Government Auditing Standards: July 1999: Chapter 6

Contents Previous Next	Chapter 6: Field Work Standards for Performance Audits
Contents Previous Next	Purpose 6.1 This chapter prescribes field work standards for performance audits. These standards also apply to some financial related audits, as discussed in chapter 4.
Contents Previous Next	Planning 6.2 The first field work standard for performance audits is: Work is to be adequately planned. 6.3 In planning, auditors should define the audit's objectives and the scope and methodology to achieve those objectives. The objectives are what the audit is to accomplish. They identify the audit subjects and performance aspects to be included, as well as the potential finding and reporting elements that the auditors expect to develop.¹ Audit objectives can be thought of as questions about the program² that auditors seek to answer. Scope is the boundary of the audit. It addresses such things as the period and number of locations to be covered. The methodology comprises the work in data gathering and in analytical methods auditors will do to achieve the objectives. [NOTE 1: See discussion of the elements of a finding in paragraphs 6.49 through 6.52.] [NOTE 2: Generally accepted government auditing standards (GAGAS) are standards for audit of government organizations, programs, activities, and functions. This chapter uses only the term "program"; however, the concepts presented also apply to audits of organizations, activities, and functions. ] 6.4 Auditors should design the methodology to provide sufficient, competent, and relevant evidence to achieve the objectives of the audit. Methodology includes not only the nature of the auditors' procedures, but also their extent (for example, sample size). 6.5 In planning a performance audit, auditors should: a. Consider significance and the needs of potential users of the audit report. (See paragraphs 6.7 and 6.8.) b. Obtain an understanding of the program to be audited. (See paragraphs 6.9 and 6.10.) c. Consider legal and regulatory requirements. (See paragraphs 6.26 through 6.38.) d. Consider management controls. (See paragraphs 6.39 through 6.45.) e. Identify criteria needed to evaluate matters subject to audit. (See paragraph 6.11.) f. Identify significant findings and recommendations from previous audits that could affect the current audit objectives. Auditors should determine if management has corrected the conditions causing those findings and implemented those recommendations. (See paragraphs 6.12 and 6.13.) g. Identify potential sources of data that could be used as audit evidence and consider the validity and reliability of these data, including data collected by the audited entity, data generated by the auditors, or data provided by third parties. (See paragraphs 6.53 through 6.62.) h. Consider whether the work of other auditors and experts may be used to satisfy some of the auditors' objectives. (See paragraphs 6.14 through 6.16.) i. Provide sufficient staff and other resources to do the audit. (See paragraphs 6.17 and 6.18.) j. Prepare a written audit plan. (See paragraphs 6.19 through 6.21.) 6.6 Planning should continue throughout the audit. Audit objectives, scope, and methodologies are not determined in isolation. Auditors determine these three elements of the audit plan together, as the considerations in determining each often overlap. Significance and User Needs 6.7 Auditors should consider significance in planning, performing, and reporting on performance audits. The significance of a matter is its relative importance to the audit objectives and potential users of the audit report. Qualitative, as well as quantitative, factors are important in determining significance. Qualitative factors can include a. visibility and sensitivity of the program under audit, b. newness of the program or changes in its conditions, c. role of the audit in providing information that can improve public accountability and decision-making, and d. level and extent of review or other forms of independent oversight. 6.8 One group of users of the auditors' report is government officials who may have authorized or requested the audit. Another important user of the auditors' report is the auditee, which is responsible for acting on the auditors' recommendations. Other potential users of the auditors' report include government officials (other than those who may have authorized or requested the audit), the media, interest groups, and individual citizens. These other potential users may have, in addition to an interest in the program, an ability to influence the conduct of the program. Thus, an awareness of these potential users' interests and influence can help auditors understand why the program operates the way it does. This awareness can also help auditors judge whether possible findings could be significant to these other users. Understanding the Program 6.9 AAuditors should obtain an understanding of the program to be audited to help assess, among other matters, the significance of possible audit objectives and the