Chapter 4: Field Work Standards for Financial Audits

a. The work is to be adequately planned and assistants, if any, are to be properly supervised.

b. A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.

c. Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit.

a. auditor communication (see paragraphs 4.6.3 through 4.6.9),

b. audit follow-up (see paragraphs 4.7, 4.10, and 4.11);

c. noncompliance other than illegal acts (see paragraphs 4.13 and 4.18 through 4.20);

d. documentation of the assessment of control risk for assertions significantly dependent upon computerized information systems (see paragraphs 4.21.1 through 4.21.4); and

e. working papers. (See paragraphs 4.35 through 4.38.)

[NOTE 1: GAGAS incorporate any new AICPA field work standards relevant to financial statement audits unless the General Accounting Office (GAO) excludes them by formal announcement.]

a. materiality (see paragraphs 4.6.1 and 4.6.2),

b. fraud and illegal acts (see paragraphs 4.14 through 4.17), and

c. internal control. (See paragraphs 4.22 and 4.25 through 4.30.)

The work is to be properly planned, and auditors should consider materiality, among other matters, in determining the nature, timing, and extent of auditing procedures and in evaluating the results of those procedures.

Auditors should communicate information to the auditee, the individuals contracting for or requesting the audit services, and the audit committee regarding the nature and extent of planned testing and reporting on compliance with laws and regulations and internal control over financial reporting.

[NOTE 1.1: This requirement applies only to situations where the law or regulation specifically identifies the entity to be audited, such as an audit of a specific agency’s financial statements required by the Chief Financial Officers Act, as expanded by the Government Management Reform Act of 1994. Situations where the financial statement audit mandate applies to entities not specifically identified, such as audits required by the Single Audit Act Amendments of 1996, are excluded.]

[NOTE 1.2: For example, when engaged to perform audits under the Single Audit Act of state and local government entities and nonprofit organizations that receive federal awards, auditors should be familiar with the Single Audit Act Amendments of 1996 and Office of Management and Budget (OMB) Circular A- 133. The act and circular include specific audit requirements, mainly in the areas of compliance with laws and regulations and internal control, that exceed the minimum audit requirements in the standards in chapters 4 and 5 of this document. Audits conducted under the Chief Financial Officers Act of 1990, as expanded by the Government Management Reform Act of 1994, also have specific audit requirements prescribed by OMB in the areas of compliance and internal control. Many state and local governments have additional audit requirements.]

a. supplemental (or agreed-upon) procedures or

b. examination, resulting in an opinion.

Auditors should follow up on known material findings and recommendations from previous audits.

[Paragraphs 4.8 and 4.9 have been moved and renumbered to paragraphs 4.6.1 and 4.6.2.]

a. Auditors should design the audit to provide reasonable assurance of detecting fraud that is material to the financial statements.²

[NOTE 2: Two types of misstatements are relevant to the auditors' consideration of fraud in a financial statement audit—misstatements arising from fraudulent financial statements and misstatements arising from misappropriation of assets. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement in the financial statements is intentional or unintentional.]

b.Auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from direct and material illegal acts.³

[NOTE 3: Direct and material illegal acts are violations of laws and regulations having a direct and material effect on the determination of financial statement amounts.]

c.Auditors should be aware of the possibility that indirect illegal acts may have occurred.⁴ If specific information comes to the auditors' attention that provides evidence concerning the existence of possible illegal acts that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether an illegal act has occurred.

[NOTE 4: Indirect illegal acts are violations of laws and regulations having material but indirect effects on the financial statements.]

Auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from noncompliance with provisions of contracts or grant agreements that have a direct and material effect on the on the determination of financial statement amounts. If specific information comes to the auditors' attention that provides evidence concerning the existence of possible noncompliance that could have a material indirect effect on the financial statements, auditors should apply audit procedures specifically directed to ascertaining whether that noncompliance has occurred.

[NOTE 5: AICPA standards provide guidance for auditors who use the work of a specialist who is not a member of their staff.]

Auditors should obtain a sufficient understanding of internal control to plan the audit and determine the nature, timing, and extent of tests to be performed.

a. the extent to which computer processing is used in each significant accounting application;^5.2

b. the complexity of the entity's computer operations;

c. the organizational structure of the computer processing activities; and

d. the kinds and competence of available evidential matter, in electronic and in paper formats, to achieve audit objectives.

