5.01 This chapter establishes reporting standards and provides guidance for financial audits conducted in accordance with generally accepted government auditing standards (GAGAS). For financial audits, GAGAS incorporate the American Institute of Certified Public Accountants (AICPA) field work and reporting standards and the related statements on auditing standards (SAS) unless specifically excluded or modified by GAGAS.61 This chapter identifies the AICPA reporting standards and prescribes additional standards for financial audits performed in accordance with GAGAS.
5.03 The four AICPA generally accepted standards of reporting62 are as follows:
d. The auditor must either express an opinion regarding the financial statements, taken as a whole, or state that an opinion cannot be expressed, in the auditor's report. When the auditor cannot express an overall opinion, the auditor should state the reasons therefor in the auditor's report. In all cases where an auditor's name is associated with financial statements, the auditor should clearly indicate the character of the auditor's work, if any, and the degree of responsibility the auditor is taking in the auditor's report.
5.04 GAGAS establish reporting standards for financial audits in addition to the standards contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to
5.05 When auditors comply with all applicable GAGAS requirements, they should include a statement in the auditors' report that they performed the audit in accordance with GAGAS. (See paragraphs 1.12 and 1.13 for additional requirements on citing compliance with GAGAS.)
5.06 An audited entity receiving a GAGAS audit report may also request auditors to issue a financial audit report for purposes other than complying with requirements for a GAGAS audit. For example, the audited entity may need audited financial statements to issue bonds or for other financing purposes. GAGAS do not prohibit auditors from issuing a separate report conforming only to AICPA or other standards.
5.07 When providing an opinion or a disclaimer on financial statements, auditors must also report on internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements.
5.08 Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. If the auditors issue separate reports, they should include a reference to the separate reports in the report on financial statements. Auditors should state in the reports whether the tests they performed provided sufficient, appropriate evidence to support an opinion on the effectiveness of internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements. The internal control reporting standard under GAGAS differs from the objective of an examination of internal control in accordance with the AICPA Statement on Standards for Attestation Engagements (SSAE), which is to express an opinion on the design or the design and operating effectiveness of an entity's internal control, as applicable. To form a basis for expressing such an opinion, the auditor must plan and perform the examination to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control as of a point in time or for a specified period of time.
5.09 When auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements, they should state in the financial statement audit report that they are issuing those additional reports. They should include a reference to the separate reports63 and also state that the reports on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements are an integral part of a GAGAS audit and important for assessing the results of the audit. If auditors issued or intend to issue a management letter, they should refer to that management letter in the reports.
5.10 For financial audits, including audits of financial statements in which auditors provide an opinion or disclaimer, auditors should report, as applicable to the objectives of the audit, and based upon the audit work performed, (1) significant deficiencies in internal control, identifying those considered to be material weaknesses; (2) all instances of fraud and illegal acts unless inconsequential; and (3) violations of provisions of contracts or grant agreements and abuse that could have a material effect on the financial statements.64
a. Significant deficiency: a deficiency in internal control, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with GAAP such that there is more than a remote65 likelihood that a misstatement of the entity's financial statements that is more than inconsequential 66 will not be prevented or detected.67
b. Material weakness: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
5.12 Assessing the significance of control deficiencies includes qualitative considerations such as public accountability of the audited entity, legal and regulatory requirements, the visibility and sensitivity of the entity or program, the needs of users and concerns of oversight officials, and current and emerging risks and uncertainties facing the government entity or entity that receives government funding. The significance of a deficiency in internal control also is influenced by
5.13 Auditors should include all significant deficiencies in the auditors' report on internal control over financial reporting and indicate those that represent material weaknesses. If (1) a significant deficiency is remediated before the auditors' report is issued and (2) the auditors obtain sufficient, appropriate evidence supporting the remediation of the significant deficiency, then the auditors should report the significant deficiency and the fact that it was remediated before the auditors' report was issued.
5.14 Determining whether and how to communicate to officials of the audited entity internal control deficiencies that have an inconsequential effect on the financial statements is a matter of professional judgment. Auditors should document such communications.
5.15 Under AICPA standards and GAGAS, auditors have responsibilities for detecting fraud and illegal acts that have a material effect on the financial statements and determining whether those charged with governance are adequately informed about fraud and illegal acts. GAGAS include additional reporting standards. When auditors conclude, based on sufficient, appropriate evidence, that any of the following either has occurred or is likely to have occurred, they should include in their audit report the relevant information about
a . fraud and illegal acts68 that have an effect on the financial statements that is more than inconsequential,
5.16 When auditors detect violations of provisions of contracts or grant agreements or abuse that have an effect on the financial statements that is less than material but more than inconsequential, they should communicate those findings in writing to officials of the audited entity. Determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of professional judgment. Auditors should document such communications.
