Report Contents

Bottom of Page TOC PREVIOUS NEXT


GAO-03-673G Government Auditing Standards > Chapter 8 Reporting Standards for Performance Audits > Report Contents


8.07 The reporting standard related to the contents of the report for performance audits conducted in accordance with GAGAS is:

The audit report should include the objectives, scope, and methodology; the audit results, including findings, conclusions, and recommendations, as appropriate; a reference to compliance with generally accepted government auditing standards; the views of responsible officials; and, if applicable, the nature of any privileged and confidential information omitted.

Objectives, Scope, and Methodology

8.08 Auditors should include in the report the audit objectives and the scope and methodology used for achieving the audit objectives. This information is needed by report users to understand the purpose of the audit and the nature of the audit work performed, to provide perspective as to what is reported, and to understand any significant limitations in audit objectives, scope, or methodology.

8.09 Audit objectives should be communicated in the audit report in a clear, specific, and neutral manner that avoids unstated assumptions. Auditors should explain why the audit organization undertook the assignment and state what the report is to accomplish and why the subject matter is important. Articulating what the report is to accomplish normally involves identifying the audit subject and the aspect of performance examined. The reported audit objectives provide more meaningful information to report users if they are measurable and feasible and avoid being presented in a broad or general manner. To reduce misunderstanding in cases where the objectives are particularly limited and broader objectives can be inferred, it may be necessary to state objectives that were not pursued.

8.10 In reporting the scope of the audit, auditors should describe the depth and coverage of work conducted to accomplish the audit’s objectives. Auditors should, as applicable, explain the relationship between the population of items sampled and what was audited; identify organizations, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any problems with the evidence. Auditors should also report significant constraints imposed on the audit approach by data limitations or scope impairments, including demands of access to certain records or individuals.

8.11 To report the methodology used, auditors should clearly explain how the audit objectives were accomplished, including the evidence gathering and analysis techniques used, in sufficient detail to allow knowledgeable users of their reports to understand the work. This explanation should identify any significant assumptions made in conducting the audit; describe any comparative techniques applied; describe the criteria used; and, when sampling significantly supports auditors’ findings, describe the sample design and state why it was chosen, including whether the results can be projected to the intended population.

8.12 Auditors should attempt to avoid misunderstanding by the report user concerning the work that was and was not done to achieve the audit objectives, particularly when the work was limited because of constraints on time or resources. The auditors’ report should clearly describe the scope of the work performed and any limitations; any applicable standards that were not followed, and the reasons therefor; and how not following the applicable standards affected or could affect the results of the work. For example, if the auditors are unable to determine the reliability of information from an agency’s database, and information from this database is critical to achieving the audit objectives, the report should clearly state the limitations associated with the information and refrain from making unwarranted conclusions or recommendations. In these situations, the audit report should also include the reasons the auditors were unable to perform this work and the potential impact on the findings if the information is not reliable. 1 

Findings

8.13 Auditors should report findings by providing credible evidence that relates to the audit objectives. These findings should be supported by sufficient, competent, and relevant evidence. They also should be presented in a manner to promote adequate understanding of the matters reported and to provide convincing but fair presentations in proper perspective. The audit report should provide selective background information to provide the context for the overall message and to help the reader understand the findings and significance of the issues discussed. 2 

8.14 As discussed in chapter 7, audit findings have often been regarded as containing the elements of criteria, condition, cause, and effect. However, the elements needed for a finding depend on the audit objectives. For example, an audit objective may be limited to determining the current status or condition of implementing legislative requirements, and not the related cause or effect. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the elements of the finding.

8.15 To the extent possible, in presenting findings, auditors should develop the elements of criteria, condition, cause, and effect to assist officials of the audited entity or oversight officials of the audited entity in understanding the need for taking corrective action. In addition, if auditors are able to sufficiently develop the findings, auditors should provide recommendations for corrective action. Following is guidance for reporting on elements of findings:

a. Criteria provides information so that the report user will be able to determine what is the required or desired state or what is expected from the program or operation. The criteria are easier to understand when stated fairly, explicitly, and completely and when the source of the criteria is identified in the audit report. 3 

b. Condition provides evidence on what the auditors found regarding the actual situation. Reporting the scope or extent of the condition allows the report user to gain an accurate perspective.

c. Cause provides persuasive evidence on the factor or factors responsible for the difference between condition and criteria. In reporting the cause, auditors may consider whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference as opposed to other possible causes, such as poorly designed criteria or factors uncontrollable by program management. The auditors also may consider whether the identified cause could serve as a basis for the recommendations.

d. Effect provides a clear, logical link to establish the impact of the difference between what the auditors found (condition) and what should be (criteria). Effect is easier to understand when it is stated clearly, concisely, and, if possible, in quantifiable terms. The significance of the reported effect can be demonstrated through credible evidence.

