Auditors need to consider three general classes of impairments to independence--personal, external, and organizational.[Footnote 16] If one or more of these impairments affects an individual auditor's capability to perform the work and report results impartially, that auditor should either decline to perform the work, or in those situations in which the government auditor, because of a legislative requirement or for other reasons, cannot decline to perform the work, the impairment or impairments should be reported in the scope section of the audit report. 3.06: In using the work of a specialist,[Footnote 17] auditors need to consider the specialist as a member of the audit team and, accordingly, assess the specialist's ability to perform the work and report results impartially. In conducting this assessment, auditors should provide the specialist with the GAGAS independence requirements and obtain representations from the specialist regarding the specialist's independence from the activity or program under audit. If the specialist has an impairment to independence, auditors should not use the work of that specialist. Personal Impairments: 3.07: The audit organization should have an internal quality control system to help determine whether auditors have any personal impairments to independence that could affect their impartiality or the appearance of impartiality. The audit organization needs to be alert for personal impairments to independence of its staff members. Personal impairments of staff members result from relationships and beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Auditors are responsible for notifying the appropriate officials within their audit organizations if they have any personal impairments to independence. Examples of personal impairments of individual auditors include, but are not limited to, the following: a. immediate family or close family member[Footnote 18] who is a director or officer of the audited entity, or as an employee of the audited entity, is in a position to exert direct and significant influence over the entity or the program under audit; b. financial interest that is direct, or is significant/material though indirect, in the audited entity or program;[Footnote 19] c. responsibility for managing an entity or decision making that could affect operations of the entity or program being audited; for example as a director, officer, or other senior position of the entity, activity, or program being audited, or as a member of management in any decision making, supervisory, or ongoing monitoring function for the entity, activity, or program under audit;[Footnote 20],[Footnote 21] d. concurrent or subsequent performance of an audit by the same individual who maintained the official accounting records when such services involved preparing source documents or originating data, in electronic or other form; posting transactions (whether coded by management or not coded); authorizing, executing, or consummating transactions (for example, approving invoices, payrolls, claims, or other payments of the entity or program being audited); maintaining an entity's bank account or otherwise having custody of the audited entity's funds; or otherwise exercising authority on behalf of the entity, or having authority to do so;[Footnote 22] e. preconceived ideas toward individuals, groups, organizations, or objectives of a particular program that could bias the audit; f. biases, including those induced by political, ideological, or social convictions, that result from employment in, or loyalty to, a particular type of policy, group, organization, or level of government; and: g. seeking employment with an audited organization during the conduct of the audit. 3.08: Audit organizations and auditors may encounter many different circumstances or combination of circumstances that could create a personal impairment. Therefore, it is impossible to identify every situation that could result in a personal impairment. Accordingly, audit organizations should include as part of their internal quality control system requirements to identify personal impairments and assure compliance with GAGAS independence requirements. At a minimum, audit organizations should: a. establish policies and procedures that will enable the identification of personal impairments to independence, including whether performing nonaudit services affects the subject matter of audits and applying safeguards to appropriately reduce that risk (See paragraphs 3.10 through 3.18.); b. communicate the audit organization's policies and procedures to all auditors in the organization and assure understanding of requirements through training or other means such as auditors periodically acknowledging their understanding; c. establish internal policies and procedures to monitor compliance with the audit organization's policies and procedures; d. establish a disciplinary mechanism to promote compliance with the audit organization's policies and procedures; and: e. stress the importance of independence and the expectation that auditors will always act in the public interest. 3.09: When the audit organization identifies a personal impairment to independence, the impairment needs to be resolved in a timely manner. In situations in which the personal impairment is applicable only to an individual auditor on a particular assignment, the audit organization may be able to mitigate the personal impairment by requiring the auditor to eliminate the personal impairment. For example, the auditor could sell a financial interest that created the personal impairment, or the audit organization could remove that auditor from any work on that audit assignment.[Footnote 23] If the personal impairment cannot be mitigated through these means, the audit organization should withdraw from the audit. In situations in which government auditors cannot withdraw from the audit, they should follow the requirement in paragraph 3.05. 3.10: Audit organizations that provide other professional services (nonaudit services) should consider whether providing these services creates a personal impairment either in fact or appearance that adversely affects their independence for conducting audits.[Footnote 24] 3.11: Nonaudit services generally differ from financial audits, attestation engagements, and performance audits described in chapter 2 in that auditors may (1) perform tasks requested by management that directly support the entity's operations, such as developing or implementing accounting systems; determining account balances;[Footnote 25] developing internal control systems; establishing capitalization criteria; processing payroll; posting transactions; evaluating assets; designing or implementing information technology or other systems; or performing actuarial studies, or (2) provide information or data to a requesting party without providing verification, analysis, or evaluation of the information or data, circumstances in which the work does not usually provide a basis for conclusions, recommendations, or opinions on the information or data. These other services may or may not result in a report. In the case of nongovernment auditors who perform audits of government entities under GAGAS, the term "nonaudit services" is synonymous with consulting services. 3.12: Audit organizations have the capability of performing a range of services for their clients. However, in certain circumstances, it is not appropriate for the audit organization to perform both audit and certain nonaudit services for the same client. In these circumstances, auditors and/or the audited entity will have to make a choice as to which of these services the audit organization will provide. GAGAS recognize that nonaudit services are provided by audit organizations and that care needs to be taken to avoid situations that can impair auditor independence, either in fact or appearance, when performing financial audits, attestation engagements, or performance audits in accordance with GAGAS. 3.13: Before an audit organization agrees to perform nonaudit services, it should carefully consider the requirements of paragraph 3.04 that auditors should avoid situations that could lead reasonable third parties with knowledge of the relevant facts and circumstances to conclude that auditors are not able to maintain independence in conducting audits. In conducting the assessment, the audit organization should apply two overarching principles: (1) audit organizations should not provide nonaudit services that involve performing management functions or making management decisions and (2) audit organizations should not audit their own work or provide nonaudit services in situations where the nonaudit services are significant/material to the subject matter of audits. If the audit organization makes the determination that the nonaudit service does not violate these principles, it should comply with all the safeguards stated in paragraph 3.17. 3.14: Audit organizations should not perform management functions or make management decisions. Performing management functions or making management decisions creates a situation that impairs the audit organization's independence, both in fact and in appearance, to perform audits of that subject matter and may affect the audit organization's independence to conduct audits of related subject matter. For example, auditors should not serve as members of an entity's management committee or board of directors, make policy decisions that affect future direction and operation of an entity's programs, supervise entity employees, develop programmatic policy, authorize an entity's transactions, or maintain custody of an entity's assets.