A.01 The following sections provide supplemental guidance for auditors and the audited entities to assist in the implementation of generally accepted government auditing standards (GAGAS). The guidance does not establish additional requirements but instead is intended to facilitate auditor implementation of GAGAS in chapters 1 through 8. The supplemental guidance in the first section may be of assistance for all types of audits and engagements covered by GAGAS. Subsequent sections provide supplemental guidance for specific chapters of GAGAS, as indicated.
A.02 Chapters 4 through 8 discuss the field work and reporting standards for financial audits, attestation engagements, and performance audits. The identification of significant deficiencies in internal control, significant abuse, fraud risks, illegal acts, and significant violations of provisions of contracts or grant agreements are important aspects of government auditing. The following discussion is provided to assist auditors in identifying significant deficiencies in internal control, abuse, and indicators of fraud risk and to assist auditors in determining whether illegal acts and violations of provisions of contracts or grant agreements are significant within the context of the audit objectives.
a. Insufficient control consciousness within the organization, for example the tone at the top and the control environment. Control deficiencies in other components of internal control could lead the auditor to conclude that weaknesses exist in the control environment.
c. Control systems that did not prevent or detect material misstatements so that it was later necessary to restate previously issued financial statements or operational results. Control systems that did not prevent or detect material misstatements in performance or operational results so that it was later necessary to make significant corrections to those results.
d. Control systems that did not prevent or detect material misstatements identified by the auditor. This includes misstatements involving estimation and judgment for which the auditor identifies potential material adjustments and corrections of the recorded amounts.
e. An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for a very large or highly complex entity.
g. Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either to correct it or to conclude that it will not be corrected.
j. Deficiencies in the design or operation of internal control that could result in violations of laws, regulations, provisions of contracts or grant agreements, fraud, or abuse having a direct and material effect on the financial statements or the audit objective.
k. Inadequate design of information systems general and application controls that prevent the information system from providing complete and accurate information consistent with financial or performance reporting objectives and other current needs.
c. Misusing the official's position for personal gain (including actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an official's personal financial interests or those of an immediate or close family member; a general partner; an organization for which the official serves as an officer, director, trustee, or employee; or an organization with which the official is negotiating concerning future employment).
A.10 Government programs are subject to many laws, regulations, and provisions of contracts or grant agreements. At the same time, their significance within the context of the audit objectives varies widely, depending on the objectives of the audit. Auditors may find the following approach helpful in assessing whether laws, regulations, or provisions of contracts or grant agreements are significant within the context of the audit objectives:
a. Express each audit objective in terms of questions about specific aspects of the program being audited (that is, purpose and goals, internal control, inputs, program operations, outputs, and outcomes).
c. Determine if the audit objectives or the auditors' conclusions could be significantly affected if violations of those laws, regulations, or provisions of contracts or grant agreements occurred. If the audit objectives or audit conclusions could be significantly affected, then those laws, regulations, and provisions of contracts or grant agreements are likely to be significant to the audit objectives.
A.11 Auditors may consult with either their own or management's legal counsel to (1) determine those laws and regulations that are significant to the audit objectives, (2) design tests of compliance with laws and regulations, or (3) evaluate the results of those tests. Auditors also may consult with either their own or management's legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements. Depending on the circumstances of the audit, auditors may consult with others, such as investigative staff, other audit organizations or government entities that provided professional services to the audited entity, or applicable law enforcement authorities, to obtain information on compliance matters.
A1.01 Chapter 1 discusses the use and application of GAGAS and the role of auditing in government accountability. Those charged with governance and management of audited organizations also have roles in government accountability. The discussion that follows is provided to assist auditors in understanding the roles of others in accountability. The following section also contains background information on the laws, regulations, and guidelines that require the use of GAGAS. This information is provided to place GAGAS within the context of overall government accountability.
A1.02 Laws, regulations, contracts, grant agreements, or policies frequently require the use of GAGAS. (See paragraph 1.04.) The following are among the laws, regulations, and guidelines that require the use of GAGAS:
a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. requires that the statutorily appointed federal inspectors general comply with GAGAS for audits of federal establishments, organizations, programs, activities, and functions. The act further states that the inspectors general shall take appropriate steps to assure that any work performed by nonfederal auditors complies with GAGAS.
b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the Government Management Reform Act of 1994 (Public Law 103-356), requires that GAGAS be followed in audits of executive branch departments' and agencies' financial statements. The Accountability of Tax Dollars Act of 2002 (Public Law 107-289) extends this requirement to most executive agencies not subject to the Chief Financial Officers Act unless they are exempted for a given year by the Office of Management and Budget (OMB).
c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require that GAGAS be followed in audits of state and local governments and nonprofit entities that receive federal awards.[104] OMB Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations, which provides the governmentwide guidelines and policies on performing audits to comply with the Single Audit Act, also requires the use of GAGAS.