feasibility of achieving them. The auditors' understanding may come from knowledge they already have about the program and knowledge they gain from inquiries and observations they make in planning the audit. The extent and breadth of those inquiries and observations will vary among audits, as will the need to understand individual aspects of the program, such as the following. a. Laws and regulations: Government programs usually are created by law and are subject to more specific laws and regulations than the private sector. For example, laws and regulations usually set forth what is to be done, who is to do it, the purpose to be achieved, the population to be served, and how much can be spent on what. Thus, understanding the laws establishing a program can be essential to understanding the program itself. Obtaining that understanding may also be a necessary step in identifying provisions of laws and regulations significant to audit objectives. b. Purpose and goals: Purpose is the result or effect that is intended or desired, and can exist without being expressly stated. Goals quantify the level of performance intended or desired. Legislatures set the program purpose when they establish a program; however, management is expected to set goals for program efforts, operations, outputs, and outcomes. Auditors may use the purpose and goals as criteria for assessing program performance. c. Efforts: Efforts are the amount of resources (in terms of money, material, personnel, and so forth) that are put into a program. These resources may come from within or outside the entity operating the program. Measures of efforts can have a number of dimensions, such as cost, timing, and quality. Examples of measures of efforts are dollars, employee-hours, and square feet of building space. d. Program operations: Program operations are the strategies, processes, and activities the auditee uses to convert efforts into outputs. Program operations are subject to management controls, which are discussed later in this chapter. e. Outputs: Outputs are the quantity of goods and services provided. Examples of measures of output are tons of solid waste processed, number of students graduated, and number of students graduated who have met a specified standard of achievement. f. Outcomes: Outcomes are accomplishments or results that occur (at least partially) because of services provided. Outcomes can be viewed as ranging from immediate outcomes to long-term outcomes. For example, an immediate outcome of a job training program and an indicator of its effectiveness might be the number of program graduates placed in jobs. That program's ultimate outcome and test of its effectiveness depends on whether program graduates are more likely to remain employed than similar persons not in the program. Outcomes may be intended or unintended, and they may be influenced by cultural, economic, physical, or technological factors external to the program. Auditors may use approaches drawn from the field of program evaluation to isolate the effects of the program from those of other influences. 6.10 One approach to setting audit objectives is to relate the elements of a program to the types of performance audits discussed in chapter 2. For example, audits concerned with economy could focus on efforts: Were resources obtained at an optimal cost and at an appropriate level of quality? Audits concerned with efficiency could focus on the program operations or the relationship between efforts (resources used) and either outputs or outcomes to determine the cost per unit of output or outcome. Program audits could be concerned with determining whether program outcomes met specified goals or whether outcomes were better than they would have been without the program. Any type of performance audit could encompass program operations if auditors are looking for reasons why the program was successful or not. Criteria 6.11 Criteria are the standards used to determine whether a program meets or exceeds expectations. Criteria provide a context for understanding the results of the audit. The audit plan, where possible, should state the criteria to be used. In selecting criteria, auditors have a responsibility to use criteria that are reasonable, attainable, and relevant to the matters being audited. The following are some examples of possible criteria: a. purpose or goals prescribed by law or regulation or set by management, b. technically developed standards or norms, c. expert opinions, d. prior years' performance, e. performance of similar entities, and f. performance in the private sector. Audit Follow-Up 6.12 Auditors should follow up on significant findings and recommendations from previous audits that could affect the audit objectives. They should do this to determine whether timely and appropriate corrective actions have been taken by auditee officials. The audit report should disclose the status of uncorrected significant findings and recommendations from prior audits that affect the audit objectives. 