[Footnote 26] 3.15: Auditors may participate on committees or task forces in a purely advisory capacity to advise entity management on issues related to the knowledge and skills of the auditors without impairing their independence. However, auditors should not make management decisions or perform management functions. For example, auditors can provide routine advice to the audited entity and management to assist them in activities such as establishing internal controls or implementing audit recommendations and can answer technical questions and/or provide training. The decision to follow the auditors' advice remains with management of the audited entity. These types of interactions are normal between auditors and officials of the audited entity given the auditors' technical expertise and the knowledge auditors gain of the audited entity's operations. Auditors may also provide tools and methodologies, such as best practice guides, benchmarking studies, and internal control assessment methodologies that can be used by management. By their very nature, these are routine activities that would not require the audit organization to apply the safeguards described in paragraph 3.17. 3.16: Audit organizations should not audit their own work or provide nonaudit services if the services are significant/material to the subject matter of the audits. In considering whether the nonaudit service can have a significant or material affect on the subject matter of the audits, audit organizations should consider (1) ongoing audits; (2) planned audits; (3) requirements and commitments for providing audits, which includes laws, regulations, rules, contracts, and other agreements; and (4) policies placing responsibilities on the audit organization for providing audit services. Government auditors generally have broad audit responsibilities that may extend to a level of government or a particular entity within a level of government. Given their broad area of audit responsibility, government auditors need to be especially careful in providing nonaudit services to the entity so that their independence is not impaired for fulfilling their full range of audit responsibilities. Nongovernment audit organizations may provide audit and nonaudit services (commonly referred to as consulting) under contractual commitments to an entity and need to consider whether nonaudit services they have provided or are committed to provide have a significant or material effect on the subject matter of the audits. 3.17: Audit organizations may perform nonaudit services that do not violate the principles stated in paragraph 3.13 only if the audit organization and the audited entity comply with the following safeguards. These safeguards would not apply in connection with the type of routine activities described in paragraph 3.15. The intent in this paragraph is not for the audit organization to apply these safeguards to every interaction it has with management. a. The audit organization should document its consideration of the nonaudit services as discussed in paragraph 3.13, including documentation for its rationale that providing the nonaudit services does not violate the two overarching principles. b. Before performing nonaudit services, the audit organization should establish and document an understanding with the audited entity regarding the objectives, scope of work, and product or deliverables of the nonaudit service. The audit organization should also establish and document an understanding with management that (1) management is responsible for the substantive outcomes of the work and, therefore, has a responsibility to be in a position in fact and appearance to make an informed judgment on the results of the nonaudit service and (2) the audited entity complies with the following: 1. designates a management-level individual to be responsible and accountable for overseeing the nonaudit service, 2. establishes and monitors the performance of the nonaudit service to ensure that it meets management's objectives, 3. makes any decisions that involve management functions related to the nonaudit service and accepts full responsibility for such decisions, and: 4. evaluates the adequacy of the services performed and any findings that result. c. The audit organization should preclude personnel who provided the nonaudit services from planning, conducting, or reviewing audit work of subject matter involving the nonaudit service under the overarching principle that auditors cannot audit their own work.[Footnote 27] d. The audit organization is precluded from reducing the scope and extent of the audit work below the level that would be appropriate if the nonaudit work were performed by an unrelated party. e. The audit organization's quality control systems for compliance with independence requirements should include: (1) policies and procedures to assure consideration of the effect on the ongoing, planned, and future audits when deciding whether to provide nonaudit services, and (2) a requirement to have the understanding with management of the audited entity documented. The understanding should be communicated to management in writing and can be included in the engagement letter. In addition, the documentation should specifically identify management's compliance with the elements discussed in paragraph 3.17b, including evidence of the management-level individual responsible for overseeing the nonaudit service's qualifications to conduct the required oversight and that the tasks required of management were performed. f. By their nature, certain nonaudit services impair the audit organization's ability to meet either or both of the overarching principles in paragraph 3.13 for certain types of audit work. In these cases, the audit organization should communicate to management of the audited entity that the audit organization will not be able to perform subsequent audit work related to the subject matter of the nonaudit service. It should be clear to management up front that the audit organization would be in violation of the independence standard if it were to perform such audit work and that another audit organization that meets the independence standard will have to be engaged to perform the audit. For example, if the audit organization has been responsible for designing, developing, and/or installing the entity's accounting system or is operating the system and then performs a financial statement audit of the entity, the audit organization would clearly be in violation of the two overarching principles of the GAGAS independence standard discussed in paragraph 3.13. Likewise, if the audit organization developed an entity's performance measurement system, the audit organization would not be deemed independent in conducting a performance audit to evaluate whether the system was adequate. In both of these examples, the audit organization could decide to perform the nonaudit service but would then not be independent under GAGAS with regard to the subsequent audit because it would be in violation of one or both of the two overarching principles. It becomes a matter of choice for the audit organization and the audited entity. But the audit organization cannot maintain independence under GAGAS while providing both the nonaudit service and performing the audit if either of the two overarching principles would be violated. g. For individual audits selected for inspection during a peer review, all related nonaudit services should be disclosed to the audit organization's peer reviewer, and the audit documentation required by paragraphs 3.17a through 3.17e should be made available for inclusion in the audit organization's peer review. 3.18: Audit organizations and auditors may encounter many different circumstances or combinations of circumstances; therefore, it is impossible to define every situation that could result in an impairment, as discussed in paragraph 3.12. The following are examples of nonaudit services performed by an audit organization that typically would not create an impairment to the audit organization's independence as long as (1) auditors avoid situations that would conflict with the two overarching principles listed in paragraph 3.13 and (2) the audit organization complies with the safeguards in paragraph 3.17: a. Providing basic accounting assistance limited to services such as preparing draft financial statements that are based on management's chart of accounts and trial balance and any adjusting, correcting, and closing entries that have been approved by management; preparing draft notes to the financial statements based on information determined and approved by management; preparing a trial balance based on management's chart of accounts; maintaining depreciation schedules for which management has determined the method of depreciation, rate of depreciation, and salvage value of the asset.[Footnote 28] The audit organization, however, cannot maintain or prepare the audited entity's basic accounting records or maintain or take responsibility for basic financial or other records that the audit organization will audit.