5.17 When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings, and for example, report only on information that is already a part of the public record.
5.18 Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances.69
a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties.
b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is likely to have a material effect on the financial statements and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the entity's failure to take timely and appropriate steps directly to the funding agency.
5.19 The reporting in paragraph 5.18 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion.
5.20 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 5.18.
5.21 In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the audit objectives. Clearly developed audit findings, as discussed in paragraphs 4.14 through 4.18, assist management or oversight officials of the audited entity in understanding the need for taking corrective action. If auditors sufficiently develop the elements of a finding, they may provide recommendations for corrective action.
5.22 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately.
5.23 Under AICPA standards, auditors may emphasize in the auditors' report significant matters regarding the financial statements.70 Due to the public interest in the operations of government entities and entities that receive or administer government awards, there may be situations in GAGAS audits in which certain types of information would help facilitate the readers' understanding of the financial statements and the auditors' report. These situations may be in addition to the examples presented in AICPA standards.
a. Significant concerns or uncertainties about the fiscal sustainability of a government or program or other matters that could have a significant impact on the financial condition or operations of the government entity beyond 1 year of the financial statement date.71 Such concerns or uncertainties may arise due to revenue or expenditure trends; economic dependency on other governments or entities; the government's current commitments, responsibilities, liabilities, or promises to citizens for future benefits that are not sustainable over the long term; deficit trends; the relationship between the financial information and other key indicators; and other significant risks and uncertainties that raise doubts about the long-term sustainability of current government programs in relation to the resources expected to be available. However, auditors are not responsible for designing audit procedures to detect such concerns or uncertainties, and any judgment about the future is based on information that is available at the time the judgment is made.
5.25 Determining whether to communicate such information in the auditors' report is a matter of professional judgment. The communication may be presented in a separate paragraph or separate section of the auditors' report and may include information that is not disclosed in the financial statements.
5.26 AICPA Professional Standards, AU Section 561, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report, establish standards and provide guidance for situations when auditors become aware of new information that could have affected their report on previously-issued financial statements.72 Under AU Section 561, if auditors become aware of new information that might have affected their opinion on previously-issued financial statement(s), then the auditors should advise entity management to determine the potential effect(s) of the new information on the previously-issued financial statement(s) as soon as reasonably possible. Such new information may lead management to conclude that previously-issued financial statements were materially misstated and to restate and reissue the misstated financial statements. In such circumstances, auditors should advise management to make appropriate disclosure of the newly discovered facts and their impact on the financial statements to those who are likely to rely on the financial statements.73
5.27 Under GAGAS, auditors should advise management to make appropriate disclosures when the auditors believe that the following conditions exist: (1) it is likely that previously-issued financial statements are misstated and (2) the misstatement is or reasonably could be material. Under GAGAS, auditors also should perform the following procedures related to restated financial statements:74
Evaluate the Timeliness and Appropriateness of Management's Disclosure and Actions to Determine and Correct Misstatements in Previously-Issued Financial Statements
5.28 Auditors should evaluate the timeliness and appropriateness of management's disclosure to those who are likely to rely on the financial statements and management's actions to determine and correct misstatements in previously-issued financial statements in accordance with AU Sections 561.06 through 561.08. Under GAGAS, auditors also should evaluate whether management
a. acted in an appropriate time frame after new information was available to (1) determine the financial statement effects of the new information and (2) notify those who are likely to rely on the financial statements;
c. disclosed the following information in the entity's restated financial statements: (1) the nature and cause(s) of the misstatement(s) that led to the need for restatement, (2) the specific amount(s) of the material misstatement(s), and (3) the related effect(s) on the previously-issued financial statement(s) (e.g., year(s) being restated, specific financial statement(s) affected and line items restated, actions the agency's management took after discovering the misstatement), and (4) the impact on the financial statements as a whole (e.g., change in overall net position, change in the audit opinion) and on key information included in the Management Discussion & Analysis.
