Examples of Deficiencies in Internal Control

A.03 GAGAS contain requirements for reporting identified deficiencies in internal control.

• For financial audits, see paragraphs 5.10 through 5.14.
• For attestation engagements, see paragraphs 6.33 through 6.35.
• For performance audits, see paragraphs 8.18 through 8.20.

A.04 The following are examples of control deficiencies:

a. Insufficient control consciousness within the organization, for example the tone at the top and the control environment. Control deficiencies in other components of internal control could lead the auditor to conclude that weaknesses exist in the control environment.

b. Ineffective oversight by those charged with governance of the entity's financial reporting, performance reporting, or internal control, or an ineffective overall governance structure.

c. Control systems that did not prevent or detect material misstatements so that it was later necessary to restate previously issued financial statements or operational results. Control systems that did not prevent or detect material misstatements in performance or operational results so that it was later necessary to make significant corrections to those results.

d. Control systems that did not prevent or detect material misstatements identified by the auditor. This includes misstatements involving estimation and judgment for which the auditor identifies potential material adjustments and corrections of the recorded amounts.

e. An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for a very large or highly complex entity.

f. Identification of fraud of any magnitude on the part of senior management.

g. Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either to correct it or to conclude that it will not be corrected.

h. Inadequate controls for the safeguarding of assets.

i. Evidence of intentional override of internal control by those in authority to the detriment of the overall objectives of the system.

j. Deficiencies in the design or operation of internal control that could result in violations of laws, regulations, provisions of contracts or grant agreements, fraud, or abuse having a direct and material effect on the financial statements or the audit objective.

k . Inadequate design of information systems general and application controls that prevent the information system from providing complete and accurate information consistent with financial or performance reporting objectives and other current needs.

l. Failure of an application control caused by a deficiency in the design or operation of an information systems general control.

m. Employees or management who lack the qualifications and training to fulfill their assigned functions.

Examples of Abuse

A.05 GAGAS contain requirements for responding to indications of material abuse and reporting abuse that is material to the audit objectives.

• For financial audits, see paragraphs 4.12 and 4.13 and paragraphs 5.15 through 5.17.
• For attestation engagements, see paragraphs 6.13c and 6.14 and paragraphs 6.36c through 6.38.
• For performance audits, see paragraphs 7.33 and 7.34 and paragraphs 8.21 through 8.23.

A.06 The following are examples of abuse, depending on the facts and circumstances:

a. Creating unneeded overtime.

b. Requesting staff to perform personal errands or work tasks for a supervisor or manager.

c. Misusing the official's position for personal gain (including actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an official's personal financial interests or those of an immediate or close family member; a general partner; an organization for which the official serves as an officer, director, trustee, or employee; or an organization with which the official is negotiating concerning future employment).

d. Making travel choices that are contrary to existing travel policies or are unnecessarily extravagant or expensive.

e. Making procurement or vendor selections that are contrary to existing policies or are unnecessarily extravagant or expensive.

Examples of Indicators of Fraud Risk

A.07 GAGAS contain requirements relating to evaluating fraud risk.

• For financial audits, see paragraphs 4.27 and 4.28 and paragraphs 5.15 through 5.17.
• For attestation engagements, see paragraphs 6.13a and b and paragraphs 6.36 through 6.38.
• For performance audits, see paragraphs 7.30 through 7.32 and paragraphs 8.21 through 8.23.

A.08 In some circumstances, conditions such as the following might indicate a heightened risk of fraud:

a. the entity's financial stability, viability, or budget is threatened by economic, programmatic, or entity operating conditions;

b. the nature of the audited entity's operations provide opportunities to engage in fraud;

c. inadequate monitoring by management for compliance with policies, laws, and regulations;

d. the organizational structure is unstable or unnecessarily complex;

e. lack of communication and/or support for ethical standards by management;

f. management has a willingness to accept unusually high levels of risk in making significant decisions;

g. a history of impropriety, such as previous issues with fraud, waste, abuse, or questionable practices, or past audits or investigations with findings of questionable or criminal activity;

h. operating policies and procedures have not been developed or are outdated;

i. key documentation is lacking or does not exist ;

j. lack of asset accountability or safeguarding procedures;

k. improper payments;

l. false or misleading information;

m. a pattern of large procurements in any budget line with remaining funds at year end, in order to "use up all of the funds available"; and

n. unusual patterns and trends in contracting, procurement, acquisition, and other activities of the entity or program under audit.