[Footnote 29] As part of this prohibition, auditors should not post transactions (whether coded or not coded) to the entity's financial records or to other records that subsequently provide data to the entity's financial records. b. Providing payroll services limited to services such as computing pay amounts for the entity's employees based on entity-maintained and approved time records, salaries or pay rates, and deductions from pay; generating unsigned payroll checks; transmitting client-approved payroll data to a financial institution provided management has approved the transmission and limited the financial institution to making payments only to previously approved individuals. In cases in which the audit organization was processing the entity's entire payroll and payroll was a material amount to the subject matter of the audit, this would be a violation of one of the overarching principles in paragraph 3.13, and auditors would not be deemed independent under GAGAS. c. Providing appraisal or valuation services limited to services such as reviewing the work of the entity or a specialist employed by the entity where the entity or specialist provides the primary evidence for the balances recorded in financial statements or other information that will be audited; valuing an entity's pension, other post-employment benefit, or similar liabilities provided management has determined and taken responsibility for all significant assumptions and data. d. Preparing an entity's indirect cost proposal[Footnote 30] or cost allocation plan provided management assumes responsibility for all significant assumptions and data. e. Providing advisory services on information technology limited to services such as advising on system design, system installation, and system security if management, in addition to the safeguards in paragraph 3.17, acknowledges responsibility for the design, installation, and internal control over the entity's system and does not rely on the auditors' work as the primary basis for determining (1) whether to implement a new system, (2) the adequacy of the new system design, (3) the adequacy of major design changes to an existing system, and (4) the adequacy of the system to comply with regulatory or other requirements. However, the audit organization should not operate or supervise the operation of the entity's information technology system. f. Providing human resource services to assist management in its evaluation of potential candidates when the services are limited to activities such as serving on an evaluation panel to review applications or interviewing candidates to provide input to management in arriving at a listing of best qualified applicants to be provided to management. The auditors should not recommend a single individual for a specific position, nor should the auditors conduct an executive search or a recruiting program for the audited entity. g. Preparing routine tax filings in accordance with federal tax laws, rules, and regulations of the Internal Revenue Service, and state and local tax authorities, and any other applicable laws. h. Gathering and reporting on unverified external or third-party data to aid legislative and administrative decision making. i. Advising an entity regarding its performance of internal control self-assessments. j. Assisting a legislative body by developing questions for use at a hearing. External Impairments: 3.19: Factors external to the audit organization may restrict the work or interfere with auditors' ability to form independent and objective opinions and conclusions. External impairments to independence occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organizations. For example, under the following conditions, auditors may not have complete freedom to make an independent and objective judgment and an audit may be adversely affected: a. external interference or influence that could improperly or imprudently limit or modify the scope of an audit or threaten to do so, including pressure to reduce inappropriately the extent of work performed in order to reduce costs or fees; b. external interference with the selection or application of audit procedures or in the selection of transactions to be examined; c. unreasonable restrictions on the time allowed to complete an audit or issue the report; d. interference external to the audit organization in the assignment, appointment, and promotion of audit personnel; e. restrictions on funds or other resources provided to the audit organization that adversely affect the audit organization's ability to carry out its responsibilities; f. authority to overrule or to inappropriately influence the auditors' judgment as to the appropriate content of the report; g. threat of replacement over a disagreement with the contents of an audit report, the auditors' conclusions, or the application of an accounting principle or other criteria; and: h. influences that jeopardize the auditors' continued employment for reasons other than incompetence, misconduct, or the need for audit services. 3.20: An audit organization's internal quality control system for compliance with GAGAS independence requirements, as stated in paragraph 3.08, should include internal policies and procedures for reporting and resolving external impairments. Organizational Impairments: 3.21: In addition to the preceding paragraphs that address personal and external impairments, a government audit organization's ability to perform the work and report the results impartially can be affected by its place within government and the structure of the government entity that the audit organization is assigned to audit. Whether performing work to report externally to third parties outside the audited entity or internally to top management within the audited entity, audit organizations need to be free from organizational impairments to independence. Organizational Impairment Considerations When Reporting Externally to Third Parties: 3.22: Government auditors can be presumed to be free from organizational impairments to independence when reporting externally to third parties if their audit organization is organizationally independent from the audited entity. Government audit organizations can meet the requirement for organizational independence in a number of ways. 3.23: First, a government audit organization may be presumed to be free from organizational impairments to independence from the audited entity to report externally, if the audit organization is: a. assigned to a level of government other than the one to which the audited entity is assigned (federal, state, or local), for example, a federal auditor auditing a state government program, or: b. assigned to a different branch of government within the same level of government as the audited entity; for example, a legislative auditor auditing an executive branch program. 3.24: Second, a government audit organization may also be presumed to be free from organizational impairments for external reporting if the audit organization's head meets any of the following criteria: a. directly elected by voters of the jurisdiction being audited; b. elected or appointed by a legislative body subject to removal by a legislative body, and reports the results of audits to and is accountable to a legislative body; c. appointed by someone other than a legislative body, so long as the appointment is confirmed by a legislative body and removal from the position is subject to oversight or approval by a legislative body,[Footnote 31] and reports the results of audits to and is accountable to a legislative body; or: d. appointed by, accountable to, reports to, and can only be removed by a statutorily created governing body, the majority of whose members are independently elected or appointed and come from outside the organization being audited. 3.25: In addition to the presumptive criteria in paragraphs 3.23 and 3.24, GAGAS recognize that there may be other organizational structures under which a government audit organization could be considered to be free from organizational impairments and thereby be considered organizationally independent for reporting externally. These other structures should provide sufficient safeguards to prevent the audited entity from interfering with the audit organization's ability to perform the work and report the results impartially. For an audit organization to be considered free from organizational impairments for reporting externally under a structure different from the ones listed in paragraphs 3.23 and 3.24, the audit organization should have all of the following safeguards: a. statutory protections that prevent the abolishment of the audit organization by the audited entity; b. statutory protections that require that if the head of the audit organization is removed from office, the head of the agency should report this fact and the reasons for the removal to the legislative body; c. statutory protections that prevent the audited entity from interfering with the initiation, scope, timing, and completion of any audit; d. statutory protections that prevent the audited entity from interfering with the reporting on any audit, including the findings, conclusions, and recommendations, or the manner, means, or timing of the audit organization's reports; e. statutory protections that require the audit organization to report to a legislative body or other independent governing body on a recurring basis; f. statutory protections that give the audit organization sole authority over the selection, retention, advancement, and dismissal of its staff; and: g. statutory access to records and documents that relate to the agency, program, or function being audited.