6.13 Much of the benefit from audit work is not in the findings reported or the recommendations made, but in their effective resolution. Auditee management is responsible for resolving audit findings and recommendations, and having a process to track their status can help it fulfill this responsibility. If management does not have such a process, auditors may wish to establish their own. Continued attention to significant findings and recommendations can help auditors assure that the benefits of their work are realized. Considering Others' Work 6.14 Auditors should determine if other auditors have previously done, or are doing, audits of the program or the entity that operates it. Whether other auditors have done performance audits or financial audits, they may be useful sources of information for planning and performing the audit. If other auditors have identified areas that warrant further study, their work may influence the auditors' selection of objectives. The availability of other auditors' work may also influence the selection of methodology, as the auditors may be able to rely on that work to limit the extent of their own testing. 6.15 If auditors intend to rely on the work of other auditors, they should perform procedures that provide a sufficient basis for that reliance. Auditors can obtain evidence of other auditors' qualifications³ and independence through prior experience, inquiry, and/or review of the other auditors' external quality control review report. Auditors can determine the sufficiency, relevance, and competence of other auditors' evidence by reviewing their report, audit program, or working papers, and/or making supplemental tests of their work. The nature and extent of evidence needed will depend on the significance of the other auditors' work and on whether the auditors will refer to that work in their report. [NOTE 3: Auditors from another country engaged to conduct audits in their country should meet the professional qualifications to practice under that country's laws and regulations or other acceptable standards, such as those issued by the International Organization of Supreme Audit Institutions. Also see the International Federation of Accountants' International Standards on Auditing.] 6.16 Auditors face similar considerations when relying on the work of nonauditors (consultants, experts, specialists, and so forth). In addition, auditors should obtain an understanding of the methods and significant assumptions used by the nonauditors. Staff and Other Resources 6.17 Staff planning should include: a. Assigning staff with the appropriate skills and knowledge for the job. b. Assigning an adequate number of experienced staff and supervisors to the audit. Consultants should be used when necessary. c. Providing for on-the-job training of staff. 6.18 The availability of staff and other resources is an important consideration in establishing the objectives, scope, and methodology. For example, limitations on travel funds may preclude auditors from visiting certain locations, or lack of expertise in a particular methodology may preclude auditors from undertaking certain objectives. Auditors may be able to overcome such limitations by use of staff from local offices or by engaging consultants with the necessary expertise. Written Audit Plan 6.19 A written audit plan should be prepared for each audit. The form and content of the written audit plan will vary among audits. The plan should include an audit program or a memorandum or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and of the auditors' basis for those decisions. It should be updated, as necessary, to reflect any significant changes to the plan made during the audit. 6.20 Documenting the audit plan is an opportunity for the auditors to review the work done in planning the audit to determine whether a. the proposed audit objectives are likely to result in a useful report, b. the proposed audit scope and methodology are adequate to satisfy the audit objectives, and c. sufficient staff and other resources have been made available to perform the audit. 6.21 Written audit plans may include: a. Information about the legal authority for the audited program, its history and current objectives, its principal locations, and other background that can help auditors understand and carry out the audit plan. b. Information about the responsibilities of each audit team (such as preparing audit programs, conducting audit work, supervising audit work, drafting reports, handling auditee comments, and processing the final report), which can help auditors when the work is conducted at several different locations. In these audits, use of comparable audit methods and procedures can help make the data obtained from participating locations comparable. c. Audit programs describing procedures to accomplish the audit objectives and providing a systematic basis for assigning work to staff and for summarizing the work performed. d. The general format of the audit report and the types of information to be included, which can help auditors focus their field work on the information to be reported.