5.29 When management restates financial statements, auditors should perform audit procedures sufficient to reissue or update the auditors' report on the restated financial statements regardless of whether the restated financial statements are separately issued or presented on a comparative basis with those of a subsequent period.75 Auditors should include the following in an explanatory paragraph in the reissued or updated auditors' report:
b. a statement that (1) the previously-issued auditors' report (identified by report date) is not to be relied on because the previously-issued financial statements were materially misstated and (2) the previously-issued auditors' report is replaced by the auditors' report on the restated financial statements;
d . if applicable, a reference to the report on internal control containing a discussion of any significant internal control deficiency identified by the auditors as having failed to prevent or detect the misstatement and any corrective action taken by management to address the deficiency.
5.30 Management's failure to include appropriate disclosures, as discussed in paragraph 5.28c, in restated financial statements may have implications for the audit. In addition, auditors should include the omitted disclosures in the auditors' report, if practicable.
5.31 Auditors should notify those charged with governance if entity management (1) does not act in an appropriate time frame after new information was available to determine the financial statement effects of the new information and take the necessary steps to timely inform those who are likely to rely on the financial statements and the related auditors' reports of the situation or (2) does not restate with reasonable timeliness the financial statements under circumstances in which auditors believe they need to be restated. Auditors should inform those charged with governance that the auditors will take steps to prevent further reliance on the auditors' report and advise them to notify oversight bodies and funding agencies that rely on the financial statements. If those charged with governance do not notify appropriate oversight bodies and funding agencies, then the auditors should do so.76
5.32 If the auditors' report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions.
5.33 Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors' findings, conclusions, and recommendations, but also the perspectives of the responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.
5.34 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.
5.35 Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.
5.36 Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user's needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with findings, conclusions, and recommendations in the draft report, or major controversies with regard to the issues discussed in the draft report.
5.37 When the audited entity's comments are inconsistent or in conflict with findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.
5.38 If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.
5.39 If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that make the omission necessary.
5.40 Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing the information and distribute the report only to persons authorized by law or regulation to receive it.
5.41 Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors' recommendations. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.
5.42 Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices.
5.43 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. For example, the auditors may communicate general information in a written report and communicate detailed information verbally. The auditors may consult with legal counsel regarding applicable public records laws.
5.44 Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS:
a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports.
Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should:
c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public.
62. See AU Section 150, Generally Accepted Auditing Standards . Under AU Section 150, when an auditor reports on financial statements prepared in accordance with a comprehensive basis of accounting other than GAAP, the first standard of reporting is satisfied by stating in the auditor's report that the basis of presentation is a comprehensive basis of accounting other than GAAP and by expressing an opinion (or disclaiming an opinion) on whether the financial statements are presented in conformity with the comprehensive basis of accounting used.
64. If the auditor is performing an audit in accordance with Office of Management and Budget (OMB) Circular No. A-133, Audits of States, Local Governments, and Non-Profit Organizations, the thresholds for reporting are defined in the circular. Those reporting thresholds satisfy GAGAS.
65. The term "more than remote" used in the definitions for significant deficiency and material weakness means "at least reasonably possible." The following definitions apply: (1) Remote--The chance of the future events occurring is slight. (2) Reasonably possible--The chance of the future events or their occurrence is more than remote but less than likely. (3) Probable--The future events are likely to occur.
66. The phrase "more than inconsequential" as used in the definition of significant deficiency describes the magnitude of potential misstatement that could occur as a result of a significant deficiency and serves as a threshold for evaluating whether a control deficiency or combination of control deficiencies is a significant deficiency. A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person would not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.
67. See appendix I, paragraph A.04 for examples of control deficiencies. AU Section 325, Communicating Internal Control Related Matters Identified in an Audit, also provides guidance on evaluating potential control deficiencies and examples.
68. Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Disclosing matters that have led auditors to conclude that an illegal act is likely to have occurred is not a final determination of illegality.
69. Internal audit organizations do not have a duty to report outside the entity unless required by law, rule, regulation, or policy. (See paragraph 5.44b for reporting standards for internal audit organizations when reporting externally.)
71. AU Section 341, The Auditor's Consideration of an Entity's Ability to Continue as a Going Concern, establishes standards and provides guidance on auditor responsibilities with regard to an entity's ability to continue as a going concern for a reasonable period of time, not to exceed 1 year beyond the date of the financial statements being audited.
72. AU Section 420, Consistency of Application of GAAP, and AU Section 508, Reports on Audited Financial Statements, provide guidance on when to reissue auditors' reports on restated financial statements.
75. AU Section 9561.02 provides guidance on auditor association with subsequently discovered information when the auditor has resigned or been discharged. AU Sections 508.70 through 508.73 discusses reissuing predecessor auditors' reports.