[Footnote 32] 3.26: If the head of the audit organization concludes that the organization meets all the safeguards listed in paragraph 3.25, the audit organization should be considered free from organizational impairments to independence when reporting the results of its audits externally to third parties. The audit organization should document the statutory provisions in place that allow it to meet these safeguards. Those provisions should be reviewed during an external peer review to ensure that all the necessary safeguards have been met. Organizational Impairment Considerations When Reporting Internally to Management: 3.27: Certain federal, state, or local government audit organizations or audit organizations within other government entities, such as public colleges, universities, and hospitals, employ auditors to work for management of the audited entities. These auditors may be subject to administrative direction from persons involved in the government management process. Such audit organizations are internal audit organizations. A government internal audit organization can be presumed to be free from organizational impairments to independence when reporting internally to management if the head of the audit organization meets all of the following criteria: a. accountable to the head or deputy head of the government entity, b. required to report the results of the audit organization's work to the head or deputy head of the government entity, and: c. located organizationally outside the staff or line management function of the unit under audit. 3.28: If the conditions of paragraph 3.27 are met, the audit organization should be considered free of organizational impairments to independence to audit internally and report objectively to the entity's management. Further distribution of reports outside the organization should only be made in accordance with applicable law, rule, regulation, or policy. In these situations, the fact that the auditors are auditing in their employing organizations should be clearly reflected in the auditors' reports. 3.29: Auditors need to be sufficiently removed from political pressures to ensure that they can conduct their audits objectively and report their findings, opinions, and conclusions objectively without fear of political repercussions. Whenever feasible, auditors within internal audit organizations should be under a personnel system in which compensation, training, job tenure, and advancement are based on merit. 3.30: The audit organization's independence is enhanced when it also reports regularly to the entity's independent audit committee and/or the appropriate government oversight body. 3.31: When internal audit organizations that are free of organizational impairments to independence, under the criteria in paragraph 3.27, perform audits external to the government entities to which they are directly assigned, such as auditing contractors or outside party agreements, and no personal or external impairments exist, they may be considered independent of the audited entities and free to report objectively to the heads or deputy heads of the government entities to which they are assigned and to parties outside the organizations in accordance with applicable law, rule, regulation, or policy. 3.32: The audit organization should document the conditions that allow it to be considered free of organizational impairments to independence to report internally. Those conditions should be reviewed during the peer review to ensure that all the necessary safeguards have been met. Professional Judgment: 3.33: The general standard related to professional judgment is: Professional judgment should be used in planning and performing audits and attestation engagements and in reporting the results. 3.34: This standard requires auditors to exercise reasonable care and diligence and to observe the principles of serving the public interest and maintaining the highest degree of integrity, objectivity, and independence in applying professional judgment to all aspects of their work. This standard also imposes a responsibility upon each auditor performing work under GAGAS to observe GAGAS. If auditors state they are performing their work in accordance with GAGAS, they should justify any departures from GAGAS. 3.35: Auditors should use professional judgment in determining the type of assignment to be performed and the standards that apply to the work; defining the scope of work; selecting the methodology; determining the type and amount of evidence to be gathered; and choosing the tests and procedures for their work. Professional judgment also should be applied in performing the tests and procedures and in evaluating and reporting the results of the work. 3.36: Professional judgment requires auditors to exercise professional skepticism, which is an attitude that includes a questioning mind and a critical assessment of evidence. Auditors use the knowledge, skills, and experience called for by their profession to diligently perform, in good faith and with integrity, the gathering of evidence and the objective evaluation of the sufficiency, competency, and relevancy of evidence. Since evidence is gathered and evaluated throughout the assignment, professional skepticism should be exercised throughout the assignment. 3.37: Auditors neither assume that management is dishonest nor assume unquestioned honesty. In exercising professional skepticism, auditors should not be satisfied with less than persuasive evidence because of a belief that management is honest. 3.38: The exercise of professional judgment allows auditors to obtain reasonable assurance that material misstatements or significant inaccuracies in data will likely be detected if they exist. Absolute assurance is not attainable because of the nature of evidence and the characteristics of fraud. Therefore, an audit or attestation engagement conducted in accordance with GAGAS may not detect a material misstatement or significant inaccuracy, whether from error or fraud, illegal acts, or violations of provisions of contracts or grant agreements. Accordingly, while this standard places responsibility on each auditor and audit organization to exercise professional judgment in planning and performing an assignment, it does not imply unlimited responsibility, nor does it imply infallibility on the part of either the individual auditor or the audit organization. Competence: 3.39: The general standard related to competence is: The staff assigned to perform the audit or attestation engagement should collectively possess adequate professional competence for the tasks required. 3.40: This standard places responsibility on audit organizations to ensure that each audit or attestation engagement is performed by staff who collectively have the knowledge, skills, and experience necessary for that assignment. Accordingly, audit organizations should have a process for recruitment, hiring, continuous development, and evaluation of staff to assist the organization in maintaining a workforce that has adequate competence. The nature, extent, and formality of the process will depend on various factors such as the size of the audit organization, its work, and its structure. 3.41: The competencies discussed below apply to the knowledge, skills, and experience of audit organizations and not necessarily to each individual auditor. An audit organization may need to employ personnel or hire specialists who are knowledgeable, skilled, or experienced in such areas as accounting, statistics, law, engineering, audit design and methodology, information technology, public administration, economics, social sciences, or actuarial science. Technical Knowledge and Competence: 3.42: Audit organizations should ensure that staff members assigned to conduct an audit or attestation engagement under GAGAS should collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. Staff members should collectively possess: a. knowledge of GAGAS applicable to the type of work they are assigned and the education, skills, and experience to apply such knowledge to the work being performed; b. general knowledge of the environment in which the audited entity operates and the subject matter under review; c. skills to communicate clearly and effectively, both orally and in writing; and: d. skills appropriate for the work being performed. For example: (1) if the work requires use of statistical sampling, the staff or specialists should include persons with statistical sampling skills; (2) if the work requires extensive review of information systems, the staff or specialists should include persons with information technology skills; (3) if the work involves review of complex engineering data, the staff or specialists should include persons with engineering skills; or: (4) if the work involves the use of specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, the staff or specialists should include persons with skills in those methodologies or techniques. Additional Qualifications for Financial Audits and Attestation Engagements: 3.43: Auditors performing financial audits should be knowledgeable in generally accepted accounting principles (GAAP)[Footnote 33] and the AICPA's generally accepted auditing standards for field work and reporting and the related Statements on Auditing Standards (SAS), and they should be competent in applying these standards and SASs to the task assigned. Similarly, when performing an attestation engagement, auditors should be knowledgeable in the AICPA general attestation standard related to criteria, and the AICPA attestation standards for field work and reporting and the related Statements on Standards for Attestation Engagements (SSAE), and they should be competent in applying these standards and SSAEs to the task assigned. 3.44: Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants or persons working for a licensed certified public accounting firm or a government auditing organization.