Contents Previous Next	Supervision 6.22 The second field work standard for performance audits is: Staff are to be properly supervised. 6.23 Supervision involves directing the efforts of auditors and others⁴ who are involved in the audit to determine whether the audit objectives are being accomplished. Elements of supervision include instructing staff members, keeping informed of significant problems encountered, reviewing the work performed, and providing effective on-the-job training. [NOTE 4: Others involved in accomplishing the objectives of the audit include external consultants and specialists.] 6.24 Supervisors should satisfy themselves that staff members clearly understand what work they are to do, why the work is to be conducted, and what it is expected to accomplish. With experienced staff, supervisors may outline the scope of the work and leave details to assistants. With a less experienced staff, supervisors may have to specify not only techniques for analyzing data but also how to gather it. 6.25 The nature of the review of audit work may vary depending on the significance of the work or the experience of the staff. For example, it may be appropriate to have experienced staff auditors review much of the work of other staff with similar experience.
Contents Previous Next	Compliance with Laws and Regulations 6.26 The third field work standard for performance audits is: When laws, regulations, and other compliance requirements are significant to audit objectives, auditors should design the audit to provide reasonable assurance about compliance with them. In all performance audits, auditors should be alert to situations or transactions that could be indicative of illegal acts or abuse. 6.27 The following paragraphs elaborate on the requirements of this standard. They also discuss ways auditors obtain information about laws, regulations, and other compliance requirements; and the limitations of performance auditing in detecting illegal acts and abuse. Illegal Acts and Other Noncompliance 6.28 Auditors should design the audit to provide reasonable assurance about compliance with laws and regulations that are significant to audit objectives. This requires determining if laws and regulations are significant to the audit objectives and, if they are, assessing the risk that significant illegal acts could occur.⁵ Based on that risk assessment, the auditors design and perform procedures to provide reasonable assurance of detecting significant illegal acts. [NOTE 5: Illegal acts are violations of laws or regulations.] 6.29 It is not practical to set precise standards for determining if laws and regulations are significant to audit objectives because government programs are subject to so many laws and regulations, and audit objectives vary widely. However, auditors may find the following approach helpful in making that determination: a. Reduce each audit objective to questions about specific aspects of the program being audited (that is, purpose and goals, efforts, program operations, outputs, and outcomes, as discussed in paragraph 6.9). b. Identify laws and regulations that directly address specific aspects of the program included in the audit objectives' questions. c. Determine if violations of those laws and regulations could significantly affect the auditors' answers to the questions encompassed in the audit objectives. If they could, then those laws and regulations are likely to be significant to the audit objectives. 6.30 The following are examples of types of laws and regulations that can be significant to the objectives of economy and efficiency audits and of program audits. a. Economy and efficiency: Laws and regulations that could significantly affect the acquisition, protection, and use of the entity's resources, and the quantity, quality, timeliness, and cost of the products and services it produces and delivers. b.Program: Laws and regulations pertaining to the purpose of the program, the manner in which it is to be delivered, and the population it is to serve. 6.31 In planning tests of compliance with significant laws and regulations, auditors assess the risk that illegal acts could occur. That risk may be affected by such factors as the complexity of the laws and regulations or their newness. The auditors' assessment of risk includes consideration of whether the entity has controls that are effective in preventing or detecting illegal acts. Management is responsible for establishing effective controls to ensure compliance with laws and regulations. If auditors obtain sufficient evidence of the effectiveness of these controls, they can reduce the extent of their tests of compliance. 