This is the accessible text file for GAO report number GAO-01-765G
entitled 'Financial Audit Manual: Volumes 1 and 2' which was released
on August 01, 2001 and updated by GAO-03-466G entitled 'Financial
Audit Manual: Update to Part II - Tools' which was released on April
01, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
[This page intentionally left blank.]
GAO/PCIE Financial Audit Manual:
(including April 2003 update):
This page was last revised April 28 ,2003:
Volume 1 - Methodology [PDF 1.5mb]
Cover to Volume 1 [PDF 8.3mb]
Section 100 - Foreword, Table of Contents, Introduction:
Section 200 - Planning:
Section 300 - Internal Control:
Section 400 - Testing:
Section 500 - Reporting:
Section Appendixes - Appendixes, Glossary, Abbreviations, Index:
Volume 2 - Tools [PDF 3.0mb]
Cover to Volume 2 [PDF 8.3mb]
Section 600 - Planning and General:
Section 700 - Internal Control:
Section 800 - Compliance:
Section 900 - Substantive Testing:
Section 1000, except for CFO Act Checklist - Reporting:
CFO Act Checklist, Beginning - Overview, General Items, Balance Sheet:
CFO Act Checklist, End - Statements of Net Cost, Changes in Net
Position, Budgetary Resources, Financing, Custodial Activity, Notes,
and Supplementary Information:
Other Related Guidance:
GAO's FFMIA Reporting:
Download zipped files that allow users to enter data:
Sections 300, 400, and 500 - SCE (FAM 395 H - both transaction-related
and line item-related), ARA (FAM 395 I), sampling documentation (FAM
495 E), example audit report and summaries of misstatements (FAM 595 A,
B, C, and D):
Sections 600 and 700 - example documentation and templates for using
the work of others (FAM 650 B and C), agreed-upon procedures (FAM 660
A, B, C, and D), and testing compliance with FFMIA (FAM 701 A and B):
Section 800 - general compliance checklist (FAM 802) and summary and
audit procedures for other acts (FAM 803, 808, 809, 810, 812, 813, 814,
816, and 817):
Sections 900 and 1000, except CFO Act checklist - example documentation
and templates for related parties, including intragovernmental activity
and balances (FAM 902 C), Fund Balance with Treasury (FAM 921 D),
management representations (FAM 1001 A), inquiries of legal counsel
(FAM 1002 A, B, C, and D), audit completion checklist (FAM 1003), and
subsequent events review (FAM 1005):
CFO Act checklist (FAM 1004):
Financial Audit Manual:
Foreword:
On behalf of the General Accounting Office (GAO) and the President's
Council on Integrity and Efficiency (PCIE), we are pleased to present
the first-ever GAO/PCIE Financial Audit Manual.
With passage of the Government Management and Reform Act of 1994,
executive branch Inspectors General and GAO gained statutory
responsibility for auditing agency and government-wide consolidated
financial statements, respectively. Since that time, GAO and the PCIE
community have worked cooperatively to ensure that these audits are of
the highest possible quality, consistency, and cost-effectiveness. This
manual is a natural outgrowth of that cooperation. More importantly,
the new manual represents our ongoing efforts to ensure that financial
statement audits achieve their intended outcomes of providing enhanced
accountability over taxpayer-provided resources.
We extend our thanks to the many individuals and organizations that
provided comments and insights to make the manual stronger. The Task
Force assembled by GAO and the PCIE also deserves much credit for its
dedication to completing this project.
Jeffrey C. Steinhoff
Managing Director
U.S. General Accounting Office
The Honorable Gregory H. Friedman:
Chair, Audit Committee:
President's Council on Integrity and Efficiency:
Signed by Jeffrey C. Steinhoff and Gregory H. Friedman:
[End of section]
CONTENTS:
:
100; INTRODUCTION.
200; PLANNING PHASE.
210; Overview.
220; Understand the Entity's Operations.
225; Perform Preliminary Analytical Procedures.
230; Determine Planning, Design, and Test Materiality.
235; Identify Significant Line Items, Accounts, Assertions, and RSSI.
240; Identify Significant Cycles, Accounting Applications, and
Financial Management Systems.
245; Identify Significant Provisions of Laws and Regulations.
250; Identify Relevant Budget Restrictions.
260; Identify Risk Factors.
270; Determine Likelihood of Effective Information System Controls.
275; Identify Relevant Operations Controls to Evaluate and Test.
280; Plan Other Audit Procedures.
* Inquiries of Attorneys.
* Management Representations.
* Related Party Transactions.
* Sensitive Payments.
* Reaching an Understanding with Management and Requesters.
* Other Audit Requirements.
285; Plan Locations to Visit.
290; Documentation.
* Appendixes to Section 200:
295 A; Potential Inherent Risk Conditions.
295 B; Potential Control Environment, Risk Assessment, Communication,
and Monitoring Weaknesses.
295 C; An Approach for Multiple-Location Audits.
295 D; Interim Substantive Testing of Balance Sheet Accounts.
295 E; Effect of Risk on Extent of Audit Procedures.
295 F; Types of Information System Controls.
295 G; Budget Controls.
295 H; Laws Identified in OMB Audit Guidance and Other General Laws.
295 I; Examples of Auditor Responses to Fraud Risk Factors.
295 J; Steps in Assessing Information System Controls.
300; INTERNAL CONTROL PHASE.
310; Overview.
320; Understand Information Systems.
330; Identify Control Objectives.
340; Identify and Understand Relevant Control Activities.
350; Determine the Nature, Timing, and Extent of Control Tests and of
Tests for Systems' Compliance with FFMIA Requirements.
360; Perform Nonsampling Control Tests and Tests for Systems'
Compliance with FFMIA Requirements.
370; Assess Controls on a Preliminary Basis.
380; Other Considerations.
390; Documentation.
Appendixes to Section 300:
395 A; Typical Relationships of Accounting Applications to Line Items/
Accounts.
395 B; Financial Statement Assertions and Potential Misstatements.
395 C; Typical Control Activities.
395 D; Selected Statutes Relevant to Budget Execution.
395 E; Budget Execution Process.
395 F; Budget Control Objectives.
395 F Sup; Budget Control Objectives - Federal Credit Reform Act
Supplement.
395 G; Rotation Testing of Controls.
395 H; Specific Control Evaluation Worksheet.
395 I; Account Risk Analysis Form.
400; TESTING PHASE.
410; Overview.
420; Consider the Nature, Timing, and Extent of Tests.
430; Design Efficient Tests.
440; Perform Tests and Evaluate Results.
450; Sampling Control Tests.
460; Compliance Tests.
470; Substantive Tests - Overview.
475; Substantive Analytical Procedures.
480; Substantive Detail Tests.
490; Documentation.
Appendixes to Section 400:
495 A; Determining Whether Substantive Analytical Procedures Will Be
Efficient and Effective.
495 B; Example Procedures for Tests of Budget Information.
495 C; Guidance for Interim Testing.
495 D; Example of Audit Matrix with Statistical Risk Factors.
495 E; Sampling.
495 F; Manually Selecting a Dollar Unit Sampling.
500; REPORTING PHASE.
510; Overview.
520; Perform Overall Analytical Procedures.
530; Determine Adequacy of Audit Procedures and Audit Scope.
540; Evaluate Misstatements.
550; Conclude Other Audit Procedures.
* Inquiries of Attorneys.
* Subsequent Events.
* Management Representations.
* Related Party Transactions.
560; Determine Conformity with Generally Accepted Accounting
Principles.
570; Determine Compliance with GAO/PCIE Financial Audit Manual.
580; Draft Reports.
* Financial Statements.
* Internal Control.
* Financial Management Systems.
* Compliance with Laws and Regulations.
* Other Information in the Accountability Report.
590; Documentation.
Appendixes to Section 500:
595 A; Example Auditor's Report - Unqualified.
595 B; Suggested Modifications to Auditor's Report.
595 C; Example Summary of Possible Adjustments.
595 D; Example Summary of Unadjusted Misstatements.
APPENDIXES.
A; Consultations.
B; Instances Where the Auditor "Must" Comply with the FAM.
GLOSSARY.
ABBREVIATIONS.
INDEX.
[End of table]
SECTION 100:
Introduction:
Table 1: Methodology Overview:
Figure 100.1: Methodology Overview:
Planning Phase:
Understand the entity's operations: Section: 220:
Perform preliminary analytical procedures: Section: 225:
Determine planning, design, and test materiality: Section: 230:
Identify significant line items, accounts, assertions, and RSSI:
Section: 235:
Identify significant cycles, accounting applications, and financial
management systems: Section: 240:
Identify significant provisions of laws and regulations: Section: 245:
Identify relevant budget restrictions: Section: 250:
Assess risk factors: Section: 260:
Determine likelihood of effective information system controls:
Section: 270:
Identify relevant operations controls to evaluate and test: Section:
275:
Plan other audit procedures: Section: 280:
Plan locations to visit: Section: 285:
Internal Control Phase:
Understand information systems: Section: 320:
Identify control objectives: Section: 330:
Identify and understand relevant control activities: Section: 340:
Determine the nature, timing, and extent of control tests and of tests
for systems' compliance with FFMIA requirements: Section: 350:
Perform nonsampling control tests and tests for systems' compliance
with FFMIA requirements: Section: 360:
Assess controls on a preliminary basis: Section: 370:
Testing Phase:
Consider the nature, timing, and extent of tests: Section: 420:
Design efficient tests: Section: 430:
Perform tests and evaluate results: Section: 440:
Sampling control tests: Section: 450:
Compliance tests: Section: 460:
Substantive tests: Section: 470:
Substantive analytical procedures: Section: 475:
Substantive detail tests: Section: 480:
Reporting Phase:
Perform overall analytical procedures: Section: 520:
Determine adequacy of audit procedures and audit scope: Section: 530:
Evaluate misstatements: Section: 540:
Conclude other audit procedures: Section: 550:
Inquire of attorneys:
Consider subsequent events:
Obtain management representations:
Consider related party transactions:
Determine conformity with generally accepted accounting
principles: Section: 560:
Determine compliance with GAO/PCIE Financial Audit Manual: Section: 570:
Draft reports: Section: 580:
[End of table]
.01: This introduction provides an overview of the methodology of the
General Accounting Office (GAO) and the President's Council on
Integrity and Efficiency (PCIE) for performing financial statement
audits of federal entities, describes how the methodology relates to
relevant auditing and attestation standards and Office of Management
and Budget (OMB) guidance, and outlines key issues to be considered in
using the methodology.
OVERVIEW OF THE METHODOLOGY:
.02 The overall purposes of performing financial statement audits of
federal entities include providing decisionmakers (financial statement
users) with assurance as to whether the financial statements are
reliable, internal control is effective, and laws and regulations are
complied with. To achieve these purposes, the approach to federal
financial statement audits involves four phases:
* Plan the audit to obtain relevant information in the most efficient
manner.
* Evaluate the effectiveness of the entity's internal control and, for
Chief Financial Officers (CFO) Act Agencies and components designated
by OMB, whether financial management systems substantially comply with
the requirements of the Federal Financial Management Improvement Act of
1996 (FFMIA): federal financial management systems requirements,
applicable federal accounting standards,[Footnote 1] and the U.S.
Government Standard General Ledger (SGL) at the transaction
level.[Footnote 2]
* Test the significant assertions related to the financial statements
and test compliance with laws and regulations.
* Report the results of audit procedures performed.
These phases are illustrated in figure 100.1 and are summarized below.
[Footnote 3]
Planning Phase:
.03: Although planning continues throughout the audit, the objectives
of this initial phase are to identify significant areas and to design
efficient audit procedures. To accomplish this, the methodology
includes guidance to help in
* understanding the entity's operations, including its organization,
management style, and internal and external factors influencing the
operating environment;
* identifying significant accounts, accounting applications, and
financial management systems; important budget restrictions,
significant provisions of laws and regulations; and relevant controls
over the entity's operations;
determining the likelihood of effective information systems (IS)
controls;
performing a preliminary risk assessment to identify high-risk areas,
including considering the risk of fraud; and:
planning entity field locations to visit.
Internal Control Phase:
.04: This phase entails evaluating and testing internal control to
support the auditor's conclusions about the achievement of the following
internal control objectives:
Reliability of financial reporting--transactions are properly
recorded, processed, and summarized to permit the preparation of the
principal statements and required supplementary stewardship
information (RSSI) in accordance with generally accepted accounting
principles (GAAP), and assets are safeguarded against loss from
unauthorized acquisition, use, or disposition.
Compliance with applicable laws and regulations--transactions are
executed in accordance with (a) laws governing the use of budget
authority and other laws and regulations that could have a direct and
material effect on the principal statements or RSSI and (b) any other
laws, regulations, and governmentwide policies identified by OMB in its
audit guidance.
OMB audit guidance requires the auditor to test controls that have been
properly designed to achieve these objectives and placed in operation,
to support a low assessed level of control risk. This may be enough
testing to give an opinion on internal control. GAO audits should be
designed to give an opinion on internal control.[Footnote 4] If the
auditor does not give an opinion, generally accepted government
auditing standards (GAGAS) require the report to state whether tests
were sufficient to give an opinion.
.05:
OMB's audit guidance includes a third objective of internal control,
related to performance measures. The auditor is required to understand
the components of internal control relating to the existence and
completeness assertions and to report on internal controls that have
not been properly designed and placed in operation, rather than to test
controls.
.06:
This manual also provides guidance on evaluating internal controls
related to operating objectives that the auditor elects to evaluate.
Such controls include those related to safeguarding assets from waste
or preparing statistical reports.
.07:
To evaluate internal control, the auditor identifies and understands
the relevant controls and tests their effectiveness. Where controls are
considered to be effective, the extent of substantive testing can be
reduced.
.08: The methodology includes guidance on:
* assessing specific levels of control risk,
* selecting controls to test,
* determining the effectiveness of IS controls, and:
* testing controls, including coordinating control tests with the
testing phase.
.09:
Also, during the internal control phase, for CFO Act agencies and their
components identified in OMB's audit guidance, the auditor should
understand the entity's significant financial management systems and
test their compliance with FFMIA requirements.
Testing Phase:
.10: The objectives of this phase are to (1) obtain reasonable assurance
about whether the financial statements are free from material
misstatements, (2) determine whether the entity complied with
significant provisions of applicable laws and regulations, and (3)
assess the effectiveness of internal control through control tests that
are coordinated with other tests.
.11: To achieve these objectives, the methodology includes guidance on:
* designing and performing substantive, compliance, and control tests;
* designing and evaluating audit samples;
* correlating risk and materiality with the nature, timing, and extent
of substantive tests; and:
* designing multipurpose tests that use a common sample to test several
different controls and specific accounts or transactions.
Reporting Phase:
.12: This phase completes the audit by reporting useful information
about the entity, based on the results of audit procedures performed in
the preceding phases. This involves developing the auditor's report on
the entity's (1) financial statements (also called Principal Statements)
and other information (management's discussion and analysis [MD&A] or
the overview, RSSI, other required supplementary information, and other
accompanying information), (2) internal control, (3) whether the
financial management systems substantially comply with FFMIA
requirements, and (4) compliance with laws and regulations. To assist
in this process, the methodology includes guidance on forming opinions
on the principal statements and conclusions on internal control, as
well as how to determine which findings should be reported. Also
included is an example report designed to be understandable to the
reader.
RELATIONSHIP TO APPLICABLE STANDARDS:
.13: The following section describes the relationship of this audit
methodology to applicable auditing standards, OMB guidance, and other
policy requirements. It is organized into three areas:
* relevant auditing standards and OMB guidance,
* audit requirements beyond the "yellow book," and:
* auditing standards and other policies not addressed in this manual.
Relevant Auditing Standards and OMB Guidance:
.14: This manual provides a framework for performing financial statement
audits in accordance with Government Auditing Standards (also known as
generally accepted government auditing standards or GAGAS) issued by
the Comptroller General of the United States ("yellow book");
incorporated generally accepted auditing standards (GAAS) and
attestation standards established by the American Institute of
Certified Public Accountants (AICPA); and OMB's audit guidance.
.15: This manual describes an audit methodology that both integrates the
requirements of the standards and provides implementation guidance. The
methodology is designed to achieve:
* effective audits by considering compliance with the CFO Act, FFMIA,
GAGAS, and OMB guidance;
* efficient audits by focusing audit procedures on areas of higher risk
and materiality and by providing an integrated approach designed to
gather evidence efficiently;
* quality control through an agreed-upon framework that can be followed
by all personnel; and:
* consistency of application through a documented methodology.
.16:
The manual supplements GAGAS and OMB's audit guidance. References are
made to Statements on Auditing Standards (preceded by the prefix "AU")
and Statements on Standards for Attestation Engagements (SSAE)
(preceded by the prefix "AT") of the Codification of Statements on
Auditing Standards, issued by the AICPA, that are incorporated into
GAGAS.
Audit Requirements Beyond the "Yellow Book":
.17:
In addition to meeting GAGAS requirements, audits of federal entities
to which OMB's audit guidance applies must be designed to achieve the
following objectives described in OMB's audit guidance:
* responsibility for performing sufficient tests of internal controls
that have been properly designed and placed in operation, to support a
low assessed level of control risk;
* expansion of the nature of controls that are evaluated and tested to
include controls related to RSSI, budget execution, and compliance with
laws and regulations;
* responsibility to understand the components of internal control
relating to the existence and completeness assertions relevant to the
performance measures included in the MD&A, in order to report on
controls that have not been properly designed and placed in operation;
* responsibility to consider the entity's process for complying with 31
U.S.C. 3512 (the Federal Managers' Financial Integrity Act (FMFIA));
* responsibility to perform tests at CFO Act agencies and components
identified by OMB to report on the entity's financial management
systems' substantial compliance with FFMIA requirements;
* responsibility to test for compliance with laws, regulations, and
governmentwide policies identified in OMB's audit guidance at CFO Act
agencies (regardless of their materiality to the audit); and:
* responsibility to consider conformity of the MD&A, RSSI, required
supplementary information, and other accompanying information with
FASAB requirements and OMB guidance.
.18:
To help achieve the goals of the CFO Act, GAO audits should be designed
to achieve the following objectives,[Footnote 5] in addition to those
described in OMB's audit guidance:
* Provide an opinion on internal control.
* Determine the effects of misstatements and internal control weaknesses
on (1) the achievement of operations control objectives, (2) the
accuracy of reports prepared by the entity, and (3) the formulation of
the budget.
* Determine whether specific control activities are properly designed and
placed in operation, even if a poor control environment precludes their
effectiveness.
* Understand the components of internal control relating to the
valuation assertion relevant to performance measures reported in the
MD&A in order to report on controls that have not been properly
designed and placed in operation.
Auditing Standards and Other Policies Not Addressed in the Manual:
.19: This manual was designed to supplement financial audit and other
policies and procedures adopted by GAO and Inspectors General (IGs). As
such, it was not intended to address in detail all requirements. For
example, report processing is not addressed.
.20: Updates to this manual that include additional audit guidance and
practice aids, such as checklists and audit programs, will be issued
from time to time. GAO and a team representing the PCIE audit committee
will be responsible for preparing the updates. There will be an
exposure process for significant updates.
KEY IMPLEMENTATION ISSUES:
.21: The auditor should consider the following factors in applying the
methodology to a particular entity:
* audit objectives,
* exercise of professional judgment,
* references to positions,
* use of IS auditors,
* compliance with policies and procedures in the manual,
* use of technical terms, and:
* reference to GAO/PCIE Financial Audit Manual (FAM).
Audit Objectives:
.22:
While certain federal entities are not subject to OMB audit guidance,
financial statement audits of all federal entities should be conducted
in accordance with this guidance to the extent applicable to achieve
the audit's objectives. The manual generally assumes that the objective
of the audit is to render an opinion on the current year financial
statements, a report on internal control, and a report on compliance.
Where these are not the objectives, the auditor should use judgment in
applying the guidance. In some circumstances, the auditor will expect
to issue a disclaimer on the current year financial statements (because
of scope limitations). In these circumstances, the auditor may develop
a multiyear plan to be able to render an opinion when the financial
statements are expected to become auditable.
Exercise of Professional Judgment:
.23:
In performing a financial statement audit, the auditor should exercise
professional judgment. Consequently, the auditor should tailor the
guidance in the manual to respond to situations encountered in an
audit. However, the auditor must exercise judgment properly, assuring
that, at a minimum, the work meets professional standards. Proper
application of professional judgment could result in additional or more
extensive audit procedures than described in this manual.
.24:
In addition, when exercising judgment, the auditor should consider the
needs of, and consult in a timely manner with, other auditors who plan
to use the work being performed. In turn, the auditor should coordinate
with other auditors whose work he or she wishes to use so that the
judgments exercised can satisfy the needs of both auditors. For
example, auditors of a consolidated entity (such as the US Government
or an entire department or agency) are likely to plan to use the work
of auditors of subsidiary entities (such as individual departments and
agencies or bureaus and components of a department). This coordination
can result in more economy, efficiency, and effectiveness of government
audits in general and avoid duplication of effort.
.25: Many aspects of the audit require technical judgments. The auditor
should ensure a person(s) with adequate technical expertise is (are)
available, especially in the following areas:
* quantifying planning materiality, design materiality, and test
materiality and using materiality as one consideration in determining
the extent of testing (see section 230);
* specifying a minimum level of substantive assurance based on the
assessed combined risk, analytical procedures, and detail tests (see
sections 470, 480, and 495 D);
* documenting whether selections are samples (intended to be
representative and projected to populations) or nonsampling selections
that are not projectible (see section 480);
* using sampling methods, such as dollar-unit sampling, classical
variables estimation sampling, or classical probability proportional to
size (PPS) sampling, for substantive or multipurpose testing (including
nonstatistical sampling) (see section 480);
* using sampling for control testing, other than attribute sampling using
the tables in section 450 to determine sample size when not performing
a multipurpose test;
* using sampling for compliance testing of laws and regulations, other
than attribute sampling using the tables in section 460 to determine
sample size when not performing a multipurpose test; and:
* placing complete or partial reliance on analytical procedures, using
test materiality to calculate the limit. The limit is the amount of
difference between the expected and recorded amounts that can be
accepted without further investigation (see section 475).
References to Positions:
.26: Various sections of this manual make reference to consultation with
audit management and/or persons with technical expertise to obtain
approval or additional guidance. Key consultations should be documented
in the audit workpapers. Each audit organization should document, in
the workpapers or its audit policy manual, the specific positions of
persons who will perform these functions. An IG using a firm to perform
an audit in accordance with this manual should clarify and document the
positions of the persons the firm should consult in various
circumstances.
* The Assistant Director is the top person responsible for the
day-to-day conduct of the audit.
* The Audit Director is the senior manager responsible for the technical
quality of the financial statement audit, reporting to the Assistant
Inspector General for Audit or, at GAO, to the Managing Director.
* The Reviewer is the senior manager responsible for the quality of the
auditor's reports, reporting to the Assistant Inspector General for
Audit (or higher position) or, at GAO, is the Managing Director or the
second partner. The Reviewer may consult with others.
* The Statistician is the person the auditor consults for technical
expertise in areas such as audit sampling, audit sample evaluation, and
selecting entity field locations to visit.
* The Data Extraction Specialist is the person with technical expertise
in extracting data from agency records.
* The Technical Accounting and Auditing Expert is the senior manager
reporting to the Assistant Inspector General for Audit or higher or, at
GAO, is the Chief Accountant. The Technical Accounting and Auditing
Expert advises on accounting and auditing professional matters and
related national issues. The Technical Accounting and Auditing Expert
reviews reports on financial statements and reports that contain
opinions on financial information.
* The Office of General Counsel (OGC) provides assistance to the auditor
in (1) identifying provisions of laws and regulations to test,
(2) identifying budget restrictions, and (3) identifying and resolving
legal issues encountered in the financial statement audit, such as
evaluating potential instances of noncompliance.
* The Special Investigator Unit investigates specific allegations
involving conflict-of-interest and ethics matters, contract and
procurement irregularities, official misconduct and abuse, and fraud in
federal programs or activities. In the offices of the IGs this is the
investigation unit; at GAO, it is Special Investigations. The Special
Investigator Unit provides assistance to the auditor by (1) informing
the auditor of relevant pending or completed investigations of the
entity and (2) investigating possible instances of federal fraud,
waste, and abuse.
Use of Information Systems Auditors:
.27: The audit standards (SAS 94) require that the audit team possess
sufficient knowledge of information systems (IS) to determine the
effect of IS on the audit, to understand the IS controls, and to design
and perform tests of IS controls and substantive tests. This is
generally done by having IS auditors as part of the audit team. IS
auditors should possess sufficient technical knowledge and experience
to understand the relevant concepts discussed in the manual and to
apply them to the audit. While the auditor is ultimately responsible
for assessing inherent and control risk, assessing the effectiveness of
IS controls requires a person with IS audit technical skills.
Specialized technical skills generally are needed in situations where,
(1) the entity's systems, automated controls, or the manner in which
they are used in conducting the entity's business are complex,
(2) significant changes have been made to existing systems or new
systems implemented, (3) data are extensively shared among systems, (4)
the entity participates in electronic commerce, (5) the entity uses
emerging technologies, or (6) significant audit evidence is available
only in electronic form. Appendix V of GAO's Federal Information System
Controls Audit Manual (FISCAM) contains examples of knowledge, skills,
and abilities needed by IS auditors. Certain financial auditors also
may possess IS audit technical skills. In some cases, the auditor may
require outside consultants to provide these skills.
Compliance With Policies and Procedures in the Manual:
.28: The following terms are used throughout the manual to describe the
degree of compliance with the policy or procedure required.
* Must: Compliance with this policy or procedure is mandatory unless an
exception is approved in writing by the Reviewer, [Footnote 6]such as
in certain instances when a disclaimer of opinion is anticipated.
* Should: Compliance with this policy or procedure is expected unless
there is a reasonable basis for departure from it. Any such departure
and the basis for it are to be documented in a memorandum. The
Assistant Director should approve this memorandum and copies should be
sent to the Audit Director and the Reviewer.
Generally Should: Compliance with this policy or procedure is strongly
encouraged. Departure from such policy or procedure should be discussed
with the Assistant Director or the audit manager.
* May: Compliance with this policy or procedure is optional.
When the auditor deviates from a policy or procedure that is expressed
by use of the term "must" or "should" in the FAM, he or she should
consider the needs of, and consult in a timely manner with, other
auditors who plan to use the work of the auditor and provide an
opportunity for the other auditors to review the documentation
explaining these deviation decisions.
Use of Technical Terms:
.29: The manual uses many existing technical auditing terms and
introduces many others. To assist you, a glossary of significant terms
is included in this manual.
Reference to GAO/PCIE Financial Audit Manual:
.30: When cited in workpapers, correspondence, or other communication,
the letters "FAM" should precede section or paragraph numbers from this
manual. For example, this paragraph should be referred to as FAM
100.30.
FOOTNOTES
[1] In October 1999 the American Institute of Certified Public
Accountants (AICPA) recognized the Federal Accounting Standards
Advisory Board (FASAB) as the accounting standards-setting body for
federal government entities under Rule 203 of the AICPA's Code of
Professional Conduct. Thus, FASAB standards are recognized as generally
accepted accounting principles (GAAP) for federal entities. FASAB
standards (Statement of Federal Financial Accounting Standards No. 8,
paragraph .40) allow government corporations and certain other federal
entities to report using GAAP issued by the Financial Accounting
Standards Board (FASB).
[2] Testing for FFMIA is most efficiently accomplished, for the most
part, as part of the work done in understanding agency systems in the
Internal Control phase of the audit.
[3] The methodology presented is for performance of a financial
statement audit. If the auditor is to use the work of another auditor,
see FAM section 650 (under revision).
[4] AICPA attestation standards allow the auditor to give an opinion on
internal control or on management's assertion about the effectiveness
of internal control (except that if material weaknesses are present,
the opinion must be on internal control, not management's assertion).
The example report in this manual assumes the opinion will be on
internal control directly.
[5] The manual refers specifically to objectives of GAO audits in various sections. Such objectives are optional for other audit organizations.
[6] Capitalized positions are described in paragraph 100.25.
SECTION 200:
Planning Phase:
Table 1: Methodology Overview:
Planning Phase:
* Understand the entity's operations: 220;
* Perform preliminary analytical procedures: 225;
* Determine planning, design, and test materiality: 230;
* Identify significant line items, accounts, assertions, and RSSI: 235;
* Identify significant cycles, accounting applications, and financial
management systems: 240;
* Identify significant provisions of laws and regulations: 245;
* Identify relevant budget restrictions: 250;
* Identify risk factors: 260;
* Determine likelihood of effective information system controls: 270;
* Identify relevant operations controls to evaluate and test: 275;
* Plan other audit procedures: 280;
* Plan locations to visit: 285.
Internal Control Phase:
* Understand information systems: 320;
* Identify control objectives: 330;
* Identify and understand relevant control activities: 340;
* Determine the nature, timing, and extent of control tests and of
tests for systems' compliance with FFMIA requirements: 350;
* Perform nonsampling control tests and tests for systems' compliance
with FFMIA requirements: 360;
* Assess controls on a preliminary basis: 370.
Testing Phase:
* Consider the nature, timing, and extent of tests: 420;
* Design efficient tests: 430;
* Perform tests and evaluate results: 440;
* Sampling control tests: 450;
* Compliance tests: 460;
* Substantive tests: 470;
* Substantive analytical procedures: 475;
* Substantive detail tests: 480.
Reporting Phase: Section:
* Perform overall analytical procedures: 520;
* Determine adequacy of audit procedures and audit scope: 530;
* Evaluate misstatements: 540;
* Conclude other audit procedures: 550;
* Inquire of attorneys;
* Consider subsequent events;
* Obtain management representations;
* Consider related party transactions;
* Determine conformity with generally accepted accounting
principles: 560;
* Determine compliance with GAO/PCIE Financial Audit Manual: 570;
* Draft reports: 580.
[End of table]
210: Overview:
.01: The auditor performs planning to determine an effective and
efficient way to obtain the evidential matter necessary to report on
the entity's Accountability Report (or annual financial statement).
The nature, extent, and timing of planning varies with, for example,
the entity's size and complexity, the auditor's experience with the
entity, and the auditor's knowledge of the entity's operations.
Procedures performed in the planning phase are shown in figure 200.1.
.02:
A key to a quality audit, planning requires the involvement of senior
members of the audit team. Although concentrated in the planning phase,
planning is an iterative process performed throughout the audit. For
example, findings from the internal control phase directly affect
planning the substantive audit procedures. Also, the results of control
and substantive tests may require changes in the planned audit
approach.
.03:
Auditors should consider the needs of, and consult in a timely manner
with, other auditors who plan to use the work being performed,
especially when making decisions that require the auditor to exercise
significant judgment.
220: Understand the Entity's Operations:
.01:
The auditor should obtain an understanding of the entity sufficient to
plan and perform the audit in accordance with applicable auditing
standards and requirements. In planning the audit, the auditor gathers
information to obtain an overall understanding of the entity and its
origin and history, size and location, organization, mission, business,
strategies, inherent risks, fraud risks, control environment, risk
assessment, communications, and monitoring. Understanding the entity's
operations in the planning process enables the auditor to identify,
respond to, and resolve accounting and auditing problems early in the
audit.
.02:
The auditor's understanding of the entity and its operations does not
need to be comprehensive but should include:
* entity management and organization,
* external factors affecting operations,
* internal factors affecting operations, and:
* accounting policies and issues.
.03:
The auditor should identify key members of management and obtain a
general understanding of the organizational structure. The auditor's
main objective is to understand how the entity is managed and how the
organization is structured for the particular management style.
.04:
The auditor should identify significant external and internal factors
that affect the entity's operations. External factors might include (1)
source(s) of funds, (2) seasonal fluctuations, (3) current political
climate, and (4) relevant legislation. Internal factors might include
(1) size of the entity, (2) number of locations, (3) structure of the
entity (centralized or decentralized), (4) complexity of operations,
(5) information system structure, (6) qualifications and competence of
key personnel, and (7) turnover of key personnel.
.05:
In identifying accounting policies and issues, the auditor should
consider:
* generally accepted accounting principles, including whether the
entity is likely to be in compliance;
* changes in GAAP that affect the entity; and:
* whether entity management appears to follow aggressive or
conservative accounting policies.
.06:
The auditor also should consider whether the entity will report any
required supplementary stewardship information (RSSI). This includes
stewardship property, plant, and equipment (PP&E) (heritage assets,
national defense assets, and stewardship land), stewardship investments
(nonfederal physical property, human capital, and research and
development), social insurance, and risk-assumed information. RSSI and
deferred maintenance, which is considered required supplementary
information, should be designated "unaudited.":
.07:
The auditor should develop and document a high-level understanding of
the entity's use of information systems (IS) and how IS affect the
generation of financial statement information, RSSI, and the data that
support performance measures reported in the MD&A (overview) of the
Accountability Report (CFO report). An IS auditor may assist the
auditor in understanding the entity's use of IS. Appendix I of the GAO
Federal Information System Controls Manual (FISCAM) can be used to
document this understanding.
.08:
The auditor gathers planning information through different methods
(observation, interviews, reading policy and procedure manuals, etc.)
and from a variety of sources, including:
* top-level entity management,
* entity management responsible for significant programs,
* Office of Inspector General (IG) and internal audit management
(including any internal control officer),
* others in the audit organization concerning other completed, planned
or in-progress assignments,
* personnel in OGC,
* personnel in the Special Investigator Unit, and:
* entity legal representatives.
.09:
The auditor gathers information from relevant reports and articles
issued by or about the entity, including:
* the entity's prior Accountability Reports;
* other financial information;
* FMFIA reports and supporting documentation;
* reports by management or the auditor about systems' substantial
compliance with FFMIA requirements;
* the entity's budget and related reports on budget execution;
* GAO reports;
* IG and internal audit reports (including those for performance audits
and other reviews);
* congressional hearings and reports;
* consultant reports; and:
* material published about the entity in newspapers, magazines, internet
sites, and other publications.
225: Perform Preliminary Analytical Procedures:
.01:
During the planning phase, preliminary analytical procedures are
performed to help the auditor:
* understand the entity's business, including current-year transactions
and events;
* identify account balances or transactions that may signal inherent or
control risks (see section 260);
* identify and understand the significant accounting policies;
* determine planning, design, and test materiality (see section 230);
and:
* determine the nature, timing, and extent of audit procedures to be
performed.