[Footnote 34] Public accountants and accounting firms meeting licensing requirements should also comply with the applicable provisions of the public accountancy law and rules of the jurisdiction(s) where the audit is being performed and the jurisdiction(s) in which the public accountants and their firms are licensed. Continuing Professional Education: 3.45: Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, need to maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 80 hours of CPE that directly enhance the auditor's professional proficiency to perform audits and/or attestation engagements.[Footnote 35] At least 24 of the 80 hours of CPE should be in subjects directly related to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.[Footnote 36] At least 20 hours of the 80 should be completed in any 1 year of the 2-year period. 3.46: CPE may include a variety of topics that contribute to auditors' proficiency to perform audits and/or attestation engagements, such as developments in auditing standards and methodology, accounting principles, assessment of internal control, principles of management or supervision, information systems management, audit sampling, financial statement analysis, evaluation design, and data analysis. It may also include subjects related to specific fields of work, such as public administration, public policy and structure, industrial engineering, finance, economics, social sciences, and information technology. 3.47: The audit organization is responsible for ensuring that auditors meet the continuing education requirements and should maintain documentation of the CPE completed. The U.S. General Accounting Office (GAO) has developed guidance pertaining to CPE requirements to assist auditors and audit organizations in exercising professional judgment in complying with the CPE requirements.[Footnote 37] 3.48: External and internal specialists assisting in performing a GAGAS assignment should be qualified and should maintain professional competence in their areas of specialization but are not required to meet the CPE requirements described here. However, auditors who use the work of external and internal specialists should ensure that such specialists are qualified in their areas of specialization and should document such assurance. Quality Control and Assurance: 3.49: The general standard related to quality control and assurance is: Each audit organization performing audits and/or attestation engagements in accordance with GAGAS should have an appropriate internal quality control system in place and should undergo an external peer review. 3.50: An audit organization's system of quality control encompasses the audit organization's structure and the policies adopted and procedures established to provide the organization with reasonable assurance of complying with applicable standards governing audits and attestation engagements. An audit organization's internal quality control system should include procedures for monitoring, on an ongoing basis, whether the policies and procedures related to the standards are suitably designed and are being effectively applied. 3.51: The nature and extent of an audit organization's internal quality control system depends on a number of factors, such as its size, the degree of operating autonomy allowed its personnel and its audit offices, the nature of its work, its organizational structure, and appropriate cost-benefit considerations. Thus, the systems established by individual audit organizations will vary as will the need for, and extent of, their documentation of the systems. However, each audit organization should prepare appropriate documentation for its system of quality control to demonstrate compliance with its policies and procedures. The form and content of such documentation is a matter of judgment. Documentation of compliance should be retained for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization's compliance with the quality control policies and procedures. 3.52: Audit organizations performing audits and attestation engagements in accordance with GAGAS should have an external peer review of their auditing and attestation engagement practices at least once every 3 years by reviewers independent of the audit organization being reviewed.[Footnote 38] The external peer review should determine whether, during the period under review, the reviewed audit organization's internal quality control system was adequate and whether quality control policies and procedures were being complied with to provide the audit organization with reasonable assurance of conforming with applicable professional standards. Audit organizations should take remedial, corrective actions as needed based on the results of the peer review. 3.53: Members of the external peer review team should meet the following requirements: a. Each review team member should have current knowledge of GAGAS and of the government environment relative to the work being reviewed. b. Each review team member should be independent (as defined in GAGAS) of the audit organization being reviewed, its staff, and the audits and attestation engagements selected for the external peer review. A review team or a member of the review team is not permitted to review the audit organization that conducted its audit organization's most recent external peer review. c. Each review team member should have knowledge on how to perform a peer review. Such knowledge may be obtained from on-the-job training, training courses, or a combination of both. 3.54: The peer review should meet the following requirements: a. The peer review should include a review of the audit organization's internal quality control policies and procedures, including related monitoring procedures, audit and attestation engagement reports, audit and attest documentation, and other necessary documents (for example, independence documentation, CPE records, and personnel management files related to compliance with hiring, performance evaluation, and assignment policies). The review should also include interviews with various levels of the reviewed audit organization's professional staff to assess their understanding of and compliance with relevant quality control policies and procedures. b. The review team should use one of the following approaches to selecting audits and attestation engagements for review: (1) select audits and attestation engagements that provide a reasonable cross section of the assignments performed by the reviewed audit organization in accordance with GAGAS or (2) select audits and attestation engagements that provide a reasonable cross section of the reviewed audit organization's work subject to quality control requirements, including one or more assignments performed in accordance with GAGAS. c. The peer review should be sufficiently comprehensive to provide a reasonable basis for concluding whether the reviewed audit organization's system of quality control was complied with to provide the organization with reasonable assurance of conforming with professional standards in the conduct of its work. The review team should consider the adequacy and results of the reviewed audit organization's monitoring efforts to efficiently plan its peer review procedures. d. The review team should prepare a written report(s) communicating the results of the external peer review. The report should indicate the scope of the review, including any limitations thereon, and should express an opinion on whether the system of quality control of the reviewed audit organization's audit and/or attestation engagement practices was adequate and was being complied with during the year reviewed to provide the audit organization with reasonable assurance of conforming with professional standards for audits and attestation engagements. The report should state the professional standards[Footnote 39] to which the reviewed audit organization is being held. The report should also describe the reasons for any modification of the opinion. When there are matters that resulted in a modification to the opinion, reviewers should report a detailed description of the findings and recommendations, either in the peer review report or in a separate letter of comment or management letter, to enable the reviewed audit organization to take appropriate actions. The written report should refer to the letter of comment or management letter if such a letter is issued along with a modified report. 3.55: Audit organizations seeking to enter into a contract to perform an assignment in accordance with GAGAS should provide their most recent external peer review report and any letter of comment, and any subsequent peer review reports and letters of comment received during the period of the contract, to the party contracting for the audit or attestation engagement. Information in the external peer review report and letter of comment is often relevant to decisions on procuring audit or attestation engagement services. Auditors who are relying on another audit organization's work should request a copy of the audit organization's peer review report and any letter of comment, and the audit organization should provide the peer review report and letter of comment when requested. 3.56: Government audit organizations also should transmit their external peer review reports to appropriate oversight bodies. It is also recommended that, upon request, the peer review report and letter of comment be made available to the public in a timely manner. [End of section] Chapter 4: Field Work Standards for Financial Audits: Introduction: 4.01: This chapter prescribes field work standards and provides guidance for financial audits performed in accordance with generally accepted government auditing standards (GAGAS). Financial audits consist of all work performed under the American Institute of Certified Public Accountants' (AICPA) generally accepted auditing standards and governed by the AICPA Statements on Auditing Standards (SAS). GAGAS incorporate the AICPA generally accepted field work standards for audits and the related SASs unless the Comptroller General of the United States excludes them by formal announcement. [Footnote 40] This chapter identifies the AICPA field work standards and prescribes additional standards for financial audits performed in accordance with GAGAS. 