8.01 This chapter establishes reporting standards and provides guidance for performance audits conducted in accordance with generally accepted government auditing standards (GAGAS). The reporting standards for performance audits relate to the form of the report, the report contents, and report issuance and distribution.
8.04 Auditors should use a form of the audit report that is appropriate for its intended use and is in writing or in some other retrievable form. (See paragraph 8.42 for situations when audit organizations are subject to public records laws.) For example, auditors may present audit reports using electronic media that are retrievable by report users and the audit organization. The users' needs will influence the form of the audit report. Different forms of audit reports include written reports, letters, briefing slides, or other presentation materials.
The purposes of audit reports are to
8.07 If after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate with those charged with governance, the appropriate officials of the audited entity, and the appropriate officials of the organizations requiring or arranging for the audits, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to conduct additional audit work necessary to reissue the report with revised findings or conclusions.
8.08 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a statement about the auditors' compliance with GAGAS; (4) a summary of the views of responsible officials; and (5) if applicable, the nature of any confidential or sensitive information omitted.
8.09 Auditors should include in the report a description of the audit objectives and the scope and methodology used for addressing the audit objectives. Report users need this information to understand the purpose of the audit, the nature and extent of the audit work performed, the context and perspective regarding what is reported, and any significant limitations in audit objectives, scope, or methodology.
8.10 Audit objectives for performance audits may vary widely. Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions, including why the audit organization undertook the assignment and the underlying purpose of the audit and resulting report. When audit objectives are limited and broader objectives can be inferred by users, stating in the audit report that certain issues were outside the scope of the audit can avoid potential misunderstanding.
8.11 Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that they could reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of access to certain records or individuals.
8.12 In describing the work conducted to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify organizations, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate.
8.13 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence gathering and analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. When the auditors used extensive or multiple sources of information, the auditors may include a description of the procedures performed as part of their assessment of the sufficiency and appropriateness of information used as audit evidence. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when sampling significantly supports the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population.
8.14 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Clearly developed findings, as discussed in paragraphs 7.72 through 7.76, assist management or oversight officials of the audited entity in understanding the need for taking corrective action. If auditors are able to sufficiently develop the elements of a finding, they should provide recommendations for corrective action if they are significant within the context of the audit objectives. However, the extent to which the elements for a finding are developed depends on the audit objectives. Thus, a finding or set of findings is complete to the extent that the auditors address the audit objectives.
8.15 Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. As discussed in chapter 7, even though the auditors may have some uncertainty about the sufficiency or appropriateness of some of the evidence, they may nonetheless determine that in total there is sufficient, appropriate evidence given the findings and conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology. Additionally, this description provides report users with a clear understanding regarding how much responsibility the auditors are taking for the information.
8.16 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value, or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately.
8.17 Auditors may provide selective background information to establish the context for the overall message and to help the reader understand the findings and significance of the issues discussed.100 When reporting on the results of their work, auditors should disclose significant facts relevant to the objectives of their work and known to them which, if not disclosed, could mislead knowledgeable users, misrepresent the results, or conceal significant improper or illegal practices.
8.18 Auditors should report deficiencies101 in internal control that are significant within the context of the objectives of the audit, all instances of fraud, illegal acts102 unless they are inconsequential within the context of the audit objectives, significant violations of provisions of contracts or grant agreements, and significant abuse that have occurred or are likely to have occurred.
8.19 Auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. When auditors detect deficiencies in internal control that are not significant to the objectives of the audit, they may include those deficiencies in the report or communicate those deficiencies in writing to officials of the audited entity unless the deficiencies are inconsequential considering both qualitative and quantitative factors. Auditors should refer to that written communication in the audit report, if the written communication is separate from the audit report. Determining whether or how to communicate to officials of the audited entity deficiencies that are inconsequential within the context of the audit objectives is a matter of professional judgment. Auditors should document such communications.
8.20 In a performance audit, auditors may conclude that identified deficiencies in internal control that are significant within the context of the audit objectives are the cause of deficient performance of the program or operations being audited. In reporting this type of finding, the internal control deficiency would be described as the cause.
8.21 When auditors conclude, based on sufficient, appropriate evidence, that fraud, illegal acts, significant violations of provisions of contracts or grant agreements, or significant abuse either has occurred or is likely to have occurred, they should report the matter as a finding.
8.22 When auditors detect violations of provisions of contracts or grant agreements, or abuse that are not significant, they should communicate those findings in writing to officials of the audited entity unless the findings are inconsequential within the context of the audit objectives, considering both qualitative and quantitative factors. Determining whether or how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of the auditors' professional judgment. Auditors should document such communications.
8.23 When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings, and for example, report only on information that is already a part of the public record.
8.24 Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances.103
a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties.
b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is significant to the findings and conclusions, and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the entity's failure to take timely and appropriate steps directly to the funding agency.
8.25 The reporting in paragraph 8.24 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion.
8.26 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 8.24.
8.27 Auditors should report conclusions, as applicable, based on the audit objectives and the audit findings. Report conclusions are logical inferences about the program based on the auditors' findings, not merely a summary of the findings. The strength of the auditors' conclusions depends on the sufficiency and appropriateness of the evidence supporting the findings and the soundness of the logic used to formulate the conclusions. Conclusions are stronger if they lead to the auditors' recommendations and convince the knowledgeable user of the report that action is necessary.
8.28 Auditors should recommend actions to correct problems identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified problems, and clearly state the actions recommended.
8.29 Effective recommendations encourage improvements in the conduct of government programs and operations. Recommendations are effective when they are addressed to parties that have the authority to act and when the recommended actions are specific, practical, cost effective, and measurable.
8.30 When auditors comply with all applicable GAGAS requirements, they should use the following language, which represents an unmodified GAGAS compliance statement, in the audit report to indicate that they performed the audit in accordance with GAGAS. (See paragraphs 1.12 and 1.13.)
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in 8.30, modified to indicate the standards that were not followed or
8.32 Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors' findings, conclusions, and recommendations, but also the perspectives of the responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.
8.33 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.
8.34 Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.
8.35 Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user's needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with the findings, conclusions, and recommendations in the draft report, or major controversies with regard to the issues discussed in the draft report.
8.36 When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.
8.37 If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.
8.38 If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that makes the omission necessary.
8.39 Certain information may be classified or may be otherwise prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.
8.40 Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors' recommendations. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.
8.41 Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices.
8.42 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. For example, the auditors may communicate general information in a written report and communicate detailed information verbally. The auditor may consult with legal counsel regarding applicable public records laws.
8.43 Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. (See paragraphs 8.38 through 8.42 for additional guidance on limited report distribution.) Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS:
a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports.
Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should:
c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public.
100. Appropriate background information may include information on how programs and operations work; the significance of programs and operations (e.g., dollars, impact, purposes, and past audit work, if relevant); a description of the audited entity's responsibilities; and explanation of terms, organizational structure, and the statutory basis for the program and operations.
As discussed in paragraph 7.21, in performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect
102. Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Disclosing matters that have led auditors to conclude that an illegal act is likely to have occurred is not a final determination of illegality.