[NOTE 5.1: Significant accounting applications are those which relate to accounting information that can materially affect the financial statements the auditor is auditing. Significant accounting applications could include financial as well as other systems, such as management information systems or systems that monitor compliance, if they provide data for material account balances, transaction classes, and disclosure components of financial statements.]

[NOTE 5.2: Obtaining an understanding of these elements would include consideration of internal control related to security over computerized information systems.]

In planning the audit, auditors should document in the working papers (1) the basis for assessing control risk at the maximum level for assertions related to material account balances, transaction classes, and disclosure components of financial statements when such assertions are significantly dependent upon computerized information systems, and (2) consideration that the planned audit procedures are designed to achieve audit objectives and to reduce audit risk to an acceptable level.

a. the rationale for determining the nature, timing, and extent of planned audit procedures;

b. the kinds and competence of available evidential matter produced outside a computerized information system; and

c. the effect on the audit opinion or report if evidential matter to be gathered during the audit does not afford a reasonable basis for the auditor’s opinion on the financial statements.

[NOTE 5.3: See paragraphs 4.34 through 4.38 for a discussion of the working paper standards.]

a. failure to adequately monitor decentralized operations;

b. lack of control over activities, such as lack of documentation for major transactions;

c. lack of control over computerized information systems, such as a lack of control over access to applications that initiate or control the movement of assets;

d. failure to develop or communicate adequate control activities for security of data or assets, such as allowing unauthorized personnel to have ready access to data or assets; and

e. failure to investigate significant unreconciled differences between reconciliations of a control account and subsidiary records.

a. management's awareness or lack of awareness of applicable laws and regulations;

b. auditee policy regarding such matters as acceptable operating practices and codes of conduct; and

c. assignment of responsibility and delegation of authority to deal with such matters as organizational goals and objectives, operating functions, and regulatory requirements.

A record of the auditors' work should be retained in the form of working papers.

Working papers should contain sufficient information to enable an experienced auditor having no previous connection with the audit to ascertain from them the evidence that supports the auditors' significant conclusions and judgments.

a. the objectives, scope, and methodology, including any sampling criteria used;

b. documentation of the work performed to support significant conclusions and judgments, including descriptions of transactions and records examined that would enable an experienced auditor to examine the same transactions and records⁶; and

c. evidence of supervisory reviews of the work performed.

[NOTE 6: Auditors may meet this requirement by listing voucher numbers, check numbers, or other means of identifying specific documents they examined. They are not required to include in the working papers copies of documents they examined nor are they required to list detailed information from those documents.]

a. SAS No. 75, Engagements to Apply Agreed-Upon Procedures to Specific Elements, Accounts, or Items of a Financial Statement;

b. SAS No. 62, Special Reports, for auditing specified elements, accounts, or items of a financial statement;

c. SAS No. 74, Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance, for testing compliance with laws and regulations applicable to federal financial assistance programs;

d. SAS No. 70, Reports on the Processing of Transactions by Service Organizations, for examining descriptions of internal control of service organizations that process transactions for others;

e. Statement on Standards for Attestation Engagements (SSAE) No. 1, Attestation Standards, as amended by SSAE No. 9, Amendments to Statement on Standards for Attestation Engagements Nos. 1, 2, and 3, for examining or reviewing an entity's assertions about financial related matters not specifically addressed in other AICPA standards;

f. SSAE No. 2, Reporting on an Entity's Internal Control Over Financial Reporting, as amended by SSAE No. 9, Amendments to Statement on Standards for Attestation Engagements Nos. 1, 2, and 3, for examining an entity's assertions about its internal control over financial reporting and/or safeguarding assets;

g. SSAE No. 3, Compliance Attestation, as amended by SSAE No. 9, Amendments to Statement on Standards for Attestation Engagements Nos. 1, 2, and 3, for (1) examining or applying agreed-upon procedures to an entity's assertions about compliance with specified requirements or (2) applying agreed-upon procedures to an entity's assertions about internal control over compliance with laws and regulations; and

h. SSAE No. 4, Agreed-Upon Procedures Engagements, for applying agreed-upon procedures to (1) an entity’s assertions about internal control over financial reporting and/or safeguarding of assets or (2) an entity’s assertions about financial related matters not specifically addressed in other AICPA standards.

[NOTE 7: GAGAS incorporate any new AICPA field work standards relevant to financial related audits unless GAO excludes them by formal announcement.]

[NOTE 8: Chapter 2 provides examples of other types of financial related audits. ]