4.02: Financial audits performed in a government environment primarily include audits of financial statements.[Footnote 41] The SASs also govern and provide guidance for other types of financial audits which may be performed in a government environment, such as compliance auditing, issuing special reports,[Footnote 42] audits of service organizations, reviews of interim financial information, and issuing letters to underwriters and certain other requesting parties. These other services may be performed in conjunction with an audit of financial statements. AICPA Field Work Standards: 4.03: The three AICPA generally accepted standards of field work are as follows: a. The work is to be adequately planned, and assistants, if any, are to be properly supervised. b. A sufficient understanding of internal control[Footnote 43] is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed. c. Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit. 4.04: Auditors should use professional judgment and consider the needs of users in applying the AICPA standards and related guidance to audits of a government entity or an entity that receives government awards. For example, auditors may need to set lower materiality levels than in audits in the private sector because of the public accountability of the audited entity, various legal and regulatory requirements, and the visibility and sensitivity of government programs. Also, auditors need to be sensitive to the concerns of oversight officials regarding previously reported internal control deficiencies of the audited entity and, accordingly, may need to test the effectiveness of internal control that have been changed in response to reported deficiencies even if auditors do not plan to rely on the effectiveness of such internal control. Additional GAGAS Standards: 4.05: GAGAS prescribe additional standards for financial audits that go beyond the requirements contained in the AICPA SASs. Auditors must comply with these additional standards when citing GAGAS in their audit reports. The additional GAGAS standards relate to: a. auditor communication (see paragraphs 4.06 through 4.13); b. considering the results of previous audits and attestation engagements (see paragraphs 4.14 through 4.16); c. detecting material misstatements resulting from violations of contract provisions or grant agreements or from abuse (see paragraphs 4.17 through 4.20); d. developing elements of a finding for financial audits (see paragraph 4.21); and: e. audit documentation (see paragraphs 4.22 through 4.26). Auditor Communication: 4.06: The standard related to auditor communication for financial audits performed in accordance with GAGAS is: Auditors should communicate information regarding the nature, timing, and extent of planned testing and reporting and the level of assurance provided to officials of the audited entity and to the individuals contracting for or requesting the audit. 4.07: AICPA standards and GAGAS require auditors to establish an understanding with the client and to communicate with audit committees. GAGAS broaden the parties with whom auditors must communicate and require auditors to communicate specific information during the planning stages of a financial audit, including any potential restriction of the auditors' reports, to reduce the risk that the needs or expectations of the parties involved may be misinterpreted. Auditors should use their professional judgment to determine the form, content, and frequency of the communication, although written communication is preferred. Auditors may use an engagement letter, if appropriate, to communicate the information. Auditors should document the communication in their audit documentation. 4.08: Auditors should communicate their responsibilities for the engagement to the appropriate officials of the audited entity, including: a. the head of the audited entity, b. the audit committee or board of directors or other equivalent oversight body in the absence of an audit committee, and: c. the individual who possesses a sufficient level of authority and responsibility for the financial reporting process, such as the chief financial officer. 4.09: In situations in which auditors are performing the audit under a contract with a party other than the officials of the audited entity, or pursuant to a third-party request, auditors should also communicate with the individuals contracting for or requesting the audit, such as contracting officials or members or staff of legislative committees. When auditors are performing the audit pursuant to a law or regulation, auditors should communicate with the members or staff of legislative committees who have oversight of the auditee.[Footnote 44] Auditors should coordinate communications with the responsible government audit organization and/or management of the audited entity and may use the engagement letter to keep interested parties informed. If an audit is terminated before it is completed, auditors should write a memorandum for the record that summarizes the results of the work and explains the reasons why the audit was terminated. In addition, auditors should communicate the reason for terminating the audit to management of the audited entity, the entity requesting the audit, and other appropriate officials, preferably in writing. This communication should be documented. 4.10: In communicating the nature of services and level of assurance provided, auditors should specifically address their planned work and reporting related to testing internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. During the planning stages of an audit, auditors should communicate their responsibilities for testing and reporting on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. Such communication should include the nature of any additional testing of internal control and compliance required by laws, regulations, and provisions of contracts or grant agreements, or otherwise requested, and whether the auditors are planning on providing opinions on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. 4.11: To assist in understanding the limitations of auditors' responsibilities for testing and reporting on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements, auditors may want to contrast those responsibilities with other audits of internal control and compliance. The discussion in paragraphs 4.12 and 4.13 may be helpful to auditors in explaining their responsibilities for testing and reporting on internal control over financial reporting and compliance to officials of the audited entity and other interested parties. 4.12: Tests of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements in a financial statement audit contribute to the evidence supporting the auditors' opinion on the financial statements or other conclusions regarding financial data. However, such tests generally are not sufficient in scope to opine on internal control over financial reporting or compliance with laws, regulations, and provisions of contracts or grant agreements. To meet certain audit report users' needs, laws and regulations sometimes prescribe testing and reporting on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts and grant agreements to supplement coverage of these areas.[Footnote 45] 4.13: Even after auditors perform and report the results of additional tests of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts and grant agreements, some reasonable needs of officials of the audited entity or individuals contracting for or requesting the audit still may be unmet. Auditors may meet these needs by performing further tests of internal control and compliance with laws, regulations, and provisions of contracts or grant agreements using the AICPA Statements on Standards for Attestation Engagements and additional GAGAS requirements (see chapter 6), or the performance audit standards (see chapters 7 and 8), to achieve these objectives. Considering the Results of Previous Audits and Attestation Engagements: 4.14: The standard related to considering the results of previous audits and attestation engagements for financial audits performed in accordance with GAGAS is: Auditors should consider the results of previous audits and attestation engagements and follow up on known significant findings and recommendations that directly relate to the objectives of the audit being undertaken. 4.15: Auditors should ask audited entity officials to identify previous financial audits, attestation engagements, performance audits, or other studies related to the objectives of the audit being undertaken and to identify corrective actions taken to address significant findings and recommendations,[Footnote 46] including those related to reportable conditions. For example, an audit report on an entity's computerized information systems may contain significant findings that could relate to the financial audit if the entity uses such systems to process its accounting information. Auditors should use professional judgment in determining (1) prior periods to be considered, (2) the level of work necessary to follow up on significant findings and recommendations that affect the audit, and (3) the effect on the risk assessment and audit procedures in planning the current audit. 