Determining Whether Laws, Regulations, or Provisions of Contracts or Grant Agreements Are Significant within the Context of the Audit Objectives

A.09 GAGAS contain requirements for determining whether laws, regulations, or provisions of contracts or grant agreements are significant within the context of the audit objectives.

• For financial audits, see paragraphs 4.10 and 4.11.
• For attestation engagements, see paragraphs 6.13a and b.
• For performance audits, see paragraphs 7.28 and 7.29.

A.10 Government programs are subject to many laws, regulations, and provisions of contracts or grant agreements. At the same time, their significance within the context of the audit objectives varies widely, depending on the objectives of the audit. Auditors may find the following approach helpful in assessing whether laws, regulations, or provisions of contracts or grant agreements are significant within the context of the audit objectives:

a. Express each audit objective in terms of questions about specific aspects of the program being audited (that is, purpose and goals, internal control, inputs, program operations, outputs, and outcomes).

b. Identify laws, regulations, and provisions of contracts or grant agreements that directly relate to specific aspects of the program within the context of the audit objectives.

c. Determine if the audit objectives or the auditors' conclusions could be significantly affected if violations of those laws, regulations, or provisions of contracts or grant agreements occurred. If the audit objectives or audit conclusions could be significantly affected, then those laws, regulations, and provisions of contracts or grant agreements are likely to be significant to the audit objectives.

A.11 Auditors may consult with either their own or management's legal counsel to (1) determine those laws and regulations that are significant to the audit objectives, (2) design tests of compliance with laws and regulations, or (3) evaluate the results of those tests. Auditors also may consult with either their own or management's legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements. Depending on the circumstances of the audit, auditors may consult with others, such as investigative staff, other audit organizations or government entities that provided professional services to the audited entity, or applicable law enforcement authorities, to obtain information on compliance matters.

Laws, Regulations, and Guidelines That Require Use of GAGAS

A1.02 Laws, regulations, contracts, grant agreements, or policies frequently require the use of GAGAS. (See paragraph 1.04.) The following are among the laws, regulations, and guidelines that require the use of GAGAS:

a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. requires that the statutorily appointed federal inspectors general comply with GAGAS for audits of federal establishments, organizations, programs, activities, and functions. The act further states that the inspectors general shall take appropriate steps to assure that any work performed by nonfederal auditors complies with GAGAS.

b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the Government Management Reform Act of 1994 (Public Law 103-356), requires that GAGAS be followed in audits of executive branch departments' and agencies' financial statements. The Accountability of Tax Dollars Act of 2002 (Public Law 107-289) extends this requirement to most executive agencies not subject to the Chief Financial Officers Act unless they are exempted for a given year by the Office of Management and Budget (OMB).

c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require that GAGAS be followed in audits of state and local governments and nonprofit entities that receive federal awards.104 OMB Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations , which provides the governmentwide guidelines and policies on performing audits to comply with the Single Audit Act, also requires the use of GAGAS.

A1.03 Other laws, regulations, or other authoritative sources may require the use of GAGAS. For example, auditors at the state and local levels of government may be required by state and local laws and regulations to follow GAGAS. Also, auditors may be required by the terms of an agreement or contract to follow GAGAS. Auditors may also be required to follow GAGAS by federal audit guidelines pertaining to program requirements, such as those issued for Housing and Urban Development programs and Student Financial Aid programs. Being alert to such other laws, regulations, or authoritative sources may assist auditors in performing their work in accordance with the required standards.

A1.04 Even if not required to do so, auditors may find it useful to follow GAGAS in performing audits of federal, state, and local government programs as well as in performing audits of government awards administered by contractors, nonprofit entities, and other nongovernment entities. Many audit organizations not formally required to do so, both in the United States of America and in other countries, voluntarily follow GAGAS.