8.16 The audit report should also include any significant deficiencies 4  in internal control, all instances of fraud and illegal acts unless they are clearly inconsequential,5 significant violations of provisions of contracts or grant agreements, and significant abuse.

Internal Control Deficiencies

8.17 Auditors should include in the audit report the scope of their work on internal control and any significant deficiencies found during the audit. When auditors detect deficiencies in internal control that are not significant, they should communicate those deficiencies in a separate letter to officials of the audited entity unless the deficiencies are clearly inconsequential considering both qualitative and quantitative factors. If the auditors have communicated deficiencies in a separate letter to officials of the audited entity, they should refer to that letter in the audit report. Auditors should use professional judgment in determining whether or how to communicate deficiencies that are clearly inconsequential to officials of the audited entity. Auditors should include in their audit documentation evidence of all communications about internal control deficiencies found during the audit.

8.18 In a performance audit, auditors may identify significant deficiencies in internal control as the cause of deficient performance. In reporting this type of finding, the internal control weakness would be described as the cause.

Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

8.19 When auditors conclude, based on evidence obtained, that fraud, illegal acts, significant violations of provisions of contracts or grant agreements, or significant abuse either has occurred or is likely to have occurred, they should include in their audit report relevant information. 6  Abuse occurs when the conduct of a government program or entity falls far short of behavior that is expected to be reasonable and necessary business practices by a prudent person.

8.20 When reporting instances of fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should place their findings in proper perspective by providing a description of the work conducted that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, the instances identified should be related to the population or the number of cases examined and be quantified in terms of dollar value, if appropriate. If the results cannot be projected, auditors should limit their conclusion to the items tested.

8.21 When auditors detect violations of provisions of contracts or grant agreements; or abuse that is not significant, they should communicate those findings in a separate letter to officials of the audited entity unless the findings are clearly inconsequential, considering both qualitative and quantitative factors. If the auditors have communicated instances of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse in a separate letter to officials of the audited entity, auditors should refer to that letter in the audit report. Auditors should use their professional judgment in determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse that are clearly inconsequential. Auditors should include in their audit documentation evidence of all communications to officials of the audited entity about instances of fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse.

Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

8.22 GAGAS require auditors to report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties outside the audited entity in certain circumstances, as discussed below. 7  These requirements are in addition to any legal requirements for direct reporting of fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. Auditors should meet these requirements even if they have resigned or been dismissed from the audit.

8.23 The audited entity may be required by law or regulation to report certain fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to specified external parties, such as a federal inspector general or a state attorney general. If auditors have communicated such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to the audited entity and it fails to report them, then the auditors should communicate their awareness of that failure to the governing body of the audited entity. If the audited entity does not make the required report as soon as possible after the auditors’ communication with the entity’s governing body, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to the external party specified in the law or regulation.

8.24 Officials of the audited entity are responsible for taking timely and appropriate steps to remedy fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that auditors report to them. When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse involves assistance received directly or indirectly from a government agency, auditors may have a duty to report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to that government agency if officials of the audited entity fail to take remedial steps. If auditors conclude that such failure is likely to cause them to report such findings or resign from the audit, they should communicate that conclusion to the governing body of the audited entity. Then, if the audited entity does not report the fraud, illegal act, violation of provisions of contracts or grant agreements, or abuse as soon as possible to the entity that provided the government assistance, the auditors should report the fraud, illegal act, violation of provisions of contracts or grant agreements, or abuse directly to that entity.

8.25 In these situations, auditors should obtain sufficient, competent, and relevant evidence, such as confirmation with outside parties, to corroborate assertions by officials of the audited entity that the officials have reported fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. If the officials are unable to do so, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly as discussed above.

8.26 Laws, regulations, or other authority may require auditors to report promptly indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities. In such circumstances, when auditors conclude that these types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, they should ask those authorities or legal counsel if publicly reporting certain information about the potential fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse would compromise investigative or legal proceedings. Auditors should limit the extent of their public reporting to matters that would not compromise those proceedings, such as information that is already a part of the public record.

Conclusions

8.27 Auditors should report conclusions when called for by the audit objectives and the results of the audit. Conclusions are logical inferences about the program based on the auditors’ findings and should represent more than just a summary of the findings. Conclusions should be clearly stated, not implied. The strength of the auditors’ conclusions depends on the persuasiveness of the evidence supporting the findings and the soundness of the logic used to formulate the conclusions. Conclusions are stronger if they set up the report’s recommendations and convince the knowledgeable user of the report that action is necessary.

Recommendations

8.28 If warranted, auditors should make recommendations for actions to correct problems identified during the audit and to improve programs and operations. Auditors should make recommendations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Recommendations should logically flow from the findings and conclusions and need to state clearly the actions to be taken. Recommendations to effect compliance with laws and regulations and improve internal control also should be made when significant instances of possible fraud, illegal acts, or violations of provisions of contracts or grant agreements are noted, or when abuse or deficiencies in internal control are found.