4.16: Providing continuing attention to significant findings and recommendations is important to ensure that the benefits of the auditors' work are realized. Ultimately, the benefits of audit work occur when management of the audited entity takes meaningful and effective corrective action in response to the auditors' findings and recommendations. Management of the audited entity is responsible for resolving audit findings and recommendations directed to them and for having a process to track their status. If management of the audited entity does not have such a process, auditors may wish to establish their own process. Detecting Material Misstatements Resulting from Violations of Contract Provisions or Grant Agreements, or from Abuse: 4.17: The standard related to violations of contract provisions or grant agreements or abuse for financial audits performed in accordance with GAGAS is: a. Auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from violations of provisions of contracts or grant agreements that have a direct and material effect on the determination of financial statement amounts or other financial data significant to the audit objectives. If specific information comes to the auditors' attention that provides evidence concerning the existence of possible violations of provisions of contracts or grant agreements that could have a material indirect effect on the determination of financial statement amounts or other financial data significant to the audit objectives, auditors should apply audit procedures specifically directed to ascertain whether violations of provisions of contracts or grant agreements have occurred or are likely to have occurred. b. Auditors should be alert to situations or transactions that could be indicative of abuse, and if indications of abuse exist that could significantly affect the financial statement amounts or other financial data, auditors should apply audit procedures specifically directed to ascertain whether abuse has occurred and the effect on the financial statement amounts or other financial data. 4.18: AICPA standards and GAGAS require auditors to assess the risk of material misstatements of financial statement amounts or other financial data significant[Footnote 47] to the audit objectives due to fraud and to consider that assessment in designing the audit procedures to be performed.[Footnote 48] Auditors are also required to design the audit to provide reasonable assurance of detecting material misstatements resulting from direct and material illegal acts (violations of laws and regulations) and to be aware of the possibility that indirect illegal acts[Footnote 49] may have occurred.[Footnote 50] Under GAGAS, auditors have the same responsibilities for detecting material misstatements arising from violations of provisions of contracts or grant agreements as they do for detecting those arising from fraud and illegal acts. Auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from direct and material violations of provisions of contracts or grant agreements. If specific information comes to the auditors' attention that provides evidence concerning the existence of possible violations of provisions of contracts or grant agreements that could have a material indirect effect on the financial statements or significant indirect effect on other financial data needed to achieve audit objectives, auditors should apply audit procedures specifically directed to ascertain whether violations have occurred or are likely to have occurred. 4.19: Abuse is distinct from fraud, illegal acts, and violations of provisions of contracts or grant agreements. When abuse occurs, no law, regulation, or provision of a contract or grant agreement is violated. Rather, abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances.[Footnote 51] Auditors should be alert to situations or transactions that could be indicative of abuse. When information comes to the auditors' attention (through audit procedures, allegations received through a fraud hotline, or other means) indicating that abuse may have occurred, auditors should consider whether the possible abuse could affect the financial statement amounts or other financial data significantly. If indications of possible abuse exist that significantly affect the financial statement amounts or other financial data, the auditors should extend the audit steps and procedures, as necessary, to (1) determine whether the abuse occurred and, if so, (2) determine its effect on the financial statement amounts or other financial data. Auditors should consider both quantitative and qualitative factors in making judgments regarding the materiality of possible abuse and whether they need to extend the audit steps and procedures. However, because the determination of abuse is subjective, auditors are not expected to provide reasonable assurance of detecting abuse. 4.20: Auditors should exercise professional judgment in pursuing indications of possible fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, in order not to interfere with potential investigations, legal proceedings, or both. Under some circumstances, laws, regulations, or policies require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse to law enforcement or investigatory authorities before extending audit steps and procedures. Auditors may also be required to withdraw from or defer further work on the engagement or a portion of the engagement in order not to interfere with an investigation. Developing Elements of a Finding: 4.21 Audit findings, such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, have often been regarded as containing the elements of criteria, condition, and effect, plus cause when problems are found. However, the elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied. When problems are identified, to the extent possible, auditors should plan audit procedures to develop the elements of a finding to facilitate developing the auditors' report. (See paragraph 5.15 for a description of the elements of a finding.): Audit Documentation: 4.22: The standard related to audit documentation for financial audits performed in accordance with GAGAS is: Audit documentation related to planning, conducting, and reporting on the audit should contain sufficient information to enable an experienced auditor who has had no previous connection with the audit to ascertain from the audit documentation the evidence that supports the auditors' significant judgments and conclusions. Audit documentation should contain support for findings, conclusions, and recommendations before auditors issue their report. 4.23: AICPA standards and GAGAS require auditors to prepare and maintain audit documentation. The form and content of audit documentation should be designed to meet the circumstances of the particular audit. The information contained in audit documentation constitutes the principal record of the work that the auditors have performed in accordance with professional standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors' professional judgment. 4.24: Audit documentation serves to (1) provide the principal support for the auditors' report, (2) aid auditors in conducting and supervising the audit, and (3) allow for the review of audit quality. The preparation of audit documentation should be appropriately detailed to provide a clear understanding of its purpose and source and the conclusions the auditors reached, and it should be appropriately organized to provide a clear link to the findings, conclusions, and recommendations contained in the audit report. Audit documentation for financial audits performed under GAGAS should contain the following additional items not explicitly addressed in the AICPA standards or elsewhere in GAGAS: a. the objectives, scope, and methodology of the audit. b. the auditors' determination that certain additional government auditing standards do not apply or that an applicable standard was not followed, the reasons therefor, and the known effect that not following the applicable standard had, or could have had, on the audit. c. the auditors' consideration that the planned audit procedures are designed to achieve audit objectives when evidential matter obtained is highly dependent on computerized information systems and is material to the objective of the audit and that the auditors are not relying on the effectiveness of internal control over those computerized systems that produced the information. The audit documentation should specifically address (1) the rationale for determining the nature, timing, and extent of planned audit procedures; (2) the kinds and competence of available evidential matter produced outside a computerized information system and/or plans for direct testing of data produced from a computerized information system; and (3) the effect on the audit report if evidential matter to be gathered does not afford a reasonable basis for achieving the objectives of the audit.[Footnote 52] d. evidence of supervisory review, before the audit report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the audit report. 