The Role of Those Charged with Governance in Accountability

A1.05 During the course of GAGAS audits, auditors communicate with those charged with governance.

• For financial audits, see paragraphs 4.05 and 4.06.
• For attestation engagements, see paragraphs 6.06 through 6.08.
• For performance audits, see paragraphs 7.46 through 7.49.

A1.06 Those charged with governance have the duty to oversee the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting process, subject matter, or program under audit including related internal controls. In certain entities covered by GAGAS, those charged with governance also may be part of the entity's management. In some audit entities, multiple parties may be charged with governance, including oversight bodies, members or staff of legislative committees, boards of directors, audit committees, or parties contracting for the audit.

A1.07 Because the governance structures of government entities and organizations can vary widely, it may not always be clearly evident who is charged with key governance functions. In these situations, auditors evaluate the organizational structure for directing and controlling operations to achieve the entity's objectives. This evaluation also includes how the government entity delegates authority and establishes accountability for its management personnel.

Management's Role in Accountability

A1.08 Government managers have fundamental responsibilities for carrying out government functions. (See paragraph 1.02.) Management of the audited entity is responsible for

a. using government resources legally, effectively, efficiently, economically, ethically, and equitably to achieve the purposes for which the resources were furnished or the program was established;105

b. complying with applicable laws and regulations (including identifying the requirements with which the entity and the official are responsible for compliance);

c. implementing systems designed to achieve compliance with applicable laws and regulations;

d. establishing and maintaining effective internal control to help ensure that appropriate goals and objectives are met; using resources efficiently, economically, effectively, and equitably, and safeguarding resources; following laws and regulations; and ensuring that management and financial information is reliable and properly reported;

e. providing appropriate reports to those who oversee their actions and to the public in order to demonstrate accountability for the resources and authority used to carry out government programs and the results of these programs;

f. addressing the findings and recommendations of auditors, and for establishing and maintaining a process to track the status of such findings and recommendations;

g. following sound procurement practices when contracting for audits and attestation engagements, including ensuring procedures are in place for monitoring contract performance; and

h. taking timely and appropriate steps to remedy fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that auditors report to it.

Nonaudit Services

A3.02 Audit organizations in government entities frequently provide nonaudit services that differ from the traditional professional services provided by an accounting or consulting firm to or for the audited entity. These types of nonaudit services are often performed in response to a statutory requirement, at the discretion of the authority of the audit organization, or for a legislative oversight body or an independent external organization and do not impair auditor independence. (See paragraphs 3.20 through 3.30 for the requirements for evaluating whether nonaudit services impair auditor independence.)

A3.03 Examples of these types of services include the following:

a. providing information or data to a requesting party without auditor evaluation or verification of the information or data;

b. developing standards, methodologies, audit guides, audit programs, or criteria for use throughout the government or for use in certain specified situations;

c. collaborating with other professional organizations to advance auditing of government entities and programs;

d. developing question and answer documents to promote understanding of technical issues or standards;

e. providing assistance and technical expertise to legislative bodies or independent external organizations and assisting legislative bodies by developing questions for use at a hearing;

f. providing training, speeches, and technical presentations;

g. developing surveys, collecting responses on behalf of others, and reporting results as "an independent third party";

h. providing oversight assistance in reviewing budget submissions;

i. contracting for audit services on behalf of an audited entity and overseeing the audit contract, as long as the overarching principles are not violated and the auditor under contract reports to the audit organization and not to management;

j. identifying good business practices for users in evaluating program or management system approaches, including financial and information management systems; and

k. providing audit, investigative, and oversight-related services that do not involve a GAGAS audit (but which could be performed as an audit, if the audit organization elects to do so), such as

(1) investigations of alleged fraud, violation of contract provisions or grant agreements, or abuse;

(2) review-level work such as sales tax reviews that are designed to review whether governmental entities receive from businesses, merchants, and vendors all of the sales taxes to which they are entitled;

(3) periodic audit recommendation follow-up engagements and reports;

(4) identifying best practices or leading practices for use in advancing the practices of government organizations;

(5) analyzing cross-cutting and emerging issues; and

(6) providing forward-looking analysis involving programs.