.02:
GAAS requires the auditor to perform preliminary analytical procedures
(AU 329). The resources spent in performing these procedures should be
commensurate with the expected reliability of comparative information.
For example, in a first-year audit, comparative information might be
unreliable; therefore, preliminary analytical procedures generally
should be limited.
.03:
The auditor generally should perform the following steps to achieve the
objectives of preliminary analytical procedures.
a. Compare current-year amounts with relevant comparative financial
information: The financial data used in preliminary analytical
procedures generally are summarized at a high level, such as the level
of financial statements. If financial statements are not available, the
budget or financial summaries that show the entity's financial position
and results of operations may be used.
The auditor compares current-year amounts with relevant comparative
financial information. Use of unaudited comparative data might not
allow the auditor to identify significant fluctuations, particularly if
an item consistently has been treated incorrectly. Also, the auditor
may identify fluctuations that are not really fluctuations due to
errors in the unaudited comparative data.
A key to effective preliminary analytical procedures is to use
information that is comparable in terms of the time period presented
and the presentation (i.e., same level of detail and consistent
grouping of detail accounts into summarized amounts used for
comparison).
The auditor may perform ratio analysis on current-year data and compare
the current year's ratios with those derived from prior periods or
budgets. The auditor does this to study the relationships among
components of the financial statements and to increase knowledge of the
entity's activities. The auditor uses ratios that are relevant
indicators or measures for the entity. Also, the auditor should
consider any trends in the performance indicators prepared by the
entity.
b. Identify significant fluctuations: Fluctuations are differences
between the recorded amounts and the amounts expected by the auditor,
based on comparative financial information and the auditor's knowledge
of the entity. Fluctuations refer to both unexpected differences
between current-year amounts and comparative financial information as
well as the absence of expected differences. The identification of
fluctuations is a matter of the auditor's judgment.
The auditor establishes parameters for identifying significant
fluctuations. When setting these parameters, the auditor generally
considers the amount of the fluctuation in terms of absolute size and/
or the percentage difference. The amount and percentage used are left
to the auditor's judgment. An example of a parameter is "All
fluctuations in excess of $10 million and/or 15 percent of the prior-
year balance or other unusual fluctuations will be considered
significant.":
c. Inquire about significant fluctuations: The auditor discusses the
identified fluctuations with appropriate entity personnel. The focus of
the discussion is to achieve the purposes of the procedures described
in paragraph 225.01. For preliminary analytical procedures, the auditor
does not need to corroborate the explanations since they will be tested
later. However, the explanations should appear reasonable and
consistent to the auditor. The inability of entity personnel to explain
the cause of a fluctuation may indicate the existence of control,
fraud, and/or inherent risks.
230: Determine Planning, Design, and Test Materiality:
.01:
Materiality is one of several tools the auditor uses to determine that
the planned nature, timing, and extent of procedures are appropriate.
As defined in Financial Accounting Standards Board (FASB) Statement of
Financial Concepts No. 2., materiality represents the magnitude of an
omission or misstatement of an item in a financial report that, in
light of surrounding circumstances, makes it probable that the judgment
of a reasonable person relying on the information would have been
changed or influenced by the inclusion or correction of the item.
.02:
Materiality is based on the concept that items of little importance,
which do not affect the judgment or conduct of a reasonable user, do
not require auditor investigation. Materiality has both quantitative
and qualitative aspects. Even though quantitatively immaterial, certain
types of misstatements could have a material impact on or warrant
disclosure in the financial statements for qualitative reasons.
.03:
For example, intentional misstatements or omissions (fraud) usually are
more critical to the financial statement users than are unintentional
errors of equal amounts. This is because the users generally consider
an intentional misstatement more serious than clerical errors of the
same amount.
.04:
GAGAS and incorporated GAAS require the auditor to consider materiality
in planning, designing procedures, and considering need for disclosure
in the audit report. AU 312 requires the auditor, in planning the
audit, to consider his/her preliminary judgment about materiality
levels. The "yellow book" states that materiality is a matter of
professional judgment influenced by the needs of the reasonable person
relying on the financial statements. Materiality judgments are made in
the light of surrounding circumstances and involve both quantitative
and qualitative considerations, such as the public accountability of
the auditee and the visibility and sensitivity of government programs,
activities, and functions.
.05:
The term "materiality" can have several meanings. In planning and
performing the audit, the auditor uses the following terms that relate
to materiality:
* Planning materiality is a preliminary estimate of materiality, in
relation to the financial statements taken as a whole, used to
determine the nature, timing, and extent of substantive audit
procedures and to identify significant laws and regulations for
compliance testing.
* Design Materiality is the portion of planning materiality that has
been allocated to line items, accounts, or classes of transactions
(such as disbursements). This amount will be the same for all line
items or accounts (except for certain intragovernmental or offsetting
balances as discussed in paragraph 230.10).
* Test materiality is the materiality actually used by the auditor in
testing a specific line item, account, or class of transactions. Based
on the auditor's judgment, test materiality can be equal to or less
than design materiality, as discussed in paragraph 230.13. Test
materiality may be different for different line items or accounts.
.06:
The following other uses of the term "materiality" relate principally
to the reporting phase:
* Disclosure materiality is the threshold for determining whether an
item should be reported or presented separately in the financial
statements or in the related notes. This value may differ from
planning materiality.
* FMFIA materiality is the threshold for determining whether a matter
meets OMB criteria for reporting matters under FMFIA as described in
paragraphs 580.35-.37.
* Reporting materiality is the threshold for determining whether an
unqualified opinion can be issued. In the reporting phase, the auditor
considers whether unadjusted misstatements are quantitatively or
qualitatively material. If considered to be material, the auditor would
be precluded from issuing an unqualified opinion on the financial
statements. See section 540.
Unless otherwise specified, such as through using the terms above, the
term "materiality" in this manual refers to the overall financial
statement materiality as defined in paragraph 230.01.
.07:
The following guidelines provide the auditor with a framework for
determining planning materiality. However, this framework is not a
substitute for professional judgment. The auditor has the flexibility
to determine planning materiality outside of these guidelines. In such
circumstances, the Audit Director should discuss the basis for the
determination with the Reviewer. The planning materiality selected and
method of determining planning materiality should be documented and
approved by the Audit Director.
.08:
The auditor should estimate planning materiality in relation to the
element of the financial statements that is most significant to the
primary users of the statements (the materiality base). The auditor
uses judgment in determining the appropriate element of the financial
statements to use as the materiality base. Also, since the materiality
base normally is based on unaudited preliminary information determined
in the planning phase, the auditor usually has to estimate the year-end
balance of the materiality base. To provide reasonable assurance that
sufficient audit procedures are performed, any estimate of the
materiality base should use the low end of the range of estimated
materiality so that sufficient testing is performed.
.09:
For capital-intensive entities, total assets may be an appropriate
materiality base. For expenditure-intensive entities, total expenses
may be an appropriate materiality base. Based on these concepts, the
materiality base generally should be the greater of total assets or
expenses (net of adjustments for intragovernmental balances and
offsetting balances). (See discussion of these adjustments in next
paragraph.) Other materiality bases that might be considered include
total liabilities, equity, revenues, and net cost to the government
(appropriations).
.10:
In considering a materiality base, the auditor should consider how to
handle significant intragovernmental balances (such as funds with the
U.S. Treasury, U.S. Treasury securities, and interentity balances) and
offsetting balances (such as future funding sources that offset certain
liabilities and collections that are offset by transfers to other
government entities). The auditor should establish a separate
materiality base for significant intragovernmental or offsetting
balances because combining all accounts may improperly distort the
nature, timing, and extent of audit procedures. For example, an entity
that collects and remits funds on behalf of other federal entities
could have operating accounts that are small in comparison to the funds
processed on behalf of other entities. In this example, the auditor
would compute separate planning materiality for auditing (1) the
offsetting accounts, using the balance of the offsetting accounts as
the materiality base and (2) the rest of the financial statements using
the materiality base guidance in paragraph 230.09.
.11:
Planning materiality generally should be 3 percent of the materiality
base. Although a mechanical means might be used to compute planning
materiality, the auditor should use judgment in evaluating whether the
computed level is appropriate. The auditor also should consider
adjusting the materiality base for the impact of such items as
unrecorded liabilities, contingencies, and other items that are not
incorporated in the entity's financial statements (and not reflected in
the materiality base) but that may be important to the financial
statement user.
.12:
Design materiality for the audit should be one-third of planning
materiality to allow for the precision of audit procedures. This
guideline recognizes that misstatements may occur throughout the
entity's various accounts. The design materiality represents the
materiality used as a starting point to design audit procedures for
line items or accounts so that an aggregate material misstatement in
the financial statements will be detected, for a given level of audit
assurance (discussed in paragraph 260.04).
.13:
Generally, the test materiality used for a specific test is the same as
the design materiality. However, the auditor may use a test materiality
lower than the design materiality for substantive testing of specific
line items and assertions (which increases the extent of testing) when:
* the audit is being performed at some, but not all, entity locations
(requiring increased audit assurance for those locations visited - see
section 285);
* the area tested is deemed to be sensitive to the financial statement
users; or:
* the auditor expects to find a significant amount of misstatements.
[Footnote 1]
235: Identify Significant Line Items, Accounts, Assertions, and RSSI:
.01:
The auditor should identify significant line items and accounts in the
financial statements and significant related financial statement
assertions. The auditor should also identify significant RSSI.[Footnote
2] In the internal control and testing phases, the auditor performs
control and substantive tests for each significant assertion for each
significant account. By identifying significant line items, accounts,
and the related assertions early in the planning process, the auditor
is more likely to design efficient audit procedures. Some insignificant
line items, accounts, and assertions may not warrant substantive audit
tests to the extent that they are not significant in the aggregate.
However, some line items and accounts with zero or unusual balances may
warrant testing, especially with regard to the completeness assertion.
.02:
Financial statement assertions, as defined by AU 326, are management
representations that are embodied in financial statement components.
Most of the auditor's work in forming an opinion on financial
statements consists of obtaining and evaluating evidential matter
concerning the assertions in such financial statements. The assertions
can be either explicit or implicit and can be classified into the
following broad categories:
* Existence or occurrence: An entity's assets or liabilities exist at a
given date, and recorded transactions have occurred during a given
period.
* Completeness: All transactions and accounts that should be presented
in the financial statements are so included.
* Rights and obligations: Assets are the rights of the entity, and
liabilities are the obligations of the entity at a given date.
* Valuation or allocation: Asset, liability, revenue, and expense
components have been included in the financial statements at
appropriate amounts.
* Presentation and disclosure: The particular components of the
financial statements are properly classified, described, and disclosed.
.03:
A line item or an account in the financial statements or RSSI should be
considered significant if it has one or more of the following
characteristics:
* Its balance is material (exceeds design materiality) or comprises a
significant portion of a material financial statement or RSSI amount.
* A high combined risk (inherent and control risk, as discussed in
paragraph 260.02) of material misstatement (either overstatement or
understatement) is associated with one or more assertions relating to
the line item or account. For example, a zero or unusually small
balance account may have a high risk of material understatement.
* Special audit concerns, such as regulatory requirements, warrant
added consideration.
The auditor should determine that any accounts considered insignificant
are not significant in the aggregate.
.04:
An assertion is significant if misstatements in the assertion could
exceed test materiality for the related line item, account, or
disclosure. Certain assertions for a specific line item or account,
such as completeness and disclosure, could be significant even though
the recorded balance of the related line item or account is not
material. For example, (1) the completeness assertion could be
significant for an accrued payroll account with a high combined risk of
material understatement even if its recorded balance is zero and (2)
the disclosure assertion could be significant for a contingent
liability even if no amount is recordable.
.05:
Assertions are likely to vary in degree of significance, and some
assertions may be insignificant or irrelevant for a given line item or
account. For example:
* The completeness assertion for liabilities may be of greater
significance than the existence assertion for liabilities.
* All assertions related to an account that is not significant (as
defined in paragraph 235.03) are considered to be insignificant.
The rights and obligations assertion for a revenue or expense account
is irrelevant.
.06: Significant line items, accounts, and assertions should be
identified in the Account Risk Analysis (ARA) or other appropriate
audit planning workpapers.
240: Identify Significant Cycles, Accounting Applications, and
Financial Management Systems:
.01:
In the internal control phase, the auditor evaluates controls for each
significant cycle and accounting application and determines whether
significant financial management systems substantially comply with
federal financial management systems requirements, federal accounting
standards, and the SGL at the transaction level. A cycle or an
accounting application should be considered significant if it processes
an amount of transactions in excess of design materiality or if it
supports a significant account balance in the financial statements or
significant RSSI. A financial management system generally consists of
one or more accounting applications. If one or more of the accounting
applications making up a financial management system are considered
significant, then that financial management system generally should be
considered significant for determining whether the system substantially
complies with FFMIA requirements. The auditor may identify other
cycles, accounting applications, or financial management systems as
significant based on qualitative considerations. For example, financial
management systems covered by FFMIA include not only systems involved
in processing financial transactions and preparing financial
statements, but also systems supporting financial planning, management
reporting, or budgeting activities, systems accumulating and reporting
cost information, and the financial portion of mixed systems, such as
benefit payment, logistics, personnel, and acquisition systems.
.02:
The entity's accounting system may be viewed as consisting of logical
groupings of related transactions and activities, or accounting
applications. Each significant line item/account is affected by input
from one or more accounting applications (sources of debits or
credits). Related accounting applications may be grouped into cycles by
the auditor and into financial management systems by the entity.
Accounting applications are classified as (1) transaction-related or
(2) line item/account-related.
.03:
A transaction-related accounting application consists of the methods
and records established to identify, assemble, analyze, classify, and
record (in the general ledger) a particular type of transaction.
Typical transaction-related accounting applications include billing,
cash receipts, purchasing, cash disbursements, and payroll. A line
item/account-related accounting application consists of the methods and
records established to report an entity's recorded transactions and to
maintain accountability for related assets and liabilities. Typical
line item/account-related accounting applications include cash
balances, accounts receivable, inventory control, property and
equipment, and accounts payable.
.04:
Within a given entity, there may be several examples of each accounting
application. For example, a different billing application may exist for
each program that uses a billing process. Accounting applications that
process a related group of transactions and accounts comprise cycles.
For instance, the billing, returns, cash receipts, and accounts
receivable accounting applications might be grouped to form the revenue
cycle. Similarly, related accounting applications also comprise
financial management systems.
.05:
For each significant line item and account, the auditor should use the
Account Risk Analysis form (ARA) (see section 395 I) or an equivalent
workpaper to document the significant transaction cycles (such as
revenue, purchasing, and production) and the specific significant
accounting applications that affect these significant line items and
accounts. For example, the auditor might determine that billing,
returns, cash receipts, and accounts receivable are significant
accounting applications that affect accounts receivable (a significant
line item). The Account Risk Analysis form provides a convenient way
for documenting the specific risks of misstatement for significant line
items for consideration in determining the nature, timing, and extent
of audit procedures. If an equivalent workpaper is used, rather than
the ARA, it should document the information discussed in section 395 I.
.06:
Related accounting applications may be grouped into cycles to aid in
preparing workpapers. This helps the auditor design audit procedures
that are both efficient and relevant to the reporting objectives. The
auditor may document insignificant accounts in each line item on the
ARA or equivalent, indicating their insignificance and consequent lack
of audit procedures applied to them. In such instances, the cycle
matrix may not be necessary. Otherwise, the auditor should prepare a
cycle matrix or equivalent document that links each of the entity's
accounts (in the chart of accounts) to a cycle, an accounting
application, and a financial statement or RSSI line item.
.07:
Based on discussions with entity personnel, the auditor should
determine the accounting application that is the best source of the
financial statement information. When a significant line item has more
than one source of financial data, the auditor should consider the
various sources and determine which is best for financial audit
purposes. The auditor needs to consider the likelihood of misstatement
and auditability in choosing the source to use. For audit purposes, the
best source of financial information sometimes may be operational
information prepared outside the accounting system.
.08:
Once the significant accounting applications are identified, the
auditor determines which computer systems are involved in those
applications. Those particular computer systems are then considered in
assessing computer-related controls using an appropriate methodology.
.09:
An appropriate methodology would require the auditor to obtain
sufficient knowledge of the information system relevant to financial
reporting to understand the accounting processing from initiation of a
transaction to its inclusion in the financial statements, including
electronic means used to transmit, process, maintain, and access
information (see AU 319.49, SAS 94). AU 319.61 requires documentation
of this understanding. OMB audit guidance notes that the components of
internal control include general and application controls. General
controls are the entitywide security management program, access
control, application software development and change control, system
software control, segregation of duties, and service continuity
control. Application controls are authorization control, completeness
control, accuracy control, and control over integrity of processing and
data files. OMB audit guidance also requires that, for controls that
have been properly designed and placed in operation, the auditor shall
perform sufficient tests to support a low assessed level of control
risk. The auditor should document the basis for believing that the
methodology used is appropriate to satisfy these requirements for
assessing general and application controls. The GAO Federal Information
System Controls Audit Manual (FISCAM) is designed to meet these
requirements. See section 295 J for a flowchart of steps generally
followed in assessing information system controls in a financial
statement audit. IS security controls are also addressed in OMB
Circular A-130, Management of Federal Information Resources, in the
National Institute of Standards and Technology's An Introduction to
Computer Security: The NIST Handbook, and in other publications.
245: Identify Significant Provisions of Laws and Regulations:
.01:
To design relevant compliance-related audit procedures, the auditor
identifies the significant provisions of laws and regulations. To aid
the auditor in this process, this manual classifies provisions of laws
and regulations into the following categories:
* Transaction-based provisions are those for which compliance is
determined on individual transactions. For example, the Prompt Payment
Act requires that late payments be individually identified and interest
paid on such late payments.
* Quantitative-based provisions are those that require the accumulation/
summarization of quantitative information for measurement. These
provisions may contain minimum, maximum, or targeted amounts
(restrictions) for the accumulated/summarized information. For
example, the Comprehensive Environmental Response, Compensation, and
Liability Act of 1980 prohibits the Environmental Protection Agency
from exceeding certain spending limits on specific projects.
* Procedural-based provisions are those that require the entity to
implement policies or procedures to achieve certain objectives. For
example, the Single Audit Act, as amended, requires the awarding entity
to review certain financial information on awardees.
.02:
The auditor should identify the significant provisions of laws and
regulations. For each significant provision, the auditor should study
and evaluate related compliance controls and should test compliance
with the provision. To identify such significant provisions, the
auditor should take these steps:
a. The auditor should review the lists of laws and regulations that OMB
and the entity have determined might be significant to others. The OMB
list is provided in an appendix of OMB's audit guidance and is included
in section 295 H. The entity is expected to develop a list that, for
CFO Act agencies and components listed in OMB audit guidance, should
include laws and regulations in OMB audit guidance, whether or not they
are material to the entity, because they have been determined to be
material to the consolidated financial statements of the United States
Government. In addition, the auditor should identify (with OGC
assistance) any laws or regulations (in addition to those identified by
OMB and the entity) that have a direct effect on determining amounts in
the financial statements. The meaning of direct effect is discussed
below in paragraph 245.03.
b. For each such law or regulation, the auditor should identify those
provisions that are significant. A provision should be considered
significant if (1) compliance with the provision can be measured
objectively and (2) it meets one of the following criteria for
determining that the provision has a material effect on determining
financial statement amounts:
* Transaction-based provisions: Transactions processed by the entity
that are subject to the provision exceed planning materiality in the
aggregate.
* Quantitative-based provisions: The quantitative information required
by the provision or by established restrictions exceeds planning
materiality.
* Procedural-based provisions: The provision broadly affects all or a
segment of the entity's operations that process transactions exceeding
planning materiality in the aggregate. For example, a provision may
require that the entity establish procedures to monitor the receipt of
certain information from grantees; in determining whether to test
compliance with this provision, the auditor should consider whether the
total amount of money granted exceeded planning materiality.
.03: A direct effect means that the provision specifies:
* the nature and/or dollar amount of transactions that may be incurred
(such as obligation, outlay, or borrowing restrictions),
* the method used to record such transactions (such as revenue
recognition policies), or:
* the nature and extent of information to be reported or disclosed in the
annual financial statements (such as the statement of budgetary
resources).
For example, entity-enabling legislation may contain provisions that
limit the nature and amount of obligations or outlays and therefore
have a direct effect on determining amounts in the financial
statements. If a provision's effect on the financial statements is
limited to contingent liabilities as a result of noncompliance
(typically for fines, penalties, and interest), such a provision does
not have a direct effect on determining financial statement amounts.
Laws identified by the auditor that have a direct effect might include
(1) new laws and regulations (not yet reflected on OMB's list) and (2)
entity-specific laws and regulations. The concept of direct effect is
discussed in AU 801 (SAS 74) and AU 317.
.04:
In contrast, indirect laws relate more to the entity's operating
aspects than to its financial and accounting aspects, and their
financial statement effect is indirect. In other words, their effect
may be limited to recording or disclosing liabilities arising from
noncompliance. Examples of indirect laws and regulations include those
related to environmental protection and occupational safety and health.
.05:
The auditor is not responsible for testing compliance controls over or
compliance with any indirect laws and regulations not otherwise
identified by OMB or the entity (see paragraph 245.02.a.). However, as
discussed in AU 317, the auditor should make inquiries of management
regarding policies and procedures for the prevention of noncompliance
with indirect laws and regulations. Unless possible instances of
noncompliance with indirect laws or regulations come to the auditor's
attention during the audit, no further procedures with respect to
indirect laws and regulations are necessary.
.06:
The auditor may elect to test compliance with indirect laws and
regulations. For example, if the auditor becomes aware that the entity
has operations similar to those of another entity that was recently in
noncompliance with environmental laws and regulations, the auditor may
elect to test compliance with such laws and regulations. The auditor
may also elect to test provisions of direct laws and regulations that
do not meet the materiality criteria in paragraph 245.02.b. but that
are deemed significant, such as laws and regulations that have
generated significant interest by the Congress, the media, or the
public.
.07:
The significant provisions identified by the above procedures are
intended to include provisions of all laws and regulations that have a
direct and material effect on the determining of financial statement
amounts and therefore comply with GAGAS, AU 801 (SAS 74), and OMB audit
guidance.
.08:
In considering regulations to test for compliance, the auditor should
consider externally imposed requirements issued pursuant to the
Administrative Procedures Act, which has a defined due process. This
would include regulations in the Code of Federal Regulations, but would
not include OMB circulars and bulletins. Such circulars and bulletins
generally implement laws, and the provisions of the laws themselves
could be considered for compliance testing. Internal policies, manuals,
and directives may be the basis for internal controls, but are not
regulations to consider for testing for compliance.
250: Identify Relevant Budget Restrictions:
.01: To evaluate budget controls (see section 295 G) and to design
compliance-related audit procedures relevant to budget restrictions,
the auditor should understand the following information (which may be
obtained from the entity or OGC):
* the Antideficiency Act (title 31 of the U.S. Code, sections 1341,
1342, 1349-1351, 1511-1519);
* the Purpose Statute (title 31 of the U.S. Code, section 1301);
* the Time Statute (title 31 of the U.S. Code, section 1502);
* OMB Circular A-34;
* title 7 of the GAO Policy and Procedures Manual for Guidance of Federal
Agencies;
* the Impoundment Control Act; and:
* the Federal Credit Reform Act of 1990.
.02: The auditor should read the following information relating to the
entity's appropriation (or other budget authority) for the period of
audit interest:
* authorizing legislation;
* enabling legislation and amendments;
* appropriation legislation and supplemental appropriation legislation;
* apportionments and budget execution reports (including OMB forms 132
and 133 and supporting documentation);
* Impoundment Control Act reports regarding rescissions and deferrals,
if any;
* the system of funds control document approved by OMB; and:
* any other information deemed by the auditor to be relevant to
understanding the entity's budget authority, such as legislative
history contained in committee reports or conference reports.
Although legislative histories are not legally binding, they may help
the auditor understand the political environment surrounding the entity
(i.e., why the entity has undertaken certain activities and the
objectives of these activities).
.03: Through discussions with OGC and the entity and by using the above
information, the auditor should identify all legally binding
restrictions on the entity's use of appropriated funds that are
relevant to budget execution, such as restrictions on the amount,
purpose, or timing of obligations and outlays ("relevant budget
restrictions"). Additionally, the auditor should consider any legally
binding restrictions that the entity has established in its fund
control regulations, such as lowering the legally binding level for
compliance with the Antideficiency Act to the allotment level.
.04:
The auditor should obtain an understanding of the implications if the
entity were to violate these relevant budget restrictions. In the
internal control phase, the auditor identifies and tests the entity's
controls to prevent or detect noncompliance with these relevant
restrictions. The auditor may elect to evaluate controls over budget
restrictions that are not legally binding but that may be considered
sensitive or otherwise important.
.05:
During these discussions with OGC and the entity, the auditor should
determine whether any of these relevant budget restrictions relate to
significant provisions of laws and regulations for purposes of testing
compliance.
.06:
For those entities that do not receive appropriated funds, the auditor
should identify budget-related requirements that are legally binding on
the entity. These requirements, if any, are usually found in the
legislation that created the entity or its programs (such as the
authorizing and enabling legislation) as well as any subsequent
amendments. Although budget information on these entities may be
included in the President's budget submitted to the Congress, this
information usually is not legally binding. In general, certain budget-
related restrictions (such as the Antideficiency Act) apply to
government corporations but not to government-sponsored enterprises.
Regardless, the auditor should consider the entity's budget formulation
and execution as part of the control environment, as discussed in
section 260.
260: IDENTIFY RISK FACTORS:
.01:
The auditor's consideration of inherent risk, fraud risk, control
environment, risk assessment, communication, and monitoring (parts of
internal control) affects the nature, timing, and extent of substantive
and control tests. This section describes (1) the impact of risk
factors identified during this consideration on substantive and control
tests, (2) the process for identifying these risk factors, and (3) the
auditor's consideration of the entity's process for reporting under
FMFIA (both for internal control (section 2 of FMFIA) and for financial
management systems' conformance with system requirements (section 4 of
FMFIA)) and for formulating the budget.
IMPACT ON SUBSTANTIVE TESTING:
.02:
AU 312 provides guidance on the consideration of audit risk and defines
"audit risk" as the risk that the auditor may unknowingly fail to
appropriately modify an opinion on financial statements that are
materially misstated. Audit risk can be thought of in terms of the
following three component risks:
* Inherent risk is the susceptibility of an assertion to a material
misstatement, assuming that there are no related internal controls.
* Control risk is the risk that a material misstatement that could occur
in an assertion will not be prevented or detected and corrected on a
timely basis by the entity's internal control. Internal control
consists of five components: (1) the control environment, (2) risk
assessment, (3) monitoring, (4) information and communication, and (5)
control activities (defined in paragraph 260.08 below). This section
will discuss the first three of the components and communication and
section 300 (Internal Control Phase) will discuss the information
systems and control activities.
* Detection risk is the risk that the auditor will not detect a material
misstatement that exists in an assertion.
AU 316 (SAS 82) requires the auditor to consider fraud risk, which is a
part of audit risk, making up a portion of inherent and control risk.
Fraud risk consists of the risk of fraudulent financial reporting and
the risk of misappropriation of assets that cause a material
misstatement of the financial statements. The auditor should
specifically consider and document the risk of material misstatements
of the financial statements due to fraud and keep in mind the
consideration of fraud risk in designing audit procedures. Considering
the risk of material fraud generally should be done concurrently with
the consideration of inherent and control risk, but it should be a
separate conclusion. The auditor also should consider the risk of fraud
throughout the audit. Section 290 includes documentation requirements
for the consideration of fraud risk.
.03:
Based on the level of audit risk and an assessment of the entity's
inherent and control risk, including the consideration of fraud risk,
the auditor determines the nature, timing, and extent of substantive
audit procedures necessary to achieve the resultant detection risk. For
example, in response to a high level of inherent and control risk, the
auditor may perform:
* additional audit procedures that provide more competent evidential
matter (nature of procedures);
* substantive tests at or closer to the financial statement date (timing
of procedures); or:
* more extensive substantive tests (extent of procedures), as discussed
in section 295 E.
.04:
Audit assurance is the complement of audit risk. The auditor can
determine the level of audit assurance obtained by subtracting the
audit risk from 1. (Assurance equals 1 minus risk).[Footnote 3] AU
350.48 uses 5 percent as the allowable audit risk in explaining the
audit risk model (95 percent audit assurance). The audit organization
should determine the level of assurance to use, which may vary between
audits based on risk. GAO auditors should use 95 percent. In other
words, the GAO auditor, in order to provide an opinion, should design
the audit to achieve at least 95 percent audit assurance that the
financial statements are not materially misstated (5 percent audit
risk). Section 470 provides guidance to the auditor on how to combine
(1) the assessment of inherent and control risk (including fraud risk)
and (2) substantive tests to achieve the audit assurance required by
the audit organization.
.05:
The auditor may consider it necessary to achieve increased audit
assurance if the entity is politically sensitive or if the Congress has
expressed concerns about the entity's financial reporting. In this
case, the level of audit assurance should be approved by the Reviewer.
RELATIONSHIP TO CONTROL ASSESSMENT:
.06:
Internal control, as identified in AU 319 (SAS 55 amended by SAS 78),
is a process--effected by an entity's governing body, management, and
other personnel--designed to provide reasonable assurance regarding the
achievement of objectives in the following categories (OMB audit
guidance expands the category definitions as noted):[Footnote 4]
* Reliability of financial reporting--transactions are properly
recorded, processed, and summarized to permit the preparation of the
financial statements and RSSI in accordance with generally accepted
accounting principles, and assets are safeguarded against loss from
unauthorized acquisition, use, or disposition. (Note that safeguarding
controls (see paragraphs 310.02-.04) are considered as part of
financial reporting controls, although they are also operations
controls.):
* Compliance with applicable laws and regulations--transactions are
executed in accordance with (a) laws governing the use of budget
authority and other laws and regulations that could have a direct and
material effect on the financial statements or RSSI, and (b) any other
laws, regulations, and governmentwide policies identified by OMB in its
audit guidance. (Note that budget controls are part of financial
reporting controls as they relate to the statements of budgetary
resources and of financing, but that they are also part of compliance
controls in that they are used to manage and control the use of
appropriated funds and other forms of budget authority in accordance
with applicable law. These controls are described in more detail in
section 295 G.):
* Effectiveness and efficiency of operations. These controls include
policies and procedures to carry out organizational objectives, such as
planning, productivity, programmatic, quality, economy, efficiency,
and effectiveness objectives. Management uses these controls to provide
reasonable assurance that the entity (1) achieves its mission,
(2) maintains quality standards, and (3) does what management directs
it to do. (Note that performance measures controls (those designed to
provide reasonable assurance about reliability of performance
reporting--transactions and other data that support reported
performance measures are properly recorded, processed, and summarized
to permit the preparation of performance information in accordance with
criteria stated by management) are included in operations controls.):
.07:
Some control policies and procedures belong in more than one category
of control. For example, financial reporting controls include controls
over the completeness and accuracy of inventory records. Such controls
are also necessary to provide complete and accurate inventory records
to allow management to analyze and monitor inventory levels to better
control operations and make procurement decisions (operations
controls).
.08:
The five components of internal control relate to objectives that an
entity strives to achieve in each of the three categories: financial
reporting (including safeguarding), compliance, and operations
(including performance measures) controls. The components are defined
in AU 319 as:
* The control environment sets the tone of an organization, influencing
the control consciousness of its people. It is the foundation for all
other components of internal control, providing discipline and
structure.
* Risk assessment is the entity's identification and analysis of
relevant risks to achievement of its objectives, forming a basis for
determining how the risks should be managed.
* Information and communication are the identification, capture, and
exchange of information in a form and time frame that enable employees
to carry out their responsibilities.
* Monitoring is a process that assesses the quality of internal control
performance over time.
* Control activities are the policies and procedures that help ensure
that management directives are carried out.
PROCESS FOR IDENTIFYING RISK FACTORS:
.09: In the planning phase, the auditor should (1) identify conditions
that significantly increase inherent, fraud, and control risk (based on
identified control environment, risk assessment, communication, or
monitoring weaknesses) and (2) conclude whether any identified control
risks preclude the effectiveness of specific control activities in
significant applications. The auditor identifies specific inherent
risks, fraud risks, and control environment, risk assessment,
communication, and monitoring weaknesses based on information obtained
earlier in the planning phase, primarily from understanding the
entity's operations and preliminary analytical procedures. The auditor
considers factors such as those listed in paragraphs 260.16-.51 in
identifying such risks and weaknesses. These factors are general in
nature and require the auditor's judgment in determining (1) the extent
of procedures (testing) to identify the risks and weaknesses and (2)
the impact of such risks and weaknesses on the entity and its financial
statements. Because this risk consideration requires the exercise of
significant audit judgment, it should be performed by experienced audit
team personnel.
.10:
The auditor considers the implications of these risk factors on related
operations controls. For example, inherent risk may be associated with
a material liability for loan guarantees because it is subject to
significant management judgment. In light of this inherent risk, the
entity should have strong operations controls to monitor the entity's
exposure to losses from loan guarantees. Potential weaknesses in such
operations controls could significantly affect the ultimate program
cost. Therefore, the need for operations controls in a particular area
or the awareness of operations control weaknesses related to these risk
factors should be identified and considered for further review, as
discussed in section 275.
.11:
Specific conditions that may indicate inherent or fraud risks or
control environment, risk assessment, communication, or monitoring
weaknesses are provided in sections 295 A and 295 B, respectively.
These sections are designed to aid the auditor in identifying these
risks and weaknesses but are not intended to be all inclusive. The
auditor should consider any other factors and conditions deemed
relevant.
.12:
The auditor identifies and documents any significant risk factors after
considering (1) his/her knowledge of the entity (obtained in previous
steps in the planning phase); (2) the risk factors discussed in
paragraphs 260.16-.51 and in sections 295 A and 295 B; and (3) other
relevant factors. These risks and weaknesses and their impact on
proposed audit procedures should be documented on the General Risk
Analysis (GRA) or equivalent (see section 290). The auditor also should
summarize and document any account-specific risks on the Account Risk
Analysis (ARA) or equivalent (see sections 290 and 395 I).