4.25: Underlying GAGAS audits is the premise that federal, state, and local governments and other organizations cooperate in auditing programs of common interest so that auditors may use others' work and avoid duplication of audit efforts. Auditors should make arrangements to make audit documentation available, upon request, in a timely manner to other auditors or reviewers. Contractual arrangements for GAGAS audits should provide for full and timely access to audit documentation to facilitate reliance by others on the auditors' work. 4.26: Audit organizations need to adequately safeguard the audit documentation associated with any particular engagement. Audit organizations should develop clearly defined policies and criteria to deal with situations where requests are made by outside parties to obtain access to audit documentation, especially in connection with situations where an outside party attempts to obtain indirectly through the auditor information that it is unable to obtain directly from the audited entity. In developing such policies, audit organizations need to consider applicable laws and regulations that apply to the audit organizations or the audited entity. [End of section] Chapter 5: Reporting Standards for Financial Audits: [End of section] Introduction: 5.01: This chapter prescribes reporting standards and provides guidance for financial audits performed in accordance with generally accepted government auditing standards (GAGAS). Financial audits consist of all work performed under the American Institute of Certified Public Accountants' (AICPA) generally accepted auditing standards and related Statements on Auditing Standards (SAS). GAGAS incorporate the AICPA reporting standards and SASs unless the Comptroller General of the United States excludes them by formal announcement.[Footnote 53] This chapter identifies the AICPA reporting standards and prescribes additional standards for financial audits performed in accordance with GAGAS. 5.02:Financial audits performed in a government environment primarily include audits of financial statements. The AICPA SASs also govern and provide guidance for other types of financial audits that may be performed in a government environment, such as compliance auditing, issuing special reports, audits of service organizations, reviews of interim financial information, and issuing letters to underwriters and certain other requesting parties. These other services may be performed in conjunction with an audit of financial statements. AICPA Reporting Standards: 5.03: The four AICPA generally accepted standards of reporting are as follows: a. The report shall state whether the financial statements are presented in accordance with generally accepted accounting principles. b. The report shall identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period. c. Informative disclosures in the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report. d. The report shall either contain an expression of opinion regarding the financial statements, taken as a whole, or an assertion to the effect that an opinion cannot be expressed. When an overall opinion cannot be expressed, the reasons therefor should be stated. In all cases where an auditor's name is associated with financial statements, the report should contain a clear-cut indication of the character of the auditor's work, if any, and the degree of responsibility the auditor is taking. Additional GAGAS Reporting Standards for Financial Audits: 5.04: GAGAS prescribe additional reporting standards for financial audits that go beyond the requirements contained in the AICPA SASs. Auditors must comply with these additional standards when citing GAGAS in their audit reports. The additional GAGAS standards relate to: a. reporting auditors' compliance with GAGAS (see paragraphs 5.05 through 5.07); b. reporting on internal control and on compliance with laws, regulations, and provisions of contracts or grant agreements (see paragraphs 5.08 through 5.11); c. reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 5.12 through 5.25); d. reporting views of responsible officials (see paragraph 5.26 through 5.30); e. reporting privileged and confidential information (see paragraphs 5.31 through 5.33); and: f. report issuance and distribution (see paragraphs 5.34 through 5.38). Reporting Auditors' Compliance with GAGAS: 5.05: The standard related to reporting auditors' compliance with GAGAS for financial audits performed in accordance with GAGAS is: Audit reports should state that the audit was performed in accordance with GAGAS. 5.06: When the report on the financial audit is submitted to comply with a legal, regulatory, or contractual requirement for a GAGAS audit, or when GAGAS are voluntarily followed, the report should specifically cite GAGAS and may also cite AICPA standards. "GAGAS" refers to all the applicable standards that the auditors should follow during the audit, and the statement of compliance should be qualified in situations in which the auditors did not follow an applicable standard. In these situations, the auditors should disclose in the scope section of the report the applicable standard that was not followed, the reasons therefor, and how not following the standard affected, or could have affected, the results of the audit. In assessing the impact on the results of the audit of not following an applicable standard, auditors may need to qualify the assurances provided, disclaim from providing any assurances, or withdraw from the audit. 5.07: An audited entity receiving a GAGAS audit report may also request auditors to issue a financial audit report for purposes other than complying with requirements calling for a GAGAS audit. For example, the audited entity may need audited financial statements to issue bonds or for other financing purposes. GAGAS do not prohibit auditors from issuing a separate report conforming only to the requirements of AICPA standards. When a GAGAS audit is the basis for an auditors' subsequent report under the AICPA standards, it would be advantageous to users of the subsequent report for the auditors' report to include the information on internal control, compliance with laws, regulations, and provisions of contracts or grant agreements, fraud, and abuse that is required by GAGAS but not required by AICPA standards. Reporting on Internal Control and on Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements: 5.08: The standard related to reporting on internal control and compliance for financial statement audits performed in accordance with GAGAS is: When providing an opinion or a disclaimer on financial statements, auditors should include in their report on the financial statements either a (1) description of the scope of the auditors' testing of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements and the results of those tests or an opinion, if sufficient work was performed, or (2) reference to the separate report(s) containing that information. If auditors report separately, the opinion or disclaimer should contain a reference to the separate report containing this information and state that the separate report is an integral part of the audit and should be considered in assessing the results of the audit. 5.09: For audits of financial statements in which auditors provide an opinion or disclaimer, auditors should report the scope of their testing of internal control over financial reporting and of compliance with laws, regulations, and provisions of contracts or grant agreements including whether or not the tests they performed provided sufficient evidence to support an opinion on the effectiveness of internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements. 5.10: Auditors may report on internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements in the opinion or disclaimer on the financial statements or in a separate report or reports. When auditors report on internal control over financial reporting and compliance as part of the opinion or disclaimer on the financial statements, they should include an introduction summarizing key findings in the audit of the financial statements and the related internal control and compliance work. Auditors should not issue this introduction as a stand-alone report. 5.11: When auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements, the opinion or disclaimer on the financial statements should state that the auditors are issuing those additional reports. The opinion or disclaimer on the financial statements should also state that the reports on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements are an integral part of a GAGAS audit and should be considered in assessing the results of the audit. Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: 5.12: The standard related to reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse for financial audits performed in accordance with GAGAS is: For financial audits, including audits of financial statements in which the auditor provides an opinion or disclaimer, auditors should report, as applicable to the objectives of the audit, (1) deficiencies in internal control considered to be reportable conditions as defined in AICPA standards, (2) all instances of fraud and illegal acts unless clearly inconsequential,[Footnote 54] and (3) significant violations of provisions of contracts or grant agreements and abuse. In some circumstances, auditors should report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties external to the audited entity. Reporting Deficiencies in Internal Control: 5.13: For all financial audits, auditors should report deficiencies in internal control considered to be reportable conditions as defined in AICPA standards.[Footnote 55] The following are examples of matters that may be reportable conditions: a. absence of appropriate segregation of duties consistent with appropriate control objectives; b. absence of appropriate reviews and approvals of transactions, accounting entries, or systems output; c. inadequate provisions for the safeguarding of assets; d. evidence of failure to safeguard assets from loss, damage, or misappropriation; e. evidence that a system fails to provide complete and accurate output consis