Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse




GAO-03-673G Government Auditing Standards > Chapter 6 General, Field Work, and Reporting Standards for Attestation Engagements > Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse


6.32 The standard related to reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse for attestation engagements performed in accordance with GAGAS is:

The report on an attestation engagement should disclose (1) deficiencies in internal control, including internal control over compliance with laws, regulations, and provisions of contracts or grant agreements that are material to the subject matter or assertion, (2) all instances of fraud and illegal acts unless clearly inconsequential, and (3) violations of provisions of contracts or grant agreements and abuse that are material to the subject matter or assertion of the engagement. In some circumstances, auditors should report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties external to the audited entity.

6.33 When reporting deficiencies in internal control or instances of fraud, illegal acts,¹ violations of provisions of contracts or grant agreements, or abuse, auditors should place their findings in proper perspective by providing a description of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, the deficiencies or instances identified should be related to the population or the number of cases examined and be quantified in terms of dollar value, if appropriate. If the results cannot be projected, auditors should limit their conclusion to the items tested.

6.34 To the extent possible, in presenting findings, auditors should develop the elements of criteria, condition, cause, and effect to assist management or oversight officials of the audited entity in understanding the need for taking corrective action. In addition, if auditors are able to sufficiently develop the findings, auditors should provide recommendations for corrective action. The following list contains guidance for reporting on elements of findings:

a. Criteria: An attestation engagement report is improved when it provides information so that the report user will be able to determine what is the required or desired state or what is expected from the program or operation. The criteria are easier to understand when stated fairly, explicitly, and completely, and the source of the criteria is identified in the attestation engagement report.²

b. Condition: The attestation engagement report is improved when it provides evidence of what the auditors found regarding the actual situation. Reporting the scope or extent of the condition allows the report user to gain an accurate perspective.

c. Cause: The attestation engagement report is improved when it provides persuasive evidence on the factor or factors responsible for the difference between condition and criteria. In reporting the cause, auditors may consider whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference as opposed to other possible causes, such as poorly designed criteria or factors uncontrollable by program management. The auditors also may consider whether the identified cause could serve as a basis for the recommendations.

d. Effect: The attestation engagement report is improved when it provides a clear, logical link to establish the impact of the difference between what the auditors found (condition) and what should be (criteria). Effect is easier to understand when it is stated clearly, concisely, and, if possible, in quantifiable terms. The significance of the reported effect can be demonstrated through credible evidence.

6.35 When auditors detect internal control deficiencies, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is not material to the subject matter or assertion, they should communicate those findings to the audited entity in a management letter, unless they are clearly inconsequential, considering both qualitative and quantitative factors. The auditor should refer to the management letter in the report on the attestation engagement. Auditors should use their professional judgment in determining whether and how to communicate to officials of the audited entity internal control deficiencies, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that are clearly inconsequential. Auditors should include in their attest documentation evidence of all communication to officials of the audited entity about fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse.

Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

6.36 GAGAS require auditors to report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties outside the audited entity in two circumstances, as discussed below.³ These requirements are in addition to any legal requirements for direct reporting of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Auditors should meet these requirements even if they have resigned or been dismissed from the attestation engagement prior to its completion.

6.37 The audited entity may be required by law or regulation to report certain fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to specified external parties, such as a federal inspector general or a state attorney general. If auditors have communicated such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to the audited entity and the entity fails to report them, then the auditors should communicate such an awareness to the governing body of the audited entity. If the audited entity does not make the required report as soon as possible after the auditors’ communication with the entity’s governing body, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to the external party specified in the law or regulation.

6.38 Officials of the audited entity are responsible for taking timely and appropriate steps to remedy fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that auditors report to them. When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse involves assistance received directly or indirectly from a government agency, auditors may have a duty to report directly if management fails to take remedial steps. If auditors conclude that such failure is likely to cause them to depart from the standard report on the attestation engagement or resign from the engagement, they should communicate that conclusion to the governing body of the audited entity. Then, if the audited entity does not report the fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse as soon as possible to the entity that provided the government assistance, the auditors should report the fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to that entity.

6.39 In these situations, auditors should obtain sufficient, competent, and relevant evidence, such as confirmation from outside parties, to corroborate assertions by management that management has reported fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. If they are unable to do so, the auditors should report the fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly as discussed above.

6.40 Laws, regulations, or policies may require auditors to report promptly indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities. In such circumstances, when auditors conclude that these types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, they should ask those authorities and/or legal counsel if publicly reporting certain information about the potential fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse would compromise investigative or legal proceedings. Auditors should limit their public reporting to matters that would not compromise those proceedings, such as information that is already a part of the public record.

¹ Whether a particular act is, in fact, illegal may have to await final determination by a court of law. Thus, when auditors disclose matters that have led them to conclude that an illegal act is likely to have occurred, they should not unintentionally imply that a final determination of illegality has been made.

² Common sources for criteria are laws, regulations, policies, procedures, best or standard practices, or assertions. The Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999) and Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are two sources of established criteria auditors can use to support their judgments and conclusions about internal control. The related Internal Control Management and Evaluation Tool (GAO-01-1008G, Aug. 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing internal control.

³ Internal audit organizations do not have a duty to report outside that entity unless required by law, rule, regulation, or policy. See paragraph 3.28 for reporting requirements for internal audit organizations when reporting externally.