A1.03 Other laws, regulations, or other authoritative sources may require the use of GAGAS. For example, auditors at the state and local levels of government may be required by state and local laws and regulations to follow GAGAS. Also, auditors may be required by the terms of an agreement or contract to follow GAGAS. Auditors may also be required to follow GAGAS by federal audit guidelines pertaining to program requirements, such as those issued for Housing and Urban Development programs and Student Financial Aid programs. Being alert to such other laws, regulations, or authoritative sources may assist auditors in performing their work in accordance with the required standards.
A1.04 Even if not required to do so, auditors may find it useful to follow GAGAS in performing audits of federal, state, and local government programs as well as in performing audits of government awards administered by contractors, nonprofit entities, and other nongovernment entities. Many audit organizations not formally required to do so, both in the United States of America and in other countries, voluntarily follow GAGAS.
A1.06 Those charged with governance have the duty to oversee the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting process, subject matter, or program under audit including related internal controls. In certain entities covered by GAGAS, those charged with governance also may be part of the entity's management. In some audit entities, multiple parties may be charged with governance, including oversight bodies, members or staff of legislative committees, boards of directors, audit committees, or parties contracting for the audit.
A1.07 Because the governance structures of government entities and organizations can vary widely, it may not always be clearly evident who is charged with key governance functions. In these situations, auditors evaluate the organizational structure for directing and controlling operations to achieve the entity's objectives. This evaluation also includes how the government entity delegates authority and establishes accountability for its management personnel.
a. using government resources legally, effectively, efficiently, economically, ethically, and equitably to achieve the purposes for which the resources were furnished or the program was established;[105]
d. establishing and maintaining effective internal control to help ensure that appropriate goals and objectives are met; using resources efficiently, economically, effectively, and equitably, and safeguarding resources; following laws and regulations; and ensuring that management and financial information is reliable and properly reported;
e. providing appropriate reports to those who oversee their actions and to the public in order to demonstrate accountability for the resources and authority used to carry out government programs and the results of these programs;
A3.01 Chapter 3 discusses the general standards applicable to financial audits, attestation engagements, and performance audits under GAGAS. Auditors may also provide professional services, other than audits and attestation engagements, which are sometimes referred to as nonaudit services or consulting services. GAGAS do not cover nonaudit services since such services are not audits or attestation engagements. If an audit organization decides to perform nonaudit services, its independence for performing audits or attestation engagements may be impacted. Nonaudit services which may impair or do impair auditor independence are discussed in chapter 3. (See paragraphs 3.20 through 3.30.) The following supplemental guidance is provided to assist auditors and audited entities in identifying nonaudit services that are often provided by audit organizations in government entities without impairing their independence with respect to entities for which they provide audits or attestation engagements.
A3.02 Audit organizations in government entities frequently provide nonaudit services that differ from the traditional professional services provided by an accounting or consulting firm to or for the audited entity. These types of nonaudit services are often performed in response to a statutory requirement, at the discretion of the authority of the audit organization, or for a legislative oversight body or an independent external organization and do not impair auditor independence. (See paragraphs 3.20 through 3.30 for the requirements for evaluating whether nonaudit services impair auditor independence.)
i. contracting for audit services on behalf of an audited entity and overseeing the audit contract, as long as the overarching principles are not violated and the auditor under contract reports to the audit organization and not to management;
(2) review-level work such as sales tax reviews that are designed to review whether governmental entities receive from businesses, merchants, and vendors all of the sales taxes to which they are entitled;
A3.04 Chapter 3 discusses the elements of an audit organization's system of quality control. The following supplemental guidance is provided to assist auditors and audit organizations in establishing policies and procedures in their systems of quality control to address the following elements from paragraph 3.53: (1) audit and attestation engagement performance, documentation, and reporting and (2) monitoring of quality.
a. GAGAS standards for audit and attestation engagement performance, documentation, and reporting are in chapters 4 and 5 for financial audits, chapter 6 for attestation engagements, and chapters 7 and 8 for performance audits. Chapter 3 specifies that an audit organization's quality control system include policies and procedures designed to provide the audit organization with reasonable assurance that audits and attestation engagements are performed and reports are issued in accordance with professional standards and legal and regulatory requirements. (See paragraph 3.52.) Examples of such policies and procedures include the following:
b. Monitoring is an ongoing, periodic assessment of audit and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice. (See paragraph 3.53f.) The following guidance is provided to assist audit organizations with implementing and continuing their monitoring of quality:
(1) Who: Monitoring is most effective when performed by persons who do not have responsibility for the specific activity being monitored (e.g., for specific engagements or specific centralized processes). The staff member or team of staff members assigned with responsibility for the monitoring process collectively need sufficient and appropriate competence and authority in the audit organization to assume that responsibility. Generally the staff member or the team of staff members performing the monitoring are apart from the normal audit supervision associated with individual audits.