.13:
For each risk factor identified, the auditor documents the nature and
extent of the risk or weakness; the condition(s) that gave rise to that
risk or weakness; and the specific cycles, accounts, line items, and
related assertions affected (if not pervasive). For example, the
auditor may identify a significant risk that the valuation of the net
receivables line item could contain a material misstatement due to (1)
the materiality of the receivables and potential allowance, (2) the
subjectivity of management's judgment related to the loss allowance
(inherent risk), and (3) management's history of aggressively
challenging any proposed adjustments to the valuation of the
receivables (control environment weakness). The auditor should also
document other considerations that may mitigate the effects of
identified risks and weaknesses. For example, the use of a lock box (a
control activity) may mitigate inherent risks associated with the
completeness of cash receipts.
.14:
The auditor also should document, in the GRA or equivalent, the overall
effectiveness of the control environment, risk assessment,
communication, and monitoring, including whether weaknesses preclude
the effectiveness of specific control activities. The focus should be
on management's overall attitude, awareness, and actions, rather than
on specific conditions related to a control environment, risk
assessment, communication, or monitoring factor. This assessment will
be considered when determining the control risk associated with the
entity.
.15:
In assessing the control environment, risk assessment, communication,
and monitoring, the auditor should specifically assess the quality of
the entity's process for compliance with FMFIA (see paragraphs 260.43-
.47) and should obtain an overall understanding of the budget
formulation process (see paragraph 260.51).
INHERENT RISK FACTORS:
.16:
Inherent risk factors incorporate characteristics of an entity, a
transaction, or account that exist due to:
* the nature of the entity's programs,
* the prior history of audit adjustments, or:
* the nature of material transactions and accounts.
The assessment of inherent risk generally should be limited to
significant programs, transactions, or accounts. For each factor listed
below, section 295 A lists conditions that may indicate inherent risk.
a. Nature of the entity's programs: The mission/business of an entity
includes the implementation of various programs or services. The
characteristics of these programs or services affect the entity's
susceptibility to errors and fraud and sensitivity to changes in
economic conditions. For example, student loan guarantee programs may
be more susceptible to errors and fraud because of loans issued and
serviced by third parties.
b. Prior history of significant audit adjustments: Significant audit
adjustments identified in previous financial statement audits or other
audits often identify problem areas that may result in financial
statement misstatements. For example, the prior year's audit may have
identified the necessity for recording a contingent liability as the
result of certain economic conditions. The auditor could then focus on:
* determining whether similar conditions continue to exist;
* understanding management's response to such conditions (including
implementation of controls), if any; and:
* assessing the nature and extent of the related inherent risk.
c. Nature of material transactions and accounts: The nature of an
entity's transactions and accounts has a direct relation to the risk of
errors or fraud. For example, accounts involving subjective management
judgments, such as loss allowances, are usually of higher risk than
those involving objective determinations.
INFORMATION SYSTEMS (IS) EFFECTS ON INHERENT RISK:
Information systems (IS) do not affect the audit objectives for an
account or a cycle. However, IS can introduce inherent risk factors not
present in a manual accounting system. The auditor should (1) consider
each of the following IS factors and (2) assess the overall impact of
IS processing on inherent risk. The impact of these factors typically
will be pervasive in nature. An IS auditor may assist the auditor in
considering these factors and making this assessment. More detail on
assessing IS controls in a financial statement audit is available in
FISCAM, and a flowchart of the steps to follow is in section 295 J.
a. Uniform processing of transactions: Because IS process groups of
identical transactions consistently, any misstatements arising from
erroneous computer programming will occur consistently in similar
transactions. However, the possibility of random processing errors is
reduced substantially in computer-based information systems.
b. Automatic processing: The information system may automatically
initiate transactions or perform processing functions. Evidence of
these processing steps (and any related controls) may or may not be
visible.
c. Increased potential for undetected misstatements: Computers use and
store information in electronic form and require less human involvement
in processing. This increases the potential for individuals to gain
unauthorized access to sensitive information and to alter data without
visible evidence. Due to the electronic form, changes to computer
programs and data are not readily detectible. Also, users may be less
likely to challenge the reliability of computer output than manual
reports.
d. Existence, completeness, and volume of the audit trail: The audit
trail is the evidence that demonstrates how a specific transaction was
initiated, processed, and summarized. For example, the audit trail for
a purchase could include a purchase order, a receiving report, an
invoice, invoice register (purchases summarized by day, month, and/or
account), and general ledger postings from the invoice register. Some
computerized financial management systems are designed so that the
audit trail exists for only a short period (such as in on-line
systems), only in an electronic format, or only in summary form. Also,
the information generated may be too voluminous to allow effective
manual review. For example, one posting to the general ledger may
result from the computer summarization of information from hundreds of
locations.
e. Nature of the hardware and software used in IS: The nature of the
hardware and software can affect inherent risk, as illustrated below:
* The type of computer processing (on-line, batch-oriented, or
distributed) presents different levels of inherent risk. For example,
the inherent risk of unauthorized transactions and data entry errors
may be greater for on-line processing than for batch-oriented
processing.
* Peripheral access devices or system interfaces can increase inherent
risk. For example, Internet and dial-up access to a system increases
the system's accessibility to additional persons and therefore
increases the risk of unauthorized access to computer resources.
* Distributed networks enable multiple computer processing units to
communicate with each other, increasing the risk of unauthorized access
to computer resources and possible data alteration. On the other hand,
distributed networks may decrease the risk of conflicting computerized
data between multiple processing units.
* Applications software developed in-house may have higher inherent risk
than vendor-supplied software that has been thoroughly tested and is in
general commercial use.
f. Unusual or nonroutine transactions: As with manual systems, unusual
or nonroutine transactions increase inherent risk. Programs developed
to process such transactions may not be subject to the same procedures
as programs developed to process routine transactions. For example, the
entity may use a utility program to extract specified information in
support of a nonroutine management decision.
FRAUD RISK FACTORS:
.18:
The auditor is concerned with fraud that causes a material misstatement
of the financial statements. Fraud is distinguished from error in that
the action causing the misstatement in fraud is intentional. Two types
of misstatements are relevant in the auditor's consideration of fraud
in a financial statement audit--misstatements arising from fraudulent
financial reporting and misstatements arising from misappropriation of
assets.
.19:
Misstatements arising from fraudulent financial reporting are
intentional misstatements or omissions of amounts or disclosures in
financial statements to deceive financial statement users.
Misstatements arising from misappropriation of assets involve the theft
of an entity's assets causing the financial statements not to be
presented in conformity with GAAP.
.20:
Both types of fraud usually involve a pressure or incentive to commit
fraud and a perceived opportunity to do so. Many experts believe that
fraud requires that both be present. Fraud may be concealed through
falsified documentation. In a financial statement audit, the auditor
does not have a responsibility to authenticate documents. Fraud also
may involve collusion, which may cause evidence to appear persuasive
when it is not. Although fraud is usually concealed, the presence of
risk factors or other conditions may alert the auditor to a possibility
of fraud. For example, documents may be missing or records out of
balance. However, these conditions may be the result of errors rather
than fraud.
Identification of Fraud Risk Factors:
.21:
The auditor should specifically consider and document the risk of
material misstatement of the financial statements due to fraud and keep
the consideration in mind in designing audit procedures. Considering
the risk of material fraud generally should be done concurrently with
the consideration of inherent and control risk, but it should result in
specific identification of fraud risk factors that are present and the
auditor's response to the factors. Although fraud risk factors do not
necessarily indicate the presence of fraud, they have often been found
in situations where fraud has occurred.
.22:
As part of the consideration of fraud risk, in addition to obtaining
representations about fraud risk in the management representation
letter (see section 1001), the auditor should inquire of management (a)
to obtain management's understanding regarding the risk of fraud in the
entity and (b) to learn whether management has knowledge of fraud
perpetrated on or within the entity. In addition, if the entity has
established a program to prevent, deter, and detect fraud, the auditor
should ask the fraud prevention program managers whether the program
has identified fraud risk factors.
.23:
Inspectors general often report numerous cases of fraud and have
significant experience in this area. The auditor should obtain
information about instances of fraud identified by the IG, ask the
Special Investigator Unit to summarize how cases of reported fraud were
committed, and ask management whether controls have been strengthened,
to consider whether there is a risk of material fraud.
.24:
Fraud risk factors that relate to misstatements arising from fraudulent
financial reporting may be grouped in three categories as follows:
* Industry conditions. These factors involve the economic and regulatory
environment in which the entity operates.
* Operating characteristics and financial stability. These factors
pertain to the nature and complexity of the entity and its
transactions, the entity's financial condition, and its profitability.
* Management's characteristics and influence over the control
environment. These factors pertain to management's abilities,
pressures, style, and attitude relating to internal control and the
financial reporting process.
The first two of these categories contain factors that are also
inherent risk factors mentioned in the earlier paragraphs of this
section and the third category contains factors that are also control
risk factors as discussed in subsequent paragraphs. Examples of fraud
risk factors in each of these three categories in the federal
government are included in sections 295 A and B.
.25: Fraud risk factors that relate to misstatements arising from
misappropriation of assets may be grouped in two categories as follows:
* Susceptibility of assets to misappropriation. These factors pertain to
the nature of an entity's assets and the degree to which they are
subject to theft.
* Controls. These factors involve the lack of controls designed to
prevent or detect misappropriations of assets.
Examples of fraud risk factors in the first of these two categories in
the federal government are also included in section 295 A, and examples
of the second category are included in section 295 B.
.26: It is not necessary for the auditor to search for indications of
financial or other stress on employees that might make them likely to
commit fraud. However, if the auditor becomes aware of such
information, he or she should keep it in mind in considering the risk
of material misstatement due to fraud. Other similar information would
include disgruntled employees, anticipated layoffs, and known unusual
changes in behavior or lifestyle of employees with access to assets
susceptible to misappropriation.
The Auditor's Response to the Fraud Risk Consideration:
.27:
The risk of material misstatement due to fraud always exists to some
degree. The auditor should decide whether the audit procedures already
planned are sufficient to respond to the fraud risk factors found or
whether there is a need to modify the planned audit procedures. If
audit procedures need to be modified, the auditor should decide whether
an overall response is appropriate or whether the response should be
specific to a particular account balance, class of transactions, or
assertion or whether both an overall and a specific response are called
for. If it is not practicable, as part of a financial statement audit,
to modify planned audit procedures sufficiently to address the fraud
risk, the auditor should consider requesting assistance from the
Special Investigator Unit. See section 290 for documentation
re* quirements.
.28:
The auditor may decide that an overall response covering one or more of
the following is appropriate:
* Professional skepticism. Due professional care requires the exercise
of professional skepticism--an attitude that includes a questioning mind
and critical assessment of audit evidence. With an increased risk of
material misstatement due to fraud, professional skepticism may cause
the auditor to examine documentation of a different nature and greater
extent in support of material transactions, or to corroborate
management representations more extensively.
* Assignment of audit personnel. The qualifications and extent of
supervision of personnel assigned on an audit generally should be
commensurate with the level of fraud risk.
* Accounting principles and policies. With a greater risk of material
misstatement due to fraud, the auditor may have a greater concern about
whether management may apply accounting principles and policies in an
inappropriate manner to create a material misstatement of the financial
statements and may need to test more extensively.
* Controls. If increased fraud risk exists because of risk factors that
have control implications, the auditor may have to assess control risk
as high. However, understanding controls in this situation may be even
more important than otherwise. The auditor generally should understand
how controls (or lack thereof) relate to the fraud risk factors, while
noting the extent of management's ability to override controls.
.29: Also in an overall response, the nature, timing, and extent of
procedures related to certain accounts and assertions may be modified
as follows:
* The nature may be changed to obtain more reliable evidence or further
corroboration, such as from independent sources outside the entity. For
example, physical observation of certain assets may become more
important.
* The timing of substantive tests may be closer to or at year end.
* The extent of procedures may involve larger sample sizes or more
extensive analytical procedures.
.30:
The auditor may determine that a specific response is required due to
the types of risk factors identified and the accounts and assertions
that may be affected. Examples of specific responses are in section 295
I.
.31:
The consideration of fraud risk is a cumulative process that should be
ongoing throughout the audit. Fraud risk factors may be identified at
any time during the audit. Also, other conditions may be identified
during fieldwork that change or support a judgment regarding fraud
risk, such as discrepancies in the accounting records, conflicting or
missing evidential matter, or problematic or unusual relationships
between management and the auditor. Thus the auditor should continue to
be aware of the risk of fraud, and at the conclusion of the audit, the
auditor should consider whether the accumulated results of audit
procedures and other observations affect the consideration of the risk
of material misstatement due to fraud. (See section 540.):
CONTROL ENVIRONMENT FACTORS:
.32: As discussed in AU 319 (SAS 55 amended by SAS 78), control environment
risk factors incorporate management's attitude, awareness, and actions
concerning the entity's control environment. These factors include:
* integrity and ethical values,
* commitment to competence,
* management's philosophy and operating style,
* organizational structure,
* assignment of authority and responsibility,
* human resource policies and practices,
* management's control methods over budget formulation and execution,
* management's control methods over compliance with laws and
regulations, and:
* the functioning of oversight bodies (including congressional
committees).
.33: The auditor should obtain sufficient knowledge of the control
environment to determine whether the collective effect of these factors
establishes, enhances, or mitigates the effectiveness of specific
control activities. In making this determination, the auditor should
consider the following factors and their effect on internal control.
For each factor listed below, section 295 B lists conditions that may
indicate control environment weaknesses.
a. Integrity and ethical values: Control effectiveness cannot rise above
the integrity and ethical values of those who create, administer, and
monitor the controls. Integrity and ethical values are essential
elements of the control environment, affecting the design,
administration, and monitoring of the other components. Integrity and
ethical behavior result when the entity and its leaders have high
ethical and behavioral standards and properly communicate them and
reinforce them in practice. The standards include management's actions
to remove or reduce incentives and temptations that might prompt
personnel to engage in dishonest, illegal, or unethical acts. The
communication of entity values and behavioral standards to personnel
takes place through policy statements and codes of conduct and by
example.
b. Commitment to competence: Competence is the knowledge and skills
necessary to accomplish tasks required by an individual's job.
Commitment to competence includes management's consideration of the
competence levels for various jobs and the requisite skills and
knowledge.
c. Management's philosophy and operating style: Management's philosophy
and operating style encompass a broad range of beliefs, concepts, and
attitudes. Such characteristics may include management's approach to
taking and monitoring operational/program risks, attitudes and actions
toward financial reporting, emphasis on meeting financial and operating
goals, and management's attitude toward information processing,
accounting, and personnel.
d. Organizational structure: An entity's organizational structure
provides the overall framework for planning, directing, and controlling
operations. The organizational structure should appropriately assign
authority and responsibility within the entity. An organizational
structure includes the form and nature of an entity's organizational
units, including the data processing organization, and related
management functions and reporting relationships.
e. Assignment of authority and responsibility: An entity's policies or
procedures for assigning authority for operating activities and for
delegating responsibility affect the understanding of established
reporting relationships and responsibilities. This factor includes
policies relating to appropriate business practices, knowledge and
experience of key personnel, and resource allocations. It also includes
policies and communications to ensure that all personnel understand the
entity's objectives, how they contribute to these objectives, and how
and for what they will be held accountable.
f. Human resource policies and practices: Human resource policies and
practices affect an entity's ability to employ sufficient competent and
trustworthy personnel to accomplish its goals and objectives. Such
policies and practices include hiring, training, evaluating, promoting,
compensating, and assisting employees in the performance of their
assigned responsibilities by giving them the necessary resources.
g. Management's control methods over budget formulation and execution:
Management's budget control methods affect the authorized use of
appropriated funds. Budget formulation is discussed in more detail in
paragraph 260.51, and controls over budget execution (budget controls)
are addressed in more detail in section 300.
h. Management's control methods over compliance with laws and
regulations: Such methods have a direct impact on an entity's
compliance with applicable laws and regulations. (Compliance controls
are addressed in more detail in section 300).
i. The functioning of oversight groups: An entity's oversight groups
typically are responsible for overseeing both business activities and
financial reporting. The effectiveness of an oversight group is
influenced by its authority and its role in overseeing the entity's
business activities. In the federal government, oversight groups are
the Congress and the central agencies (OMB, Treasury, GSA, OPM, and
GAO). Within agencies, senior management councils may also have a role
in overseeing operations and programs.
RISK ASSESSMENT FACTORS:
.34: Risk assessment is an entity's internal process for identifying,
analyzing, and managing risks relevant to achieving the objectives of
reliable financial reporting, safeguarding of assets, and compliance
with budget and other laws and regulations. For example, risk
assessment may address how the entity analyzes significant estimates
recorded in the financial statements or how it considers the
possibility of unrecorded transactions. Risks can arise due to both
internal and external circumstances such as:
* changes in the operating or statutory environment,
* new personnel who may have a different focus on internal control,
* new or significantly changed information systems,
* rapid growth of programs which can strain controls,
* new technology which may change risks,
* new programs or activities which may introduce new control risks,
* restructurings or budget cutbacks which may include downsizing and
changes in supervision and segregation of duties, or:
* adoption of new accounting principles which may affect risks in
preparing financial statements.
.35: The auditor should gain sufficient knowledge of the entity's risk
assessment process to understand how management considers risks
relevant to the objectives of financial reporting (including
safeguarding), and compliance with budget and other laws and decides
what actions to take. This understanding may include how management
identifies risks, estimates their significance, assesses the likelihood
of occurrence, and relates them to financial reporting.
COMMUNICATION FACTORS:
.36:
Communication involves providing an understanding of individual roles
and responsibilities pertaining to internal control. It includes the
extent to which personnel understand how their activities relate to the
work of others and the means of reporting exceptions to an appropriate
higher level within the entity. Open communication channels help ensure
that exceptions are reported and acted on. Communication takes such
forms as policy manuals, accounting and financial reporting manuals,
and memoranda. Communication also may be electronic, oral, and through
the actions of management in demonstrating acceptable behavior.
.37:
The auditor should obtain sufficient knowledge of the means the entity
uses to communicate roles and responsibilities for, and significant
matters relating to financial reporting, safeguarding, and compliance
with budget and other laws and regulations.
MONITORING FACTORS:
.38:
Monitoring is the process by which management assesses the quality of
internal control performance over time. This may include ongoing
activities, such as regular management and supervision, or
communications from external parties, such as customer complaints or
regulator comments that may indicate areas in need of improvement. This
also may include separate evaluations, such as FMFIA work and IG or
internal auditor work, or a combination of ongoing activities and
separate evaluations.
.39:
The auditor should gain sufficient knowledge of the major types of
activities the entity uses to monitor internal control over financial
reporting, including safeguarding, and compliance with budget and other
laws and regulations and how those activities are used to initiate
corrective actions.
.40: The IG's office or internal audit is often an important part of
monitoring. The IG's office is responsible for (1) conducting and
supervising audits and investigations relating to programs and
operations, (2) providing leadership and coordination, including
recommending policies for programs and operations, and (3) keeping the
entity head and the Congress informed about problems and deficiencies,
including the progress of corrective actions. The auditor should assess
the effectiveness of the IG or internal audit as a monitoring control.
However, if the auditor is the IG, the office should not attempt to
assess its effectiveness as a control. Evaluating an IG's office or
internal audit includes consideration of its authority and reporting
relationships, the qualifications of its staff, and its resources. (In
using the work of the IG or internal auditors, refer to section 650.):
IS EFFECTS ON THE CONTROL ENVIRONMENT, RISK ASSESSMENT, COMMUNICATION,
AND MONITORING:
.41: IS affects the effectiveness of the control environment, risk
assessment, communication, and monitoring. For example, controls that
normally would be performed by separate individuals in manual systems
may be concentrated in one computer application and pose a potential
segregation-of-duties problem.
.42: The auditor should consider the following IS factors in making an
overall assessment of the control environment, risk assessment,
communication, and monitoring. An IS auditor may assist the auditor in
considering these factors:
a. Management's attitudes and awareness with respect to IS: Management's
interest in and awareness of IS functions is important in establishing
an organizationwide consciousness of control issues. Management may
demonstrate such interest and awareness by:
* considering the risks and benefits of computer applications;
* communicating policies regarding IS functions and responsibilities;
* overseeing policies and procedures for developing, modifying,
maintaining, and using computers and for controlling access to programs
and files;
* considering the inherent and control risk, including fraud risk,
related to IS;
* responding to previous recommendations or concerns;
* quickly and effectively planning for, and responding to, computerized
processing crises; and:
* depending on computer-generated information for key operating
decisions.
b. Organization and structure of the IS function: The organizational
structure affects the control environment. Centralized structures often
have a single computer processing organization and use a single set of
system and applications software, enabling tighter management control
over IS. In decentralized structures, each computer center generally
has its own computer processing organization, application programs, and
system software, which may result in differences in policies and
procedures and various levels of compliance at each location.
c. Clearly defined assignment of responsibilities and authority:
Appropriate assignment of responsibility according to typical IS
functional areas can affect the control environment. Factors to
consider include:
* how the position of the Chief Information Officer (CIO) fits into the
organizational structure;
* whether duties are appropriately segregated within the IS function,
since lack of segregation typically affects all systems;
* the extent to which management external to the IS function is involved
in major systems development decisions; and:
* the extent to which policies, standards, and procedures are documented,
understood, followed, and enforced.
d. Management's ability to identify and to respond to potential risk:
Computer processing, by its nature, introduces additional risk factors.
The entity should be aware of these risks and should develop
appropriate policies and procedures to respond to any IS issues that
might occur. Factors to consider include:
* the methods for monitoring incompatible functions and for enforcing
segregation of duties and:
* management's mechanism for identifying and responding to unusual or
exceptional conditions.
FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT OF 1982:
.43:
In considering the control environment, risk assessment, communication,
and monitoring, the auditor should assess the quality of the FMFIA
process to provide evidence of management's control consciousness and
the overall quality of the control environment, risk assessment,
communication, and monitoring. In this regard, the quality of the FMFIA
process is a good indicator of management's (1) philosophy and
operating style, (2) assignment of authority and responsibility, and
(3) control methods for monitoring and follow-up. The FMFIA process
also may be the basis for management's assertion about the
effectiveness of internal control (section 2) and about the entity's
financial management systems' substantial compliance with FFMIA
requirements (section 4).
.44:
In considering the quality of the FMFIA process, the auditor generally
should perform the following procedures. If the entity does not issue
its own FMFIA report, the auditor should perform the following with
respect to information the entity contributes to the FMFIA report in
which the entity is included.
Read:
* the FMFIA report,
* important workpapers prepared by the entity in support of the FMFIA
report,
* IG reports on FMFIA compliance,
* OMB's most recent annual letter concerning FMFIA reporting, and:
* management's description of the FMFIA process.
Discuss the FMFIA process with appropriate entity management (including
management's opinion of the quality of the process).
Understand:
* how the FMFIA process is organized;
* who is assigned to manage the process, including the staffing level,
experience and qualifications of assigned personnel, and reporting
responsibilities; and:
* how the process finds and evaluates weaknesses.
* Identify the entity's actions on previously reported weaknesses and
examine agency documentation that demonstrates the results/
effectiveness of those actions.
* Determine whether the audit finds different issues from those
identified in the FMFIA process. (If so, see section 580 for reporting
on FMFIA.):
.45:
In assessing the quality of the FMFIA process, the auditor should
consider whether management procedures and supporting documentation are
sufficient to (1) provide management with reasonable assurance that
FMFIA objectives have been achieved and (2) meet OMB requirements. This
assessment is based on the auditor's overview and is not a result of
extensive tests. Factors for the auditor to consider may include:
* evidence of efforts to rectify previously identified material
weaknesses;
* management's commitment of resources to the FMFIA process, as
reflected in the skills, objectivity, and number of personnel
assigned to manage the process;
* extent to which management's methodology and assessment process
conform to the guidance in Circulars A-123 ( June 21, 1995) and A-127
(July 23, 1993 and revisions in Transmittal Memorandum No. 2, dated
June 10, 1999) and related OMB guidelines;
* IG and internal auditor involvement (if any);
* the process used to identify and screen material weaknesses as FMFIA
reports are consolidated and moved up the entity's hierarchy; and:
* the sources that identify material weaknesses, since items
identified by management personnel, rather than from IG, GAO, or
other external reports, demonstrate that the process can detect and
report weaknesses.
.46:
The auditor's assessment of the quality of the FMFIA process will
affect the auditor's ability to use information in the FMFIA report and
supporting documentation when identifying risks, testing controls, and
preparing workpapers. The higher the quality of the FMFIA process, the
more likely the auditor will be able to use the FMFIA findings in the
financial audit. The auditor should document the assessment of the
quality of the FMFIA process in the audit workpapers. Regardless, any
material weaknesses identified in the FMFIA report should be considered
in considering risk.
.47:
The reliance that the auditor places on management's FMFIA work depends
on a number of factors as discussed in FAM 650 (under revision).
Federal Financial Management Improvement Act of 1996:
.48:
As part of its FMFIA work, management determines whether its financial
management systems comply with the requirements found in OMB
Circular A-127, Financial Management Systems. Under FFMIA, the auditor
is required to report whether the financial management systems'
substantially comply with those requirements. Further, OMB issues
guidance that agencies and auditors should consider when addressing
compliance with FFMIA.
.49:
During the planning phase, the auditor generally should understand what
management did to determine that the entity's systems were in
substantial compliance in order to report under FMFIA. The entity may
have used the OMB FFMIA guidance, the GAO Financial Management Series
of checklists for Systems Reviewed Under the Federal Financial
Management Improvement Act of 1996, the draft JFMIP Financial
Management Systems Compliance Review Guide (http://www.financenet.gov/
financenet/fed/jfmip/fmscrg.pdf), or other tools. The auditor
generally should review this documentation in the internal control
phase of the audit to determine the degree to which he or she may rely
on it as discussed in section 650 (under revision). (See section 320.):
.50:
If the entity previously had an assessment made of its financial
management systems' substantial compliance with these requirements that
resulted in lack of substantial compliance, the auditor should read the
remediation plan required by FFMIA and note whether the plan appears
feasible and likely to remedy the deficiencies.
BUDGET FORMULATION:
.51: While assessing the control environment, risk assessment,
communication, and monitoring, the auditor should obtain an overall
understanding of the budget formulation process. The auditor does this
to understand better how misstatements and internal control weaknesses
affect the budget formulation process and, possibly, to consider the
budget process as a control. Based on discussions with entity
management responsible for the budget formulation process and review of
budget documents, the auditor should consider:
* the entity's process for developing and summarizing the budget,
* the nature and sufficiency of instructions and training provided to
individuals responsible for developing the budget,
* the extent that individuals involved in approving budget requests are
also involved in the budget formulation process,
* the general extent to which the budget is based on historical
information,
* the reliability of information on which the budget is based,
* the extent to which the budget formulation system is integrated with
the budget execution system, and:
* the extent of correlation between information developed in the budget
formulation process and the allotments and suballotments in the budget
execution system.
[End of section]
270 - DETERMINE LIKELIHOOD OF EFFECTIVE INFORMATION SYSTEM CONTROLS:
.01:
Controls are considered IS controls if their effectiveness depends on
computer processing. In the planning phase, the auditor (with the
assistance of the IS auditor and using FISCAM or another appropriate
methodology) should determine whether IS controls are likely to be
effective and should therefore be considered in the internal control
phase. The auditor may coordinate work done to meet the requirements of
Division A, Title X, Subtitle G (Government Information Security
Reform) of the National Defense Authorization Act for Fiscal Year 2001
(P.L. 106-398) with work done as part of the financial statement audit.
(See section 295 J for a flowchart of steps in assessing IS controls in
a financial statement audit.) The procedures to be performed build on
those procedures performed while understanding the entity's operations
and assessing the effects of IS on inherent risk and the control
environment, risk assessment, communication, and monitoring. AU 319
(SAS 55, as amended by SAS 78 and SAS 94) requires the auditor to
sufficiently understand each of the five components of internal
control--control environment, risk assessment, information and
communications, monitoring, and control activities--to plan the audit.
This understanding should include relevant IS aspects.
.02:
Computerized financial management systems are used extensively in the
federal government. While many of these systems are mainframe based,
numerous other technologies also exist. Some of these systems share
programs and data files with one another. Others may be networked into
major subsystems. In addition to producing financial and accounting
information, such systems typically generate other information used in
management decision-making.
.03:
As discussed in paragraph 260.06, the auditor evaluates and tests the
following types of controls in a financial statement audit:
* financial reporting controls,
* compliance controls, and:
* certain operations controls (to the extent described in section 275).
.04:
For each of the controls to be evaluated and tested, the auditor should
distinguish which are IS controls. IS controls--those whose
effectiveness depends on computer processing--can be classified into
three types (described in section 295 F):
* general controls,
* application controls, and:
* user controls.
Testing of technical IS controls should be performed by an IS auditor
as described in section 360. The audit team may assist the IS auditor
by testing user controls and application controls involving manual
follow-up.
.05:
In the planning phase, the auditor and the IS auditor should understand
each of the three types of IS controls to the extent necessary to
tentatively conclude whether IS controls are likely to be effective. If
they are likely to be effective, the auditor should consider specific
IS controls in determining whether control objectives are achieved (in
the internal control phase).
.06:
If IS controls are not likely to be effective, the auditor (with the
assistance of the IS auditor) should obtain a sufficient understanding
of control risks arising from IS to develop appropriate findings and to
plan substantive testing. Also, in the internal control phase, the
auditor generally should focus on the effectiveness of manual controls
in achieving control objectives. If IS controls are not likely to be
effective due to poor general controls and if manual controls do not
achieve the control objectives, the auditor should identify and
evaluate, but not test, any specific IS controls that are designed to
achieve the control objectives (to provide recommendations to improve
internal control).
.07:
In the planning phase, the auditor and the IS auditor generally limit
the understanding of general controls to those at an overall entity
level. However, obtaining this understanding generally requires visits
to selected installations. General controls related to an installation
level and to specific applications will be considered in more detail in
the internal control phase. In assessing general controls, the auditor
and the IS auditor should consider the results of past internal and
external reviews.
.08:
The auditor should keep in mind that, as stated in SAS 94, paragraph
66, in some circumstances, such as where a significant amount of
information is electronically initiated, recorded, processed, and
reported, it may not be practical or possible to restrict detection
risk to an acceptable level by performing only substantive tests for
one or more financial statement assertions. In such circumstances, the
auditor should test IS controls to obtain evidential matter about the
effectiveness of both the design and operation of controls to reduce
the assessed level of control risk.
[End of section]
275 - IDENTITY RELEVANT OPERATIONS CONTROLS TO EVAULATE AND TEST:
.01:
The overall intent of the CFO Act is to improve the quality of federal
financial management. Reliable financial information and effective
internal control are important to the quality of such federal financial
management. In a financial statement audit, the auditor draws a
conclusion about the effectiveness of certain financial reporting
(including safeguarding and budget) and compliance (including budget)
controls. For operations controls, the auditor:
* may evaluate certain operations controls considered relevant (see
paragraphs 275.02-.07),
* should evaluate and test operations controls that are relied on in
performing audit procedures (see paragraph 275.08), and:
* should understand the components of internal control relating to the
existence and completeness (and valuation is required for GAO audits)
assertions relevant to the performance measures reported in the MD&A,
in order to report on those controls that have not been properly
designed and placed in operation, but does not need to test those
controls, although he or she may decide to do so (see paragraph
275.09).
RELEVANT OPERATIONS CONTROLS:
.02:
For the potential operations control needs of the entity or for
operations control weaknesses identified through the procedures
described in paragraphs 275.04-.07, the auditor should determine
whether the evaluation of related controls should (1) be included in
the financial audit, (2) become a separate audit, or (3) not be
performed but any weaknesses be reported to the IG. In making this
determination, the auditor might consider the following factors:
* the significance of the operations control to the entity's
operations,
* the time required to identify and test the operations control,
* available resources, and:
* congressional interest.
.03:
Audit team management should agree on the operations controls that are
to be evaluated and tested as part of the financial audit. Such
operations controls should be documented in the workpapers. For
example, audit management may require that before evaluating and
testing a specific operations control, the audit team submit relevant
information to audit management on a standard form developed by the
audit team.
.04:
In the planning phase and throughout the audit, the auditor generally
should identify significant areas where the entity would be expected to
have operations controls. The auditor may become aware of these areas,
as well as potential weaknesses in operations controls, through:
* understanding the entity's operations.
* planning the audit procedures,
* understanding audit risks and weaknesses in financial reporting and
compliance controls,
* understanding the cause of misstatements noted, or:
* observations made during on-site fieldwork.
.05:
In obtaining an understanding of the entity's operations, the auditor
should identify those areas that are critical to such operations. For
each of these areas, the entity should have effective operations
controls. Also, in planning the audit, the auditor may identify
operations controls that could be evaluated in conjunction with planned
audit and other procedures. For example, the auditor may evaluate
whether management considered appropriate order quantities for each
inventory purchase selected in a test of inventory purchases.
.06:
The auditor identifies specific risks and weaknesses in planning and
performing the audit and in determining the causes of misstatements
requiring audit adjustments. The auditor should consider the
implications of those risks and weaknesses on the entity's operations
controls. For example, misstatements in inventory records may indicate
weaknesses in operations controls whose effectiveness depends on
accurate inventory records. This would include the operations controls
for maintaining proper inventory levels.
.07: The auditor should be alert to any opportunities to recommend
improvements to operations controls. Such opportunities could come to
light while visiting the entity's various locations and performing the
financial audit.
OPERATIONS CONTROLS RELIED ON IN THE AUDIT:
.08:
If any contemplated audit procedure relies on operations controls, the
auditor should identify and test such controls. For example, assume
that an auditor is using substantive analytical procedures, based on
entity-generated "per unit" statistics, to test the reasonableness of
certain operating costs. The auditor plans to compare such "per unit"
statistics with published costs incurred by similar operations. The
auditor will need to identify and test the entity's operations controls
over the production of these internal statistics.