8.29 Constructive recommendations can encourage improvements in the conduct of government programs and operations. For recommendations to be most constructive, they should be directed at resolving the cause of identified problems, action oriented and specific, addressed to parties that have the authority to act, practical and, to the extent feasible, cost effective and measurable.

Statement on Compliance with GAGAS

8.30 Auditors should report that the audit was made in accordance with GAGAS. The statement of compliance with GAGAS refers to all the applicable standards that the auditors should have followed during the audit. The statement referencing compliance with GAGAS should be qualified in situations in which the auditors did not follow an applicable standard. In these situations, auditors should disclose in the scope section of the report the applicable standard that was not followed, the reasons therefor, and how not following the standard affected, or could have affected, the results of the audit. In assessing the impact of not following an applicable standard on the results of the audit, auditors may need to qualify any assurances, disclaim from providing any assurances, or withdraw from the audit.

Reporting Views of Responsible Officials

8.31 Auditors should report the views of responsible officials of the audited program concerning auditors’ findings, conclusions, and recommendations; as well as planned corrective actions. One of the most effective ways to ensure that a report is fair, complete, and objective is to obtain advance review and comments by responsible officials of the audited entity and others, as may be appropriate. Including the views of responsible officials results in a report that presents not only the auditors’ findings, conclusions, and recommendations, but also what the responsible officials of the audited entity think about the audit results and what corrective actions officials of the audited entity plan to take. Auditors should include in their report a copy of the officials’ written comments or a summary of the comments received.

8.32 Auditors should normally request that the responsible officials submit in writing their views on reported findings, conclusions, and recommendations, as well as management’s planned corrective actions. Oral comments are acceptable as well and, in some cases, may be the only or most expeditious way to obtain comments. Cases in which obtaining oral comments can be effective include when there is a time-critical requirement to meet a user’s needs; the auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are very familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with the draft report’s findings, conclusions, and recommendations, or perceive any major controversies with regard to the issues discussed in the draft report. Auditors should prepare a summary of the officials’ oral comments and provide a copy of the summary to officials of the audited entity to verify that the comments are accurately stated prior to finalizing the report.

8.33 Comments should be fairly and objectively evaluated and recognized, as appropriate, in the final report. Comments, such as a promise or plan for corrective action, should be noted but should not be accepted as justification for dropping a finding or a related recommendation.

8.34 When the audited entity’s comments oppose the report’s findings, conclusions, or recommendations and are not, in the auditors’ opinion, valid, or when planned corrective actions do not adequately address the auditors’ recommendations, the auditors should state their reasons for disagreeing with the comments or planned corrective actions. The auditors’ disagreement should be stated in a fair and objective manner. Conversely, the auditors should modify their report as necessary if they find the comments valid.

Reporting Privileged and Confidential Information

8.35 If certain pertinent information is prohibited from general disclosure, the audit report should state the nature of the information omitted and the requirement that makes the omission necessary.

8.36 Certain information may be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate limited-official-use report containing such information and distribute the report only to persons authorized by law or regulation to receive it. Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information in the report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited-official-use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. The auditors should, when appropriate, consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.

8.37 Auditors’ judgments that certain information should be excluded from publicly available reports should be made in a manner consistent with consideration of the broader public interest in the program or activity under review. When circumstances call for omission of certain information, auditors should consider whether this omission could distort the engagement results or conceal improper or unlawful practices. If auditors make the judgment that certain information should be excluded from a publicly available report, they should state the general nature of the information omitted and the reasons that make the omission necessary in the report.

1When computer-processed data are included in the report for background or informational purposes and are not significant to the auditors’ findings, citing the source of the data and stating that they were not verified will satisfy the reporting standards.

2Appropriate background information may include information on how programs and operations work; the significance of programs and operations (e.g., dollars, impact, purposes, and past audit work if relevant); a description of the audited entity’s responsibilities; and explanation of terms, organizational structure, and the statutory basis for the program and operations.

3Common sources for criteria include laws, regulations, policies, procedures, and best or standard practices. The Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999) and Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are two sources of established criteria auditors can use to support their judgments and conclusions about internal control. The related Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing internal control.

4Significant deficiencies are those matters coming to the auditor’s attention that, in the auditor’s judgment, affect the results of the auditors’ work and the auditors’ conclusions and recommendations about those results.

5Whether a particular act is, in fact, illegal may have to await final determination by a court of law. Thus, when auditors disclose matters that have led them to conclude that an illegal act is likely to have occurred, they should take care not to unintentionally imply that a final determination of illegality has been made.

6See paragraphs 8.22 through 8.26 for additional reporting considerations.

7Internal audit organizations do not have a duty to report outside the entity unless required by law, rule, regulation, or policy. See paragraph 3.28 for reporting requirements for internal audit organizations when reporting externally.


Top of Page TOC PREVIOUS NEXT

GAO-03-673G Government Auditing Standards