System of Quality Control

A3.04 Chapter 3 discusses the elements of an audit organization's system of quality control. The following supplemental guidance is provided to assist auditors and audit organizations in establishing policies and procedures in its system of quality control to address the following elements from paragraph 3.53: (1) audit and attestation engagement performance, documentation, and reporting and (2) monitoring of quality.

a. GAGAS standards for audit and attestation engagement performance, documentation, and reporting are in chapters 4 and 5 for financial audits, chapter 6 for attestation engagements, and chapters 7 and 8 for performance audits. Chapter 3 specifies that an audit organization's quality control system include policies and procedures designed to provide the audit organization with reasonable assurance that audits and attestation engagements are performed and reports are issued in accordance with professional standards and legal and regulatory requirements. (See paragraph 3.52) Examples of such policies and procedures include the following:

(1) communication provided to team members so that they sufficiently understand the objectives of their work and the applicable professional standards;

(2) audit and attestation engagement planning and supervision;

(3) appropriate documentation of the work performed;

(4) review of the work performed, the significant judgments made, and the resulting audit documentation and report;

(5) review of the independence and qualifications of any outside experts or contractors used, as well as a review of the scope and quality of their work;

(6) procedures for resolving difficult or contentious issues or disagreements among team members, including specialists;

(7) obtaining and addressing comments from the audited entity on draft reports; and

(8) reporting supported by the evidence obtained, and in accordance with applicable professional standards and legal and regulatory requirements.

b. Monitoring is an ongoing, periodic assessment of audit and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitability designed and operating effectively in practice. (See paragraph 3.53f) The following guidance is provided to assist audit organizations with implementing and continuing its monitoring of quality:

(1) Who: Monitoring is most effective when performed by persons who do not have responsibility for the specific activity being monitored (e.g., for specific engagements or specific centralized processes). The staff member or team of staff members assigned with responsibility for the monitoring process collectively need sufficient and appropriate competence and authority in the audit organization to assume that responsibility. Generally the staff member or the team of staff members performing the monitoring are apart from the normal audit supervision associated with individual audits.

(2) How much: The extent of monitoring procedures varies based on the audit organization's circumstances to enable the audit organization to assess compliance with applicable professional standards and the audit organization's quality control policies and procedures. Examples of specific monitoring procedures include

(a) examination of selected administrative and personnel records pertaining to quality control;

(b) review of selected audit and attest documentation, and reports;

(c) discussions with the audit organization's personnel (as applicable and appropriate);

(d) periodic summarization of the findings from the monitoring procedures in writing, (at least annually), and consideration of the systematic causes of findings that indicate improvements are needed;

(e) determination of any corrective actions to be taken or improvements to be made with respect to the specific audits and attestation engagements reviewed or the audit organization's quality control policies and procedures;

(f) communication of the identified findings to appropriate audit organization management with subsequent follow-up; and

(g) consideration of findings by appropriate audit organization management personnel who also determine whether actions necessary, including necessary modifications to the quality control system, are performed on a timely basis.

(3) Review of selected administrative and personnel records: The review of selected administrative and personnel records pertaining to quality control may include tests of

(a) compliance with policies and procedures on independence;

(b) compliance with continuing professional development policies, including training;

(c) procedures related to recruitment and hiring of qualified personnel, including hiring of specialists or consultants when needed;

(d) procedures related to performance evaluation and advancement of personnel;

(e) procedures related to initiation, acceptance, and continuance of audit and attestation engagements;

(f) audit organization personnel's understanding of the quality control policies and procedures, and implementation of these policies and procedures; and

(g) audit organization's process for updating its policies and procedures.

(4) Follow-up on previous findings: Monitoring procedures include an evaluation of whether the audit organization has taken appropriate corrective action to address findings and recommendations from previous monitoring and peer reviews. Personnel involved in monitoring use this information as part of the assessment of risk associated with the design and implementation of the audit organization's quality control system and in determining the nature, timing, and extent of monitoring procedures.

