Planning

Bottom of Page TOC PREVIOUS NEXT


GAO-03-673G Government Auditing Standards > Chapter 7 Field Work Standards for Performance Audits > Planning


7.02 The field work standard related to planning for performance audits performed in accordance with GAGAS are:

Work is to be adequately planned.

7.03 In planning the audit, auditors should define the audit objectives, as well as the scope and methodology to achieve those objectives. Audit objectives, scope, and methodologies are not determined in isolation. Auditors determine these three elements of the audit plan together, as the considerations in determining each often overlap. Planning is a continuous process throughout the audit. Therefore, auditors should consider the need to make adjustments to the audit objectives, scope, and methodology as work is being completed.

7.04 The objectives are what the audit is intended to accomplish. They identify the audit subjects and performance aspects to be included, as well as the potential finding and reporting elements that the auditors expect to develop. 1  Audit objectives can be thought of as questions about the program 2  that auditors seek to answer. (See paragraphs 2.09 through 2.13.)

7.05 Scope is the boundary of the audit and should be directly tied to the audit objectives. For example, the scope defines parameters of the audit such as the period of time reviewed, the availability of necessary documentation or records, and the locations at which field work will be performed.

7.06 The methodology comprises the work involved in gathering and analyzing data to achieve the objectives. Audit procedures are the specific steps and tests auditors will carry out to address the audit objectives. Auditors should design the methodology to provide sufficient, competent, and relevant evidence to achieve the objectives of the audit. Methodology includes both the types and extent of audit procedures used to achieve the audit objectives.

7.07 Planning should be documented and should include

a. considering the significance of various programs and the needs of potential users of the audit report (see paragraphs 7.08 and 7.09);

b. obtaining an understanding of the program to be audited (see paragraph 7.10);

c. obtaining an understanding of internal control as it relates to the specific objectives and scope of the audit (see paragraphs 7.11 through 7.16);

d. designing methodology and procedures to detect significant violations of legal and regulatory requirements, contract provisions, or grant agreements (see paragraphs 7.17 through 7.27);

e. identifying the criteria needed to evaluate matters subject to audit (see paragraph 7.28);

f. considering the results of previous audits and attestation engagements that could affect the current audit objectives (see paragraphs 7.29 and 7.30);

g. identifying potential sources of data that could be used as audit evidence (see paragraph 7.31);

h. considering whether the work of other auditors and experts may be used to satisfy some of the audit objectives (see paragraphs 7.32 through 7.34);

i. providing appropriate and sufficient staff and other resources to perform the audit (see paragraphs 7.35 through 7.38);

j. communicating general information concerning the planning and performance of the audit to management officials responsible for the program being audited and others as applicable (see paragraphs 7.39 and 7.40); and

k. preparing an audit plan (see paragraphs 7.41 through 7.43).

Program Significance

7.08 The significance of a matter is its relative importance to the audit objectives and potential users of the audit report. Auditors should consider the significance of a program or program component and the potential use that will be made of the audit results or report as they plan a performance audit. Indicators of significance and/or use to consider include

a. visibility and sensitivity of the program under audit,

b. newness of the program or changes in its conditions,

c. role of the audit in providing information that can improve public accountability and decision making, and

d. level and extent of review or other forms of independent oversight.

7.09 One group of users of the auditors’ report is government officials who may have authorized or requested the audit. Other important users of the auditors’ report are the entity being audited and legislative bodies, which are responsible for acting on the auditors’ recommendations. Other potential users of the auditors’ report include government legislators or officials (other than those who may have authorized or requested the audit), the media, interest groups, and individual citizens. In addition to an interest in the program, potential users may have an ability to influence the conduct of the program. An awareness of these potential users’ interests and influence can help auditors understand why the program operates the way it does. This awareness can also help auditors judge whether possible findings could be significant to various possible users.

Understanding the Program

7.10 Auditors should obtain an understanding of the program to be audited to help assess, among other matters, the significance of possible audit objectives and the feasibility of achieving them. The auditors’ understanding may come from knowledge they already have about the program or knowledge they gain from inquiries and observations they make in planning the audit. The extent and breadth of those inquiries and observations will vary among audits based on the audit objectives, as will the need to understand individual aspects of the program, such as the following:

a. Laws, regulations, and provisions of contracts or grant agreements: Government programs usually are created by law and are subject to specific laws and regulations. For example, laws and regulations usually set forth what is to be done, who is to do it, the purpose to be achieved, the population to be served, and how much can be spent on what. Government programs may also be subject to provisions of contracts and grant agreements. Thus, understanding the laws and the legislative history establishing a program and the provisions of any contracts or grant agreements can be essential to understanding the program itself. Obtaining that understanding is also a necessary step in identifying provisions of laws, regulations, contracts, or grant agreements significant to audit objectives.