OPERATIONS CONTROLS OVER REPORTED PERFORMANCE MEASURES:
.09:
OMB audit guidance requires the auditor to understand the design of
internal controls over the existence and completeness (see definition
in paragraph 235.02) assertions (and GAO has added valuation as a
requirement for its audits) related to the performance measures the
entity reports on in the MD&A and whether they have been placed in
operation. However, OMB does not require the auditor to test the
controls (determine operating effectiveness), although he or she may
decide to do so. The procedures the auditor performs to gain the
understanding do not need to be extensive but may consist of
discussions, observations, and walkthroughs (see AU 319.41-.43).
[End of section]
280 - PLAN OTHER AUDIT PROCEDURES:
.01:
The auditor should consider the following areas during the planning
phase, even though many related audit procedures will be applied during
the other phases.
INQUIRIES OF ATTORNEYS:
.02:
As discussed in AU 337 and section 550, the auditor should make
inquires of the entity's counsel and perform other audit procedures
regarding litigation, claims, and assessments. Because of the amount of
the time needed by management and the attorneys to gather and report
the necessary information (including the potential need for management
to inquire of Department of Justice attorneys on a case-specific
basis), the auditor should plan the following procedures (which are
described in more detail in AU 337) for an appropriate time in the
audit:
* making inquiries of management regarding their policies and
procedures used for identifying, evaluating, and accounting for
litigation, claims, and assessment;
* obtaining a description and evaluation of all such matters existing
as of the balance sheet date and through the date of management's
response (which should be near the end of fieldwork);
* obtaining evidence regarding attorneys used by the entity and
matters handled; and:
* sending letters of audit inquiry to attorneys (the auditor should
consider the aggregation of cases in deciding on the materiality to
include in the legal letter to ensure it is sufficiently low).
MANAGEMENT REPRESENTATIONS:
.03: As discussed in section 550, the auditor is required to obtain a
representation letter from management on specific matters prior to
completion of the audit. Particularly during first year audits and when
standards change, the auditor may want to discuss these required
representations with management early in the audit to identify and
resolve any difficulties related to obtaining these representations.
Note that for federal government auditors, these representations
include (1) the effectiveness of internal control, (2) financial
management systems' substantial compliance with FFMIA requirements, and
(3) compliance with laws and regulations. Additional guidance on
management representations is provided in AU 333, AU 801, SSAE 2, and
section 1001 (Part II). Also, per SAS 89, a summary of uncorrected
misstatements aggregated by the auditor is to be included or attached
to the letter, which shall state management's belief that the effects
of the misstatements are immaterial to the financial statements taken
as a whole, both individually and in the aggregate. (See section 595 D
for an example summary of uncorrected misstatements.):
RELATED PARTY TRANSACTIONS:
.04: AU 334 and section 1006 provide guidance on audit procedures that
should be performed to identify related parties and related party
transactions as well as examining these transactions for appropriate
disclosure in the financial statements. During the planning phase, the
auditor should perform procedures to identify and document related
parties and the nature of related party transactions that might need to
be disclosed in the financial statements and related notes. Such
information should be distributed to all members of the audit team for
use in summarizing and testing related party transactions and
identifying any additional related parties.
SENSITIVE PAYMENTS:
.05:
In the planning phase, the auditor should consider the audit procedures
that will be applied to sensitive payments. Sensitive payments
encompass a wide range of executive functions including executive
compensation, travel, official entertainment funds, unvouchered
expenses, and consulting services. See GAO's technical guideline 8.1.2,
Guide for Review of Sensitive Payments.
REACHING AN UNDERSTANDING WITH MANAGEMENT AND REQUESTERS:
.06: During planning, it is important that the auditor reach an
understanding with the entity's management and individuals contracting
for or requesting the audit, about the work to be performed, as
required by AU 310 and Amendment No. 2 to Government Auditing Standards
(paragraphs 4.6.3-4.6.9). If the audit is done based on the request of
a committee or member of Congress, the auditor should communicate with
that committee or member as well as management. If the audit is
required by law or is self-initiated, the auditor should communicate
with the committee members or staff who have oversight of the auditee
as well as management.
.07:
The auditor should communicate with management and the committee or
member in writing (preferred) or orally and document the understanding
reached in the workpapers. "Commitment" letters may be used to
communicate with Congress about the auditor's planned work. In drafting
commitment letters, the auditor should consider the matters required to
be communicated by the auditing standards. If the audit organization
has a general ongoing working relationship with Congress and prior
audit reports, there may already be an understanding with the
applicable committee or other requester.
.08:
Because of an ongoing working relationship with either a requester or
management, the auditor may affirm the contents of the prior audit
report, since the types of information included in the understanding
are generally included in the objectives, scope, and methodology
section of the audit report.
.09: Examples of the matters that are generally included in the
understanding are the objectives and limitations of the audit and
management's and the auditor's responsibilities. These are described in
AU 310.06-.07. GAGAS also requires the understanding to relate to the
auditor's responsibility for testing and reporting on compliance and
internal control.
OTHER AUDIT REQUIREMENTS:
.10:
GAGAS (section 4.7) also require the auditor to follow up on known
material findings and recommendations from previous audits. Generally,
a financial audit should cover areas that had findings and
recommendations in previous audits. However, the auditor should
consider whether any findings and recommendations from the prior year
financial audit need follow-up that would not otherwise be covered (for
example, findings at locations that would not otherwise be revisited).
.11: During planning, the auditor also should consider the additional
requirements in OMB audit guidance for legal letters, management
representation letters, and certain agreed-upon procedures. OMB audit
guidance has specific dates by which interim and updated legal letters
for CFO Act agencies are to be requested and received, specific formats
for summarizing the information in the letters, and a list of specific
officials to whom copies of the letters and summaries should be
forwarded. The guidance also has an example of a management
representation letter. In addition, the guidance requires that certain
agreed-upon procedures to be applied to agency payroll offices and
requires that reports be submitted to OPM by a specific date.
[End of section]
285 - PLAN LOCATIONS TO VISIT:
.01:
Most federal entities conduct operations, perform accounting functions,
and/or retain records at multiple locations. During planning, the
auditor needs to consider the effect of these multiple locations on the
audit approach. The auditor should develop an understanding of the
respective locations, including significant accounts and accounting
systems and cycles/applications. This understanding may be obtained
centrally or in combination with visits to field offices, as
appropriate. When planning locations to visit, the auditor should
consider whether certain locations warrant more extensive testing than
others, based on the following factors:
* Materiality or significance of locations to the overall entity: More
material locations, particularly those individually exceeding design
materiality, and significant cycles/accounting applications may
require more extensive testing.
* The results of the preliminary analytical procedures applied during
planning: Unusual results require follow-up, possibly including on-site
testing at specific locations causing such results.
* The results and the extent of audit procedures applied in prior years
by the auditor or others, including the time since significant
procedures were performed: Problems noted in prior audits could
indicate areas of concern for the current audit, and the effectiveness
of prior evidence ordinarily diminishes with the passage of time.
* The auditor's assessment of inherent risk, including the nature of
operations, sensitivity to economic conditions, and key management
turnover: Locations at which inherent risk is high generally warrant
more extensive testing than those where inherent risk is low.
* The auditor's preliminary assessment of control risk, including the
control environment, risk assessment, communications, and monitoring:
Locations at which control risk (particularly concerning the control
environment, risk assessment, communication, and monitoring) is high
warrant more extensive testing than those where control risk is low.
* The auditor's consideration of the risk of material misstatement due
to fraud: Locations at which the auditor has considered there may be a
greater risk of material misstatement due to fraud warrant more
extensive testing than those where he or she has considered a lower
risk of material misstatement due to fraud is present.
* The extent to which accounting records are centralized: A high
degree of centralization may enable the auditor to conduct the
majority of work at the central location, with only limited work at
other locations.
* The extent of uniformity of control systems (including computer
controls) throughout the entity: The number of locations visited is a
function of the uniformity of significant control systems. For example,
if there are two major procurement control systems, the auditor
generally should test each system to a sufficient extent. Where
locations develop or modify systems, more locations may require visits
than for those entities using centrally developed systems that cannot
be changed locally.
* The extent of work performed by other auditors: Work done by other
auditors may be used to reduce or eliminate tests at selected locations
or to assist in tests of locations not selected. (See section 650.):
* Special reporting or entity requirements: The auditor should select
sufficient locations to meet special needs, such as separate-location
reports.
.02:
The auditor should plan the general nature of audit procedures to be
performed at each location. The extent of testing may vary between
locations, depending on test materiality, control risk, and other
factors. Using common audit programs, workpaper formats, and indexes
for the various locations visited makes it easier to plan, review the
workpapers, and combine the results of all locations or funds to
improve effectiveness and efficiency.
.03:
The auditor should obtain an understanding of the procedures for
combining the locations' financial information to prepare the entity's
financial statements. The auditor should understand and test these
procedures during the audit, including any necessary adjustments and
eliminations.
.04:
One approach to stratifying the locations and selecting samples for
multiple-location audits is provided in section 295 C. This method
assumes that increased testing is not required at any location because
of the factors in paragraph 285.01. Other methods of selecting
locations for on-site testing may be used with the approval of the
Reviewer. For example, selecting fewer locations but more items to test
at each of those locations may be appropriate in some instances.
Although other methods generally will require more overall audit
testing than the method described in section 295 C, the costs of
performing additional work at fewer locations may be lower.
[End of section]
290 - DOCUMENTATION:
.01:
The auditor should document relevant information obtained during the
planning phase in the documents described in paragraphs 290.03-.06.
Also, as described in paragraph 290.07, the auditor should document the
understanding reached with requesters and management. Information that
is likely to be useful in future audits may be documented in a
permanent file.
.02:
As the audit work is performed, the auditors may become aware of
possible reportable conditions or other matters that should be
communicated to the auditee. A structured method to document these
matters will aid in communicating them to the audit team, management
for review, and the agency soon after their discovery. The auditor
generally should document the nature of the reportable condition and
the criteria, cause, potential effect, and suggestions for improvement
(as applicable) throughout the audit and discuss them with management
when identified, rather than waiting until the exit conference.
.03:
In the entity profile or an equivalent document, the auditor should
document the information gathered to gain an understanding of the
entity (section 220). This profile should briefly document such
elements as the entity's origin and history, size and location,
organization, mission, results of prior and current audits, and
accounting and auditing considerations. The auditor generally should
limit the information in the entity profile to that which is relevant
to planning the audit. This information may include documents prepared
by the entity, such as historical information or the mission of the
entity. If this and other documents were prepared in prior years, they
need only be updated for changes each year.
.04:
The General Risk Analysis or an equivalent document contains the
overall audit plan, including the strategy for conducting the audit,
and also should include information on the following areas:
a. Preliminary analytical procedures and the results of those
procedures (section 225): The auditor should document the following
information:
* data used and sources of financial data used for current-year amounts
and for developing expected amounts, including:
** the amounts of the financial items,
** the dates or periods covered by the data,
** whether the data are audited or unaudited,
** the person from whom the data were obtained (if applicable), and:
** the source of the information (for example, the general ledger trial
balance, prior-year audit workpapers, or prior-year financial
statements);
* parameters for identifying significant fluctuations;
* explanations for fluctuations identified and sources of these
explanations, including the name and title of the person(s) from whom
the explanations were obtained; and:
* the auditor's conclusion and consideration of the impact of the
results of preliminary analytical procedures on the audit.
b. Planning, design, and test materiality, including the basis for
their determination (section 230).
c. Methodology used in assessing computer-related controls (section
240): If the auditor uses a methodology other than the FISCAM, he or
she should document the basis for believing that the methodology is
appropriate.
d. Significant provisions of laws and regulations (section 245).
e. Relevant budget restrictions (section 250).
f. Level of audit assurance (section 260): The auditor should document
the overall level of audit assurance and the justification for the
level used. If the level of audit assurance chosen is 95 percent, the
auditor may reference the FAM.
g. Assessment of inherent risk and the overall effectiveness of the
control environment, risk assessment, communication, and monitoring,
including whether they preclude the effectiveness of specific control
activities (section 260): The auditor identifies and documents any
inherent risks or control risks arising from the control environment,
risk assessment, communication, and monitoring and associates them with
significant financial statement line items and assertions. For each
risk identified, the auditor documents the (1) nature and extent of the
risk, (2) condition(s) that gave rise to that risk, and (3) specific
cycles, accounts, line items, and related assertions affected (if not
pervasive). The auditor also documents conclusions on the overall
effectiveness of the control environment, risk assessment,
communication, and monitoring. In addition, the auditor generally
should document the entity's basis for its determination of substantial
compliance of its systems with FFMIA requirements.
h. Risk of material misstatement due to fraud (section 260): The
auditor should document:
* the fraud risk factors identified and:
* the auditor's response to those risk factors, either individually or
in combination.
i. Effects of IS (section 270): The auditor should document:
* a basic understanding of the IS aspects of the financial management
system, including the significance of IS to the entity (section 220);
* the inherent risks arising from IS (paragraph 260.17);
* the impact of IS on the control environment, risk assessment,
communication, and monitoring (paragraphs 260.41-.42); and:
* tentative conclusions on the likelihood that IS controls are operating
effectively (section 270).
When the auditor prepares documentation of the above information, the
IS auditor generally should review and agree with the content.
Tentative conclusions on the likelihood that IS controls are operating
effectively should also be reviewed and concurred to by the Audit
Director and Assistant Director as part of their reviews of the General
Risk Analysis or equivalent. If IS controls are not likely to be
effective, the auditor should document supporting evidence and
generally should report such findings as discussed in section 580.
j. Operations controls to be tested, if any (section 275).
k. Other planned audit procedures (section 280).
l.Locations to be visited (section 285): This information includes:
* the locations selected,
* the basis for selections,
* the general nature of procedures planned for each location,
* the determination of the number of items for testing,
* the allocation of those items among the selected locations, and:
* other procedures applied.
m. Staffing requirements.
n. Audit timing, including milestones.
o. Assistance from entity personnel.
.05:
The Cycle Matrix or equivalent links each of the entity's accounts (in
the chart of accounts) to a cycle, an accounting application, and a
financial statement line item or RSSI (paragraph 240.06). This
information may instead be incorporated into the Account Risk Analysis
or equivalent.
.06:
The Account Risk Analysis or equivalent contains the audit plan for
each significant line item and account and should identify significant
line items, accounts, assertions, and cycles/accounting applications
(sections 235 and 240, respectively). The auditor also summarizes and
documents the specific risks, other than pervasive risks, for use in
determining the nature, timing, and extent of the audit procedures. The
auditor may also include insignificant accounts in each line item ARA
or equivalent, indicating their insignificance and the consequent lack
of audit procedures applied to them. In such instances, the cycle
matrix or equivalent need not be prepared.
.07:
The auditor should document in the workpapers the understanding reached
with those requesting the audit and management about the work to be
performed, as described in section 280.
.08:
The auditor also should consider the needs of, and consult in a timely
manner with, other auditors who plan to use the work being performed,
especially in areas where the auditor makes decisions requiring
significant auditor judgment. Where the auditor deviates from a policy
or procedure expressed by use of the term "must" or "should" in the
FAM, he or she should provide an opportunity for the other auditors to
review the documentation of the reasons explaining these deviation
decisions.
[End of section]
295 A - POTENTIAL INHERENT RISK CONDITIONS:
.01:
The specific conditions listed below may indicate the presence of
inherent and/or fraud risks. This section is designed to aid the
auditor in considering each of the inherent risk factors described in
paragraph 260.16 and the fraud risk factors described in paragraphs
260.24-.25 relating to industry conditions, operating conditions and
financial stability, and susceptibility of assets to misappropriation,
but is not intended to be all inclusive. The auditor should consider
any other factors and conditions considered relevant.
.02: NATURE OF THE ENTITY'S PROGRAMS:
* Programs are significantly affected by new/changing governmental
regulations, economic factors, and/or environmental factors.
* Contentious or difficult accounting issues are associated with the
administration of a significant program(s).
* Major uncertainties or contingencies, including long-term
commitments, relate to a particular program(s).
* New (in existence less than 2 years) or changing (undergoing
substantial modification or reorganization) programs lack written
policies or procedures, lack adequate resources, have inexperienced
managers, lack adequate systems to measure performance, and generally
have considerable confusion associated with them.
* Programs that are being phased out (being eliminated within 1 or 2
years), lack adequate resources, lack personnel motivation and
interest, or involve closeout activities for which controls have not
been developed.
* Significant programs have a history of improper administration,
affecting operating activities.
* Significant programs have a history of inadequate financial
management
systems causing management to resort to extensive, costly, time-
consuming, ad hoc efforts to prepare financial statements by the
required deadline.
* Significant programs have minimal IG or internal audit coverage.
* Management faces significant pressure to obtain additional funding
necessary to stay viable and maintain levels of service considering the
financial or budgetary position of a program, including the need for
funds to finance major research and development or capital
expenditures.
* Management faces significant pressure to "use or lose" appropriated
funds in order to sustain future funding levels.
* Partisan politics between competing political parties or factions or
constituent groups create conflict and a lack of stability within the
entity or programs.
* Unusually rapid growth occurs in a program.
* Economic conditions are deteriorating among the group served by the
entity.
.03: HISTORY OF SIGNIFICANT AUDIT ADJUSTMENTS:
* The underlying cause of significant audit adjustments continues to
exist.
.04: NATURE OF MATERIAL TRANSACTIONS AND ACCOUNTS:
* New types of transactions exist.
* Significant transactions or accounts have minimal IG or internal
audit coverage.
* Significant related and/or third party transactions exist.
* Classes of transactions or accounts are:
** difficult to audit;
** subject to significant management judgments (such as estimates);
** susceptible to manipulation, loss, or misappropriation;
** susceptible to inappropriate application of an accounting policy;
and:
** susceptible to problems with realization or valuation.
* Accounts have complex underlying calculations or accounting
principles.
* Accounts in which the underlying activities, transactions, or events
are operating under severe time constraints.
* Significant interagency transactions or revenue sources create
incentives to shift costs or otherwise manipulate accounting
transactions.
* Accounts in which activities, transactions, or events involve the
handling of unusually large cash receipts, cash payments, or wire
transfers.
* Inventory or equipment have characteristics such as small size, high
value, high demand, marketability, or lack of ownership identification
that make them easily converted to cash (for example, pharmaceutical
inventory or military equipment with high street values).
* Assets are easily converted to cash, such as food stamps, benefits
vouchers, commodities, supplies, or materials.
* Assets are susceptible to personal, non-program/non-government use
such as cars, computers, telephones.
* Many payments are sent to post office boxes.
* Large amounts of payments are sent to outside recipients, as in the
cases of grants, medical care reimbursements, or other federal
financial assistance.
[End of section]
295 B - POTENTIAL CONTROL ENVIRONMENT, RISK ASSESSMENT,
COMMUNICATION, AND MONITORING WEAKNESSES:
.01:
The specific conditions listed below may indicate the presence of
control environment, risk assessment, communication, and monitoring
weaknesses and fraud risk. This section is designed to aid the auditor
in considering each of the control environment, risk assessment,
communication, and monitoring factors described in paragraphs 260.32-
.40 but is not intended to be all inclusive. The auditor should
consider any other factors and conditions considered relevant. (If the
auditor is doing a more detailed assessment of internal control than is
usual in a financial audit, he or she may refer to GAO's exposure draft
of Internal Control Management and Evaluation Tool for additional and
more detailed examples of internal control factors.):
CONTROL ENVIRONMENT:
.02: Integrity and Ethical Values:
* An appropriate "tone at the top" has not been established and
communicated throughout the entity, including explicit moral guidance
about what is right and wrong.
* No (or inadequate) formal code of conduct or other policies
regarding acceptable practices, conflicts of interest, or expected
standards of ethical and moral behavior exists, or employees are
unaware of it.
* Employees do not understand what behavior is acceptable or
unacceptable, or what to do if they encounter improper behavior.
* Bad news is covered up by management rather than making full
disclosure as quickly as possible.
* Management does not quickly address signs that problems exist.
* Employees feel peer pressure to cut corners.
* High decentralization leaves top management unaware of actions taken
at lower organizational levels and thereby reduces the chances of
getting caught.
* Everyday dealings with employees, auditors, the public, oversight
groups, etc., are not generally based on honesty and fairness (for
example, overpayments received or supplier underpayments are ignored,
or efforts are made to find a way to reject legitimate benefits
claims).
* Penalties for improper behavior are insignificant or unpublicized
and thus lose their value as deterrents.
* Management has displayed a loose attitude towards internal control,
for example, by not providing guidance on when intervention is allowed
or not investigating and documenting deviations.
* Pressure is felt to meet performance targets or deadlines that are
unrealistic.
* Management is under undue pressure from the administration to attain
an unqualified opinion on the financial statements, despite
significant internal control weaknesses.
* Management displays lack of candor in dealing with oversight
committee staff, recipients of the entity's services, or auditors
regarding decisions that could have an impact on the entity.
.03: Commitment to Competence:
* Jobs have not been analyzed to determine the knowledge and skills
needed.
* Employees do not seem to have the knowledge and skills they should
have to do their jobs, based on the level of judgment necessary.
* Supervision of employees does not compensate for lack of knowledge
and skills in their specific jobs.
.04: Management's Philosophy and Operating Style:
* Management lacks concern about internal control and the environment
in which specific controls function.
* Management demonstrates an aggressive approach to risk-taking.
* Management demonstrates an aggressive approach to accounting
policies.
* Management has a history of completing significant or unusual
transactions near the year's end, including transactions with related
parties.
* Management makes numerous adjusting journal entries, especially at
yearend.
* Management is reluctant to (1) consult auditors/consultants on
accounting issues, (2) adjust the financial statements for
misstatements, or (3) make appropriate disclosures.
* Management displays a significant disregard for regulatory, legal,
or oversight requirements or for IG, GAO, or Congressional authorities.
* Top-level management lacks the financial experience/background
necessary for the positions held.
* Management is slow to respond to crisis situations in both operating
and financial areas.
* Management uses unreliable and inaccurate information to make
business decisions.
* Unexpected reorganization or replacement of management staff or
consultants occurs frequently.
* Management and personnel in key areas (such as accounting, IS, IG,
and internal auditing) have a high turnover.
* Individual members of top management are unusually closely
identified with specific major projects.
* Overly optimistic information on performance of programs and
activities is disclosed.
* Financial estimates consistently prove to be significantly
overstated or understated.
* Obtaining adequate audit evidence is difficult due to a lack of
documentation and evasive or unreasonable responses to inquiries.
* Financial arrangements/transactions are unduly complex.
* Lack of interaction of adequate frequency between senior management
and operating management, particularly with geographically removed
locations.
* Management attitude toward IS and accounting functions is that these
are necessary "bean counting" functions rather than a vehicle for
exercising control over the entity's activities.
* Management is motivated to engage in fraudulent financial reporting
resulting from substantial political pressure creating an undue concern
about reporting positive financial accomplishments.
* Management is dominated, either entity-wide or at a specific
component, by a single person or small group without compensating
controls such as effective oversight by the IG, GAO, Congressional
committees, or other oversight body.
* One or more individuals with no apparent executive position(s) with
the entity appear to exercise substantial influence over its affairs
or over individual departments or programs (for example, a major
political donor or fundraiser).
* Management has significant grantee, cooperative agreement, or
contractor relationships for which there appears to be no clear
programmatic or governmental justification.
* Management appears more concerned with an unqualified opinion on the
financial statements rather than with fixing significant weaknesses in
its systems.
* Management has difficulty meeting reporting deadlines.
.05: Organizational Structure:
* The organizational structure is inappropriate for the entity's size
and complexity. General types of organizational structures include:
** federal centralized (managed and controlled on a day-to-day basis
by a centralized federal entity system),
** federal decentralized (managed and controlled on a day-to-day basis
by federal entity field offices or staffs),
** participant administered (managed and controlled on a day-to-day
basis by a nonfederal organization), and:
** other (managed and controlled on a day-to-day basis by some
combination of the above or by other means).
* The structure inhibits segregation of duties for initiating
transactions, recording transactions, and maintaining custody over
assets.
* It is difficult to determine the organization or individual(s) that
control(s) the entity, parts of the entity, or particular programs.
* Recent changes in the management structure disrupt the organization.
* Operational responsibilities do not coincide with the divisional
structure.
* Delegation of responsibility and authority is inappropriate.
* A lack of definition and understanding of delegated authority and
responsibility exists at all levels of the organization.
* Inexperienced and/or incompetent accounting personnel are
responsible for transaction processing.
* The number of supervisors is inadequate or supervisors are
inaccessible.
* Key financial staff have excessive work loads.
* Policies and procedures are established at inappropriate levels.
* A high degree of manual activity is required in capturing,
processing, and summarizing data.
* Activities are dominated and controlled by a single person or a
small group.
* The potential exists for entity officials to obtain financial or
other benefits on the basis of decisions made or actions taken in an
official capacity.
.06: Assignment of Authority and Responsibility:
* The entity's policies are inadequate regarding the assignment of
responsibility and the delegation of authority for such matters as
organizational goals and objectives; operating functions; and
regulatory requirements, including responsibility for information
systems and authorizations for changes.
* Appropriate control-related standards and procedures are lacking.
* The number of people, particularly in IS and accounting, with
requisite skill levels relative to the size and complexity of the
operations is inadequate.
* Delegated authority is inappropriate in relation to the assigned
responsibilities.
* Appropriate system of authorization and approval of transactions
(for example, in purchasing, grants, and federal financial assistance)
is lacking.
* Policies are inadequate regarding physical safeguards over cash,
investments, inventory, and fixed assets.
.07: Human Resource Policies and Practices:
* Human resource policies for hiring and retaining capable people are
inadequate.
* Standards and procedures for hiring, promoting, transferring,
retiring, and terminating personnel are insufficient.
* Training programs do not adequately offer employees the opportunity
to improve their performance or encourage their advancement.
* Written job descriptions and reference manuals are inadequate or
inadequately maintained.
* Communication of human resource policies and procedures at field
locations is inadequate.
* Policies on employee supervision are inappropriate or obsolete.
* Inappropriate remedial actions are taken in response to departures
from approved policies and procedures.
* Employee promotion criteria and performance evaluations are
inadequate in relation to the code of conduct.
* Job applicant screening procedures for employees with access to
assets susceptible to misappropriation are lacking.
* Training is inadequate regarding controls over payments to others for
grants, federal financial assistance, etc.
* Mandatory vacations are not required for employees performing key
control functions.
.08:
Management's Control Methods Over Budget Formulation and Execution:
* Little or no guidance material and instructions are available to
provide direction to those preparing the budget information.
* The budget review, approval, and revision process is not defined or
understood.
* Management demonstrates little concern for reliable budget
information.
* Management participation in directing and reviewing the budget
process is inadequate.
* Management is not involved in determining when, how much, and for
what purpose obligations and outlays can be made.
* The planning and reporting systems that set forth management's plans
and the results of actual performance are inadequate.
* Inadequate methods are used to identify the status of actual
performance and exceptions from planned performance and communicate
them to the appropriate levels of management.
* Noncompliance with Antideficiency Act, purpose, time, or other
budget-related restrictions has been previously reported.
.09:
Management's Control Methods Over Compliance with Laws and Regulations:
* Management is unaware of the applicable laws and regulations and
potential problems.
* A mechanism to inform management of the existence of illegal acts
does not exist.
* Management neglects to react to identified instances of noncompliance
with laws and regulations.
* Management is reluctant to discuss its approach toward compliance and
the reasonableness of that approach.
* Recurring public complaints have been received through "hotline"
allegations.
* Repeated instances of noncompliance or control weaknesses are
disclosed in FMFIA reports; congressional reports; consultants'
reports; and prior audits/evaluations by GAO, the IG, internal audit,
or others.
* Management is reluctant to provide evidential matter necessary to
evaluate whether noncompliance with laws and regulations has occurred.
* Management is not responsive to changes in legislative or regulatory
bodies' requirements.
* Policies and procedures for complying with laws and regulations are
weak.
* Policies on such matters as acceptable business practices, conflicts
of interest, and codes of conduct are weak.
* Management does not have an effective legal counsel.
.10: Oversight Groups (Including Congressional Committees):
* Oversight groups demonstrate little concern toward controls and the
speed with which internal and external auditors' recommendations are
addressed.
* Oversight groups have little involvement in and scrutiny of
activities.
* Little interaction occurs between oversight groups and the IG and
internal and external auditors.
* Oversight groups demonstrate little concern for compliance with
applicable laws, regulations, and contractual requirements.
RISK ASSESSMENT:
.11: Setting Objectives:
* Management has not established or communicated its overall objectives
to employees or oversight committees.
* No strategic planning has been done, or the strategic plan does not
support the objectives.
* The strategic plan does not address high-level resource allocations
and priorities.
* The strategic plan, budgets, and/or objectives are inconsistent.
* Management has not established activity-level objectives for all
significant activities, or the objectives are inconsistent with each
other or with the overall objectives.
* Objectives do not include measurement criteria.
.12: Analyzing Risks:
* Management has not adequately identified risks to achieving the
entity's objectives arising from external sources, including economic
conditions, the President, the Congress, OMB, and the media.
* Management has not adequately identified risks arising from internal
sources, such as human resources (ability to retain key people) or IS
(adequacy of back-up systems in the event of systems failure).
* Once risks are identified, management has not adequately analyzed the
risks, including estimating the significance of risks, assessing the
likelihood of their occurring, and determining needed actions.
.13: Managing Change:
* The mechanisms for identifying and communicating events, activities,
and conditions that affect operations or financial reporting objectives
are insufficient.
* Accounting and/or information systems are not modified in response
to changing conditions.
* No consideration is given to designing new or alternative controls
in response to changing conditions.
* Management is unresponsive to changing conditions.
COMMUNICATION:
.14: Internal Communication:
* The system for communicating policies and procedures is ineffective.
* Formal or informal job descriptions do not adequately delineate
specific duties, responsibilities, reporting relationships, and
constraints.
* Channels of communication for personnel reporting suspected
improprieties are inappropriate.
* Management fails to display and communicate an appropriate attitude
regarding internal control.
* Management is not effective in communicating and supporting the
entity's accountability for public resources and ethics, especially
regarding matters such as acceptable business practices, conflicts of
interest, and codes of conduct.
* Management is not receptive to employee suggestions of ways to
enhance productivity and quality or other similar improvements.
* Communication across the organization (for example, between
procurement and program activities) is inadequate to enable people to
discharge their responsibilities effectively.
.15: External Communication:
* Channels of communication with suppliers, contractors, recipients of
program services, and other external parties are not open and effective
for communicating information on changing needs.
* Outside parties have not been made aware of the entity's ethical
standards.
* Management does not appropriately follow up on information received
in communications from program service recipients, vendors,
regulators, or other external parties.
MONITORING:
.16: Ongoing Monitoring:
* Management is not sufficiently involved in reviewing the entity's
performance.
* Management control methods are inadequate to investigate unusual or
exceptional situations and to take appropriate and timely corrective
action.
* Management lacks concern for and does not effectively establish and
monitor policies for developing and modifying accounting systems and
control activities.
* Management's follow-up action is untimely or inappropriate in
response to communications from external parties, including
complaints, notification of errors in transactions with parties, and
notification of inappropriate employee behavior.
* Management does not periodically compare amounts recorded by the
accounting system with physical assets.
* Management allows large numbers of duplicate payments.
* Management does not respond to internal and external auditors'
recommendations to strengthen internal control.
* Management has strained relationships with the IG and/or its current
or predecessor external auditors.
* Management does not encourage and consider employee suggestions.
* Personnel do not periodically acknowledge compliance with the code
of conduct or sign off to evidence performance of critical control
functions.
* Management does not adequately monitor significant activities that
have been outsourced to contractors or information systems components
maintained by contractors.
.17: FMFIA or Similar Separate Evaluations:
* Management displays a disregard for fully complying with the FMFIA
process, reporting, results, and follow-up.
* Management displays a disregard for fully complying with or a
combative attitude towards the FFMIA process, reporting, results, and
follow-up.
* FMFIA or similar reviews are not conducted by personnel with
requisite skills or using a logical and appropriate methodology.
* Auditors note weaknesses that were not included in FMFIA and FFMIA
reports.
.18: Reporting Deficiencies:
* The entity does not have a mechanism for capturing and reporting
identified internal control deficiencies from both internal and
external sources resulting from ongoing monitoring or separate
evaluations.
* Deficiencies are not reported to the person with direct
responsibility and to a person at least one level higher or to more
senior management for specified types of deficiencies.
* Corrective actions on deficiencies do not take place on a timely
basis.
* Underlying causes of problems are not investigated.
* Follow-up to ensure that the necessary corrective action has taken
place is not done.
.19: The Effectiveness of Other Auditors:
* The audit staff are responsible for making operating decisions or for
controlling other original accounting work subject to audit.
* Audit management personnel are inexperienced for the tasks assigned.
* Training activities are minimal, including little or no participation
in formal courses and seminars and inadequate on-the-job training.
* Resources to effectively conduct audits and investigations are
inadequate.
* Audits are not focused on areas of highest exposure to the entity.
* Standards against which the auditor's work is measured are minimal
or nonexistent.
* Performance reviews are nonexistent or irregular.
* The audit planning process is nonexistent or inadequate, including
little or no concentration on significant matters and little or no
consideration of the results of prior audits and current developments.
* Supervision and review procedures are nonexistent or inadequate,
including little involvement in the planning process, in monitoring
progress, and in reviewing conclusions and reports.
* Workpaper documentation (audit programs, evidence of work performed,
and support for audit findings) is incomplete.
* An inadequate mechanism is used to keep the entity head and the
Congress informed about problems, deficiencies, and the progress of
corrective action.
* Audit coverage over payments made by others (such as states) for
grants, federal financial assistance, etc. is inadequate.
* The audit has an inadequate review of computer general and
application controls.
* The auditor does not use appropriate tools, such as audit software
and sampling.
* The audit department does not have a peer review every 3 years.
* The audit department does not have an annual internal inspection.
[End of section]
295 C - AN APPROACH FOR MULTIPLE-LOCATION AUDITS:
.01:
This section provides one approach for stratifying the locations and
selecting the samples for multiple-location audits. This method assumes
that the auditor first identifies locations to be tested each year
because of specific inherent or control risks. Other methods of
selecting locations for on-site testing may be used with the approval
of the Reviewer.