(2) How much: The extent of monitoring procedures varies based on the audit organization's circumstances to enable the audit organization to assess compliance with applicable professional standards and the audit organization's quality control policies and procedures. Examples of specific monitoring procedures include
(d) periodic summarization of the findings from the monitoring procedures in writing (at least annually), and consideration of the systematic causes of findings that indicate improvements are needed;
(e) determination of any corrective actions to be taken or improvements to be made with respect to the specific audits and attestation engagements reviewed or the audit organization's quality control policies and procedures;
(g) consideration of findings by appropriate audit organization management personnel who also determine whether actions necessary, including necessary modifications to the quality control system, are performed on a timely basis.
(4) Follow-up on previous findings: Monitoring procedures include an evaluation of whether the audit organization has taken appropriate corrective action to address findings and recommendations from previous monitoring and peer reviews. Personnel involved in monitoring use this information as part of the assessment of risk associated with the design and implementation of the audit organization's quality control system and in determining the nature, timing, and extent of monitoring procedures.
(5) Written report: The audit organization communicates the results of the monitoring of its quality control systems in a written report that allows the audit organization to take prompt and appropriate action where necessary. Information included in this report includes:
A3.05 As discussed in paragraph 3.61, an external audit organization should make its most recent peer review report publicly available. Examples of how to achieve this transparency requirement include posting the peer review report on an external Web site or to a publicly available file. To help the public understand the peer review reports, an audit organization may also include a description of the peer review process and how it applies to its organization. The following provides examples of additional information that audit organizations may include to help users understand the meaning of the peer review report.
A7.01 Chapter 7 discusses the field work standards for performance audits. An integral concept for performance auditing is the use of sufficient, appropriate evidence based on the audit objectives to support a sound basis for audit findings, conclusions, and recommendations. The following discussion is provided to assist auditors in identifying the various types of evidence and assessing the appropriateness of evidence in relation to the audit objectives.
A7.02 In terms of its form and how it is collected, evidence may be categorized as physical, documentary, or testimonial. Physical evidence is obtained by auditors' direct inspection or observation of people, property, or events. Such evidence may be documented in summary memos, photographs, videos, drawings, charts, maps, or physical samples. Documentary evidence is obtained in the form of already existing information such as letters, contracts, accounting records, invoices, spreadsheets, database extracts, electronically stored information, and management information on performance. Testimonial evidence is obtained through inquiries, interviews, focus groups, public forums, or questionnaires. Auditors frequently use analytical processes including computations, comparisons, separation of information into components, and rational arguments to analyze any evidence gathered to determine whether it is sufficient and appropriate. (See paragraphs 7.66 and 7.59 for definitions of sufficient and appropriate.) The strength and weakness of each form of evidence depends on the facts and circumstances associated with the evidence and professional judgment in the context of the audit objectives.
a. The audit objectives might focus on verifying specific quantitative results presented by the audited entity. In these situations, the audit procedures would likely focus on obtaining evidence about the accuracy of the specific amounts in question. This work may include the use of statistical sampling.
b. The audit objectives might focus on the performance of a specific program or activity in the agency being audited. In these situations, the auditor may be provided with information compiled by the agency being audited in order to answer the audit objectives. The auditor may find it necessary to test the quality of the information, which includes both its validity and reliability.
c. The audit objectives might focus on information that is used for widely accepted purposes and obtained from sources generally recognized as appropriate. For example, economic statistics issued by government agencies for purposes such as adjusting for inflation, or other such information issued by authoritative organizations, may be the best information available. In such cases, it may not be practical or necessary for auditors to conduct procedures to verify the information. These decisions call for professional judgment based on the nature of the information, its common usage or acceptance, and how it is being used in the audit.
d. The audit objectives might focus on comparisons or benchmarking between various government functions or agencies. These types of audits are especially useful for analyzing the outcomes of various public policy decisions. In these cases, auditors may perform analyses, such as comparative statistics of different jurisdictions or changes in performance over time, where it would be impractical to verify the detailed data underlying the statistics. Clear disclosure as to what extent the comparative information or statistics were evaluated or corroborated will likely be necessary to place the evidence in proper context for report users.
e. The audit objectives might focus on trend information based on data provided by the audited entity. In this situation, auditors may assess the evidence by using overall analytical tests of underlying data, combined with a knowledge and understanding of the systems or processes used for compiling information.