6.32 Auditors should be alert to situations or transactions that could be indicative of illegal acts. When information comes to the auditors' attention (through audit procedures, tips, or other means) indicating that illegal acts may have occurred, auditors should consider whether the possible illegal acts could significantly affect the audit results. If they could, the auditors should extend the audit steps and procedures, as necessary, (1) to determine if the illegal acts have or are likely to have occurred and (2) if so, to determine their effect on the audit results. 6.33 Auditors should exercise due professional care in pursuing indications of possible illegal acts so as not to interfere with potential investigations, legal proceedings, or both. Under some circumstances, laws, regulations, or policies require auditors to report indications of certain types of illegal acts to law enforcement or investigatory authorities before extending audit steps and procedures. Auditors may also be required to withdraw from or defer further work on the audit or a portion of the audit in order not to interfere with an investigation. 6.34 The term noncompliance has a broader meaning than illegal acts. Noncompliance includes not only illegal acts, but also violations of provisions of contracts or grant agreements. Like illegal acts, these other types of noncompliance can be significant to audit objectives. The auditors' considerations in planning and performing tests of compliance with provisions of contracts or grant agreements are similar to those discussed in paragraphs 6.28 through 6.33. Abuse 6.35 Abuse is distinct from illegal acts and other noncompliance. When abuse occurs, no law, regulation, contract provision, or grant agreement is violated. Rather, the conduct of a government program falls far short of societal expectations for prudent behavior. Auditors should be alert to situations or transactions that could be indicative of abuse. When information comes to the auditors' attention (through audit procedures, tips, or other means) indicating that abuse may have occurred, auditors should consider whether the possible abuse could significantly affect the audit results. If it could, the auditors should extend the audit steps and procedures, as necessary, (1) to determine if the abuse occurred and (2) if so, to determine its effect on the audit results. However, because the determination of abuse is so subjective, auditors are not expected to provide reasonable assurance of detecting it. Obtaining Information About Laws, Regulations, and Other Compliance Requirements 6.36 Auditors' training, experience, and understanding of the program being audited may provide a basis for recognition that some acts coming to their attention may be illegal. Whether an act, in fact, is illegal is a determination normally beyond auditors' professional capacity. However, auditors are responsible for being aware of vulnerabilities to fraud⁶ associated with the area being audited in order to be able to identify indications that fraud may have occurred. In some circumstances, conditions such as the following might indicate a heightened risk of fraud: a. Auditees offer unreasonable explanations to the auditors' inquiries. b. Auditees are annoyed at reasonable questions by auditors. c. Auditees refuse to provide records. d. Auditees refuse to take vacations or accept promotions. [NOTE 6: Fraud is a type of illegal act involving the obtaining of something of value through willful misrepresentation.] 6.37 Auditors may find it necessary to rely on the work of legal counsel in (1) determining those laws and regulations that are significant to the audit objectives, (2) designing tests of compliance with laws and regulations, and (3) evaluating the results of those tests.⁷ Auditors also may find it necessary to rely on the work of legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements. Depending on the circumstances of the audit, auditors may find it necessary to obtain information on compliance matters from others, such as investigative staff, audit officials of other government entities that provided assistance to the auditee, or the applicable law enforcement authority. [NOTE 7: Paragraphs 6.14 through 6.16 discuss relying on the work of others.] Limitations of An Audit 6.38 An audit made in accordance with these standards provides reasonable assurance that its objectives have been achieved; it does not guarantee the discovery of illegal acts or abuse. Nor does the subsequent discovery of illegal acts or abuse committed during the audit period necessarily mean that the auditors' performance was inadequate, provided the audit was made in accordance with these standards.