STRATIFYING THE LOCATIONS:
.02:
Unless a dollar-unit sampling method is used, which automatically
stratifies the population, the auditor stratifies the locations by
separating them into an appropriate number of relatively homogeneous
groups or strata. Stratification can improve the efficiency of the
sample result (reduce the uncertainty of the estimate) by grouping
items together that are expected to behave similarly with respect to
the audit measure. Stratification can also be used to ensure that items
of special interest receive adequate coverage in the sample. The
stratification should be based on relative size and/or qualitative
factors, such as inherent or control risk. If exact information is not
available, estimates may be used. Criteria for stratifying may include
one or more of the following relative factors:
* the amount of assets;
* the amounts of revenue and expenses incurred or processed at the
location;
* the number of personnel, where payroll costs are significant;
* the amount of appropriations;
* a concentration of specific items (such as a stratum consisting of
significant inventory storage locations, of which those selected will
undergo only inventory procedures);
* the nature and extent of inherent and control risk, including fraud
risk and sensitive matters or the turnover of key management; and:
* special reporting requirements, such as separate reports, special
disclosures, or supplementary schedules.
.03:
For example, the auditor may stratify locations, based on the amount of
total assets, into the following strata: (1) individually material
locations (top stratum), (2) relatively significant locations
(intermediate stratum), and (3) relatively insignificant locations
(bottom stratum). If an entity has 100 locations and if the total
amount of assets is determined to be the relevant criterion for
stratifying locations, the first three columns of table 295 C.1 may
represent an acceptable stratification.
.04: SELECTING LOCATIONS:
The auditor selects locations for on-site testing using one of the
following methods for each stratum: (These methods are described in
more detail in section 480.):
* Dollar-unit sampling (DUS) or classical variables sampling using a
multistage approach may be used as described in section 480.
* Another representative sampling method may be used when appropriate.
The auditor should consult with the Statistician if classical variables
sampling or another representative sampling method is used.
* Nonrepresentative selection (nonsampling) is used when the auditor
determines that it is effective to select locations on a
nonrepresentative basis and to apply substantive analytical procedures
and/or other substantive tests to locations that are not tested on-
site.
.05:
Table 295 C.1 illustrates a possible DUS sample for each stratum, using
design materiality of $3 million and 95-percent assurance. For a DUS
sample, the sampling interval would be $1 million, and the preliminary
estimate of the sample size would be 100 ($100 million divided by
$1 million). Section 400 provides additional information on calculating
the amounts in the table and the various selection methods.
Table 295 C.1: EXAMPLE OF DUS SAMPLING:
[See PDF for image]
[A] The preliminary estimate of sample size is computed by dividing the
total balance by the sampling interval of $1,000,000. Refer to section
400 for additional information concerning sampling.
[B] The actual number of items tested in the top stratum may be fewer
than the preliminary estimate of sample size because a top stratum
selection may include more than one sample item. For example, if the
implicit sampling interval is $1,000,000, a $2 million selection would
include two of the sample items.
[End of table]
TESTING THE ITEMS:
.06: The auditor determines the number of items to be tested at each
location, and then selects and tests those items. For each line item/
account the auditor should determine the total number of items to be
tested, based on the applicable selection method and population, test
materiality, and risk factors, as described in sections 480 and 495 E.
.07:
The auditor should perform analytical and other procedures, as
applicable, for both the locations selected and those not selected.
Generally, the auditor should perform supplemental analytical
procedures, including comparisons of locations with each other and with
other years' information, for all locations, regardless of the
selection method. When nonrepresentative selection is used, the auditor
must apply appropriate substantive analytical procedures and/or other
substantive procedures for locations not tested on-site, unless those
locations are immaterial in total. Section 400 provides guidance on
substantive and supplemental analytical procedures. Specific matters
noted during the audit--for example, cutoff errors at one or more
locations--may warrant increased or different audit procedures at
locations not previously selected for on-site testing.
.08:
In evaluating the result of a sample, the auditor estimates the
effects, both quantitative and qualitative, on the financial statements
taken as a whole, of any misstatements noted, as discussed in sections
480 and 540. In visiting selected locations, in addition to the issues
concerning evaluation of samples in those sections, the auditor should
exercise judgment and should apply the following additional procedures:
a. Determine if apparent misstatements are, in fact, misstatements that
have not been corrected at some level in the entity.
b. Ask management to identify the cause of the misstatement.
c. Obtain evidence as to whether the same or similar types of
misstatement exist at other locations (including locations not tested
on-site). If the evidence is highly persuasive that the misstatement
does not exist at other locations and the Audit Director concurs, the
auditor may treat the effect on the entity the same as that on the
location. (See paragraph 480.40 for a discussion of requirements for
deciding whether evidence is highly persuasive.):
d. If the misstatement is not isolated to the location, determine
whether there is evidence that the misstatement exists in other than a
similar proportion throughout the entity. If such evidence exists, the
auditor should obtain evidence of the incidence rate and should
determine the effect on the entity; additional testing may be required.
If no such evidence exists, the auditor should project the misstatement
to the entity.
.09:
In a nonrepresentative selection, the auditor should consider the
possible effects of misstatements on locations not visited and
determine whether additional audit procedures are required. Because the
selection is not representative, the misstatements cannot be projected
to the entity as a whole.
.10: The auditor should evaluate the sufficiency of audit procedures
applied. The auditor should use judgment and should consider all
relevant factors to determine whether the audit objectives are met,
considering the specific circumstances.
[End of section]
295 D - INTERIM SUBSTANTIVE TESTING OF BALANCE SHEET ACCOUNTS:
.01:
The auditor may consider performing significant substantive tests of
balance sheet line items/accounts as of a date before the balance sheet
date. If such interim tests are performed, the auditor should also
apply audit procedures to the transactions during the "roll forward
period" between the interim testing date and the balance sheet date
(year end).
.02:
Because evidence obtained as of the year end about an asset or
liability balance provides a higher level of assurance than that
obtained as of a prior or subsequent date, the audit risk generally
increases as the length of the roll forward period increases. Although
generally accepted auditing standards do not require moderate or low
control risk to use interim testing, the auditor should consider
inherent, control, and fraud risk in determining whether substantive
tests of the roll forward period can be designed to provide a
reasonable basis for extending the audit conclusions from the interim
testing date to the year end.
.03:
The additional audit procedures that should be performed during the
roll forward period ordinarily increase the overall audit costs.
However, by performing these procedures before the year's end, the
auditor may be able to:
* more quickly identify and address significant audit and accounting
issues, such as problem areas and complex or unusual transactions,
enabling the entity to correct misstatements or the auditor to modify
the audit plan;
* complete the audit and issue the audit report earlier; and:
* improve staff utilization and enable a smaller number of staff
members to perform the audit by allocating the total audit hours over
a longer period before the report issuance date.
.04: Generally, the auditor should not perform interim tests for an
assertion with a high control or combined risk. In such instances, all
substantive testing of balance sheet line items/accounts generally
should be performed as of the year end. If the preliminary assessment
of control and combined risk is moderate or low and exceptions are
noted in the tests of controls, the auditor should use judgment,
considering the nature, cause, and estimated effects of the exceptions,
to determine whether revisions of the preliminary control and combined
risk assessments and audit plan are warranted.
.05:
In determining whether to apply interim testing, the auditor should
consider the following factors:
* The assessment of inherent, control, and fraud risk: The auditor
should consider the risk of misstatement during the roll forward
period, as well as all other relevant factors, including business
conditions that may make management more susceptible to pressures,
causing a misstatement of the financial statements. As combined risk
(inherent and control risk) and fraud risk increase, so does the
extent of the additional procedures that should be applied to the roll
forward period, possibly making interim testing much more costly than
testing the year-end balance. However, the auditor may be able to
apply interim testing to certain assertions for which combined risk is
assessed at lower levels while testing the other assertions as of the
year end.
* The anticipated comparability of the internal controls and the
nature of the line item/account balances from the interim testing date
to the year end: To extend the audit conclusions from the interim date
to the year-end date, it is essential that no significant changes in
internal control occur from the interim date to the year-end date and
that the line item/account balances consist of similar types of items
at both dates.
* The amount of the line item/account balance at the interim testing
date in relation to the expected year-end balance: A significant
increase in the amount of the line item/account balance between
interim and year-end dates would diminish the auditor's ability to
extend the audit conclusions to the year end. In addition, applying
substantive interim tests to a large line item/account balance may be
inefficient if the year-end balance is expected to be lower than the
balance at the interim date.
* The length of the roll forward period: The longer the roll forward
period, the more difficult it is to control the increased audit risk.
The roll forward period generally should not be longer than 3 months.
* The anticipated level of transaction activity during the roll forward
period: Interim testing generally decreases in effectiveness and
efficiency as the level of transaction activity during the roll forward
period increases, particularly if there are large or unusual
transactions during this period.
* The ease with which substantive procedures can be applied to test
the transactions during the roll forward period: As the difficulty of
such procedures increases, the efficiency of interim testing generally
decreases.
* The availability of information to test roll forward period activity
using substantive analytical procedures, detail tests, or a combination
of both: If sufficient information is not available, interim testing is
not appropriate.
* The timing of the audit, staffing and scheduling requirements, and
reporting deadlines: Tight deadlines or the unavailability of necessary
staff to perform audit procedures at the year's end may necessitate
interim testing.
.06:
In determining the timing of audit tests, the auditor should consider
the relationships between line items/accounts that are affected by the
same transactions. For example, if the auditor applies interim testing
to inventory, the audit risk associated with inventory-related accounts
payable, including cutoff matters, should be considered. The auditor
may apply substantive procedures to each of the related line items/
accounts as of the same interim testing date or may apply other
procedures to obtain sufficient audit assurance.
.07:
The auditor should document in the ARA (or equivalent) line items/
accounts (and assertions, where applicable) to which interim testing is
applied. The factors considered when concluding that the use of interim
testing is appropriate should be documented in the GRA or equivalent.
[End of section]
295 E - EFFECT OF RISK ON EXTENT OF AUDIT PROCEDURES:
.01:
The concepts of materiality and risk interrelate and sometimes are
confused. The auditor determines materiality based on the users'
perceived concerns and needs. The auditor assesses risk based on (but
not limited to) knowledge of the entity, its business (purpose),
applicable laws and regulations, and internal control.
.02:
The auditor considers both materiality and risk in (1) determining the
nature, timing, and extent of audit procedures and (2) evaluating the
results of audit procedures. The evaluation of risk usually does not
affect materiality. However, risk affects the extent of testing needed.
The higher the auditor's assessment of inherent and control risk
(combined risk), including fraud risk, the higher the required level of
substantive assurance from the audit procedures. The discussion of
consideration of risk in planning begins at paragraph 260.02.
Consideration of risk in determining sample size is discussed in
section 470.
.03:
As an example, assume that the auditor is testing accounts receivable
using dollar-unit sampling techniques described in section 480.
Following are the pertinent data for this test:
* Accounts receivable total $2.5 million.
* Test materiality is $100,000.
If the auditor assesses combined risk as low, the sample size would be
25 items; if combined risk is assessed as high, the sample size would
be 75 items. The increase in the assessment of risk caused the required
sample size to triple with the same test materiality.
.01:
As discussed in paragraph 270.04, the auditor should identify IS
controls. Such controls should be tested by an IS auditor as described
in section 300 and in accordance with the FISCAM or other appropriate
methodology. IS controls can be classified into three types:
* general controls,
* application controls, and:
* user controls.
GENERAL CONTROLS:
.02:
General controls are the policies and procedures that apply to an
entity's overall computer operations and that create the environment in
which application controls and certain user controls, which are control
activities, operate. They are classified as:
* entitywide security management program that provides a framework and
continuing cycle of activity for managing risk, developing security
policies, assigning responsibilities, and monitoring the adequacy of
the entity's computer-related controls;
* access control that limits or detects access to computer resources
(data, programs, equipment, and facilities), thereby protecting these
resources against unauthorized modification, loss, and disclosure;
* application software development and change control that prevents
unauthorized programs or modifications to an existing program from
being implemented;
* system software control that limits and monitors access to the
powerful programs and sensitive files that (1) control the computer
hardware and (2) secure applications supported by the system;
* segregation of duties that means having policies, procedures, and an
organizational structure established so that one individual cannot
control key aspects of computer-related operations and thereby conduct
unauthorized actions or gain unauthorized access to assets or records;
and:
* service continuity control to ensure that when unexpected events
occur, critical operations continue without interruption or are
promptly resumed and critical and sensitive data are protected.
Chapter 3 of the FISCAM has detailed guidance on evaluating and testing
general controls.
.03:
General controls are established at an (1) entity and/or installation/
system level and (2) application level. For example, consider the
following general controls related to security access:
* In evaluating general controls at the entity or installation level,
the IS auditor considers security on an overall basis. For instance,
the IS auditor may evaluate the entity's use of security access
software, including its proper implementation.
* When evaluating general controls at the application level, the IS
auditor reviews security controls that limit access to particular
applications and related computer files. Thus, the IS auditor may focus
on how security access software restricts access to payroll
applications and related files (such as the employee master file and
payroll transaction files) to authorized users.
* Finally, security is typically built into the application itself to
further restrict authorized access. This security is usually
accomplished by means of menus and other restrictions programmed into
the application software. Thus, a payroll clerk may have access to
payroll applications but may be restricted from access to a specific
function, such as reviewing or updating payroll data on payroll
department employees.
.04: The effectiveness of general controls is a significant factor in
determining the effectiveness of application controls and certain user
controls. Without effective general controls, application controls may
be rendered ineffective by circumvention or modification. For example,
the production and review of an exception report of unmatched items can
be an effective application control. However, this control would be
ineffective if the general controls permitted unauthorized program
modifications such that certain items would be inappropriately excluded
from the report. Certain user controls are also affected by general
controls. For example, a user control may be the comparison of manually
calculated batch totals with computer-generated totals. Such a
procedure would be ineffective if the general controls permitted
unauthorized modifications of the program such that the program would
print the desired batch totals without summarizing the detail.
APPLICATION CONTROLS:
.05: Application controls are incorporated directly into individual
computer applications to provide reasonable assurance of accurate and
reliable processing. Application controls address three major
operations:
* data input,
* data processing, and:
* data output.
.06: FISCAM, in chapter 4, uses control categories that better tie in
with the methodology used in the FAM. These categories relate to the
financial statement assertions and are as follows.
* Authorization control. This category is most closely aligned with the
financial statement accounting assertion of existence or occurrence
and, therefore, focuses on the validity of transactions. Consequently,
it includes controls designed to ensure that transactions are
appropriately authorized and approved and represent economic events
that actually occurred during a given period.
* Completeness control. This category directly relates to the financial
statement accounting assertion on completeness and deals with whether
all valid transactions are recorded. Also included in this category are
reconciliation controls, which not only help detect misstatements
relating to transaction completeness, but can also be used to identify
the cutoff and summarization misstatements associated with both the
existence or occurrence and completeness assertions.
* Accuracy control. This category most directly relates with the
financial statement assertion on valuation or allocation, which deals
with whether transactions are recorded at correct amounts. This control
category, however, is not limited to valuation, and also includes
controls designed to ensure that transactions are properly classified
and entered into the application correctly.
* Control over integrity of processing and data files. These
application controls are not limited directly to one specific
accounting application assertion, and if deficient could nullify other
application controls and allow the occurrence of unauthorized
transactions, as well as contribute to incomplete and inaccurate
data.
USER CONTROLS:
.07:
User controls are manual comparisons of computer output (generally
totals) to source documents or other input (including control totals).
For example, a manual calculation of total hours worked may be
reconciled to a corresponding computer-generated total from the payroll
processing application. Where user controls are used, computer-
generated information should be manually compared with reliable
information prepared or verified independently of the computer.
.08:
In certain circumstances, user controls may function independently of
general controls. For example, a user control may be to manually check
the accuracy and completeness of IS-computed transactions against
manually prepared records. With the concurrence of the IS auditor, such
control activities may be evaluated and tested without testing general
controls.
[End of section]
295 G - BUDGET CONTROLS:
.01:
Budget controls are management's policies and procedures for managing
and controlling the use of appropriated funds and other forms of budget
authority. Budget controls are part of the internal controls covered in
OMB's audit guidance. During planning, the auditor should assess
related inherent risk and the control environment, risk assessment,
communication, and monitoring and should obtain an understanding of the
budget accounting system.
.02:
Certain controls may achieve both financial reporting and other control
objectives. Accordingly, to maximize efficiency, the auditor should
coordinate the evaluation of budget controls with that of financial
reporting, compliance, and operations controls, to the extent possible.
.03:
Budget authority is authority provided by law to enter into financial
obligations which will result in immediate or future outlays involving
government funds (2 U.S.C. 622(2)). The Congress provides an entity
with budget authority and may place restrictions on the amount,
purpose, and timing of the obligation or outlay of such budget
authority.
.04:
The three forms of budget authority follow:
* Appropriations are the most common form of budget authority. An
appropriation is an authorization by an act of the Congress that
permits federal agencies to incur obligations and to make payments out
of the Treasury for specified purposes. Appropriations do not represent
cash actually set aside in the Treasury for purposes specified in the
appropriation acts. Appropriations represent amounts that agencies may
obligate during the period specified in the appropriation acts.
* Borrowing authority is statutory authority that permits federal
agencies to borrow and obligate and expend borrowed funds (title 7 of
the GAO Policies and Procedures Manual). Usually, the amount that may
be borrowed and the purposes for which the borrowed funds are to be
used are stipulated by the authorizing statute.
* Contract authority is statutory authority that permits obligations
to be incurred before appropriations or in anticipation of receipts to
be credited to a revolving fund or other account (offsetting
collections). By definition, contract authority is unfunded and must
subsequently be funded by an appropriation or offsetting collections
to liquidate the obligations incurred under the contract authority.
.05:
Offsetting collections are collections of a business-or market-oriented
nature and intragovernmental transactions. If, pursuant to law, they
are deposited to receipt accounts and are available for obligation,
they are considered budget authority and referred to as offsetting
receipts. Contract authority and immediate availability of offsetting
receipts for use are the usual forms of budget authority for revolving
funds. Offsetting collections may also include reimbursements for
materials or services provided to other government entities.
.06:
Borrowing and contract authority are sometimes called "back door
authority," which refers to any type of budget authority that is
provided by legislation outside the normal appropriations process.
[End of section]
295 H - LAWS IDENTIFIED IN OMB AUDIT GUIDANCE AND OTHER GENERAL LAWS:
.01:
When identifying significant provisions of laws and regulations (see
paragraph 245.02), the auditor should consider the following laws and
regulations identified in OMB audit guidance in addition to any others
that could have a direct and material effect on the financial
statements and RSSI. Following each listed law is the subsection in FAM
section 800 (under revision) that contains the compliance summary and
audit program for that law.
* Antideficiency Act (codified as amended in 31 U.S.C. 1341, 1342,
1351, and 1517). (FAM section 803). Provisions: 31 U.S.C.
1341(a)(1)(A) and (C), and 31 U.S.C. 1517(a).
* Provisions Governing Claims of the United States Government as
provided primarily in sections 3711-3720E of Title 31, Unites States
Code (including provisions of the Debt Collection Improvement Act of
1996, Pub. L. No. 104-134, 110 Stat. 1321-358, which also is codified
in various sections of 5 U.S.C., 18 U.S.C., 26 U.S.C., 31 U.S.C., and
42 U.S.C.). (FAM section 809). Provisions: 31 U.S.C. 3711, 31 U.S.C.
3717(a), (b), (c), (e), and (f), and 31 U.S.C. 3719.
* Federal Credit Reform Act of 1990, Pub. L. No. 100-508, 104 Stat.
1388-610 (codified in various sections of 2 U.S.C.). (FAM section 808).
Provisions: 2 U.S.C. 661(b) and (e).
* Pay and Allowance System for Civilian Employees as provided
primarily in Chapters 51-59 of Title 5, United States Code. (FAM
section 812). Provisions: 5 U.S.C. 5332 and 5343 and 29 U.S.C. 206.
* Prompt Payment Act (codified as amended in 31 U.S.C. 3901-3907).
(FAM section 810). Provisions: 31 U.S.C. 3902(a), (b), and (f) and 31
U.S.C. 3904.
OMB audit guidance lists the specific provisions for each law above
that the CFO Act agency is expected to test at a minimum.
.02:
The auditor should also consider whether any other general or entity-
specific laws are significant laws for the audited entity, per FAM
sections 245 and 802. The following are some general laws for which we
have included in section 800 (under revision) a compliance summary for
internal control testing and a compliance audit program. See FAM
section 802 (Part II), General Compliance Checklist, and the referenced
section for each law for internal control and compliance testing.
* Civil Service Retirement Act, 5 U.S.C. 8331 et. seq. (FAM section
813).
* Federal Employees' Compensation Act, 5 U.S.C. 8101 et. seq. (FAM
section 816).
* Federal Employees Health Benefits Act, 5 U.S.C. 8901 et. seq. (FAM
section 814).
* Federal Employees Retirement System Act of 1986. This becomes
increasingly material each year as the number of employees covered by
this act increases and those covered by the Civil Service Retirement
Act decreases. We will include a new FAM section on the compliance
summary and audit program for this act.
[End of section]
295 I - EXAMPLES OF AUDITOR RESPONSES TO FRAUD RISK FACTORS:
.01:
As discussed in section 260, the auditor is required by AU 316 (SAS 82)
to consider the risk of material misstatement to the financial
statements due to fraud. Misstatements due to fraud may arise from
fraudulent financial reporting or from misappropriation of assets.
Examples of fraud risk factors the auditor may encounter in the federal
government are found in sections 295 A and B (inherent and control risk
factors). Depending on the nature of the programs audited, the auditor
may need to consider further risk factors. The auditor generally should
consider the cases the IG has investigated or is investigating to
obtain ideas of specific risk factors to look for.
.02:
In considering the risk factors in those sections, the auditor should
note that some of these fraud risk factors will exist in entities where
circumstances do not present a risk of material misstatement. Also,
specific controls may exist to mitigate fraud risk, even where risk
factors are present. The auditor should consider whether identified
risk factors, individually and in combination, present a risk of
material misstatement of the financial statements.
.03:
In addition to the overall responses to the presence of fraud risk
factors affecting professional skepticism, assignment of personnel,
accounting principles and policies, controls, and/or modification of
the nature, timing, and extent of procedures discussed in section 260,
the auditor may decide that a specific response to the fraud risk
factors identified is required. These are examples of specific
responses:
* Conduct surprise or unannounced visits or procedures (such as
inventory observations or cash counts).
* Request that physical inventory be taken closer to year end.
* Contact major customers and suppliers orally and in writing for
confirmations, request confirmations of specific persons in the
organizations, or request confirmation of more or different
information.
* Review year-end adjusting entries in detail and investigate any that
appear unusual.
* For significant and unusual transactions, especially near year end,
investigate the possibility of related parties (see section 1006).
* Perform substantive analytical procedures at a detailed level, such
as by location, line of business, or month.
* Interview personnel in areas where fraud risk factors are a concern
to obtain their insights about the risk and whether or how controls
address the risk.
* Discuss with other auditors who are auditing departments, locations,
or
programs of the entity, the extent of work necessary to assure that the
risk of material misstatement due to fraud resulting from transactions
and activities among these components is adequately addressed.
* If a specialist's work is particularly significant, perform
additional procedures with respect to some or all of the specialist's
assumptions, methods, or findings to determine that the findings are
not unreasonable, or engage another specialist to do that (see section
650).
* Perform additional or more focused analytical procedures concerning
budget to actual variances and their underlying causes.
* Test a larger sample of disbursement transactions for validity.
.04: If there is an increased risk of material misstatement due to
fraudulent financial reporting, example responses include:
* Revenue recognition. Confirm with customers relevant contract terms
and absence of side agreements.
* Inventory quantities. Review inventory records to identify
locations, areas, or items for specific attention during or after
physical inventory. It may be important to count all locations on the
same date, or to observe some locations on an unannounced basis. The
auditor may examine the contents of boxed items more rigorously,
investigate how boxes are stacked or labeled and the quality of the
contents, or he or she may do additional testing of count sheets or
tags or maintain copies to minimize the risk of subsequent alteration.
* Allowance for loan losses. Perform more detailed analytical
procedures (such as analyzing specific credit lines rather than the
portfolio taken as a whole), increase the sample size of loans to
conclude as to the accuracy of credit risk and adequacy of loan loss
allowances for specific loans, or increase the number of confirmation
requests to gain further evidence as to existence.
.05:
If there is an increased risk of material misstatements due to
misappropriation of assets, example responses include the following:
* Evaluate control risk differently at different locations when the
risk is greater at specific locations (such as when a large amount of a
specific type of asset that is particularly susceptible to such risk is
present at some locations), requiring a different response at different
locations.
* With a particular asset that is highly susceptible to
misappropriation, understanding and testing controls may be important.
Also, physical inspection of such assets at or near year end may be
appropriate, as well as analytical procedures using a narrow precision
in the auditor's expectation.
* In some programs, consider additional participant eligibility
testing, including unannounced visits to intake centers or work sites
to test the existence and identity of participants, or observe benefit
payment distribution to identify "ghost" participants, or use
confirmation requests to test the existence of program participants.
[End of section]
295 J - STEPS IN ASSESSING INFORMATION SYSTEM CONTROLS:
.01:
As discussed in section 260, the following are the steps the auditor
and the IS auditor generally follow in assessing IS controls in a
financial statement audit. However, the audit team may decide to test
the effectiveness of the general controls even if they are not likely
to be effective, or the team may decide to review application controls
even though general controls are not effective. The team may decide to
do this to be able to make better recommendations on how to fix weak
controls.
Steps in Assessing Information System Controls In a Financial
Statement Audit:
[See PDF for image]
[End of figure]
[End of section]
FOOTNOTES
[1] If the auditor uses software to calculate sample size, he or she
should understand how the software considers expected misstatements.
For example, if the auditor uses Interactive Data Extraction and
Analysis (IDEA) to calculate sample size when test materiality is lower
than design materiality, because the auditor expects misstatements, the
auditor should use design materiality in IDEA because he or she
separately inputs the expected misstatement. See paragraph 480.27.
[2] The auditor is not required to opine on RSSI, but, per OMB audit
guidance, internal control over RSSI should be tested the same as
internal control over the financial statements.
[3] Assurance is not the same as statistical confidence. Assurance is a
combination of quantitative measurement and auditor judgment.
[4] See also GAO's Standards for Internal Control in the Federal
Government, GAO/AIMD-00-21.3.1, November 1999.
SECTION 300:
Internal Control Phase:
Figure 300.1: Methodology Overview
Planning Phase:
* Understand the entity's operations: Section 220:
* Perform preliminary analytical procedures: Section 225:
* Determine planning, design, and test materiality: Section 230:
* Identify significant line items, accounts, assertions, and RSSI:
Section 235:
* Identify significant cycles, accounting applications, and financial
management systems: Section 240:
* Identify significant provisions of laws and regulations: Section 245:
* Identify relevant budget restrictions: Section 250:
* Assess risk factors: Section 260:
* Determine likelihood of effective information system controls:
Section 270:
* Identify relevant operations controls to evaluate and test: Section
275:
* Plan other audit procedures: Section 280:
* Plan locations to visit: Section 285:
Internal Control Phase:
* Understand information systems: Section 320:
* Identify control objectives: Section 330:
* Identify and understand relevant control activities: Section 340:
* Determine the nature, timing, and extent of control tests and of
tests for systems’ compliance with FFMIA requirements: Section 350:
* Perform nonsampling control tests and tests for systems’ compliance
with FFMIA requirements: Section 360:
* Assess controls on a preliminary basis: Section 370:
Testing Phase:
* Consider the nature, timing, and extent of tests: Section 420:
* Design efficient tests: Section 430:
* Perform tests and evaluate results: Section 440:
** Sampling control tests: Section 450:
** Compliance tests: Section 460:
** Substantive tests: Section 470:
*** Substantive analytical procedures: Section 475:
*** Substantive detail tests: Section 480:
Reporting Phase:
* Perform overall analytical procedures: Section 520:
* Determine adequacy of audit procedures and audit scope: Section 530:
* Evaluate misstatements: Section 540:
* Conclude other audit procedures: Section 550:
** Inquire of attorneys:
** Consider subsequent events:
** Obtain management representations:
** Consider related party transactions:
* Determine conformity with generally accepted accounting principles:
560:
* Determine compliance with GAO/PCIE Financial Audit Manual: Section
570:
* Draft reports: Section 580:
[End of figure]
310 - OVERVIEW:
.01:
In the internal control phase, the auditor should gain an understanding
of internal control and obtain evidence about the effectiveness of
internal control to (1) assess control risk, (2) determine the nature,
timing, and extent of control, compliance, and substantive testing, and
(3) form an opinion or report on internal control over financial
reporting and compliance. Control risk should be assessed separately
for each significant financial statement assertion in each significant
cycle/accounting application (including RSSI). (See figure 300.1.) The
auditor also should gain an understanding of the components of internal
control relating to the existence and completeness assertions (and
valuation for GAO audits) (see definitions of assertions in paragraph
235.02) relevant to the performance measures reported in the MD&A
(overview) of the Accountability Report in order to report on controls
that have not been properly designed and placed in operation. The
auditor is not required to test performance measures controls, but he
or she may decide to do so.
.02:
The entity's management is responsible for establishing and maintaining
internal control to provide reasonable assurance that the entity's
objectives will be met. In a financial statement audit, the auditor
evaluates those internal controls designed to provide reasonable
assurance that the following objectives are met (also see paragraph
310.10 for the auditor's responsibility for performance measures
controls):
* Reliability of financial reporting ("financial reporting controls")
--transactions are properly recorded, processed, and summarized to
permit the preparation of the financial statements and RSSI in
accordance with generally accepted accounting principles, and assets
are safeguarded against loss from unauthorized acquisition, use, or
disposition;
* Compliance with applicable laws and regulations ("compliance
controls") --transactions are executed in accordance with (a) laws
governing the use of budget authority and other laws and regulations
that could have a direct and material effect on the principal
statements or RSSI, and (b) any other laws, regulations, and
governmentwide policies identified by OMB in its audit guidance.
.03:
The auditor should determine whether such internal control provides
reasonable assurance that misstatements, losses, or noncompliance,
material in relation to the financial statements, would be prevented or
detected during the period under audit. In addition, if the auditor
intends to opine on internal control, he or she makes a separate
conclusion on internal control as of the end of the period.
Additionally, the auditor may test certain operations controls and
should understand performance measures controls, as discussed in the
planning phase (section 275).
.04:
Internal control over safeguarding assets constitutes a process,
effected by an entity's governing body, management, and other
personnel, designed to provide reasonable assurance regarding
prevention or timely detection of unauthorized acquisition, use, or
disposition of the entity's assets that could have a material effect on
the financial statements. As used in this manual, safeguarding
controls, a part of financial reporting controls, relate to protecting
assets from loss arising from misstatements in processing transactions
and handling the related assets. Section 395 C includes a list of
typical safeguarding controls. Safeguarding controls examined as part
of a financial statement audit do not relate to the loss of assets
arising from management's operating business decisions, such as
incurring expenditures for equipment or material that might prove to be
unnecessary. (Such controls are operations controls.) Safeguarding
controls consist of (1) controls that prevent or detect unauthorized
access (direct or indirect) to assets and (2) segregation of duties.
Safeguarding controls are considered as part of financial reporting
controls.
.05:
Just as safeguarding controls are part financial reporting and part
operations controls, budget controls are part financial reporting and
part compliance controls. Budget controls that provide reasonable
assurance that budgetary transactions, such as obligations and outlays,
are properly recorded, processed, and summarized to permit the
preparation of the financial statements, mainly the statements of
budgetary resources and financing, in accordance with GAAP, are
financial reporting controls. Budget controls are generally also
compliance controls in that they provide reasonable assurance that
transactions are executed in accordance with laws governing the use of
budget authority. Some budget controls may be compliance controls only;
for example, controls over allotments, to prevent Antideficiency Act
violations.
.06:
The auditor must evaluate and test certain controls. AU 319 (SAS 55
amended by SAS 78) permits the auditor to assess control risk at a high
(maximum) level and forgo evaluation and testing of financial reporting
controls if the auditor believes evaluating their effectiveness would
be inefficient. However, because OMB audit guidance requires the
auditor to perform sufficient tests of internal controls that have been
properly designed and placed in operation to support a low assessed
level of control risk, the auditor may not elect to forgo control tests
solely because it is more efficient to extend compliance and
substantive audit procedures.
.07:
The following are the types of controls to test:
* financial reporting controls (including certain safeguarding and
budget controls) for each significant assertion in each significant
cycle/accounting application (identified in section 240),
* compliance controls for each significant provision of laws and
regulations (identified in section 245), including budget controls for
each relevant budget restriction (identified in section 250), and:
* operations controls for each operations control (1) relied on in
performing financial audit procedures or (2) selected for testing by
the audit team. The auditor also should understand performance measures
controls, but is not required to test them. However, the auditor may
decide to test them (see section 275).
.08:
The auditor is not required to test controls that have not been
properly designed and placed in operation. Thus, internal controls that
are not effective in design (or in operation, based on prior years'
testing) do not need to be tested. If the auditor determined in a prior
year that controls in a particular accounting application were
ineffective and if management indicates that controls have not
improved, the auditor need not test them. On the other hand, if
controls have been determined to be effective in design and placed in
operation, the auditor must perform sufficient tests of their
effectiveness to support a low assessed level of control risk. In such
cases, the auditor may consider using a rotation approach to testing
controls over the various accounting applications, as described in
section 395 G. If the auditor expects to disclaim an opinion because of
scope limitations or inadequate controls, the auditor may limit
internal control work to updating the understanding of controls and
whether they have been placed in operation. The auditor may do this by
inquiring as to whether previously identified control weaknesses have
been corrected. In the year the auditor expects to issue an opinion on
the financial statements, the auditor needs a basis of sufficient work
on internal control.
.09:
In the internal control phase, the auditor should perform and document
the following procedures:
* Understand the entity's information systems for financial reporting,
compliance with laws and regulations, and relevant operations
(including reported performance measures) (see section 320).
* Identify control objectives (see section 330).
* Identify and understand relevant control activities that effectively
achieve the control objectives (see section 340).
* Determine the nature, timing, and extent of control testing (not
necessary for performance measures controls) (see section 350).