b. Purpose and goals: Purpose is the result or effect that is intended or desired from a program’s operation. Legislatures usually establish the program purpose when they provide authority for the program. Entity officials may provide more detailed guidance on program purpose to supplement the authorizing legislation. Entity officials are sometimes asked to set goals for program performance and operations, including both output and outcome goals. Auditors may use the stated program purpose and goals as criteria for assessing program performance or may develop additional criteria or best practices to compare the program against.

c. Internal control: Internal control, often referred to as management controls, in the broadest sense includes the plan of organization, methods, and procedures adopted by management to meet its missions, goals, and objectives. Internal control includes the processes for planning, organizing, directing, and controlling program operations. It includes the systems for measuring, reporting, and monitoring program performance. Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, and violations of laws, regulations, and provisions of contracts and grant agreements. Paragraphs 7.11 through 7.16 contain guidance pertaining to internal control.

d. Efforts: Efforts are the amount of resources (in terms of money, material, personnel, etc.) that are put into a program. These resources may come from within or outside the entity operating the program. Measures of efforts can have a number of dimensions, such as cost, timing, and quality. Examples of measures of efforts are dollars, employee-hours, and square feet of building space.

e. Program operations: Program operations are the strategies, processes, and activities management uses to convert efforts into outputs. Program operations are subject to internal control.

f. Outputs: Outputs represent the quantity of goods or services produced by a program. For example, an output measure for a job training program could be the number of persons completing training, and an output measure for an aviation safety inspection program could be the number of safety inspections completed.

g. Outcomes: Outcomes are accomplishments or results of programs. For example, an outcome measure for a job training program could be the percentage of trained persons obtaining a job and still in the work place after a specified period of time. Examples of outcome measures for an aviation safety inspection program could be the percentage reduction in significant safety problems found in subsequent inspections and/or the percentage of significant problems deemed corrected in follow-up inspections. Such outcome measures show progress in achieving the stated program purposes of helping unemployable citizens obtain and retain jobs, and improving the safety of aviation operations. Auditors should be aware that outcomes may be influenced by cultural, economic, physical, or technological factors outside the program. Auditors may use approaches drawn from other disciplines, such as program evaluation, to try to isolate the effects of the program from these other influences.

Considering Internal Control

7.11 The lack of administrative continuity in government units because of changes in elected legislative bodies and in other government officials increases the need for effective internal control. Auditors should obtain an understanding of internal control significant to the audit objectives and consider whether specific internal control procedures have been properly designed and placed in operation. Auditors also need to consider whether they plan to modify the nature, timing, or extent of their audit procedures based on the effectiveness of internal controls. If so, auditors should include specific tests of the effectiveness of internal control and consider the results in designing

audit procedures. 3  Officials of the audited entity are responsible for establishing effective internal control.

7.12 The following discussion of internal control objectives is intended to help auditors better understand internal controls and determine their significance to the audit objectives:

a. Effectiveness and efficiency of program operations: Controls over program operations include policies and procedures that officials of the audited entity have implemented to reasonably ensure that a program meets its objectives and that unintended actions do not result. Understanding these controls can help auditors understand the program operations that convert efforts to outputs or outcomes.

b. Validity and reliability of data: Controls over the validity and reliability of data include policies and procedures that officials of the audited entity have implemented to reasonably ensure that valid and reliable data are obtained, maintained, and fairly disclosed in reports. These controls help assure management that it is getting valid and reliable information about whether programs are operating properly on an ongoing basis. Understanding these controls can help auditors (1) assess the risk that the data gathered by the entity may not be valid or reliable and (2) design appropriate tests of the data.

c. Compliance with applicable laws and regulations and provisions of contracts or grant agreements: Controls over compliance include policies and procedures that officials of the audited entity have implemented to reasonably ensure that program implementation is consistent with laws, regulations, and provisions of contracts or grant agreements. Understanding the relevant controls concerning compliance with those laws and regulations and provisions of contracts or grant agreements that the auditors have determined are significant can help auditors assess the risk of illegal acts 4  and violations of provisions of contracts or grant agreements.