Contents Previous Next	Management Controls 6.39 The fourth field work standard for performance audits is: Auditors should obtain an understanding of management controls that are relevant to the audit. When management controls are significant to audit objectives, auditors should obtain sufficient evidence to support their judgments about those controls. 6.40 Management is responsible for establishing effective management controls. The lack of administrative continuity in government units because of continuing changes in elected legislative bodies and in administrative organizations increases the need for effective management controls. 6.41 Management controls, in the broadest sense, include the plan of organization, methods, and procedures adopted by management to ensure that its goals are met. Management controls include the processes for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. The following classification of management controls is intended to help auditors focus on understanding management controls and in determining their significance to the audit objectives. a.Program operations: Controls over program operations include policies and procedures that management has implemented to reasonably ensure that a program meets its objectives. Understanding these controls can help auditors understand the program operations that convert efforts to outputs. b.Validity and reliability of data: Controls over the validity and reliability of data include policies and procedures that management has implemented to reasonably ensure that valid and reliable data are obtained, maintained, and fairly disclosed in reports. These controls help assure management that it is getting valid and reliable information about whether programs are operating properly. Understanding these controls can help auditors (1) assess the risk that the data gathered by the entity may not be valid and reliable and (2) design appropriate tests of the data. c.Compliance with laws and regulations: Controls over compliance with laws and regulations include policies and procedures that management has implemented to reasonably ensure that resource use is consistent with laws and regulations. Understanding the controls relevant to compliance with those laws and regulations that the auditors have determined are significant can help auditors assess the risk of illegal acts. d. Safeguarding resources: Controls over the safeguarding of resources include policies and procedures that management has implemented to reasonably ensure that resources are safeguarded against waste, loss, and misuse. Understanding these controls can help auditors plan economy and efficiency audits. 6.42 Auditors can obtain an understanding of management controls through inquiries, observations, inspection of documents and records, or review of other auditors' reports. The procedures auditors perform to obtain an understanding of management controls will vary among audits. One factor influencing the extent of these procedures is the auditors' knowledge about management controls gained in prior audits. Also, the need to understand management controls will depend on the particular aspects of the program the auditors consider in setting objectives, scope, and methodology. The following are examples of how the auditors' understanding of management controls can influence the audit plan. a.Objectives: Poorly controlled aspects of a program have higher risk of failure, so they may be more significant than others in terms of where auditors would want to focus their efforts. b.Scope: Poor controls in a certain location may lead auditors to target their efforts there. c.Methodology: Effective controls over collecting, summarizing, and reporting data may enable auditors to limit the extent of their direct testing of data validity and reliability. In contrast, poor controls may lead auditors to perform more direct testing of the data, look for data from outside the entity, or develop their own data. 6.43 The need to test management controls depends on their significance to the audit objectives. The following are examples of circumstances where management controls can be significant to audit objectives: a. In determining the cause of unsatisfactory performance if that unsatisfactory performance could result from weaknesses in specific management controls. b. When assessing the validity and reliability of performance measures developed by the audited entity. Effective management controls over collecting, summarizing, and reporting data will help ensure valid and reliable performance measures. 6.44 Internal auditing is an important part of management control. When an assessment of management controls is called for, the work of the internal auditors can be used to help provide reasonable assurance that management controls are functioning properly and to prevent duplication of effort. 6.45 Considering the wide variety of government programs, no single pattern for internal audit activities can be specified. Many government entities have these activities identified by other names, such as inspection, appraisal, investigation, organization and methods, or management analysis. These activities assist management by reviewing selected functions.