* Perform control tests that do not involve sampling (nonsampling
control tests - see section 360).[Footnote 1] (Sampling control tests,
if necessary, are performed in the testing phase, as discussed in
section 450.) Testing is not required for performance measures
controls.
* On a preliminary basis, based on the evidence obtained, assess (1)
the effectiveness of financial reporting, compliance, and relevant
operations controls and (2) control and combined risk (see section
370). (Combined risk, which includes inherent and control risk, is
discussed in paragraph 370.09).
.10:
OMB's audit guidance also defines internal control over performance
measures as a process, effected by management and other personnel,
designed to provide reasonable assurance that the following objective
is met:
* Reliability of performance reporting--transactions and other data
that support reported performance measures are properly recorded,
processed, and summarized to permit the preparation of performance
information in accordance with criteria stated by management.
OMB requires the auditor to obtain an understanding of the components
of internal control over performance measures included in the MD&A
relating to the existence and completeness assertions (for GAO audits,
the valuation assertion is also included in the understanding) and to
report deficiencies in the design of those controls that have not been
properly designed and placed in operation. Note that the auditor is not
required to test internal control over performance measures.
.11:
In gaining an understanding of an entity's internal control, the
auditor should obtain knowledge about the design of relevant controls
and whether they have been placed in operation. In obtaining knowledge
about whether controls have been placed in operation, the auditor
determines whether the entity is using them, rather than merely having
them written in a manual, for example. This differs from determining a
control's operating effectiveness, which is concerned with how the
control was applied, the consistency with which it was applied, and by
whom. Gaining an understanding of internal control does not require
that the auditor obtain knowledge about operating effectiveness.
[End of section]
320 - UNDERSTAND INFORMATION SYSTEMS:
.01:
The auditor should obtain an understanding of the entity's information
systems (including methods and records) for processing and reporting
accounting (including RSSI), compliance, and operations data (including
performance measures reported in the MD&A (overview) of the
Accountability Report).[Footnote 3] The information systems are part of
the information and communication component of internal control. The
communication portion of this component was considered in section 260.
The auditor should obtain sufficient knowledge of each type of system
to understand the information in paragraphs 320.03-.07. The auditor may
use an IS auditor to assist in understanding and documenting the IS
aspects of these systems. The understanding of the systems should be
documented in cycle memorandums or other narratives and flow charts.
.02:
The auditor should perform sufficient system walkthroughs to confirm
the understanding of significant information about such systems.
However, if the auditor already has a sufficient understanding of the
systems as a result of procedures performed in the preceding year,
discussion of any system changes with management may be substituted for
the walkthroughs. In a walkthrough of an accounting system, the auditor
traces one or more transactions from initiation through all processing
to inclusion in the general ledger, observing the processing in
operation and examining related documents. Because walkthroughs are
important in understanding the transaction process and in determining
appropriate audit procedures, they should be performed for all
significant accounting applications. Walkthroughs of budget
accounting, compliance, and operations systems (including reported
performance measures) should provide the auditor with evidence about
the functioning of such systems. This walkthrough is to confirm the
understanding of the system. The IS aspects of each system should be
incorporated into the audit workpapers, supplemented by additional flow
charts, narratives, and checklists, as considered necessary.
ACCOUNTING SYSTEM(S):
.03:
The auditor should obtain an understanding of and should document the
following for each significant cycle and accounting application
(including those dealing with RSSI):
* The manner in which transactions are initiated;
* The nature and type of records, journals, ledgers, and source
documents, and the accounts involved;
* The processing involved from the initiation of transactions to their
inclusion in the financial statements, including the nature of computer
files and the manner in which they are accessed, updated, and deleted;
and:
* The process used to prepare the entity's financial statements and
budget information, including significant accounting estimates,
disclosures, and computerized processing.
.04:
Understanding the processing involved will be important in determining
whether the financial management systems substantially comply with
federal financial management systems requirements, federal accounting
standards, and the SGL at the transaction level, so the auditor can
report as required by FFMIA. If the entity is likely to receive an
unqualified opinion and to have no material weaknesses in internal
control, the auditor should test, (for efficiency, this could be done
while performing nonsampling control tests (see section 350)),
significant information the entity provides to support its assertion
about the substantial compliance of its systems.
BUDGET ACCOUNTING SYSTEM(S):
.05:
Through discussions with individuals responsible for accounting for
budget execution, the auditor should understand and document the
entity's process for:
* Developing and requesting apportionments from OMB;
* Establishing and allocating allotments within the entity, including
reprogramming of allotments;
* Establishing and recording commitments, if applicable;
* Establishing, recording, and monitoring obligations (undelivered
orders);
* Establishing and recording expended authority (delivered orders);
* Establishing and recording outlays;
* Monitoring supplemental appropriations;
* Recording transactions in and adjustments to expired accounts; and:
* Monitoring canceled (closed) accounts.
COMPLIANCE SYSTEM(S):
.06:
The compliance system includes the entity's policies and procedures to
monitor overall compliance with laws and regulations applicable to the
entity. Through discussions with entity management, the auditor should
understand and document the entity's process for:
* Identifying and documenting all laws and regulations applicable to
the entity;
* Monitoring changes in applicable laws and regulations and responding
on a timely basis;
* Establishing policies and procedures for complying with specific laws
and regulations and clearly documenting and communicating these
policies and procedures to appropriate personnel;
* Assuring that an appropriate number of competent individuals at
appropriate levels within the entity monitor the entity's compliance
with applicable laws and regulations; and:
* Investigating, resolving, communicating, and reporting any
noncompliance with laws and regulations.
OPERATIONS SYSTEM(S) (INCLUDING REPORTED PERFORMANCE MEASURES):
.07:
Through discussions with appropriate entity personnel, the auditor
should understand and document any entity systems in which operations
controls to be evaluated and tested operate, and any systems that
produce the data used in performance measures reported in the MD&A
(overview) of the Accountability Report. For example, if the auditor
intends to evaluate and test an operations control that is dependent on
certain statistical information, the auditor should understand how such
statistical information is developed. Also, although the auditor is not
required to test controls over a system producing data used in
performance measures (unless it is an accounting or other system tested
for other reasons), he or she should understand the system and the
design of internal control related to the existence, completeness, and,
for GAO audits, valuation (see definition in paragraph 235.02)
assertions and whether they have been placed in operation. Thus, the
auditor should understand and document the following:
* How the entity determines the performance measures to report,
including their relationship to the entity's mission;
* The source of the information used in performance measures;
* The processing involved from the initial source information to its
inclusion in performance measures; and:
* The process used to prepare the performance measures from the system-
produced data.
[End of section]
330 - IDENTIFY CONTROL OBJECTIVES:
.01:
The auditor should identify control objectives for each type of control
that, if achieved, would provide the entity with reasonable assurance
that misstatements (whether caused by error or fraud), losses, or
noncompliance material in relation to the principal statements would be
prevented or detected. For RSSI, the objectives would relate to
controls that would provide reasonable assurance that misstatements,
losses, or noncompliance that would be considered material by users of
the information would be prevented or detected. Such objectives should
cover the following general areas:
* Financial reporting controls: Prevent or detect aggregate
misstatements in significant financial statement assertions, including
assertions relating to RSSI and the statements of budgetary resources
and financing. Also, Safeguarding controls: Safeguard assets against
loss from unauthorized acquisition, use, or disposition.
* Compliance controls: Comply with significant provisions of applicable
laws and regulations. Also, Budget controls: Execute transactions in
accordance with budget authority.
* Operations controls: For each relevant operations control, achieve
the performance level desired by management for the planning,
productivity, quality, economy, efficiency, or effectiveness of the
entity's operations. For performance measures controls, report the
data used to measure the entity's performance in accordance with
criteria stated by management.
Paragraphs 330.02-.11 describe the process for identifying control
objectives for each type of control.
FINANCIAL REPORTING CONTROLS:
.02: The auditor should evaluate and test financial reporting controls
for each significant assertion in each significant line item or
account, including RSSI and the statements of budgetary resources and
financing. (See paragraph 235.02 for a discussion of financial
statement assertions.) The first step in developing control objectives
for financial reporting controls is to consider the types of
misstatements that might occur in each significant assertion in each
significant line item or account. One or more potential misstatements
can occur in each financial statement assertion. For example, for the
existence or occurrence assertion, potential misstatements can occur
in the following four areas:
* Validity: Recorded transactions do not represent economic events that
actually occurred.
* Cutoff: Transactions are recorded in a different period from that in
which the economic events occurred.
* Summarization: Transactions are summarized improperly, resulting in
an overstated total.
* Substantiation: Recorded assets and liabilities of the entity do not
exist at a given date.
For each potential misstatement, there are one or more control
objectives that, if achieved, would prevent or detect the potential
misstatement. These potential misstatements and control objectives
provide the auditor the primary basis for assessing the effectiveness
of an entity's control activities.
Identifying Potential Misstatements and Control Objectives:
.03: As discussed in section 240, the auditor identifies the
significant accounting applications that provide a source of
significant entries to each significant line item or account. For
example, as illustrated in section 395 A, (1) sources of significant
entries to cash typically include the cash receipts, cash
disbursements, payroll, and cash accounting applications, and (2)
sources of significant entries to accounts receivable typically
include the billing, cash receipts, and accounts receivable accounting
applications. Such accounting applications should have been identified
in the cycle matrix or ARA or equivalent documentation.
.04: The auditor should understand how potential misstatements in
significant accounting applications could affect the related line item
or account at an assertion level. For example, an overstatement of cash
receipts typically results in (1) an overstatement of the cash account
(by overstating the debit to cash) and (2) an understatement of
accounts receivable (by overstating the credit to accounts receivable).
To illustrate this concept using the assertions, a misstatement in the
existence or occurrence assertion for cash receipts typically results
in misstatements in (1) the existence or occurrence assertion for the
cash account and (2) the completeness assertion for accounts
receivable.
.05:
The following general rules may be used to determine the effect of
transaction-related accounting applications on line items/accounts:
[See PDF for image]
[End of table]
.06: For each potential misstatement in the accounting application,
the auditor should identify related control objectives that prevent or
detect the potential misstatement. Section 395 B includes a list of
potential misstatements that could occur in each assertion in an
accounting application and related control objectives. The auditor
should exercise judgment in determining which potential misstatements
and control objectives to use. The list included in section 395 B
should be tailored to the accounting application and to the entity and
may be supplemented with additional objectives or subobjectives.
.07:
If the above procedures were performed and documented by line item or
account, a given application might be addressed two or more times. For
example (see section 395 A), the purchasing accounting application
typically would be addressed in evaluating controls relating to the
inventory, property, liabilities, and expenses accounts. To avoid such
duplication, the auditor should use a Specific Control Evaluation (SCE)
worksheet or equivalent to document the procedures discussed in
paragraphs 330.03-.06. The SCE groups potential misstatements and
control objectives by accounting application (within each cycle),
providing a format to perform and document the evaluation and testing
of internal controls efficiently. See section 395 H for an example of a
completed SCE worksheet. GAO has developed sample forms in WordPerfect
and MS Word for preparing the ARA and SCE worksheets.
The Need for Testing Safeguarding Controls and Segregation-of-Duties
Controls:
.08:
Safeguarding controls and segregation-of-duties controls are often
critical to the effectiveness of controls over liquid (easily sold or
traded), readily marketable assets (such as cash, inventories, or
property) that are highly susceptible to theft, loss, or
misappropriation in material amounts. These controls are also important
when there is an increased risk of fraud. Before selecting specific
control activities to test, the auditor should determine whether
safeguarding controls are relevant. If the auditor determines that (1)
the asset is highly liquid or marketable and (2) material amounts are
susceptible to theft, loss, or misappropriation, the auditor should
identify control objectives for safeguarding such assets and evaluate
and test safeguarding controls. On the other hand, if the asset is not
liquid or marketable or if material amounts are not readily susceptible
to theft, loss, or misappropriation, the need to test safeguarding
controls may be lessened. (Testing for segregation of duties is
discussed in paragraphs 360.11-.12. Other safeguarding controls are
considered in connection with financial reporting controls, as part of
the existence assertion.):
BUDGET CONTROLS:
.09:
The objectives of budget controls are to provide reasonable assurance
that the entity (1) properly records, processes, and summarizes
transactions to permit the preparation of the statements of budgetary
resources and financing in accordance with GAAP and (2) executes
transactions in accordance with budget authority. Section 395 F
presents a list of budget control objectives, organized by steps in the
budget process. In addition, section 395 D presents a list of selected
statutes relevant to the budget and section 395 E describes budget
steps of interest to the auditor in evaluating an entity's budget
controls. Budget control objectives may be documented in a separate SCE
worksheet for budget controls, in a memo, or incorporated in an SCE
with related financial reporting controls.
COMPLIANCE CONTROLS:
.10:
The objective of compliance controls is to provide reasonable assurance
that the entity complies with significant provisions of applicable laws
and regulations. Compliance control objectives should be tailored to
the related provision and may be documented in a separate SCE worksheet
for compliance controls, in a memo, or incorporated into an SCE with
related financial reporting controls.
OPERATIONS CONTROLS:
.11:
The objectives of operations controls are to provide reasonable
assurance that the entity effectively and efficiently meets its goals.
The objective of performance measures controls is to provide reasonable
assurance that the data that support performance measures reported in
the MD&A (overview) of the Accountability Report are properly recorded
and accounted for to permit the preparation of reliable and complete
performance information. Operations control objectives should be
tailored to the related provision and may be documented in a separate
SCE worksheet for operations controls, in a memo, or incorporated into
an SCE with related financial reporting controls.
[End of section]
340 - IDENTIFY AND UNDERSTAND RELEVANT CONTROL ACTIVITIES:
.01:
For each control objective, based on discussions with entity personnel,
the auditor should identify the control activities designed and
implemented to achieve the specific control objective.[Footnote 4] Such
controls may be recorded in the auditor's informal notes and/or
interview write-ups for use in the following procedure, but each
control activity need not be formally documented on the SCE worksheet
at this time. The auditor should first screen the activities to
identify those that are effective and efficient to test. An IS auditor
may assist the auditor in identifying and understanding IS controls.
BASIC UNDERSTANDING OF EFFECTIVENESS OF CONTROL ACTIVITIES:
.02:
The auditor should obtain a sufficient understanding of the identified
control activities to determine whether they are likely to achieve the
control objectives, assuming an effective control environment, risk
assessment, communication, and monitoring, appropriate segregation of
duties, and effective general controls. The purpose of this assumption
is to identify any weaknesses in the specific control activities that
should be corrected. When other internal control components are poor,
there is inadequate segregation of duties, or poor general controls
preclude the effectiveness of specific control activities that would
otherwise be effective, the testing of such specific control activities
may be limited to determining whether such controls are in place. To
accomplish this, the auditor might (1) discuss the cycle and specific
controls with management and then (2) perform walkthroughs by observing
the controls in place or examining several items of documentary
evidence of their existence.
FACTORS TO CONSIDER:
.03:
When evaluating whether controls are likely to achieve the control
objectives, the factors that the auditor should consider include (1)
directness, (2) selectivity, (3) manner of application, and (4) follow-
up. In determining whether control objectives are achieved, the auditor
should consider both manual and IS controls, if likely to be effective
(see section 270).
.04:
Directness refers to the extent that a control activity relates to a
control objective. The more direct the relationship, the more effective
that activity may be in achieving the objective. For example,
management reviews of inventory reports that summarize the inventory by
storage facility may be less effective in preventing or detecting
misstatements in the existence assertion for inventory than a periodic
physical inventory, which is more directly related to the existence
assertion.
.05:
Selectivity refers to the magnitude of the amount, or the significance
of other criteria or distinguishing characteristics, that a specific
control will identify as an exception condition. Examples of
selectivity thresholds are (1) a requirement for additional approvals
of all payments to vendors in excess of $25,000 and (2) management
reviews of all payments to vendors not on an entity's approved vendor
list. When determining whether a control is likely to be effective, the
auditor should consider the likelihood that items that do not meet the
selectivity threshold could, in the aggregate, result in material
misstatements of financial statements, material noncompliance with
budget authority, material noncompliance with significant provisions of
laws and regulations, or significant ineffective or inefficient use of
resources. The auditor also should consider the appropriateness of the
specified criteria used to identify items on a management or exception
report. For example, IS input controls (such as the matching of vendor
invoices with receiving reports and purchase orders) that require exact
matches of data from different sources before a transaction is accepted
for processing may be more effective than controls that accept
transactions that fall within a broader range of values. On the other
hand, controls based on exception reports that are limited to selected
information or use more selective criteria may be more effective than
lengthy reports that contain excessive information.
.06:
Manner of application refers to the way in which an entity places a
specific control into operation. The manner of application can
influence the effectiveness of a specific control. The auditor should
consider the following factors when determining the effectiveness of
controls:
* Frequency of application: This refers to the regularity with which
controls are applied. Generally, the more frequently a control is
applied, the greater the likelihood that it will be effective.
* Experience and skills of personnel: This refers to whether the person
applying a control has the necessary knowledge and expertise to
properly apply it. The lesser the person's experience and skills, the
less likely that the control will be effective. Also, the effective
application of a control is generally adversely affected if the
technique (1) is performed by an employee who has an excessive volume
of work or (2) is not performed carefully.
.07:
Follow-up refers to the procedures followed when a control identifies
an exception condition. A control's effectiveness is dependent on the
effectiveness of follow-up procedures. To be effective, these
procedures should be applied on a timely basis and should (1) determine
whether control exceptions represent misstatements and (2) correct all
misstatements noted. For example, as a control, an accounting system
may identify and put exception transactions into a suspense file or
account. Lack of timely follow-up procedures to (1) reconcile and
review the suspense file or account and (2) correct items in the
suspense file or account would render the control ineffective.
.08:
When evaluating whether controls are likely to be effective, the
auditor should consider whether the controls also are applied
effectively to adjustments/corrections made to the financial records.
Such adjustments/corrections may occur at the transaction level, during
summarization of the transactions, or may be posted directly to the
general ledger accounts.
.09:
Based on the understanding of control activities and the determination
as to whether they are likely to achieve the control objectives, the
auditor reassesses control risk to decide whether to test controls. If
control risk is high because the control activities for a particular
accounting application are not effective in design or not effective in
operation (based on prior years' testing of the control activities and
management's indication that they have not improved), the auditor does
not need to test the controls. If they are effective, the auditor must
test them, but may consider using a rotation approach to testing the
controls, as discussed in section 395 G.
[End of section]
350 - DETERMINE THE NATURE, TIMING, AND EXTENT OF CONTROL TESTS AND OF
TESTS FOR SYSTEMS' COMPLIANCE WITH FFMIA REQUIREMENTS:
.01:
For each control objective, the auditor should (1) identify specific
relevant control activities to test, (2) perform walkthroughs to be
sure that those controls are in operation, (3) document these control
activities on the SCE worksheet or equivalent, (4) determine the nature
and timing of control tests, and (5) determine the extent of control
tests. Internal control includes IS controls, as discussed further in
paragraphs 360.03-.10 and the FISCAM. For the controls over performance
measures reported in the MD&A (overview) of the Accountability Report,
the auditor does not need to test controls (although he or she may
decide to do so), but should identify the activities likely to achieve
the objectives, perform walkthroughs to be satisfied that the controls
have been placed in operation, and document the controls.
.02: The auditor also should determine the nature, timing, and extent
of tests for compliance of the entity's systems with federal financial
management systems requirements (these requirements are established by
OMB Circular A-127 and include the Joint Financial Management
Improvement Program's series of system requirements documents), federal
accounting standards (GAAP - see section 560), and the SGL at the
transaction level in order to report in accordance with FFMIA.
Substantial compliance includes the ability of the financial management
systems to routinely provide reliable and timely financial information
for managing day-to-day operations as well as to produce reliable
financial statements, have effective internal control, and comply with
legal and regulatory requirements.
.03: If it is likely that the financial statement opinion will be
unqualified and internal control will be determined to be effective,
the auditor should plan to test the systems' compliance with the
requirements. Many nonsampling control tests will also test for
compliance with the systems requirements and the SGL, although
determining compliance with federal accounting standards (GAAP) will
also require substantive testing. In designing control and substantive
tests, the auditor should keep in mind the need to report whether the
entity's financial management systems are in substantial compliance
with FFMIA requirements so that the control and other tests may serve
this dual purpose. In addition, for purposes of FFMIA financial
management systems include systems that produce the information
management uses day-to-day, not just systems that produce annual
financial statements. Thus, the auditor should test the financial
management systems used for managing financial operations and
supporting financial planning, management reporting, budgeting
activities, and systems accumulating and reporting cost information,
including the financial portion of mixed systems.
.04: For agencies with longstanding, well-documented financial
management
systems weaknesses that severely affect the systems' ability to comply
with FFMIA requirements, the auditor need not perform specific tests of
the systems' compliance with the FFMIA requirements. The auditor will
generally have adequate information about the systems to describe the
instances of lack of substantial compliance and make recommendations,
as required by FFMIA, by gaining an understanding of the systems and
performing internal control and substantive testing. The auditor also
should understand management's process for determining whether its
systems comply with the FFMIA requirements and report any deficiencies
in management's process (for example, management has not compared its
systems with JFMIP systems requirements). The auditor's report should
make clear that there may be other areas of noncompliance.
.05: Similarly, if it is likely that the opinion on the financial
statements will not be unqualified, that the entity has material
weaknesses or reportable conditions in internal control, or that it has
significant noncompliance with legal and regulatory requirements, then
the auditor may limit the scope of testing performed to support an
FFMIA assessment. However, if the auditor is concerned that he or she
may find it difficult to convince management of the systems'
noncompliance without specific tests, the auditor should perform them.
Also, the auditor should recognize that if controls have improved and/
or an unqualified opinion can be expressed, the auditor will need to
test systems for FFMIA compliance.
IDENTIFY RELEVANT CONTROL ACTIVITIES TO TEST:
.06: For each control objective identified in Section 330, the auditor
should identify the control activity, or combination of control
activities, that is likely to (1) achieve the control objective and (2)
maximize the overall efficiency of control tests. In doing this, the
auditor should consider (1) the extent of any inherent risk[Footnote 5]
and control environment, risk assessment, communication, or monitoring
weaknesses,[Footnote 6] including those related to IS (as documented in
the ARA and/or GRA document or equivalent (see section 260)) and (2)
the tentative determination of the likelihood that IS controls will be
effective, as determined in the planning phase (see section 270). The
auditor should test only the control activities necessary to achieve
the objective. For example, the entity may have several controls that
are equally effective in achieving an objective. In such a case, the
auditor should select and test the control activity that is most
efficient to test, considering such factors as (1) the extent to which
a control achieves several control objectives and thereby reduces the
number of controls that would ordinarily need to be tested and (2) the
time that will be required to test the control.
.07: For those control objectives for which the auditor preliminarily
determines that effective control activities exist or are likely to
exist, the auditor should test the selected control activities, as
discussed in sections 360 and 450. The auditor may test all, or only
certain control activities (because others are not likely to be
effective), related to a control objective. However, the auditor may
not elect to forgo control tests solely because it is more efficient to
extend substantive or compliance audit procedures. If, in any phase of
the audit, the auditor determines that control activities selected for
testing are, in fact, ineffective in design or operation, the auditor
should discontinue the specific control evaluation of related control
objectives and should report resulting weaknesses in internal control
as discussed in section 580. If the entity's management does not agree
with the auditor's conclusion that effective control activities do not
exist or are unlikely to exist, the auditor may need to perform
procedures sufficient to support that conclusion.
.08: Before testing controls the auditor believes will be effective,
the auditor may elect to complete the ARA or equivalent tentatively,
assuming that such controls are effective.
PERFORM WALKTHROUGHS TO DETERMINE WHETHER THOSE CONTROLS ARE IN
OPERATION:
.09: Before performing control tests, the auditor should perform one or
more walkthroughs to determine whether the control activities are
functioning in the manner understood by the auditor. These
walkthroughs, designed to confirm the auditor's understanding of the
control activities, differ from those performed to confirm the
auditor's understanding of the systems in which they operate (see
paragraph 320.02). Through observations, inspection, and discussions
with personnel responsible for applying or maintaining each control
(including walkthroughs), the auditor should determine whether each
control has, in fact, been placed in operation. If a control has not
been placed in operation, the auditor should consider whether other
controls are likely to achieve the related control objective(s) and
should consider testing such controls.
DOCUMENT CONTROL ACTIVITIES TO BE TESTED:
.10: The auditor should document the control activities to be tested on
the SCE worksheet or equivalent. (See an illustration in section 395
H.) (Other components of internal control are generally tested by
observation and inquiry in the planning phase. See paragraph 260.09.)
Controls that satisfy more than one control objective may be listed
(and evaluated) only once and referred to, when applicable, on
subsequent occasions. For each control to be tested, the auditor should
determine whether the control is an IS control. An IS auditor generally
should review and concur with the auditor's identification of IS
controls.
DETERMINE THE NATURE AND TIMING OF CONTROL TESTS:
.11: To obtain additional evidence of the effectiveness of specific
controls, the auditor should select the combination of control tests
(observation, inquiry, or inspection) to be performed and determine the
timing of such tests. No one specific control test is always necessary,
applicable, or equally effective in every circumstance. In fact, a
combination of these types of control tests is usually needed to
provide the necessary level of assurance. In determining the types of
tests to apply, the auditor should select the tests that are effective
and most efficient, as discussed in paragraphs 350.15-.18. Specific
types of control tests and methods to apply them are discussed below.
.12: Observation - The auditor conducts observation tests by observing
entity personnel actually performing control activities in the normal
course of their duties. Observation generally provides highly reliable
evidence that a control activity is properly applied when the auditor
is there to observe it; however, it provides no evidence that the
control was in operation at any other time. Consequently, observation
tests should be supplemented by corroborative evidence obtained from
other tests (such as inquiry and inspection) about the operation of
controls at other times.
.13: Inquiry - The auditor conducts inquiry tests by making either oral
or written inquiries of entity personnel involved in the application of
specific control activities to determine what they do or how they
perform a specific control activity. Such inquiries are typically open
ended. Generally, evidence obtained through inquiry is the least
reliable audit evidence and generally should be corroborated through
other types of control tests (observation or inspection). The
reliability of evidence obtained from inquiry depends on various
factors, such as the following:
The competence, experience, knowledge, independence, and integrity of
the person of whom the inquiry was made. The reliability of evidence is
enhanced when the person possesses these attributes.
Whether the evidence was general or specific. Evidence that is specific
is usually more reliable than evidence that is general.
The extent of corroborative evidence obtained. Evidence obtained from
several entity personnel is usually more reliable than evidence
obtained from only one.
Whether the evidence was provided orally or in writing. Generally,
evidence provided in writing is more reliable than evidence provided
orally.
.14: Inspection - The auditor conducts inspection tests by examining
documents and records for evidence (such as the existence of initials
or signatures) that a control activity was applied to those documents
and records. System documentation, such as operations manuals, flow
charts, and job descriptions, may provide evidence of control design
but do not provide evidence that controls are actually operating and
being applied consistently. To use system documentation as part of the
evidence of effective control activities, the auditor should obtain
additional evidence on how the controls were applied. Inspection is
generally a reliable source of audit evidence and is frequently used in
multipurpose testing. Because evidence of performance is documented,
this type of test can be performed at any time. The evidence previously
obtained from (1) the inspection of documents in walkthroughs (in which
inspection is performed to a lesser extent than in sampling control
tests) and (2) observation or inquiry tests may provide sufficient
evidence of control effectiveness. However, if the auditor needs
additional evidence, sampling items for inspection should be
considered. Since documentary evidence generally does not provide
evidence concerning how effectively the control was applied, the
auditor generally should supplement inspection tests with observation
and/or inquiry of persons applying the control. For example, the
auditor generally should supplement inspection of initials on documents
with observation and/or inquiry of the individual(s) who initialed the
documents to understand the procedures they followed before initialing
the documents. The auditor may also reperform the control being tested
to determine if it was properly applied.
.15: The type of control test or tests the auditor selects depends on
(1) the nature of the control to be tested and (2) the timing of and
period covered by the control test.
.16: The nature of the control influences the type of evidential matter
that is available. For example, if the control provides documentary
evidence, the auditor may decide to inspect the documentation. For
other controls, such documentation may not be available or relevant.
For example, segregation-of-duties controls generally do not provide
documentary evidence. In such circumstances, the auditor may obtain
evidential matter about the effectiveness of the control's operation
through observation or inquiry.
.17: The timing of and period covered by the control test require
consideration. The evidential matter should relate to the audit period
and, unless it is documentary evidence, should be obtained during the
audit period, when sufficient corroborative evidence is most likely to
be available. When the evidence relates to only a specific point in
time, such as evidence obtained from observation, the auditor should
obtain additional evidence that the control was effective during the
entire audit period. For example, the auditor may observe the control
in operation during the audit period and use inquiry and inspection of
procedures manuals to determine that the control was in operation
during the entire audit period. Paragraph 380.02 provides guidance
concerning situations when new controls are implemented during the
year.
.18: When selecting a particular control test from among equally
effective tests, the auditor should select the most efficient test. For
example, the auditor may find that inquiry, observation, and
walkthroughs (tests of controls that do not involve sampling) provide
sufficient evidence that the control was effective during the year and
are most efficient to test. When sampling is considered necessary, the
auditor should consider performing multipurpose tests to enhance audit
efficiency (see sections 430 and 450).
DETERMINE THE EXTENT OF NONSAMPLING CONTROL TESTS:
.19: After selecting the nature of control tests to be performed, the
auditor should determine the extent of control tests (including IS
controls). This determination is based on the information gathered in
developing an understanding of internal control, the nature of the
control to be tested, the nature and availability of evidential matter,
and the auditor's determination of the amount of additional evidence
needed. For each control activity considered necessary to achieve the
control objectives, the auditor should test the control activity to
determine whether it achieves the control objectives. Relevant
financial reporting, budget, compliance, and operations controls
generally should be tested to the same level of assurance. The extent
of this testing is discussed in section 360 for nonsampling control
tests and in section 450 for sampling control tests.
.20: Controls that do not leave documentary evidence of existence or
application generally cannot be tested with sampling procedures. When
control activities, such as segregation of duties, do not leave
documentary evidence, the auditor should test their effectiveness by
observation and/or inquiry. For example, the auditor may obtain
evidential matter about the proper segregation of duties by (1) direct
observation of the control activities being applied at a specific time
during the audit period and (2) inquiry of the individual(s) involved
about applying the activities at other times during the audit period.
The appropriate extent of observation and inquiry is not readily
quantifiable. To determine whether a control is effective, the auditor
should consider whether sufficient evidence has been obtained to
support the preliminary assessment of control effectiveness (see
section 370).
DETERMINE THE NATURE, TIMING, AND EXTENT OF TESTS FOR SYSTEMS'
COMPLIANCE WITH FFMIA REQUIREMENTS:
.21: If the auditor believes it is likely that the opinion on the
financial statements will be unqualified (or qualifications will not
relate to the entity's ability to prepare reliable financial statements
or provide reliable financial information when needed), that internal
control will be determined to be effective, and that the auditor will
find no instances of noncompliance with legal and regulatory
requirements, then the auditor should test each of the elements of
systems' compliance with FFMIA requirements. Also, the auditor may need
to test for systems' compliance with FFMIA requirements in other
circumstances, as discussed in paragraph 350.05.
.22: The determination of substantial compliance with the requirements
requires auditor judgment. To assist the auditor in making these
judgments, he or she should identify any management-developed
documentation for its assertion about the systems' conformance with
systems requirements in its FMFIA section 4 report and any work it may
have done for FFMIA. The documentation may include the Financial
Management Series of Checklists for Systems Reviewed Under the Federal
Financial Management Improvement Act of 1996 or other tools. The issues
discussed earlier in this section with regard to nature, timing, and
extent of control tests also apply to tests of systems' compliance with
FFMIA requirements. These tests generally should be done concurrently
with nonsampling control tests as described in section 360.
.23: Management's documentation may be the basis for tests of the
systems' compliance. If, for example, management provides the auditor
with a checklist detailing the functions the systems are able to
perform, the auditor generally should select some significant functions
from the checklist and determine whether the systems perform them. This
may be done based on knowledge the auditor has acquired from gaining an
understanding of the systems, as well as by additional observation,
inquiry, inspection, and walkthroughs as discussed earlier in this
section for control tests. If management has not provided
documentation, testing may be based directly on the FFMIA requirements.
If management is unable to provide any documentation, the auditor
should ask why there is no documentation and how management knows
whether it is in compliance. Lack of documentation often indicates that
the systems do not substantially comply with FFMIA.
[End of section]
360 - PERFORM NONSAMPLING CONTROL TESTS AND TESTS FOR SYSTEMS'
COMPLIANCE WITH FFMIA REQUIREMENTS:
.01:
The auditor should design and conduct tests of control activities that
are effective in design to confirm their effectiveness in operation.
(The auditor should refer to paragraph 380.02 if control activities
were not effective in design during the entire audit period.) The
auditor should perform the following procedures in connection with
control tests:
* Request an IS auditor to test IS controls.
* Perform nonsampling control tests. (Sampling control tests are
performed in the testing phase, as discussed in section 450.):
* Evaluate the results of nonsampling control tests.
.02:
Similarly, the auditor should design and conduct tests of the financial
management systems' compliance with the three FFMIA requirements, if he
or she determined such tests were necessary (see paragraphs 350.02-.05
and 350.21-.23). Many nonsampling control tests will also serve as
tests for compliance with FFMIA requirements, especially the systems
requirements and the SGL, although testing for federal accounting
standards (GAAP) will include substantive testing, done as part of the
testing phase.
TESTS OF IS CONTROLS:
.03:
In an entity that uses information systems to perform accounting
functions, the auditor might identify controls whose effectiveness
depends on the computer (IS controls). Such IS controls are discussed
in more detail in section 295 F. Due to the technical nature of certain
IS controls, an IS auditor should perform or supervise tests of such
controls and should document conclusions on the effectiveness of IS
controls during the audit period. The financial auditor may perform
tests of less technical IS controls but the IS auditor should supervise
such testing to evaluate the results and to consider such controls in
relation to other IS controls.
.04:
If IS controls are identified for testing, an IS auditor should
evaluate the effectiveness of:
* general controls at the entity or installation level;
* general controls as they relate to the application to be tested; and:
* specific application controls and/or user controls, unless the IS
controls that achieve the control objectives are general controls.
