Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse




GAO-03-673G Government Auditing Standards, Chapter 5: Reporting Standards for Financial Audits


5.12 The standard related to reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse for financial audits performed in accordance with GAGAS is:

For financial audits, including audits of financial statements in which the auditor provides an opinion or disclaimer, auditors should report, as applicable to the objectives of the audit, (1) deficiencies in internal control considered to be reportable conditions as defined in AICPA standards, (2) all instances of fraud and illegal acts unless clearly inconsequential,1 and (3) significant violations of provisions of contracts or grant agreements and abuse. In some circumstances, auditors should report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties external to the audited entity.

Reporting Deficiencies in Internal Control

5.13 For all financial audits, auditors should report deficiencies in internal control considered to be reportable conditions as defined in AICPA standards. 2  The following are examples of matters that may be reportable conditions:

a. absence of appropriate segregation of duties consistent with appropriate control objectives;

b. absence of appropriate reviews and approvals of transactions, accounting entries, or systems output;

c. inadequate provisions for the safeguarding of assets;

d. evidence of failure to safeguard assets from loss, damage, or misappropriation;

e. evidence that a system fails to provide complete and accurate output consistent with the control objectives of the audited entity because of the misapplication of control activities;

f. evidence of intentional override of internal control by those in authority to the detriment of the overall objectives of the system;

g. evidence of failure to perform tasks that are a significant part of internal control, such as reconciliations not prepared or not timely prepared;

h. a weakness in the control environment at an entity such as the absence of a sufficient positive and supportive attitude towards internal control by management within the organization;

i. deficiencies in the design or operation of internal control that could result in violations of laws, regulations, provisions of contracts or grant agreements; fraud; or abuse having a direct and material effect on the financial statements or the audit objectives; and

j. failure to follow up and correct previously identified deficiencies in internal control.

5.14 When reporting deficiencies in internal control, auditors should identify those reportable conditions that are individually or in the aggregate considered to be material weaknesses. 3  Auditors should place their findings in proper perspective by providing a description of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, the instances identified should be related to the population or the number of cases examined and be quantified in terms of dollar value, if appropriate.

5.15 To the extent possible, in presenting audit findings such as deficiencies in internal control, auditors should develop the elements of criteria, condition, cause, and effect to assist management or oversight officials of the audited entity in understanding the need for taking corrective action. In addition, if auditors are able to sufficiently develop the findings, they should provide recommendations for corrective action. Following is guidance for reporting on elements of findings:

a. Criteria: An audit report is improved when it provides information so that the report user will be able to determine what is the required or desired state or what is expected from the program or operation. The criteria are easier to understand when stated fairly, explicitly, and completely, and the source of the criteria is identified in the audit report. 4 

b. Condition: The audit report is improved when it provides evidence of what the auditors found regarding the actual situation. Reporting the scope or extent of the condition allows the report user to gain an accurate perspective.

c. Cause: The audit report is improved when it provides persuasive evidence on the factor or factors responsible for the difference between condition and criteria. In reporting the cause, auditors may consider whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference as opposed to other possible causes, such as poorly designed criteria or factors uncontrollable by program management. The auditors also may consider whether the identified cause could serve as a basis for the recommendations.

d. Effect: The audit report is improved when it provides a clear, logical link to establish the impact of the difference between what the auditors found (condition) and what should be (criteria). Effect is easier to understand when it is stated clearly, concisely, and, if possible, in quantifiable terms. The significance of the reported effect can be demonstrated through credible evidence.

5.16 When auditors detect deficiencies in internal control that are not reportable conditions, they should communicate those deficiencies separately in a management letter to officials of the audited entity unless the deficiencies are clearly inconsequential considering both quantitative and qualitative factors. Auditors should refer to that management letter in the report on internal control. Auditors should use their professional judgment in deciding whether or how to communicate to officials of the audited entity deficiencies in internal control that are clearly inconsequential. Auditors should include in their audit documentation evidence of all communications to officials of the audited entity about deficiencies in internal control found during the audit.