Contents Previous Next	Evidence 6.46 The fifth field work standard for performance audits is: Sufficient, competent, and relevant evidence is to be obtained to afford a reasonable basis for the auditors' findings and conclusions. A record of the auditors' work should be retained in the form of working papers. Working papers should contain sufficient information to enable an experienced auditor having no previous connection with the audit to ascertain from them the evidence that supports the auditors' significant conclusions and judgments.⁸ [NOTE 8: The nature of this documentation will vary with the nature of the work performed. For example, when this work includes examination of auditee records, the working papers should describe those records so that an experienced auditor would be able to examine those same records. Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include in the working papers copies of documents they examined, nor are they required to list detailed information from those documents.] 6.47 Evidence may be categorized as physical, documentary, testimonial, and analytical. Physical evidence is obtained by auditors' direct inspection or observation of people, property, or events. Such evidence may be documented in memoranda, photographs, drawings, charts, maps, or physical samples. Documentary evidence consists of created information such as letters, contracts, accounting records, invoices, and management information on performance. Testimonial evidence is obtained through inquiries, interviews, or questionnaires. Analytical evidence includes computations, comparisons, separation of information into components, and rational arguments. 6.48 The guidance in the following paragraphs is intended to help auditors judge the quality and quantity of evidence needed to satisfy audit objectives. Paragraphs 6.49 through 6.52 describe the elements of an audit finding. Paragraphs 6.53 through 6.62 provide guidance to help auditors determine what constitutes sufficient, competent, and relevant evidence to support their findings and conclusions. Finally, paragraphs 6.63 through 6.65 provide guidance on how to document that evidence. Audit Findings 6.49 Audit findings often have been regarded as containing the elements of criteria, condition, and effect, plus cause when problems are found. However, the elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the finding's elements. Criteria are discussed in paragraph 6.11; the other elements of a finding--condition, effect, and cause--are discussed in the following paragraphs. 6.50Condition is a situation that exists. It has been determined and documented during the audit. 6.51Effect as two meanings, which depend on the audit objectives. When the auditors' objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, "effect" is a measure of those consequences. Auditors often use effect in this sense to demonstrate the need for corrective action in response to identified problems. When the auditors' objectives include estimating the extent to which a program has caused changes in physical, social, or economic conditions, "effect" is a measure of the impact achieved by the program. Here, effect is the extent to which positive or negative changes in actual physical, social, or economic conditions can be identified and attributed to program operations. 6.52 Like effect, cause also has two meanings, which depend on the audit objectives. When the auditors' objectives include explaining why the poor (or good) performance determined in the audit happened, the reasons for that performance are referred to as "cause." Identifying the cause of problems can assist auditors in making constructive recommendations for correction. Because problems can result from a number of plausible factors, the recommendation can be more persuasive if auditors can clearly demonstrate and explain with evidence and reasoning the link between the problems and the factor or factors they identified as the cause. When the auditors' objectives include estimating the program's effect on changes in physical, social, or economic conditions, they seek evidence of the extent to which the program itself is the "cause" of those changes. Tests of Evidence 6.53 Evidence should be sufficient, competent, and relevant. Evidence is sufficient if there is enough of it to support the auditors' findings. In determining the sufficiency of evidence it may be helpful to ask such questions as: Is there enough evidence to persuade a reasonable person of the validity of the findings? When appropriate, statistical methods may be used to establish sufficiency. Evidence used to support a finding is relevant if it has a logical, sensible relationship to that finding. Evidence is competent to the extent that it is consistent with fact (that is, evidence is competent if it is valid). 6.54 The following presumptions are useful in judging the competence of evidence. However, these presumptions are not to be considered sufficient in themselves to determine competence. a. Evidence obtained from a credible third party is more competent than that secured from the auditee. b. Evidence developed under an effective system of management controls is more competent than that obtained where such controls are weak or nonexistent. c. Evidence obtained through the auditors' direct physical examination, observation, computation, and inspection is more competent than evidence obtained indirectly. d. Original documents provide more competent evidence than do copies. e. Testimonial evidence obtained under conditions where persons may speak freely is more competent than testimonial evidence obtained under compromising conditions (for example, where the persons may be intimidated). f. Testimonial evidence obtained from an individual who is not biased or has complete knowledge about the area is more competent than testimonial evidence obtained from an individual who is biased or has only partial knowledge about the area. 6.55 Auditors may find it useful to obtain from officials of the auditee written representations concerning the competence of the evidence they obtain. Written representations ordinarily confirm oral representations given to auditors, indicate and document the continuing appropriateness of such representations, and reduce the possibility of misunderstanding concerning the matters that are the subject of the representations. 6.56 The auditors' approach to determining the sufficiency, competence, and relevance of evidence depends on the source of the information that constitutes the evidence. Information sources include original data gathered by auditors and existing data gathered by either the auditee or a third party. Data from any of these sources may be obtained from computer-based systems. 