7.13 A subset of these categories of internal control objectives is the safeguarding of resources. Controls over the safeguarding of resources include policies and procedures that officials of the audited entity have implemented to reasonably prevent or promptly detect unauthorized acquisition, use, or disposition of resources.

7.14 Auditors can obtain an understanding of internal control through inquiries, observations, inspection of documents and records, or review of other auditors’ reports. The procedures auditors perform to obtain an understanding of internal control will vary among audits. One factor influencing the extent of these procedures is the auditors’ knowledge about internal control gained in prior audits. Also, the need to understand internal control will depend on the particular aspects of the program the auditors consider in setting objectives, scope, and methodology. The following are examples of how the auditors’ understanding of internal control can influence the audit plan:

a. Audit objectives: Poorly controlled aspects of a program have a higher risk of failure, so they may be more significant than others in terms of where auditors may want to focus their efforts.

b. Audit scope: Knowledge that internal controls are not properly designed or placed in operation at a certain location may lead auditors to target their efforts there.

c. Audit methodology: Effective controls at the audited entity over collecting, summarizing, and reporting data may enable auditors to limit the extent of their direct testing of data validity and reliability. In contrast, evidence suggesting ineffective controls may lead auditors to perform more direct testing of the data, look for data from outside the entity, or develop their own data.

7.15 When internal controls are significant to the audit objectives, auditors should plan to obtain sufficient evidence to support their judgments about those controls. The following are examples of circumstances in which internal controls can be significant to audit objectives:

a. In determining the cause of unsatisfactory performance, auditors may consider that unsatisfactory performance could result from deficiencies in internal controls.

b. When assessing the validity and reliability of performance measures developed by the audited entity, effective internal control by the audited entity over collecting, summarizing, and reporting data will help ensure that the performance measures are valid and reliable.

7.16 Internal auditing is an important part of internal control. 5  When an assessment of internal control is called for, the work of the internal auditors can be used to help provide reasonable assurance that internal controls are effectively designed and functioning properly, and to prevent duplication of effort.

Designing the Audit to Detect Violations of Legal and Regulatory Requirements, Contract Provisions, or Grant Agreement, Fraud, and Abuse

7.17 When laws, regulations, or provisions of contracts or grant agreements are significant to the audit objectives, auditors should design the audit methodology and procedures to provide reasonable assurance of detecting violations that could have a significant effect on the audit results. Auditors should determine which laws, regulations, and provisions of contracts or grant agreements are significant to the audit objectives and assess the risk that illegal acts or violations of provisions of contracts or grant agreements could occur. Based on that risk assessment, the auditors design and perform procedures to provide reasonable assurance of detecting significant instances of illegal acts or violations of provisions of contracts or grant agreements. Auditors should include audit documentation on their assessment of risk.

7.18 It is not practical to set precise standards for determining whether laws, regulations, or provisions of contracts or grant agreements are significant to audit objectives because government programs are subject to many laws, regulations, and provisions of contracts or grant agreements, and audit objectives vary widely. However, auditors may find the following approach helpful in making that determination:

a. Reduce each audit objective to questions about specific aspects of the program being audited (that is, purpose and goals, internal control, efforts, program operations, outputs, and outcomes, as discussed in paragraph 7.10).

b. Identify laws, regulations, and provisions of contracts or grant agreements that directly relate to specific aspects of the program included in questions that reflect the audit objectives.

c. Determine if violations of those laws, regulations, or provisions of contracts or grant agreements could significantly affect the auditors’ answers to the questions that relate to the audit objectives. If they could, then those laws, regulations, and provisions of contracts or grant agreements are likely to be significant to the audit objectives.

7.19 Auditors may find it necessary to rely on the work of legal counsel to (1) determine those laws and regulations that are significant to the audit objectives, (2) design tests of compliance with laws and regulations, or (3) evaluate the results of those tests. 6  Auditors also may find it necessary to rely on the work of legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements. Depending on the circumstances of the audit, auditors may find it necessary to obtain information on compliance matters from others, such as investigative staff, other audit organizations or government entities that provided assistance to the audited entity, or the applicable law enforcement authority.

7.20 In planning tests of compliance with significant laws, regulations, and provisions of contracts or grant agreements, auditors should assess the risk that violations could occur. That risk may be affected by such factors as the complexity or newness of the laws, regulations, and provisions of contracts or grant agreements. The auditors’ assessment of risk includes consideration of whether the entity has controls that are effective in preventing or detecting violations of laws, regulations, and provisions of contracts or grant agreements. If auditors obtain sufficient evidence of the effectiveness of these controls, they can reduce the extent of their tests of compliance.