Reporting Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

5.17 AICPA standards and GAGAS require auditors to address the effect fraud or illegal acts may have on the audit report and to determine that the audit committee or others with equivalent authority and responsibility are adequately informed about the fraud or illegal acts. GAGAS further require that this information be in writing and also include reporting on significant violations of provisions of contracts or grant agreements and significant abuse. 5 Therefore, when auditors conclude, on the basis of evidence obtained, that fraud, an illegal act, a significant violation of a contract or grant agreement, or significant abuse either has occurred or is likely to have occurred, 6 they should include in their audit report the relevant information. 7

5.18 When reporting instances of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should place their findings in proper perspective by providing a description of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, the instances identified should be related to the population or the number of cases examined and be quantified in terms of dollar value, if appropriate. If the results cannot be projected, auditors should limit their conclusion to the items tested.

5.19 To the extent possible, auditors should develop in their report the elements of criteria, condition, cause, and effect when fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse is found. Auditors should develop their findings following the guidance for reporting deficiencies in internal control in paragraph 5.15.

5.20 When auditors detect immaterial violations of provisions of contracts or grant agreements or abuse, they should communicate those findings in a management letter to officials of the audited entity unless the findings are clearly inconsequential considering both qualitative and quantitative factors. Auditors should refer to that management letter in their audit report on compliance. Auditors should use their professional judgment in determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is clearly inconsequential. Auditors should include in their audit documentation evidence of all communications to officials of the audited entity about fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse.

Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

5.21 GAGAS require auditors to report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties outside the audited entity in two circumstances, as discussed below. 8  These requirements are in addition to any legal requirements for direct reporting of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Auditors should meet these requirements even if they have resigned or been dismissed from the audit prior to its completion.

5.22 The audited entity may be required by law or regulation to report certain fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to specified external parties, such as a federal inspector general or a state attorney general. If auditors have communicated such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to the audited entity and the audited entity fails to report them, then the auditors should communicate such an awareness to the governing body of the audited entity. If the audited entity does not make the required report as soon as possible after the auditors’ communication with the entity’s governing body, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to the external party specified in the law or regulation.

5.23 Management of the audited entity is responsible for taking timely and appropriate steps to remedy fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that auditors report to it. When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse involve awards received directly or indirectly from a government agency, auditors may have a duty to report directly if management fails to take remedial steps. If auditors conclude that such failure is likely to cause them to depart from the standard report on the financial statements or resign from the audit, they should communicate that conclusion to the governing body of the audited entity. Then, if the audited entity does not report the fraud, illegal act, violation of provisions of contracts or grant agreements, or abuse as soon as possible to the entity that provided the government assistance, the auditors should report the fraud, illegal act, violation of provisions of contracts or grant agreements, or abuse directly to that entity.

5.24 In these situations, auditors should obtain sufficient, competent, and relevant evidence, such as confirmation from outside parties, to corroborate assertions by management that it has reported fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. If they are unable to do so, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly as discussed above.

5.25 Laws, regulations, or policies may require auditors to report promptly indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities. In such circumstances, when auditors conclude that these types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, they should ask those authorities and/or legal counsel if publicly reporting certain information about the potential fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse would compromise investigative or legal proceedings. Auditors should limit their public reporting to matters that would not compromise those proceedings, such as information that is already a part of the public record.

1 If the auditor is performing an audit in accordance with OMB Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, the thresholds for reporting are defined in the circular. These reporting thresholds are sufficient to meet the requirements of GAGAS.

2 AICPA standards define reportable conditions as significant deficiencies in the design or operation of internal control that could adversely affect the entity’s ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.

3 The AICPA standards define a material weakness as a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.

4 Common sources for criteria include laws, regulations, policies, procedures, and best or standard practices. The Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999) and Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are two sources of established criteria auditors can use to support their judgments and conclusions about internal control. The related Internal Control Management and Evaluation Tool (GAO-01-1008G, Aug. 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing internal control.

5 See paragraph 4.19 for a discussion of abuse.

6 Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Thus, when auditors disclose matters that have led them to conclude that an illegal act is likely to have occurred, they should not unintentionally imply that a final determination of illegality has been made.

7 Auditors should include information about fraud or abuse in the audit reports required by paragraph 5.08 as applicable to internal control and compliance with laws, regulations, and provisions of contracts and grant agreements.

8 Internal audit organizations do not have a duty to report outside that entity unless required by law, rule, regulation, or policy. See paragraph 3.28 for reporting requirements for internal audit organizations when reporting externally.