6.57Data Gathered by Auditors. Data gathered by auditors include the auditors' own observations and measurements. Among the methods for gathering this type of data are questionnaires, structured interviews, direct observations, and computations. The design of these methods and the skill of the auditors applying them are the keys to ensuring that these data constitute sufficient, competent, and relevant evidence. When these methods are applied to determine cause, auditors are concerned with eliminating rival explanations. 6.58Data Gathered by the Auditee. Auditors can use data gathered by the auditee as part of their evidence. Auditors may determine the validity and reliability of these data by direct tests of the data. Auditors can reduce the direct tests of the data if they test the effectiveness of the entity's controls over the validity and reliability of the data, and these tests support the conclusion that the controls are effective. The nature and extent of testing of the data will depend on the significance of the data to support auditors' findings. 6.59 When the auditors' tests of data disclose errors in the data, or when they are unable to obtain sufficient, competent, and relevant evidence about the validity and reliability of the data, they may find it necessary to a. seek evidence from other sources, b. redefine the audit's objectives to eliminate the need to use the data, or c. use the data, but clearly indicate in their report the data's limitations and refrain from making unwarranted conclusions or recommendations. 6.60Data Gathered by Third Parties. The auditors' evidence may also include data gathered by third parties. In some cases, these data may have been audited by others, or the auditors may be able to audit the data themselves. In other cases, however, it will not be practical to obtain evidence of the data's validity and reliability. 6.61 How the use of unaudited third-party data affects the auditors' report depends on the data's significance to the auditors' findings. 6.62 Validity and Reliability of Data From Computer-Based Systems. Auditors should obtain sufficient, competent, and relevant evidence that computer-processed data are valid and reliable when those data are significant to the auditors' findings.⁹ This work is necessary regardless of whether the data are provided to auditors or auditors independently extract them.¹⁰ Auditors should determine if other auditors have worked to establish the validity and reliability of the data or the effectiveness of the controls over the system that produced the data. If they have, auditors may be able to use that work. If not, auditors may determine the validity and reliability of computer-processed data by direct tests of the data. Auditors can reduce the direct tests of the data if they test the effectiveness of general and application controls over computer-processed data, and these tests support the conclusion that the controls are effective.¹¹ [NOTE 9: When the reliability of a computer-based system is the primary objective of the audit, the auditors should conduct a review of the system's general and application controls.] [NOTE 10: When computer-processed data are used by the auditor, or included in the report, for background or informational purposes and are not significant to the auditors' findings, citing the source of the data and stating that they were not verified will satisfy the reporting standards for accuracy and completeness set forth in this statement.] [NOTE 11: A GAO guide, Assessing the Reliability of Computer-Based Data (GAO/OP-8.1.3, September 1990), provides guidance on the following key steps: 1) determining how computer-based data will be used and how they will affect the audit objectives, (2) finding out what is known about the data and the system that produced them, (3) obtaining an understanding of relevant system controls, which can reduce risk to an acceptable level, (4) testing the data for reliability, and (5) disclosing the data source and how data reliability was established or qualifying the report if data reliability could not be established.] Working Papers 6.63 Working papers serve three purposes. They provide the principal support for the auditors' report, aid the auditors in conducting and supervising the audit, and allow others to review the audit's quality. This third purpose is important because audits done in accordance with GAGAS often are subject to review by other auditors and by oversight officials. Working papers allow for the review of audit quality by providing the reviewer written documentation of the evidence supporting the auditors' significant conclusions and judgments. 6.64 Working papers should contain a. the objectives, scope, and methodology, including any sampling criteria used; b. documentation of the work performed to support significant conclusions and judgments; and c. evidence of supervisory review of the work performed. 6.65 One factor underlying GAGAS audits is that federal, state, and local governments and other organizations cooperate in auditing programs of common interest so that auditors may use others' work and avoid duplicate audit efforts. Arrangements should be made so that working papers will be made available, upon request, to other auditors. To facilitate reviews of audit quality and reliance by other auditors on the auditors' work, contractual arrangements for GAGAS audits should provide for access to working papers. Audit organizations should also establish reasonable policies and procedures for the safe custody and retention of working papers for a time sufficient to satisfy legal and administrative requirements. If you have questions about Government Auditing Standards, send email to yellowbook@gao.gov. Updated 8/13/99