(5) Written report: The audit organization communicates the results of the monitoring of its quality control systems in a written report that allows the audit organization to take prompt and appropriate action where necessary. Information included in this report includes:

(a) a description of the monitoring procedures performed;

(b) the conclusions drawn from the monitoring procedures; and

(c) where relevant, a description of the systemic, repetitive, or other significant deficiencies and of the actions taken to resolve those deficiencies.

A3.05 As discussed in paragraph 3.61, an external audit organization should make its most recent peer review report publicly available. Examples of how to achieve this transparency requirement include posting the peer review report on an external Web site or to a publicly available file. To help the public understand the peer review reports, an audit organization may also include a description of the peer review process and how it applies to its organization. The following provides examples of additional information that audit organizations may include to help users understand the meaning of the peer review report.

a. Explanation of the peer review process.

b. Description of the audit organization's system of quality control.

c. Explanation of the relationship of the peer review results to the audited organization's work.

d. If the peer review report is modified, explanation of the reviewed audit organization's plan for improving quality controls and the status of the improvements.

Types of Evidence

A7.02 In terms of its form and how it is collected, evidence may be categorized as physical, documentary, or testimonial. Physical evidence is obtained by auditors' direct inspection or observation of people, property, or events. Such evidence may be documented in summary memos, photographs, videos, drawings, charts, maps, or physical samples. Documentary evidence is obtained in the form of already existing information such as letters, contracts, accounting records, invoices, spreadsheets, database extracts, electronically stored information, and management information on performance. Testimonial evidence is obtained through inquiries, interviews, focus groups, public forums, or questionnaires. Auditors frequently use analytical processes including computations, comparisons, separation of information into components, and rational arguments to analyze any evidence gathered to determine whether it is sufficient and appropriate. (See paragraphs 7.66 and 7.59 for definitions of sufficient and appropriate.) The strength and weakness of each form of evidence depends on the facts and circumstances associated with the evidence and professional judgment in the context of the audit objectives.

Appropriateness of Evidence in Relation to the Audit Objectives

A7.03 One of the primary factors influencing the assurance associated with a performance audit is the appropriateness of the evidence in relation to the audit objectives. For example:

a. The audit objectives might focus on verifying specific quantitative results presented by the audited entity. In these situations, the audit procedures would likely focus on obtaining evidence about the accuracy of the specific amounts in question. This work may include the use of statistical sampling.

b. The audit objectives might focus on the performance of a specific program or activity in the agency being audited. In these situations, the auditor may be provided with information compiled by the agency being audited in order to answer the audit objectives. The auditor may find it necessary to test the quality of the information, which includes both its validity and reliability.

c. The audit objectives might focus on information that is used for widely accepted purposes and obtained from sources generally recognized as appropriate. For example, economic statistics issued by government agencies for purposes such as adjusting for inflation, or other such information issued by authoritative organizations, may be the best information available. In such cases, it may not be practical or necessary for auditors to conduct procedures to verify the information. These decisions call for professional judgment based on the nature of the information, its common usage or acceptance, and how it is being used in the audit.

d. The audit objectives might focus on comparisons or benchmarking between various government functions or agencies. These types of audits are especially useful for analyzing the outcomes of various public policy decisions. In these cases, auditors may perform analyses, such as comparative statistics of different jurisdictions or changes in performance over time, where it would be impractical to verify the detailed data underlying the statistics. Clear disclosure as to what extent the comparative information or statistics were evaluated or corroborated will likely be necessary to place the evidence in proper context for report users.

e. The audit objectives might focus on trend information based on data provided by the audited entity. In this situation, auditors may assess the evidence by using overall analytical tests of underlying data, combined with a knowledge and understanding of the systems or processes used for compiling information.

f. The audit objectives might focus on the auditor identifying emerging and cross-cutting issues using information compiled or self-reported by agencies. In such cases, it may be helpful for the auditor to consider the overall appropriateness of the compiled information along with other information available about the program. Other sources of information, such as inspector general reports or other external audits, may provide the auditors with information regarding whether any unverified or self-reported information is consistent with or can be corroborated by these other external sources of information.