7.21 In planning the audit, auditors should consider risks due to fraud 7  that could significantly8 affect their audit objectives and the results of their audit. The audit team should discuss potential fraud risks, considering fraud factors such as individuals’ incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud. Auditors should gather and assess information necessary to identify fraud risks which could be relevant to the audit objectives or affect the results of their audit. For example, auditors may need to obtain information through discussion with officials of the audited entity or through other means to determine the susceptibility of the program to fraud, the status of internal controls the entity has established to detect and prevent fraud, or the risk that officials of the audited entity could override internal control. Auditors should exercise professional skepticism in assessing these risks to determine which factors or risks could significantly affect the results of their work if fraud has occurred or is likely to have occurred.

7.22 When auditors identify factors or risks related to fraud that they believe could significantly affect the audit objectives or the results of the audit, auditors should respond by designing procedures to provide reasonable assurance of detecting fraud significant to the audit objectives. Auditors should prepare audit documentation related to their identification and assessment of and response to fraud risks. Auditors should also be aware that assessing the risk of fraud is an ongoing process throughout the audit and relates not only to planning the audit but also to evaluating evidence obtained during the audit.

7.23 Auditors should also be alert to situations or transactions that could be indicative of fraud. When information comes to the auditors’ attention (through audit procedures, allegations received through fraud hotlines, or other means) indicating that fraud may have occurred, auditors should consider whether the possible fraud could significantly affect the audit results. If the fraud could significantly affect the audit results, auditors should extend the audit steps and procedures, as necessary, to (1) determine if fraud likely has occurred and (2) if so, determine its effect on the audit results.

7.24 Auditors’ training, experience, and understanding of the program being audited may provide a basis for recognizing that some acts coming to their attention may be indicative of fraud. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond auditors’ professional expertise and responsibility. However, auditors are responsible for being aware of vulnerabilities to fraud associated with the area being audited in order to be able to identify indications that fraud may have occurred. In some circumstances, conditions such as the following might indicate a heightened risk of fraud:

a. weak management that fails to enforce existing internal control or to provide adequate oversight over the control process;

b. inadequate separation of duties, especially those that relate to controlling and safeguarding resources;

c. transactions that are out of the ordinary and are not satisfactorily explained, such as unexplained adjustments in inventories or other resources;

d. instances when employees of the audited entity refuse to take vacations or accept promotions;

e. missing or altered documents, or unexplained delays in providing information;

f. false or misleading information; or

g. a history of impropriety, such as past audits or investigations with findings of questionable or criminal activity.

7.25 Abuse is distinct from fraud, illegal acts, or violations of provisions of contracts or grant agreements. When abuse occurs, no law, regulation, or provision of a contract or grant agreement is violated. Rather, abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances.9 Auditors should be alert to situations or transactions that could be indicative of abuse. When information comes to the auditors’ attention (through audit procedures, allegations received through a fraud hotline, or other means) indicating that abuse may have occurred, auditors should consider whether the possible abuse affects the audit results significantly. If indications of abuse exist that significantly affect the audit results, the auditors should extend the audit steps and procedures, as necessary, to (1) determine whether the abuse occurred and, if so, (2) determine its effect on the audit results. However, because the determination of abuse is subjective, auditors are not expected to provide reasonable assurance of detecting it. Auditors should consider both quantitative and qualitative factors in making judgments regarding the significance of possible abuse and whether they need to extend the audit steps and procedures.

7.26 Auditors should exercise professional judgment in pursuing indications of possible fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse in order to not interfere with potential investigations, legal proceedings, or both. Under some circumstances, laws, regulations, or policies require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before extending audit steps and procedures. Auditors may also be required to withdraw from or defer further work on the audit or a portion of the audit in order not to interfere with an investigation.

7.27 An audit made in accordance with these standards provides reasonable assurance of detecting illegal acts, violations of provisions of contracts or grant agreements, or fraud that could significantly affect the audit results; however, it does not guarantee the discovery of illegal acts, violations of provisions of contracts or grant agreements, or fraud. Nor does the subsequent discovery of illegal acts, violations of contracts or grant agreements, or fraud committed during the audit period necessarily mean that the auditors’ performance was inadequate, provided the audit was made in accordance with these standards.