.05:
The IS auditor should determine whether overall or installation-level
general controls are effectively designed and operating by:
* identifying applicable general controls,
* determining how those controls function, and:
* evaluating and testing the effectiveness of those controls.
The IS auditor should consider knowledge obtained in the planning
phase. At the conclusion of this step, the IS auditor should document
the understanding of general controls and should conclude whether such
controls are effectively designed and operating as intended.
Tests of General Controls at the Installation Level:
.06:
General controls ordinarily are tested through a combination of
procedures, including observation, inquiry, inspection (which includes
a review of documentation on systems and procedures), and reperformance
using appropriate test software. Although sampling is generally not
used to test general controls, it may be used to test certain controls,
such as those involving approvals.
.07:
If general controls are not effectively designed and operating as
intended, the auditor will generally be unable to obtain satisfaction
that application controls are effective. In such instances, (1) the IS
auditor should discuss the nature and extent of risks resulting from
ineffective general controls with the audit team and (2) the auditor
should consider whether manual controls achieve the control objectives
that the IS controls were supposed to achieve. However, if manual
controls do not achieve the control objectives, the IS auditor should
determine whether any specific IS controls are designed to achieve the
objectives. If not, the auditor should develop appropriate findings
principally to provide recommendations to improve internal control. If
specific IS controls are designed to achieve the objectives, but are in
fact ineffective due to poor general controls, testing would typically
not be necessary, except to support findings.
Tests of General Controls at the Application Level:
.08:
Based on favorable conclusions reached on general controls at the
entity or installation level, the IS auditor should evaluate and test
the effectiveness of general controls for those applications within
which application controls or user controls are to be tested.
.09:
If general controls are not operating effectively within the
application, application controls and user controls generally will be
ineffective. In such instances, the IS auditor should discuss the
nature and extent of risks resulting from ineffective general controls
with the audit team and should determine whether to proceed with the
evaluation of application controls and user controls.
Tests of Application Controls and User Controls:
.10:
The IS auditor generally should perform or supervise tests of those
application controls and user controls necessary to achieve the control
objectives where the overall and application-level general controls
were determined to be effective.
NONSAMPLING CONTROL TESTS:
.11:
The auditor should (1) develop a detailed control test audit program
that incorporates the nature, timing, and extent of planned nonsampling
control tests, including tests for compliance with FFMIA requirements
and (2) perform nonsampling control tests according to the audit
program. The following paragraphs discuss the testing of segregation of
duties.
Segregation of Duties:
.12:
Nonsampling control tests relating to segregation of duties require
special consideration. Such controls are designed to reduce the
opportunities for any person to be in a position both to perpetrate and
to conceal misstatements, especially fraud, in the normal course of
duties. Typically, an entity achieves adequate segregation of duties by
establishing controls (such as segregating asset custody from
recordkeeping functions) to prevent any person from having uncontrolled
access to both assets and related records. Paragraph 330.08 describes
situations in which the auditor should test segregation of duties.
.13:
The auditor may use the following method to test segregation-of-duties
controls:
a. Identify the assets to be controlled through the segregation of
duties.
b. Identify the individuals who have authorized access (direct or
indirect) to the assets. Direct access exists when the individual is
authorized to handle the assets directly (such as during the processing
of cash receipts). Indirect access exists when the individual is
authorized to prepare documents that cause the release or transfer of
assets (such as preparing the necessary forms to request a cash
disbursement or transfer of inventory).
c. For each individual with authorized access to assets, determine
whether there are sufficient asset access controls. Asset access
controls are those controls that are designed to provide assurance that
actions taken by individuals with authorized access to assets are
reviewed and approved by other individuals. For example, an approval of
an invoice for payment generally provides asset access controls
(relating to cash) over those individuals authorized to prepare
supporting documentation for the transaction. If IS provides access to
assets, evaluation and testing of IS controls should be designed to
identify (1) individuals (including IS personnel) who may use the
computer to obtain access and (2) asset access controls over such
individuals.
d. For individuals with authorized access to assets over which asset
access controls are insufficient, determine whether such individuals
can affect any recording of transactions in the accounting records. If
so, segregation of duties is insufficient, unless such access to
accounting records is controlled. For example, the person who processes
cash receipts may also be able to record entries in the accounting
records. Such a person may be in a position to manipulate the
accounting records to conceal a shortage in the cash account, unless
another individual reviews all accounting entries made by that person.
In an IS accounting system, access to assets frequently provides access
to records. For example, generation of a check may automatically record
a related accounting entry. In such circumstances, a lack of asset
access controls would result in inadequate segregation of duties, and
the auditor should consider whether other controls would mitigate the
effects of this lack of asset access control.
EVALUATING THE RESULTS OF NONSAMPLING TESTS:
.14:
The auditor should investigate and understand the reasons for any
deviations from control activities noted during nonsampling control
tests. The auditor may find, for example, that significant
subpopulations were not subject to controls or that controls were not
applied during a specific period during the year. In such instances,
the auditor should conclude whether controls are effective for at least
some parts of the population. For example, an otherwise effective
control may not have been applied effectively in one month due to
personnel turnover. For all but that month, the auditor may assess
controls as effective and reduce related testing. The auditor also
should consider whether other controls can achieve the related control
objective(s).
.15:
Additionally, the auditor should gather sufficient evidence to report
the control weakness. As discussed in paragraphs 580.37-.58, the
significance of the weakness will determine how the auditor reports the
finding and therefore which elements of the finding (condition, cause,
criteria, effect, and recommendation or suggestion) need to be
developed.
.16:
Finally, the auditor may make preliminary conclusions as to whether the
entity's financial management systems substantially comply with federal
financial management systems requirements, federal accounting
standards (GAAP), and the SGL at the transaction level. However, a
final conclusion as to compliance, especially with federal accounting
standards, needs to wait for the results of substantive testing.
[End of section]
370 - ASSESS CONTROLS ON A PRELIMINARY BASIS:
.01:
Based on the evaluation of internal control and results of nonsampling
control tests, the auditor should preliminarily assess the
effectiveness of internal control during the period (for reporting on
internal control in a non-opinion report and for determining the extent
of procedures to be performed in the testing phase) and/or as of the
end of the period (for an opinion on internal control). Considerations
for assessing the effectiveness of IS controls and each type of control
(financial reporting (including safeguarding and budget), compliance,
and operations) are discussed in paragraphs 370.06-.14 below and in the
FISCAM.
.02:
To assess the effectiveness of internal control, the auditor considers
whether the control objectives are achieved. For each control objective
that is not fully achieved, the auditor should obtain sufficient (1)
information to develop comments in the auditor's report or management
letter (see paragraphs 580.32-.61) and (2) evidence to support the
preliminary assessment of the effectiveness of internal control.
INFORMATION SYSTEM RESULTS:
.03:
Based on the procedures performed, the IS auditor should discuss
conclusions on the effectiveness of IS controls with the audit team and
obtain concurrence. The auditor should (1) incorporate the IS auditor's
conclusions into the audit workpapers for each IS control tested and
(2) perform tests of application controls (principally manual follow-up
of exceptions) or user controls identified by the IS auditor for the
audit team to test.
.04:
If IS controls are determined to be effective, the auditor may also ask
the IS auditor to identify any IS controls within the applications
tested using the above procedures that were not previously identified
by the auditor. For example, such IS controls might achieve control
objectives not otherwise achieved through manual controls or might be
more efficient or effective to test than manual controls. The IS
auditor can assist the auditor in determining the cost effectiveness of
searching for and testing additional IS controls. Decisions made in
response to these considerations should be documented, including a
description of the expected scope of the IS auditor's work.
.05:
Audit programs and supporting workpapers should be prepared to document
the procedures for evaluating and testing the effectiveness of IS
controls. Such workpapers should be included in the audit workpapers.
FINANCIAL REPORTING CONTROLS:
.06:
Based on procedures performed and before sampling control
tests,[Footnote 7] if any, the auditor should form a preliminary
conclusion about (1) the effectiveness of financial reporting controls
as of the end of the period and (2) the assessed level of control and
combined risk during the period for each significant assertion in each
significant line item or account. Combined risk is the risk that, prior
to the application of substantive audit procedures, a material
misstatement exists in a financial statement assertion. Combined risk
consists of the risks that (1) a financial statement assertion is
susceptible to material misstatement (inherent risk) and (2) such
misstatement is not prevented or detected on a timely basis by the
entity's internal control (control risk). The use of professional
judgment is essential in assessing both control and combined risk.
.07:
Preliminary assessment of control risk. For each significant assertion
in each significant account, the auditor should assess control risk at
one of the following three levels:
* Low control risk: The auditor believes that controls will prevent or
detect any aggregate misstatements that could occur in the assertion in
excess of design materiality.
* Moderate control risk: The auditor believes that controls will more
likely than not prevent or detect any aggregate misstatements that
could occur in the assertion in excess of design materiality.
* High control risk: The auditor believes that controls will more
unlikely than likely prevent or detect any aggregate misstatements that
could occur in the assertion in excess of design materiality.
.08:
In assessing control risk in a line item/account assertion, the auditor
should consider the aggregate magnitude of misstatements that might not
be prevented or detected in significant accounting applications that
affect the line item or account. For example, the cash receipts, cash
disbursements, and payroll accounting applications typically affect the
cash account. Accordingly, the auditor should consider the risk that
aggregate misstatements could arise from a combination of those
accounting applications and not be prevented or detected by controls.
.09:
Preliminary assessment of combined risk. In assessing combined risk,
the auditor should consider the likelihood that a material misstatement
would occur (inherent risk) and not be prevented or detected on a
timely basis by the entity's internal control (control risk). This
preliminary assessment of combined risk should be consistent with the
auditor's assessment of inherent risk and control risk. For each
significant assertion in each significant account, the auditor should
assess combined risk at one of the following three levels:
* Low combined risk: Based on the evaluation of inherent risk and
control
risk, but prior to the application of substantive audit procedures, the
auditor believes that any aggregate misstatements in the assertion do
not exceed design materiality.
* Moderate combined risk: Based on the evaluation of inherent risk and
control risk, but prior to the application of substantive audit
procedures, the auditor believes that it is more likely than not that
any aggregate misstatements in the assertion do not exceed design
materiality.
* High combined risk: Based on the evaluation of inherent risk and
control risk, but prior to the application of substantive audit
procedures, the auditor believes that it is more unlikely than likely
that any aggregate misstatements in the assertion do not exceed design
materiality. As a result, the auditor will need to obtain most, if not
all, audit reliance from substantive tests.
.10: The minimum substantive assurance level required for substantive
tests
varies directly with combined risk. In other words, as combined risk
increases, so does the minimum substantive assurance level. Section 470
discusses the assurance level. The auditor should document the
preliminary assessment of control risk and combined risk in the ARA or
equivalent.
COMPLIANCE CONTROLS:
.11: Based on the results of compliance control tests and other audit
procedures, the auditor should:
* conclude whether the entity's internal control provides reasonable
assurance that the entity complied with the significant provisions of
laws and regulations and executed transactions in accordance with
budget authority during the period (to assess control risk, to test
compliance as discussed in section 460, and/or to report (non-opinion
report) on internal control) and/or as of the end of the period (to
support the opinion on internal control) and:
* report weaknesses in compliance controls that come to the auditor's
attention (see paragraphs 580.32-.61).
If compliance controls are effective in preventing or detecting
noncompliance with relevant provisions of laws and regulations during
the period, the extent of compliance testing can be less than if such
controls were not effective, as discussed in section 460.
.12: When forming conclusions on internal control related to budget
execution, the auditor should consider the impact of any unadjusted
misstatements noted in the proprietary accounts and should determine
any impact on the budgetary amounts. If the budgetary amounts are also
misstated, the auditor should consider whether these misstatements are
indications of weaknesses in internal control related to budget
execution. If audit evidence indicates that internal control might not
provide reasonable assurance that the entity executed transactions in
accordance with budget authority, the auditor should discuss the legal
implications with OGC.
OPERATIONS CONTROLS:
.13:
If the results of control tests indicate that operations controls were
not effective during the period, the auditor should not place reliance
on the ineffective operations controls when performing other audit
procedures. Based on gaining an understanding of performance measures
systems and other procedures (which may include optional tests of
controls), the auditor will have an understanding of the design of
performance measures controls as they relate to the existence and
completeness assertions (for GAO audits, the valuation assertion is
also included in the understanding) and whether they have been placed
in operation. The auditor should report weaknesses in performance
measures controls that come to his or her attention. See paragraphs
580.32-.61 regarding reporting of control weaknesses.
REEVALUATION OF CONTROL RISK AND COMBINED RISK ASSESSMENT:
.14: After completing the testing phase, discussed in section 400, the
auditor should reevaluate the preliminary assessment of control risk
for financial reporting controls and control effectiveness for
compliance and operations controls. If the test results are contrary to
the preliminary assessment, the auditor should reconsider the adequacy
of the audit procedures performed and perform additional procedures as
considered necessary.
[End of section]
380 - OTHER CONSIDERATIONS:
ROTATION TESTING OF CONTROLS:
.01:
When the entity's control environment, risk assessment, communication,
and monitoring are strong and inherent and fraud risk are low, using a
rotation approach for testing controls may be appropriate for IS
controls. When appropriate, based primarily on favorable results from
prior tests and limited work in the current year, the auditor may test
IS internal controls of certain cycles/applications on a rotating basis
rather than every year. Rotation is generally not appropriate for use
in first-time audits where an opinion is expressed or for audits of
entities that do not have strong control environments, risk assessment,
communication, and monitoring. Section 395 G provides additional
requirements and guidelines for rotation testing of controls.
PARTIAL-YEAR CONTROLS:
.02:
In certain situations, such as when new controls are implemented during
the year, the auditor may elect to test controls only for the period
that the new controls were operating. In such situations, the extent of
control testing should remain similar, but be concentrated over the
period the new controls are in place. For any portion of the audit
period that financial reporting, budget, and compliance controls were
not tested directly or through a rotation plan (see paragraph 380.01),
the auditor should assume that such controls were ineffective for
purposes of designing compliance and substantive tests.
PLANNED CHANGES IN CONTROLS:
.03:
The auditor may become aware of an entity's plans to implement new
accounting or control systems after the audit period ends. Even though
new systems or controls are planned, the auditor should evaluate and
test controls in effect through the end of the audit period to (1)
provide support for the report on internal controls, (2) recommend any
improvements to the current system that should be considered in
designing the new systems or controls, and/or (3) obtain audit evidence
to reduce substantive testing in the current audit. During the current
audit, the auditor may elect to review controls designed into the new
system.
[End of section]
390 - DOCUMENTATION:
.01:
In addition to preparing a control testing audit program and other
workpapers relevant to the internal control phase, the auditor should
prepare the documents described in paragraphs 390.04-.07 or their
equivalent.
.02:
In the audit program, the auditor generally should explain the
objectives of audit procedures. Also, written guidance, either within
or accompanying the audit program to explain possible exceptions, their
nature, and why they might be important, may help auditors focus on key
matters, more readily determine which exceptions are important, and
identify significant exceptions.
.03:
As the audit work is performed, the auditors may become aware of
possible reportable conditions or other matters that should be
communicated to the auditee. The auditor generally should document and
communicate these as described in paragraph 290.02.
CYCLE MEMORANDUM AND FLOWCHART:
.04:
The auditor is required to document (AU 319.44) the understanding
gained of each component of internal control, among them, the
information system (AU 319.36). The auditor should prepare sufficient
documentation to clearly describe and illustrate the accounting system;
such documentation may include memorandums and flowcharts. Flowcharts
provide a good mechanism to document the process and need not be
extremely detailed. In some systems, particularly IS, it is difficult
to understand the system without a flowchart. For each significant
cycle, the auditor should prepare a cycle memorandum or equivalent, and
a complementary flowchart of the cycle and component accounting
application(s) is also recommended. To the extent relevant, these
documents should include the following accounting systems information
for financial reporting controls:
* The cycle memorandum or equivalent should (1) identify the cycle
transactions, each significant accounting application, and each
significant financial management system included in the cycle, (2)
describe interfaces with other cycles, (3) identify financial statement
line items and general ledger accounts included in the cycle, (4)
describe the operating policies and procedures relating to the
processing of cycle transactions (see paragraph 320.03),[Footnote 8]
and (5) identify major internal controls (overview only). The cycle
memorandum may also include information on FFMIA requirements
considered to this point, such as systems requirements and the SGL.
* The flowchart should complement the related cycle memorandum and
summarize the significant transaction flows in terms of (1) input and
report documents, (2) processing steps, (3) files used, (4) units
involved, and (5) interfaces with other cycles and accounting
applications.[Footnote 9]
.05: The auditor should document the understanding of compliance and
relevant operations (including performance measures) control systems in
a memorandum and, if applicable, a flowchart addressing each point
discussed in paragraphs 320.05-.07.
SPECIFIC CONTROL EVALUATION WORKSHEET:
.06: The auditor should document the evaluation of specific control
activities in the SCE worksheet or equivalent. Control tests should be
documented in a control test audit program and in accompanying
workpapers. Any IS control tests should also be documented in the audit
workpapers, as discussed in paragraph 370.05. Section 395 H presents an
example of a completed SCE worksheet.
UPDATING THE ACCOUNT RISK ANALYSIS FORM:
.07:
The auditor should update the ARA form or equivalent by completing the
internal control phase columns, as illustrated in section 395 I.
[End of section]
395 A - TYPICAL RELATIONSHIPS OF ACCOUNTING APPLICATIONS TO LINE ITEMS/
ACCOUNTS:
This section illustrates the typical relationships between accounting
applications and line items or accounts. For example, sources of
significant accounting entries to cash typically include the cash
receipts, cash disbursements, payroll, and cash accounting
applications. For each significant line item or account, the auditor
should develop an understanding of how potential misstatements in
significant accounting applications could affect the related line item
or account. In turn, control objectives and relevant control techniques
to achieve those objectives should be identified.
[See PDF for image]
[End of table]
[End of section]
395 B - FINANCIAL STATEMENT ASSERTIONS AND POTENTIAL MISSTATEMENTS:
This section lists potential misstatements that could occur in each
financial statement assertion within an accounting application,
together with related control objectives. The auditor should use
judgment to tailor this information to the accounting application and
to the entity and should consider supplementing this list with other
control objectives or subobjectives. The assertions, potential
misstatements, and control objectives illustrated in this section can
be used in preparing the first, fourth, and fifth columns of the SCE
worksheet, which is illustrated in section 395 H. However, this section
is provided as a reference and does not require completion as a form.
[See PDF for image]
Note: Segregation-of-duties controls are a type of safeguarding control
and are often crucial to the effectiveness of controls, particularly
over liquid, readily marketable assets that are highly susceptible to
theft, loss, or misappropriation. Such controls are designed to reduce
the opportunities for any person to be in a position to both perpetrate
and conceal fraud. The lack of segregation-of-duties controls may be
pervasive and affect several misstatements. Paragraph 330.08 discusses
when segregation-of-duties controls should be tested.
[End of table]
[End of section]
395 C - TYPICAL CONTROL ACTIVITIES:
AUTHORIZATION:
.01:
Authorization controls are designed to provide reasonable assurance
that (1) transactions, (2) events from which they arise, and (3)
procedures under which they are processed are authorized in accordance
with laws, regulations, and management policy. Typical authorization
controls include:
* documented policies establish events or transactions that the
entity is authorized to engage in by law, regulation, or management
policy;
* documented policies and procedures exist for processing transactions
in accordance with laws, regulations, or management policy; and:
* master files include only authorized employees, customers, or
suppliers.
APPROVAL:
.02:
Approval controls are designed to provide reasonable assurance that
appropriate individuals approve recorded transactions in accordance
with management's general or specific criteria. Typical approval
controls include the following:
* Specific transactions are approved by persons having the authority to
do so (such as the specific approval of purchases by the procurement
officer or other designated individual with procurement authority) in
accordance with established policies and procedures.
* Transactions are compared with predetermined expectations (invoice
terms are compared with agreed-upon prices, input is checked for valid
data type for a particular field, etc.), and exceptions are reviewed by
someone authorized to approve them.
* Transactions are compared with approved master files (such as
approved customer credit limits or approved vendors) before approval
or acceptance, and exceptions are reviewed by someone authorized to
approve them.
* Key records are matched before a transaction is approved (such as
the matching of purchase order, receiving report, and vendor invoice
records before an invoice is approved for payment).
* Before acceptance, changes to data in existing files are
independently approved, evidenced by either documentary or on-line
approval of input before processing.
SEGREGATION OF DUTIES:
.03:
Segregation-of-duties controls are designed to reduce the opportunities
for someone to both perpetrate and conceal errors or fraud in the
normal course of duties. Typically, an entity achieves adequate
segregation of duties by establishing controls (such as segregating
asset custody from recordkeeping functions) to prevent any person from
having uncontrolled access to both assets and records. See paragraphs
330.08 and 360.11 for additional discussions of segregation-of-duties
controls.
DESIGN AND USE OF DOCUMENTS AND RECORDS:
.04:
The purpose of controls over the design and use of records is to help
provide reasonable assurance that transactions and events are properly
recorded. Such controls typically include the following.
* Prenumbered forms are used to record all of an entity's transactions,
and accountability is maintained for the sequence of all numbers used.
(For example, prenumbered billing documents, vouchers, purchase orders,
etc., are accounted for in numerical sequence when they are used, and
any numbers missing from the sequence are investigated).
* Receiving reports, inspection documents, etc., are matched with
billing notices, such as vendor invoices, or other documents used to
record delivered orders and related liabilities to provide assurance
that all and only valid transactions are recorded.
* Transaction documents (such as vendor invoices or shipping documents)
are stamped with the date and tracked (through periodic supervisory
reviews) to provide assurance that transactions are recorded promptly.
* Source documents are canceled after processing (for example, invoices
are stamped, perforated, or written on after they are paid) to provide
assurance that the same documents will not be reused and will not
result in recording transactions more than once. Also, only original
documents are used to process transactions.
ADEQUATE SAFEGUARDS OVER ACCESS TO AND USE OF ASSETS AND RECORDS:
.05: Access controls are designed to protect assets and records against
physical harm, theft, loss, misuse, or unauthorized alteration. These
controls restrict unauthorized access to assets and records. Evaluation
of segregation of duties is also required for persons who have
authorized access to assets and records. Typical access controls
follow:
* Cash receipt totals are recorded before cash is transmitted for
deposit.
* Secured facilities (locked rooms, fenced areas, vaults, etc.) are
used. Access to critical forms and equipment (such as check signing
machines and signature stamps) is limited to authorized personnel.
* Access to programs and data files is restricted to authorized
personnel. (For example, manual records, computer terminals, and backup
files are kept in secured areas to which only authorized persons can
gain access.):
* Assets and records are protected against physical harm. (For example,
intruder alarms, security guards, fire walls, a sprinkler system, etc.,
are used to prevent intentional or accidental destruction of assets and
records).
* Incoming and outgoing assets are counted, inspected, and received or
given up only on the basis of proper authorization (such as a purchase
order, contract, or shipping order) in accordance with established
procedures.
* Procedures are established to provide reasonable assurance that
current files can be recovered in the event of a computer failure. (For
example, the entity has implemented a backup and recovery plan, such as
using on-premises or off-premises file backup, off-site storage of
duplicate programs and operating procedures, and standby arrangements
to use a second processing facility if the entire data center is
destroyed).
* Access to critical forms and records is restricted. (For example,
secured conditions are established and maintained for manual records
and media used to access assets, such as blank checks or forms for the
release of inventory).
INDEPENDENT CHECKS:
.06:
Controls in this category are designed to provide independent checks
on the validity, accuracy, and completeness of processed data. The
following procedures are typical of this category of controls:
* Calculations, extensions, additions, and accounting classifications
are independently reviewed. (For example, arithmetic on vouchers is
independently recomputed, and transactions and accounting
classifications are subsequently reviewed).
* Assets on hand are periodically inspected and counted, and the results
are compared with asset records. (For example, inventories are
inspected and physically counted at the end of each year and compared
with inventory records).
* Subsidiary ledgers and records are reconciled to general ledgers.
* The entity promptly follows up on complaints from vendors, customers,
employees, and others.
* Management reviews performance reports. (For example, the warehouse
manager reviews performance reports on the accuracy and timeliness of
fulfilling shipping orders and recording them in the sales processing
system).
* Data from different sources are compared for accuracy and completeness.
(For example, the cash journal entry is compared with the authenticated
bank deposit slip and with the detailed listing of cash receipts
prepared independently when mail was opened, and units billed are
compared with units shipped).
* Actual operating results (such as personnel cost or capital
expenditures for a particular organizational component or an entity as
a whole) are compared with approved budgets, and variances are
explained.
VALUATION OF RECORDED AMOUNTS:
.07:
Controls in this category are designed to provide assurance that assets
are valued at appropriate amounts. Typical valuation controls follow:
* Periodically, the condition and marketability of assets are evaluated.
(For example, inventory is periodically reviewed for physical damage,
deterioration, or obsolescence, or receivables are evaluated for
collectibility).
* Recorded data are compared with information from an independent third
party. (For example, recorded cash is reconciled to bank statements,
and suppliers' accounts are reconciled to monthly statements from
suppliers).
* Assessed values (such as independent appraisals of assets) are
compared with the accounting records.
SUMMARIZATION OF ACCOUNTING DATA:
.08: Controls in this category are designed to provide assurance that
transactions are accurately summarized and that any adjustments are
valid. Typical controls in this category include the following:
* The sources of summarized data (such as subsidiary ledgers, journals,
and/or other records) are compared with the underlying subsidiary
records and/or documents before the data are accepted for inclusion in
summarized records and reports. (For example, journal entries are
compared to source documents, and the daily summaries of journal
entries are compared with to the individual journal entries before the
summarized entries are posted to the general ledger.):
* Procedures are followed to check the completeness and accuracy of
data summarization, and exceptions are reviewed and resolved by
authorized persons. (For example, batch totals are compared with
appropriate journals, hash totals are compared at the beginning and
end of processing, and totals passed from one system or application to
another are compared).
RIGHTS AND OBLIGATIONS:
.09:
Controls in this category are designed to provide assurance that (1)
the entity owns recorded assets, with the ownership supported by
appropriate documentation, (2) the entity has the rights to its assets
at a given date, and (3) recorded liabilities reflect the entity's
legal obligations at a given date. The following procedures are typical
of this category of controls:
* Policies and procedures are documented (such as policy, procedures,
and training manuals, together with organization charts) for initiating
transactions and for identifying and monitoring those transactions and
accounts warranting attention with respect to ownership.
* Policies and procedures are documented for initiating and monitoring
transactions and accounts related to obligations.
* Significant transactions require the approval of senior management.
* Reported results and balances are compared with plans and
authorizations.
PRESENTATION AND DISCLOSURE:
.10:
Controls in this category are designed to provide assurance that (1)
accounts are properly classified and described in the financial
statements, (2) the financial statements are prepared in conformance
with GAAP, and (3) footnotes contain all information required to be
disclosed. The following procedures are typical of this category of
controls:
* Policies and procedures are documented for accumulating and
disclosing financial information in the financial statements by
appropriate personnel. Responsibility is assigned to specific
individuals.
* Policies and procedures are documented for preparing financial
statements by authorized personnel having sufficient experience and
expertise to assure compliance with GAAP.
* Policies and procedures are documented (such as policy and procedures
manuals, together with organization charts) for properly classifying
and describing financial information in the financial statements.
* Reports are periodically substantiated and evaluated by supervisory
personnel. Procedures are implemented to detect errors and omissions
and to evaluate recorded balances.
* A written chart of accounts containing a description of each account
is used, such as the SGL. Journal entries are prepared, reviewed,
compared with supporting details where necessary, and approved each
accounting period.
* Appropriate processing procedures are used, including control or
batch totals, etc. Written cutoff and closing schedules are also used.
* The same chart of accounts is used for both budgeting and reporting,
and variances between actual and planned results are analyzed.
[End of section]
395 D - SELECTED STATUTES RELEVANT TO BUDGET EXECUTION:
.01:
Antideficiency Act: This statute places limitations on the obligation
and expenditure of government funds. Expenditures and obligations may
not exceed the amounts available in the related appropriation or fund
accounts. Unless allowed by law, amounts may not be obligated before
they are appropriated. Additionally, the amount of obligations and
expenditures may not exceed the amount of the apportionments received.
(See 31 U.S.C. sections 1341-1342, 1349-1351, and 1511-1517 for further
information.):
.02: Purpose statute: This statute states that appropriations may be
obligated and expended only for the purposes stated in the
appropriation. (See 31 U.S.C. 1301 for further information.):
.03:
Time statute: This statute states that appropriations may be obligated
or expended only during the period of availability specified by law.
(See 31 U.S.C. 1502 for further information.) Annual or multiple year
appropriations often are referred to as "fixed accounts." Fixed
accounts are available for obligation for a definite period of time.
"No year" authority or accounts are resources that are available for
obligation for an indefinite period of time, usually until the purposes
for which they were provided are carried out.
[End of section]
395 E - BUDGET EXECUTION PROCESS:
The steps of a simplified budget process are illustrated in the
following table.
[See PDF for table]
[End of table]
.02:
The following budget execution process is of interest to the auditor
when testing the statement of budgetary resources and when evaluating
an entity's internal control relating to budget execution:[Footnote 10]
* Congress provides an entity with an appropriation (or other budget
authority), which is authority provided by law to enter into
obligations that result in immediate or future outlays (2 U.S. 622(2)).
The Secretary of the Treasury issues warrants, which establish the
amount of moneys authorized to be withdrawn from the central accounts
maintained by Treasury.
* OMB makes an apportionment, which is a distribution of amounts
available for obligation. Apportionments divide amounts available for
obligation by specific periods (usually quarters), activities,
projects, or objects, or a combination thereof. The amounts so
apportioned limit the amount of obligations that may be incurred.
* The entity head (or other authorized employee) makes an allotment,
which is an authorization to subordinates to incur obligations within a
specified amount. The total amount allotted by an entity may not exceed
the amount apportioned by OMB. The entity, through its fund control
regulations, establishes allotments at a legally binding level for
complying with the Antideficiency Act. Suballotments and allowances are
further administrative divisions of funds, usually at a more detailed
level (i.e., suballotments are divisions of allotments established as
needed).
* The entity may make a commitment, which is an administrative
reservation of an allotment or of other funds in anticipation of their
obligation. Commitments are not required by law or regulation nor are
they considered formal/official use of budget authority. Rather,
commitments are used by entities for financial planning in the
acquisition of goods and services and control over obligations and the
use of budget authority.
* The entity incurs an obligation, which is the amount of orders placed,
contracts awarded, services received, and similar transactions during a
given period that will require payments during the same or future
periods. Obligations need to comply with legal requirements before they
may be properly recorded against appropriation accounts (title 7 of the
GAO Policies and Procedures Manual). These legal requirements include
consideration of whether the purpose, the amount, and the timing of
when the obligation was incurred are in accordance with the
appropriation. Additionally, there are legal requirements concerning
the documentary evidence necessary for recording an obligation. The
term "obligation" in this manual refers to orders for goods and
services that have not been delivered (undelivered orders).
The entity records expended authority, which is the reduction of an
obligation by the receipt and acceptance of goods and services ordered.
Expended authority means that the budget authority has been used to
acquire goods or services.[Footnote 11]
* The entity records an "outlay," which, as used in the President's
budget, Congressional budget documents, and the statement of budgetary
resources, refers to payments made to liquidate obligations for goods
and services. The statement of budgetary resources reconciles
obligations incurred net of offsetting collections to net outlays.
* The appropriation account expires when, according to the restrictions
contained in the appropriation, the appropriation is no longer
available for new obligations. Adjustments may be made for valid
obligations that were either (1) recorded at an estimated amount that
differs from the actual amount[Footnote 12] or (2) incurred before the
authority expired, but were not recorded. Adjustments may be recorded
for 5 years after the appropriation expires. For both expired accounts
and closed accounts, the entity's obligations and expenditures may not
exceed the related budget authority. The auditor should refer to OMB
Circular A-34 (2000), sections 30.6-.10, for additional guidance on
these types of adjustments and transactions.
Examples of valid adjustments to expired accounts within the 5-year
period include adjustments for (1) canceled orders or orders for which
delivery is no longer likely, (2) refunds received in the current
period that relate to recovery of erroneous payments or accounting
errors, (3) legal and valid obligations that were previously
unrecorded, and (4) differences between the estimated and actual
obligation amounts.
* After the 5-year period, the budget authority
for the expired accounts
is canceled and the expired accounts are closed. No further adjustments
or outlays may be made in those closed accounts. Payments for any
outstanding unliquidated obligations in closed accounts may be made
from unexpired appropriations that have the same general purpose (but
are limited in aggregate to 1 percent of the current year
appropriation). For both expired accounts and closed accounts, the
entity's obligations and expenditures may not exceed the related budget
authority. The auditor should refer to OMB Circular A-34 (2000),
sections 30.6-10, for additional guidance on these types of adjustments
and transactions.
[End of section]
395 F - BUDGET CONTROL OBJECTIVES:
.01:
This section lists budget control objectives by steps in the budget
process. The auditor may consider these control objectives for either
or both of the audit of the statement of budgetary resources
(evaluation of financial reporting controls) and/or as part of the
compliance control evaluation. The auditor may evaluate many of these
controls at the same time as controls over expenses, disbursements, and
liabilities.
a. Appropriations (or other forms of budget authority): The recorded
appropriation (or other form of budget authority) is the same as that
made available in the appropriation or other appropriate legislation,
including restrictions on amount, purpose, and timing.
b. Apportionments: The recorded apportionments agree with the OMB
apportionments (as indicated on the apportionment schedules), and the
total amount apportioned does not exceed the total amount
appropriated.[Footnote 13]
c. Allotments/suballotments: The total amount allotted does not exceed
the total amount apportioned.
d. Commitments: The auditor may not be concerned with controls over
budgetary commitments because commitments are not required by law or
regulation nor are they considered formal/official use of budget
authority. Controls over budgetary commitments are considered a type of
operations control.