Report Quality Elements

A8.02 The auditor may use the report quality elements of timely, complete, accurate, objective, convincing, clear, and concise when developing and writing the auditor's report as the subject permits.

a. Accurate: An accurate report is supported by sufficient, appropriate evidence with key facts, figures, and findings being traceable to the audit evidence. Reports that are fact-based, with a clear statement of sources, methods, and assumptions so that report users can judge how much weight to give the evidence reported, assist in achieving accuracy. Disclosing data limitations and other disclosures also contribute to producing more accurate audit reports. Reports also are more accurate when the findings are presented in the broader context of the issue. One way to help audit organizations prepare accurate audit reports is to use a quality control process such as referencing. Referencing is a process in which an experienced auditor who is independent of the audit checks that statements of facts, figures, and dates are correctly reported, that the findings are adequately supported by the evidence in the audit documentation, and that the conclusions and recommendations flow logically from the evidence.

b. Objective: Objective means that the presentation of the report is balanced in content and tone. A report's credibility is significantly enhanced when it presents evidence in an unbiased manner and in the proper context. This means presenting the audit results impartially and fairly. The tone of reports may encourage decision makers to act on the auditors' findings and recommendations. This balanced tone can be achieved when reports present sufficient, appropriate evidence to support conclusions while refraining from using adjectives or adverbs that characterize evidence in a way that implies criticism or unsupported conclusions. The objectivity of audit reports is enhanced when the report explicitly states the source of the evidence and the assumptions used in the analysis. The report may recognize the positive aspects of the program reviewed if applicable to the audit objectives. Inclusion of positive program aspects may lead to improved performance by other government organizations that read the report. Audit reports are more objective when they demonstrate that the work has been performed by professional, unbiased, independent, and knowledgeable staff.

c. Complete: Being complete means that the report contains sufficient, appropriate evidence needed to satisfy the audit objectives and promote an understanding of the matters reported. It also means the report states evidence and findings without omission of significant relevant information related to the audit objectives. Providing report users with an understanding means providing perspective on the extent and significance of reported findings, such as the frequency of occurrence relative to the number of cases or transactions tested and the relationship of the findings to the entity's operations. Being complete also means clearly stating what was and was not done and explicitly describing data limitations, constraints imposed by restrictions on access to records, or other issues.

d. Convincing: Being convincing means that the audit results are responsive to the audit objectives, that the findings are presented persuasively, and that the conclusions and recommendations flow logically from the facts presented. The validity of the findings, the reasonableness of the conclusions, and the benefit of implementing the recommendations are more convincing when supported by sufficient, appropriate evidence. Reports designed in this way can help focus the attention of responsible officials on the matters that warrant attention and can provide an incentive for taking corrective action.

e. Clear: Clarity means the report is easy for the intended user to read and understand. Preparing the report in language as clear and simple as the subject permits assists auditors in achieving this goal. Use of straightforward, nontechnical language is helpful to simplify presentation. Defining technical terms, abbreviations, and acronyms that are used in the report is also helpful. Auditors may use a highlights page or summary within the report to capture the report user's attention and highlight the overall message. If a summary is used, it is helpful if it focuses on the specific answers to the questions in the audit objectives, summarizes the audit's most significant findings and the report's principal conclusions, and prepares users to anticipate the major recommendations. Logical organization of material, and accuracy and precision in stating facts and in drawing conclusions assist in the report's clarity and understanding. Effective use of titles and captions and topic sentences makes the report easier to read and understand. Visual aids (such as pictures, charts, graphs, and maps) may clarify and summarize complex material.

f. Concise: Being concise means that the report is not longer than necessary to convey and support the message. Extraneous detail detracts from a report, may even conceal the real message, and may confuse or distract the users. Although room exists for considerable judgment in determining the content of reports, those that are fact-based but concise are likely to achieve results.

g. Timely: To be of maximum use, providing relevant evidence in time to respond to officials of the audited entity, legislative officials, and other users' legitimate needs is the auditors' goal. Likewise, the evidence provided in the report is more helpful if it is current. Therefore, the timely issuance of the report is an important reporting goal for auditors. During the audit, the auditors may provide interim reports of significant matters to appropriate entity officials. Such communication alerts officials to matters needing immediate attention and allows them to take corrective action before the final report is completed.