Identifying Audit Criteria

7.28 Criteria are the standards, measures, expectations of what should exist, best practices, and benchmarks against which performance is compared or evaluated. Criteria, one of the elements of a finding, provide a context for understanding the results of the audit. (See paragraphs 7.62 through 7.65 for a discussion on the other elements of a finding.) The audit plan, where possible, should state the criteria to be used. In selecting criteria, auditors have a responsibility to use criteria that are reasonable, attainable, and relevant to the objectives of the performance audit. The following are some examples of possible criteria:

a. purpose or goals prescribed by law or regulation or set by officials of the audited entity,

b. policies and procedures established by officials of the audited entity,

c. technically developed standards or norms,

d. expert opinions,

e. prior periods’ performance,

f. performance of similar entities,

g. performance in the private sector, or

h. best practices of leading organizations.

Considering the Results of Previous Audits and Attestation Engagements

7.29 Auditors should consider the results of previous audits and attestation engagements and follow up on known significant findings and recommendations 10  identified in previous audit reports that directly relate to the objectives of the audit being undertaken. Auditors should ask audited entity officials to identify previous financial audits, attestation engagements, performance audits, or other studies related to the objectives of the audit being undertaken and to identify corrective actions taken to address significant findings and recommendations. For example, an audit report on an entity’s computerized information systems may contain significant findings that could relate to the performance audit if the entity uses such systems to process its accounting or other information the auditors plan on using. Auditors should use professional judgment in determining (1) prior periods to be considered, (2) the level of work necessary to follow up on significant findings and recommendations that affect the audit, and (3) the risk assessment used in planning the current audit and designing audit procedures to be performed.

7.30 Providing continuing attention to significant findings and recommendations is important to ensure that the benefits of audit work are realized. Ultimately, the benefits of audit work occur when officials of the audited entity take meaningful and effective corrective action in response to the auditors’ findings and recommendations. Officials of the audited entity are responsible for resolving audit findings and recommendations directed to them and for having a process to track their status. If the audited entity does not have such a process, auditors may wish to establish their own process.

Identifying Sources of Audit Evidence

7.31 In identifying potential sources of data that could be used as audit evidence, auditors should consider the validity and reliability of the data, including data collected by the audited entity, data generated by the auditors, or data provided by third parties, as well as the sufficiency and relevance of the evidence. (See paragraphs 7.48 through 7.65 for standards and guidance concerning evidence.)

Considering Work of Others

7.32 Auditors should determine whether other auditors have previously done, or are doing, audits of the program or the entity that operates it. Whether other auditors have done performance audits, financial audits, or attestation engagements, the other auditors may be useful sources of information for planning and performing the audit. If other auditors have identified areas that warrant further study, their work may influence the auditors’ selection of performance audit objectives. The availability of other auditors’ work may also influence the selection of methodology, since the auditors may be able to rely on that work to limit the extent of their own testing.

7.33 If auditors intend to rely on the work of other auditors, they should perform procedures regarding the specific work to be relied on that provide a sufficient basis for that reliance. Auditors should obtain evidence concerning the other auditors’ qualifications and independence through prior experience, inquiry, and/or review of the other auditors’ external quality control review report. Auditors should determine the sufficiency, relevance, and competence of other auditors’ evidence by reviewing their report, audit program, or audit documentation, or by performing supplemental tests of the other auditors’ work. The nature and extent of evidence needed will depend on the significance of the other auditors’ work, on the extent to which the auditors will rely on that work, and whether auditors will refer to that work in their work.

7.34 Auditors face similar considerations when using the work of nonauditors (such as specialists). In addition, auditors should obtain an understanding of the methods and significant assumptions used by the nonauditors. (See paragraph 3.06 for independence considerations when relying on the work of others.)

Assigning Staff and Other Resources

7.35 Staff planning should include, among other things:

a. assigning staff with the appropriate collective knowledge, skills, and experience for the job;

b. assigning an adequate number of staff and supervisors to the audit;

c. providing for on-the-job training of staff; and

d. engaging specialists when necessary.

7.36 The availability of staff and other resources and the need for specialized skills are important considerations in establishing the audit objectives, scope, and methodology. For example, limitations on travel funds may preclude auditors from visiting certain critical locations, or lack of appropriate expertise in a particular methodology or with computerized information systems may preclude auditors from undertaking certain objectives. Auditors may be able to overcome such limitations by engaging specialists with the necessary expertise.

7.37 If the use of a specialist is planned, auditors should have sufficient knowledge to

a. articulate the objectives required of the specialist,

b. evaluate whether the specified procedures will meet auditors’ objectives, and

c. evaluate the results of the procedures applied as they relate to other planned audit procedures.