f. The audit objectives might focus on the auditor identifying emerging and cross-cutting issues using information compiled or self-reported by agencies. In such cases, it may be helpful for the auditor to consider the overall appropriateness of the compiled information along with other information available about the program. Other sources of information, such as inspector general reports or other external audits, may provide the auditors with information regarding whether any unverified or self-reported information is consistent with or can be corroborated by these other external sources of information.
a. Accurate: An accurate report is supported by sufficient, appropriate evidence with key facts, figures, and findings being traceable to the audit evidence. Reports that are fact-based, with a clear statement of sources, methods, and assumptions so that report users can judge how much weight to give the evidence reported, assist in achieving accuracy. Disclosing data limitations and other disclosures also contribute to producing more accurate audit reports. Reports also are more accurate when the findings are presented in the broader context of the issue. One way to help audit organizations prepare accurate audit reports is to use a quality control process such as referencing. Referencing is a process in which an experienced auditor who is independent of the audit checks that statements of facts, figures, and dates are correctly reported, that the findings are adequately supported by the evidence in the audit documentation, and that the conclusions and recommendations flow logically from the evidence.
b. Objective: Objective means that the presentation of the report is balanced in content and tone. A report's credibility is significantly enhanced when it presents evidence in an unbiased manner and in the proper context. This means presenting the audit results impartially and fairly. The tone of reports may encourage decision makers to act on the auditors' findings and recommendations. This balanced tone can be achieved when reports present sufficient, appropriate evidence to support conclusions while refraining from using adjectives or adverbs that characterize evidence in a way that implies criticism or unsupported conclusions. The objectivity of audit reports is enhanced when the report explicitly states the source of the evidence and the assumptions used in the analysis. The report may recognize the positive aspects of the program reviewed if applicable to the audit objectives. Inclusion of positive program aspects may lead to improved performance by other government organizations that read the report. Audit reports are more objective when they demonstrate that the work has been performed by professional, unbiased, independent, and knowledgeable staff.
c. Complete: Being complete means that the report contains sufficient, appropriate evidence needed to satisfy the audit objectives and promote an understanding of the matters reported. It also means the report states evidence and findings without omission of significant relevant information related to the audit objectives. Providing report users with an understanding means providing perspective on the extent and significance of reported findings, such as the frequency of occurrence relative to the number of cases or transactions tested and the relationship of the findings to the entity's operations. Being complete also means clearly stating what was and was not done and explicitly describing data limitations, constraints imposed by restrictions on access to records, or other issues.
d. Convincing: Being convincing means that the audit results are responsive to the audit objectives, that the findings are presented persuasively, and that the conclusions and recommendations flow logically from the facts presented. The validity of the findings, the reasonableness of the conclusions, and the benefit of implementing the recommendations are more convincing when supported by sufficient, appropriate evidence. Reports designed in this way can help focus the attention of responsible officials on the matters that warrant attention and can provide an incentive for taking corrective action.
e. Clear: Clarity means the report is easy for the intended user to read and understand. Preparing the report in language as clear and simple as the subject permits assists auditors in achieving this goal. Use of straightforward, nontechnical language is helpful to simplify presentation. Defining technical terms, abbreviations, and acronyms that are used in the report is also helpful. Auditors may use a highlights page or summary within the report to capture the report user's attention and highlight the overall message. If a summary is used, it is helpful if it focuses on the specific answers to the questions in the audit objectives, summarizes the audit's most significant findings and the report's principal conclusions, and prepares users to anticipate the major recommendations. Logical organization of material, and accuracy and precision in stating facts and in drawing conclusions assist in the report's clarity and understanding. Effective use of titles and captions and topic sentences makes the report easier to read and understand. Visual aids (such as pictures, charts, graphs, and maps) may clarify and summarize complex material.
f. Concise: Being concise means that the report is not longer than necessary to convey and support the message. Extraneous detail detracts from a report, may even conceal the real message, and may confuse or distract the users. Although room exists for considerable judgment in determining the content of reports, those that are fact-based but concise are likely to achieve results.
g. Timely: To be of maximum use, providing relevant evidence in time to respond to officials of the audited entity, legislative officials, and other users' legitimate needs is the auditors' goal. Likewise, the evidence provided in the report is more helpful if it is current. Therefore, the timely issuance of the report is an important reporting goal for auditors. During the audit, the auditors may provide interim reports of significant matters to appropriate entity officials. Such communication alerts officials to matters needing immediate attention and allows them to take corrective action before the final report is completed.
104. Under the Single Audit Act, as amended, federal awards include federal financial assistance (grants, loans, loan guarantees, property, cooperative agreements, interest subsidies, insurance, food commodities, direct appropriations, or other assistance) and cost-reimbursement contracts.