7.38 Auditors without sufficient knowledge to perform the functions listed above should consider alternative measures for ensuring audit quality related to the specialist’s work, such as engaging another specialist to review the specialist’s work.

Communicating with Management and Others

7.39 Auditors should communicate information about the specific nature of the performance audit, as well as general information concerning the planning and conduct of the audit and reporting--such as the form of the report and any potential restrictions on the report--to the various parties involved in the audit to help them understand the objectives, time frames, and any data needs. Parties involved may include

a. the head of the audited entity;

b. the audit committee or, in the absence of an audit committee, the board of directors or other equivalent oversight body;

c. the individual who possesses a sufficient level of authority and responsibility for the program or activity being audited; and

d. the individuals contracting for or requesting audit services, such as contracting officials or legislative members or staff, if applicable.

7.40 Auditors should use their professional judgment to determine the form, content, and frequency of the communication, although written communication is preferred. Auditors may use an engagement letter, if appropriate, to communicate the information. Auditors should include the communication in the audit documentation. If the audit does not result in a product, auditors should document the audit by preparing a memorandum for the record that summarizes the results of the work and explain the reason the audit was terminated. If the audit is terminated before it is completed, auditors should communicate the reason for terminating it to management of the audited entity, the entity requesting the audit, and other appropriate officials, preferably in writing. This communication should be documented.

Preparing the Audit Plan

7.41 A written audit plan should be prepared for each audit. The form and content of the written audit plan will vary among audits but should include an audit program or project plan, a memorandum, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and of the auditors’ basis for those decisions. It should be updated, as necessary, to reflect any significant changes to the plan made during the audit.

7.42 Documenting the audit plan is an opportunity for the auditors to supervise audit planning and to determine whether

a. the proposed audit objectives are likely to result in a useful report,

b. the proposed audit scope and methodology are adequate to satisfy the audit objectives, and

c. sufficient staff and other resources are available to perform the audit and to meet expected time frames for completing the work.

7.43 Written audit plans may include the following:

a. information about the legal authority for the audited program, its history and current objectives, its principal locations, and other background that can help auditors understand and carry out the audit plan;

b. information about the responsibilities of each member of the audit team (such as preparing audit programs, conducting audit work, supervising and reviewing audit work, drafting reports, handling comments from officials of the audited program, and processing the final report), which can help auditors when the work is conducted at several different locations. In these audits, use of comparable audit methods and procedures can help make the data obtained from participating locations comparable;

c. audit programs describing procedures to accomplish the audit objectives and providing a systematic basis for assigning work to staff and for summarizing the work performed; and

d. the general format of the audit report and the types of information to be included, which can help auditors focus their field work on the information to be reported.

1See discussion of the elements of a finding in paragraph 7.28 and paragraphs 7.62 through 7.65.

2This chapter uses only the term “program;” however, the concepts presented also apply to audits of entities, activities, and services.

3Refer to the internal control guidance contained in Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As discussed in the COSO study, internal control consists of five interrelated components, which are (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and
(5) monitoring. The objectives of internal control relate to
(1) financial reporting, (2) operations, and (3) compliance. Safeguarding of assets is a subset of these objectives. In that respect, internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of assets. In addition to the COSO document, the publication, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), which incorporates the relevant guidance developed by COSO, provides definitions and fundamental concepts pertaining to internal control at the federal level and may be useful to other auditors at any level of government. The related Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing the internal control structure.

4Violations of laws or regulations are illegal acts.

5Many government entities have these activities identified by other names, such as inspection, appraisal, investigation, organization and methods, or management analysis. These activities assist management by reviewing selected functions.

6Paragraphs 7.32 through 7.34 discuss relying on the work of others.

7Fraud is a type of illegal act involving the obtaining something of value through willful misrepresentation.

8The terms “material” and “significant” are synonymous under GAGAS. “Material” is used in the AICPA standards in relation to audits of financial statements. “Significant” is used in relation to other types of audits governed by GAGAS, such as performance audits, where the term “material” is generally not used.

9For example, in a performance audit of management’s efficient use of funds for office building maintenance, auditors might find abuse if renovation of senior management’s offices far exceed usual office space specifications. While auditors might not view the renovation costs as quantitatively significant to the audit results, these expenses would be considered qualitatively significant to this audit objective.

10Significant findings and recommendations are those matters that, if not corrected, could affect the results of the auditors’ work and the auditors’ conclusions and recommendations about those results.


Top of Page TOC PREVIOUS NEXT

GAO-03-673G Government Auditing Standards