The auditor should consider evaluating controls over commitments if the
entity is using commitments and relying on controls over commitments to
achieve the control objectives relating to obligations. If controls
over commitments are evaluated, the auditor should apply the same
control objectives used for obligations and expenditures, as discussed
below.
e. Obligation transactions: The following control objectives relate to
obligation transactions (undelivered orders):
* Validity: Obligations recorded are valid. An obligation is considered
valid only if it meets these criteria:
The obligation has been incurred. This is usually evidenced by
appropriate supporting documentation, such as a purchase order or
binding contract.
The auditor should be alert for instances of "block obligating" or
"block dumping," which occur when an entity records obligations to
"reserve" funds even though the goods or services have not been
ordered. This is most likely to occur near the expiration of the
appropriation. The auditor should be alert for such signs as large,
even-amount obligations near the end of the fiscal year for annual
appropriations or during the last year of a multiyear appropriation
account.
The purpose of the obligation is one for which the appropriation was
made.
The obligation was incurred within the time that the appropriation was
made available for new obligations.
The obligation did not exceed the amount allotted or appropriated by
statute, nor was it incurred before the appropriation became law,
unless otherwise provided by law.
The obligation complies with any other legally binding restrictions,
such as obligation ceilings, identified in the planning phase.
The obligation has not subsequently been canceled nor the goods or
services received.
For adjustments to obligations in expired accounts, the following
objectives also are to be met:
If the adjustment represents a "contract change" as defined in OMB
Circular A-34 (2000), the auditor should refer to section 30.7 of that
circular for reporting and approval requirements.
The adjustment does not cause the entity to exceed the amount allotted
or appropriated by statute.
The adjustment is recorded during the period when the account is
available for adjustments (5 years) and was made for a valid obligation
incurred before the authority expired.
New obligations may not be recorded in expired accounts.
* Completeness: All obligation transactions are recorded.
* Valuation: Obligations are recorded at the best available estimate of
actual cost.
* Cutoff: Obligations are recorded in the proper period.
* Classification: Obligations are recorded in the proper appropriation
or fund accounts (also by program and by object, if applicable),
including
the proper appropriation year if the account has multiple years.
Examples of programmatic account classifications are "school lunch
program" and "nutrition education and training." Examples of object
account classifications are "salaries," "rent," and "travel.":
f. Expended authority transactions: The following control objectives
relating to expended authority transactions, as defined in section 395
E, are generally the same as those for obligation transactions:
* Validity: For all expended authority transactions, recorded expended
authority transactions have occurred. This occurrence is usually
evidenced by appropriate supporting documentation. For expended
authority transactions (or adjustments to expended authority
transactions) in expired accounts, the following objectives also are to
be met:
The expended authority transaction does not cause the entity to exceed
the amount appropriated by statute:
The expended authority transaction is recorded during the period when
the account is available for adjustments (5 years).
The expenditure is not made out of a closed account.
* Completeness: All expended authority transactions and adjustments are
recorded.
* Valuation: Expended authority transactions and adjustments are
recorded at the correct amount.
* Cutoff: Expended authority transactions and adjustments are recorded
in the proper period.
* Classification: Expended authority transactions and adjustments are
recorded in the proper appropriation or fund accounts (also by program
and by object, if applicable), including the proper appropriation year
if the account has multiple years.
g. Outlay transactions: The following control objectives relate to
outlay transactions (to be considered while auditing cash
disbursements):
* Validity: Outlays are supported by sufficient evidence such as
contractor invoices and receiving reports. The outlay is recorded
against an obligation made during the period of availability of the
appropriation (not made out of a closed account) and is for a purpose
for which the appropriation was provided as evidenced by being in an
amount not exceeding the obligation, as adjusted, authorizing the
outlay. Use of "first-in, first-out" or other arbitrary means to
liquidate obligations based on outlays is not generally acceptable
unless supporting evidence demonstrates that, in fact, these estimating
techniques reasonably represent the manner in which costs are incurred
and should be charged to unliquidated obligations. Accrual of
liabilities based on incurred but unbilled contractor costs alone is
not sufficient evidence of validity (i.e., it does not ensure that the
purpose, time, and amount provisions of an appropriation are met).
Internal control over liquidation of the corresponding obligation by
outlays is a safeguard against improper payments, including erroneous,
duplicative, or fraudulent contractor billings.
* Completeness: All outlays and adjustments are recorded in a timely
manner.
* Classification: Outlays are recorded in the proper accounts (both by
program and by object, if applicable), including the proper
appropriation year if the account has multiple years. This is evidenced
by "matching" the outlay to the underlying obligation.
h. Obligation and expended authority balances: The following control
objectives relate to obligation and expended authority balances as of a
point in time:
* Summarization: Recorded balances of obligation and expended authority
accounts as of a given date are supported by appropriate detailed
records that are accurately summarized and reconciled to the
appropriation or fund account balance, by year, for each account.
* Substantiation: Recorded account balances are supported by valid
obligations and expended authority transactions.
* Limitation: Total undelivered orders plus total expended authority
transactions do not exceed the amount of the appropriation or other
statutory limitations (such as obligation ceilings) that may exist by
appropriation period. These other statutory limitations may limit the
amount of obligations that can be incurred by program or object
classification. In addition, total payments of outstanding unliquidated
obligations that relate to closed accounts cannot exceed the limits
described in A-34 (2000), section 30.10 (for annual accounts, 1 percent
of the account's current year appropriation, for multiyear accounts, 1
percent of all appropriations that are available for obligation for the
same purpose - this is a single, cumulative limit).
i. Appropriation account balances: The following control objectives
relate to appropriation account balances as of a point in time:
* Fixed appropriation accounts are identified by fiscal year after the
end of the period in which they are available for obligation until they
are closed. (31 USC 1553(a)):
* Fixed appropriation accounts are closed on September 30th of the 5th
fiscal year after the end of the period that they are available for
obligation. Any remaining balance (whether obligated or unobligated) in
the account is canceled and is no longer available for obligation or
expenditure for any purpose. (31 USC 1552(a)). For example, at the end
of fiscal year 1995, the entity should only have accounts for fixed
appropriations that expired at the end of fiscal years 1991, 1992,
1993, 1994, and 1995. All fixed appropriations that expired prior to
these dates should have been closed and canceled as of the end of
fiscal year 1995.
* Appropriation accounts that are available for obligation for an
indefinite period are closed if (1) the entity head or the President
determines that the purposes for which the appropriation was made have
been carried out and (2) no disbursement has been made against the
appropriation for two consecutive fiscal years. (31 USC 1555):
j. Recording of cash receipts related to closed appropriation accounts:
(to be considered only if such amounts are expected to exceed design
materiality):
* Collections authorized or required to be credited to an
appropriation account but not received before the account is closed
are deposited in the Treasury as miscellaneous receipts. (31 USC 1552
(b)):
[End of section]
395 F Sup - BUDGET CONTROL OBJECTIVES - FEDERAL CREDIT REFORM ACT
SUPPLEMENT:
.01:
The Federal Credit Reform Act (FCRA) contains many provisions regarding
the recording and reporting of activity related to direct loans, loan
guarantees, and modifications of these items for budget accounting
purposes. (Definitions of these and other FCRA terms are included in
the notes to this supplement.) For transactions and account balances
related to these types of activities, the auditor should consider each
of the budget control objectives listed in FAM 395 F and supplement
them with the following budget control objectives related to FCRA.
Additional guidance on FCRA accounting for budget purposes is included
in OMB Circular A-34 (2000), section 70, Federal Credit Programs. Also,
see Federal Financial Accounting and Auditing Technical Release No. 3,
Preparing and Auditing Direct Loan and Loan Guarantee Subsidies Under
the Federal Credit Reform Act, issued by FASAB's Accounting and
Auditing Policy Committee (AAPC) in July 1999.
a.
Obligation transactions: Obligation transactions include direct loan
obligations, loan guarantee commitments, and modifications that change
the cost of an outstanding direct loan or loan guarantee (except
modifications within the terms of existing contracts or through other
existing authorities). The following are supplemental control
objectives related to obligation transactions under FCRA:
* Valuation: Obligations are recorded at the best available estimate of
actual cost.
** The cost of a direct loan is recorded as the net present value, at
the time when the loan is disbursed, of the following cash flows:
*** loan disbursements,
*** estimated principal repayments,
*** estimated interest payments, and:
*** estimated amounts and timing of any other payments by or to the
government over the life of the loan. These amounts include fees,
penalties, and other recoveries. Administrative costs and any
incidental effects on governmental receipts and outlays are excluded.
(2 USC 661a(5)(A) and (B)):
These estimated cash flows include the effects of the timing and
amounts of expected defaults and prepayments. These cash flows are
discounted using the appropriate rate as described below.
** The cost of a loan guarantee is recorded as the net present value,
at the time when the related guaranteed loan is disbursed, of the
following cash flows:
*** estimated amounts and timing of payments by the government for
defaults, delinquencies, interest subsidies, or other payments,
excluding administrative costs; and:
*** estimated amounts and timing of payments to the government for
origination and other fees, penalties, and recoveries. (2 USC
661a(5)(A) and (C)):
Any incidental effects on governmental receipts and outlays are
excluded. These cash flows are discounted using the appropriate rate as
described below.
** The cost of a modification is recorded as the difference between the
current estimated net present value of the cash flows under the
existing direct loan or guarantee contract and the estimated net
present value of the cash flows under the modified contract. The cash
flows for each of these calculations is discounted at the rate for
modifications described below. (2 USC 661a(5)(D)):
** The discount rate used to estimate the net present values described
above is the average interest rate, in effect when the obligation is
incurred, for marketable Treasury securities of similar maturity to the
related loan. For modifications, the discount rate used is the average
rate, in effect at the time of modification, for marketable Treasury
securities with a maturity similar to the remaining maturity of the
modified loan. (2 USC 661a(5)(E)):
b. Expended authority transactions: Expended authority transactions
include transactions that occur when loans are disbursed. The following
are supplemental control objectives related to expended authority
transactions under FCRA:
* Valuation: Expended authority transactions are recorded at the proper
amount. The same specific criteria for the amounts of FCRA obligations
are also applicable to expended authority transactions.
* Cutoff: Expended authority transactions are recorded in the proper
period.
** Expended authority transactions for the cost of loans or guarantees
are recorded in the fiscal year in which the direct or guaranteed
loan is disbursed or its costs altered. (2 USC 661c(d)(2)):
* Classification/Presentation and Disclosure: Amounts are recorded in
the proper account and reported appropriately.
** Differences in subsequent years between original estimated cost and
reestimated costs are recorded in a separately identified subaccount in
the credit program account and shown as a change in program costs and a
change in net interest. (2 USC 661c(f)):
** Funding for the administration of a direct loan or loan guarantee
program is recorded in separately identified subaccounts within the
same budget account as the program's cost. (2 USC 661c(g)):
** Cash disbursements for direct loan obligations or loan guarantee
commitments made on or after October 1, 1991, are made out of the
financing account. (2 USC 661a(7)):
c. Obligation and expended authority balances: The following are
supplemental control objectives related to obligation and expended
authority balances under FCRA as of a point in time:
* Limitation: Total obligations plus total expended authority
transactions do not exceed the amount of the appropriation or other
statutory limitations that may exist by appropriation period.
** Direct loan obligations made on or after October 1, 1991, do not
exceed the available appropriation or other budget authority.
** Modifications made to direct loan obligations or direct loans do
not exceed the available appropriation or other budget authority. (The
auditor should discuss applicability of this budget restriction to
direct loans and direct loan obligations that were outstanding prior to
October 1, 1991, with OGC prior to performing control or compliance
tests.):
** Obligations for new loan guarantee commitments made on or after
October 1, 1991, do not exceed the available appropriation or other
budget authority.
** Modifications made to loan guarantee commitments or outstanding loan
guarantees do not exceed the available appropriation or other budget
authority. (The auditor should discuss applicability of this budget
restriction to loan guarantees, or loan guarantee commitments that were
outstanding prior to October 1, 1991, with OGC prior to performing
control or compliance tests.):
d. Cash receipts: The following are supplemental control objectives
related to cash receipts under FCRA:
* Classification: Cash receipts are recorded in the proper account.
** Cash receipts related to direct loans obligated or loan guarantees
committed prior to October 1, 1991, are recorded in the liquidating
accounts. (2 USC 661f(b)):
** Cash receipts related to direct loan obligated or loan guarantees
committed on or after October 1, 1991, are recorded in the financing
account. (2 USC 661a(7)):
Note 1: A direct loan is a disbursement of funds by the government to
a nonfederal borrower under a contract that requires the repayment of
such funds with or without interest. The term also includes the
purchase of, or participation in, a loan made by another lender. The
term does not include the acquisition of a federally guaranteed loan in
satisfaction of default claims or the price support loans of the
Commodity Credit Corporation. (2 USC 661a(1)):
Note 2: A direct loan obligation is a binding agreement by a federal
agency to make a direct loan when specified conditions are fulfilled by
the borrower. (2 USC 661a(2)):
Note 3: A loan guarantee is any guarantee, insurance, or other pledge
with respect to the payment of all or a part of the principal or
interest on any debt obligation of a nonfederal borrower to a
nonfederal lender, but does not include the insurance of deposits,
shares, or other withdrawable accounts in financial institutions. (2
USC 661a(3)):
Note 4: A loan guarantee commitment is a binding agreement by a federal
agency to make a loan guarantee when specified conditions are fulfilled
by the borrower, the lender, or any other party to the guarantee
agreement. (2 USC 661a(4)):
Note 5: Costs are defined as the estimated long-term cost to the
government of a direct loan or loan guarantee, calculated on a net
present value basis, or modification thereof, excluding administrative
costs and any incidental effects on governmental receipts or outlays (2
USC 661a(5)). These calculations are described in further detail under
the valuation control objective for obligations in FAM 395 F.
Note 6: A credit program account is a budget account associated with
each program account into which an appropriation to cover the cost of a
direct loan or loan guarantee program is made and from which such cost
is disbursed to the financing account. (2 USC 661a(6)):
Note 7: A liquidating account is a budget account that includes all
cash flows to and from the government resulting from direct loan
obligations or loan guarantee commitments made prior to October 1,
1991. These accounts are required to be shown on a cash basis. (2 USC
661a(8)):
Note 8: A financing account is a nonbudget account(s) associated with
each credit program account that holds balances, receives the cost
payment from the credit program account, and also includes all other
cash flows to and from the government resulting from direct loan
obligations or loan guarantee commitments made on or after October 1,
1991. (2 USC 661a(7)):
Note 9: Modifications are government actions that alter the estimated
cost of an outstanding direct loan or loan guarantee from the current
estimate of cash flows (2 USC 661c(9)); for example, a policy change
affecting the repayment period or interest rate for a group of existing
loans. Changes within the terms of existing contracts or through other
existing authorities are not considered modifications under FCRA. In
addition, "work outs" of individual loans, such as a change in the
amount or timing of payments to be made, are not considered
modifications. The effects of these changes should be included in the
annual reestimates of the estimated net present value of the
obligations.
Note 10: OMB Circular A-34, section 70.2(x) instructs agencies to make
annual reestimates to adjust the net present value of direct loans and
loan guarantee obligations for changes in the estimated amounts of
items such as defaults and the timing of payments. Permanent indefinite
authority has been provided for reestimates.
[End of section]
395 G - ROTATION TESTING OF CONTROLS:
OVERVIEW:
.01:
Rotation testing of controls, as discussed in paragraph 380.01, may be
considered for testing financial reporting controls of an entity with
multiple significant accounting cycles/applications, provided that
effective financial reporting controls within all significant cycles/
applications have been evaluated and tested within a sufficiently
recent period of years. Under a rotation plan, such controls are tested
in different cycles/applications each year such that each cycle/
application is selected for testing, as described in sections 310-380,
at least once during a rotation period of several years, but not
necessarily every year. For example, a rotation plan for an entity with
five significant cycles/applications might include tests of two or
three cycles/applications annually, covering all cycles/applications
in a two or three year period. Rotation testing should be limited to
computerized applications that have strong computer general controls
because computer programs ordinarily function consistently in the
absence of programming changes, reducing the probability of random
errors.
.02:
Less extensive work must be performed annually for financial reporting
controls in significant cycles/applications not selected for testing.
This work consists of:
*
updating the auditor's understanding of the control environment, risk
assessment, communication, and monitoring, accounting system, and
financial reporting control activities, including performing
walkthroughs, and:
* performing any other procedures that may be necessary under the
specific circumstances to support the report on internal control and
the evaluation of internal controls relied on in performing certain
audit procedures.
.03:
The auditor's decision to use rotation is made on a cycle-by-cycle or
application-by-application basis, so some cycles/applications might be
tested annually and others by rotation. In rotation testing, the
auditor relies on cumulative audit evidence and knowledge, including
that gathered in prior years, to support the assessment of and report
on internal control. Accordingly, rotation may be used only when all
the following conditions exist:
* The auditor possesses a "foundation" of audit evidence on which to
develop current audit conclusions.
* Control risk is low; the control environment, risk assessment,
communication, and monitoring are strong; and inherent and fraud risk
factors are reasonably low.
* Financial reporting controls over all significant cycles/applications
have been evaluated and tested during a sufficiently recent period
(generally within 3 years).
* Recurring audits of the entity enable a rotation plan to be effective.
* No specific reporting or risk issues preclude the use of rotation.
(For example, cycles/applications do not affect such sensitive areas
as loan loss reserves.):
.04:
Ordinarily, the following cycles/applications should be subjected to
tests of financial reporting controls and should be excluded from
rotation testing:
* any cycle/application that is disproportionately significant.
* any cycle/application that has undergone major change since financial
reporting controls were most recently tested.
The auditor should consider whether assets susceptible to loss or
theft, such as cash on hand or imprest funds, also should be excluded
from rotational testing.
.05:
The foundation of audit evidence to support a rotation plan, which is
updated and increased through limited tests and other relevant audit
evidence, may be obtained from one or a combination of the following:
* evidence gathered in one or more prior audits and:
* the current or prior work of another auditor, after the auditor
considers the requirements of FAM section 650.
CIRCUMSTANCES UNDER WHICH ROTATION TESTING MAY BE USED:
.06:
The auditor should exercise judgment in determining whether to use
rotation. Factors that the auditor should consider include the
following:
* The results and extent of the auditor's prior experiences with the
entity and its cycles/applications, including the length of time since
financial reporting controls were tested.
The effectiveness of prior evidence ordinarily diminishes with the
passage of time.
* The importance of the cycles/applications to the overall entity and
the nature of the audit assertion or assertions involved.
As the significance of cycles/applications and assertions increases,
the frequency of testing thereof ordinarily increases.
* The auditor's assessment of inherent and fraud risk.
The effectiveness of rotation ordinarily diminishes as inherent and
fraud risk increase.
* The auditor's preliminary assessment of control risk.
The effectiveness of rotation ordinarily diminishes rapidly as control
risk increases.
* The extent to which control is centralized or decentralized.
The effectiveness of rotation ordinarily diminishes rapidly as control
becomes more decentralized.
* The number and relative sizes of the respective cycles/applications.
The efficiency of rotation ordinarily increases as the number and size
of cycles/applications increase.
* The nature and extent of audit evidence about internal controls that
may result from substantive testing in the current audit.
Information obtained concurrently with substantive testing might
provide evidence about the functioning of cycles/applications.
* The extent of oversight provided by others.
Work performed by others might be used to reduce tests of financial
reporting controls. (See FAM section 650.):
* Any special reporting or entity requirements.
The auditor should perform sufficient tests to meet any special
requirements, such as a special report on the functioning of a specific
cycle/application.
.07:
For any rotation testing plan, the auditor should document in a
memorandum approved by the Reviewer:
* the schedule for testing all significant cycles/applications;
* the reasons for using such a plan;
* any limitations on the use of such a plan; and:
* any other significant aspects, including descriptions of any
modifications to rotation plans established in previous years. A
rotation plan should be reevaluated annually.
[End of section]
395 H - SPECIFIC CONTROL EVALUATION WORKSHEET:
The auditor should use the SCE worksheet or equivalent to document the
evaluation of control activities in the internal control phase. This
section illustrates an SCE worksheet for the cash receipts application
for a hypothetical federal government entity, "XYZ Agency" (XYZ). (See
page 395 H-3.):
An SCE worksheet should be prepared for each significant accounting
application. The auditor generally should use the SCE worksheet to
document the evaluation of compliance (including budget) and operations
controls. The worksheet may be completed for financial reporting
controls as follows:
1. List each assertion that is relevant to the accounting application.
While all five financial statement assertions relate to line item/
account-related accounting applications, the existence or occurrence,
completeness, and valuation assertions relate principally to
transaction-related accounting applications, as illustrated at section
395 B. Therefore, assertions relevant to cash receipts would be
existence or occurrence, completeness, and valuation.
2. From the Account Risk Analysis (see section 240), list the
significant line items or accounts that the accounting application
affects. For example, cash and accounts receivable are ordinarily
affected by cash receipts.
3. Document the assertions for each of the line items or accounts
identified in step 2 that relate to each accounting application
assertion (see section 330).
4. For each significant account assertion, identify the potential
misstatements that could occur in the accounting application and the
related control objectives, based on the generic list of potential
misstatements and control objectives included in section 395 B. This
list should be tailored to the accounting application and the entity
and, if necessary, should be supplemented with additional objectives or
subobjectives.[Footnote 14]
5. List control activities selected for testing that achieve each
control objective identified above and indicate whether each is an IS
control. Section 395 C illustrates typical control activities to
achieve financial reporting control objectives. User controls where the
user would be able to detect misstatements in the computer-generated
information independently of IS is not an IS control.
6. Document the effectiveness of control activities in achieving the
control objectives in relation to each potential misstatement and
cross-reference to the audit procedures in the testing program. (The
overall assessment of financial reporting controls should be documented
in the ARA document, as illustrated in section 395 I.):
[See PDF for image]
[End of table]
FOOTNOTES
[1] The auditor should consider coordinating sampling control tests
with substantive audit procedures and/or tests of compliance with laws
and regulations (multipurpose tests) to maximize efficiency. See
section 450 for further discussion.
[2] The auditor should consider coordinating sampling control tests
with substantive audit procedures and/or tests of compliance with laws
and regulations (multipurpose tests) to maximize efficiency. See
section 450 for further discussion.
[3] As indicated in paragraphs 260.27-.31, the FMFIA report and its
supporting documentation may be considered as a starting point for
evaluating internal control. The auditor may use management's
documentation of systems and internal control where appropriate.
Management's tests of controls may be used by the auditor in testing
controls, if such tests were executed by competent individuals
independent of the controls. (See AU 322 (SAS 65) and section 650 for
further information.)
[4] Section 395 C presents a list of typical control activities that an
entity may establish to help prevent or detect misstatements in
financial statement assertions.
[5] Assertions that have high inherent risk normally require stronger
or more extensive controls to prevent or detect misstatements than
assertions without such risk.
[6] Control environment, risk assessment, communication, and monitoring
weaknesses may result in ineffective control activities. If so, the
auditor should still identify and test specific control activities, but
the extent of such testing should be limited, as discussed in paragraph
340.02.
[7] The auditor may assess control and combined risk on a preliminary
basis at an earlier point in the audit, if preferred.
[8] Specific relevant control activities will be documented later in
the specific control evaluation worksheet or equivalent, after related
control objectives have been identified. (See paragraphs 330.02-.11.)
[9] Although the auditor may gather information on control activities
in preparing the flowchart, such techniques should be documented in the
SCE worksheet or equivalent, if applicable, and need not be documented
in the flowchart.
[10] For additional information on budget execution, see OMB Circular
A-34, Instructions on Budget Execution, November 3, 2000.
[11] In the normal flow of business, when obligations are incurred, a
credit to "undelivered orders" or "unexpended obligations - unpaid" is
recorded. When the goods or services are received, the obligation is
reduced and a credit to "expended authority - unpaid" (a payable) is
recorded. When the obligation is paid and the outlay is made, the
transaction is credited to "expended authority - paid." For additional
transaction details, see the U.S. Standard General Ledger Accounting
Transactions Supplement of the Treasury Financial Manual.
[12] Amounts of commitments, obligations, and expended authority may
differ for a particular item acquired. Commitments are made at
"initial" estimates, obligations at "later" estimates," and expended
authority at "actual" amounts.
[13] OMB apportionments may, as a result of impoundments (rescissions
or deferrals), be less than the amount of the apportionments requested
by the entity. The auditor should notify OGC of any impoundments that
come to his or her attention. OMB may also approve amounts available
different from those requested by time period, activities, projects, or
objects.
[14] In the SCE worksheet, the auditor may either commingle the
documentation of compliance (including budget) and operations controls
with that of financial reporting controls to the extent relevant or
present each of these types of controls in a separate SCE. To complete
the SCE worksheet for these controls, the auditor begins by inserting
relevant control objectives and performs steps 5 and 6 above.
[End of section]
SECTION 400:
Testing Phase:
Figure 400.1: Methodology Overview
Planning Phase:
* Understand the entity's operations: Section 220:
* Perform preliminary analytical procedures: Section 225:
* Determine planning, design, and test materiality: Section 230:
* Identify significant line items, accounts, assertions, and RSSI:
Section 235:
* Identify significant cycles, accounting applications, and financial
management systems: Section 240:
* Identify significant provisions of laws and regulations: Section 245:
* Identify relevant budget restrictions: Section 250:
* Assess risk factors: Section 260:
* Determine likelihood of effective information system controls:
Section 270:
* Identify relevant operations controls to evaluate and test: Section
275:
* Plan other audit procedures: Section 280:
* Plan locations to visit: Section 285:
Internal Control Phase:
* Understand information systems: Section 320:
* Identify control objectives: Section 330:
* Identify and understand relevant control activities: Section 340:
* Determine the nature, timing, and extent of control tests and of
tests for systems’ compliance with FFMIA requirements: Section 350:
* Perform nonsampling control tests and tests for systems’ compliance
with FFMIA requirements: Section 360:
* Assess controls on a preliminary basis: Section 370:
Testing Phase:
* Consider the nature, timing, and extent of tests: Section 420:
* Design efficient tests: Section 430:
* Perform tests and evaluate results: Section 440:
** Sampling control tests: Section 450:
** Compliance tests: Section 460:
** Substantive tests: Section 470:
*** Substantive analytical procedures: Section 475:
*** Substantive detail tests: Section 480:
Reporting Phase:
* Perform overall analytical procedures: Section 520:
* Determine adequacy of audit procedures and audit scope: Section 530:
* Evaluate misstatements: Section 540:
* Conclude other audit procedures: Section 550:
** Inquire of attorneys:
** Consider subsequent events:
** Obtain management representations:
** Consider related party transactions:
* Determine conformity with generally accepted accounting principles:
560:
* Determine compliance with GAO/PCIE Financial Audit Manual: Section
570:
* Draft reports: Section 580:
[End of figure]
410 - OVERVIEW:
.01:
During the testing phase, the auditor gathers evidence to report on the
financial statements, internal control, whether the entity's systems
are in substantial compliance with the three requirements of FFMIA, and
the entity's compliance with significant provisions of laws and
regulations. (See figure 400.1.) The following types of tests are
performed in the testing phase:
* Sampling control tests may be performed to obtain evidence about the
achievement of specific control objectives. If the auditor obtains
sufficient evidence regarding control objectives through the use of
nonsampling control tests (such as observation, inquiry, and
walkthroughs including inspection of documents), sampling control tests
are not necessary, as discussed in section 350. Further guidance on
sampling control tests begins in section 450.
* Compliance tests are performed to obtain evidence about compliance
with significant provisions of laws and regulations. Further guidance
on compliance tests is in section 460.
* Substantive tests are performed to obtain evidence that provides
reasonable assurance about whether the financial statements and related
assertions are free of material misstatement. Further guidance on
substantive tests is in section 470.
.02:
Sampling is often used in these tests. Sampling requires the exercise
of professional judgment as well as knowledge of statistical sampling
methods. The following sections provide a framework for applying
sampling to financial audit situations, but are not meant to be a
comprehensive discussion. Additional background and guidance on
sampling is provided in the Audit Guide Audit Sampling (2001
issue),[Footnote 1] published in 1999 by the American Institute of
Certified Public Accountants and in Using Statistical Sampling
published by GAO (accession number 129810). The auditor should consider
whether he or she needs to consult with the Statistician for assistance
in designing and evaluating samples. The auditor should consider the
costs and benefits in determining which type of sampling to use.
.03:
During this phase, the auditor performs the following activities for
each type of test:
* Consider the nature, timing, and extent of tests:
* Design efficient tests:
* Perform tests:
* Evaluate results:
Each of these processes is discussed below.
[End of section]
420 - CONSIDER THE NATURE, TIMING, AND EXTENT OF TESTS:
CONSIDER THE NATURE OF TESTS:
.01:
The auditor determines the testing methods that will best achieve the
audit objectives for sampling control tests, compliance tests, and
substantive tests. Testing methods generally can be classified as
either analytical procedures or detail tests. Analytical procedures
involve the comparison of the recorded test amount with the auditor's
expectation of the recorded amount and the investigation of any
significant differences between these amounts. Detail tests can be
classified in two general categories: sampling and nonsampling.
Sampling methods involve the selection of individual items from a
population with the objective of reaching a conclusion on all the items
in the population (including those not selected for testing).
Nonsampling methods involve selections to reach a conclusion only on
the items tested. Nonsampling requires the auditor to assess the risk
of misstatement in the items not tested.
.02:
The testing method selected by the auditor is a matter of the auditor's
judgment, considering the objectives of the test, the nature of the
population, the results of procedures performed during the planning and
internal control phases (including combined risk assessment and test
materiality), and possible efficiencies. For tests that involve
sampling, efficiencies can be achieved by using a common sample for
each test. These potential efficiencies are discussed further in
section 430.
CONSIDER THE TIMING OF TESTS:
.03:
As discussed in section 295 D, the auditor may choose to conduct tests
before or after the balance sheet date (interim testing) or to conduct
all tests as of the balance sheet date. Section 495 C provides guidance
on interim testing, tests of the period between the interim date and
the balance sheet date (the rollforward period), and related
documentation.
CONSIDER THE EXTENT OF TESTS:
.04:
For each type of test, the auditor determines, based on judgment, the
extent of tests to be performed. Generally, the extent of sampling
control tests is a function of the auditor's preliminary assessment of
the effectiveness of controls and the number of control deviations
expected. The extent of compliance tests is a function of the
effectiveness of compliance controls. The extent of substantive tests
is a function of combined risk and test materiality.
[End of section]
430 - DESIGN EFFICIENT TESTS:
.01:
After considering the general nature, timing, and extent of the tests
to be performed, the auditor should design specific tests. The auditor
should coordinate similar tests to maximize efficiency. For tests that
involve sampling, efficiencies can be realized by performing numerous
tests on a common sample (multipurpose testing).[Footnote 2] The
auditor generally should minimize the number of separate sampling
applications performed on the same population by attempting to
effectively achieve as many objectives as possible using the items
selected for testing.
.02:
As discussed in section 480, there are several methods of selecting
items for testing. When determining the selection method to use during
a multipurpose test, the auditor generally should use the method
considered most appropriate for substantive detail tests in the
particular situation. Use of this selection method is usually the most
efficient because sampling control and compliance tests generally can
be based on any type of sample.
.03:
For example, the auditor might use a sample of property additions to
(1) substantively test the amount of additions and (2) test financial
reporting controls over property acquisition. If a substantive test
would require 135 sample items and if the test of financial reporting
controls would require 45 sample items, the auditor should select 135
items in the sample but test controls relating only to 45. The 45 items
for control testing should be selected randomly or systematically (with
a random start) from the 135 sample items. For example, beginning from
a random start, every third item selected for substantive testing
should be tested for controls. If appropriate, the auditor may test
controls relating to all sample items to provide additional assurance
concerning controls.
[End of section]
440 - PERFORM TESTS AND EVALUATE RESULTS:
.01:
The auditor should perform the planned tests and should evaluate the
results of each type of test separately, without respect to whether the
items were chosen as part of a multipurpose test. Guidance on
performing and evaluating the results is presented for each type of
test in the following sections:
* Section 450 - Sampling control tests,
* Section 460 - Compliance tests, and
* Section 470 - Substantive tests.
.02:
Sometimes, tests performed with the expectation of obtaining certain
results give other results. When this happens, the auditor may wish to
expand a sample to test additional items. Unless planned for in
advance, this generally cannot be done simply, as discussed in
paragraphs 450.17, 460.02, and 480.28; the auditor should consult with
the Statistician in such cases.
.03:
The auditor should keep in mind that the consideration of the risk of
material misstatement due to fraud (discussed in section 260 for
planning) is a cumulative process that should be ongoing throughout the
audit. During testing, the auditor may become aware of additional fraud
risk factors or other conditions that may affect the auditor's
consideration of fraud risk factors identified during planning, such as
discrepancies in the accounting records, conflicting or missing
evidential matter, or problematic or unusual relationships between the
auditor and the entity being audited. The auditor should consider
whether fraud risk factors or other conditions identified require
additional or different audit procedures. (See section 540.):
.04:
For CFO Act agencies and components listed in OMB audit guidance the
auditor is required to report on the substantial compliance of their
financial management systems with the requirements of FFMIA. The
auditor should conclude on substantial compliance at the completion of
the audit work based on work done in the internal control and testing
phases, as discussed in section 540.
[End of section]
450 - SAMPLING CONTROL TESTS:
.01:
Controls that leave documentary evidence of their existence and
application may be tested by inspecting this evidence. If sufficient
evidence cannot be obtained through walkthroughs in combination with
other observation and inquiry tests, the auditor generally should
obtain more evidence by inspecting individual items selected using
sampling procedures. The auditor may use multipurpose testing to use
the same sample to test controls and/or compliance and/or balances
(substantive test). This is usually more efficient. Alternatively, the
auditor may design a sample to test controls alone. In this case, the
auditor generally should use random attribute sampling (described
beginning in paragraph 450.05) to select items for sampling control
tests.
.02:
When planning sampling control tests, the auditor should determine (1)
the objectives of the test (including what constitutes a deviation),
(2) the population (including sampling unit and frame), (3) the method
of selecting the sample, and (4) the sample design and resulting sample
size. The auditor should document the sampling plan in the workpapers.
See section 495 E for example workpapers for documenting samples.
OBJECTIVES OF THE TEST:
.03:
The auditor should clearly indicate the objectives of the specific
control test. In designing samples for control tests, the auditor
ordinarily should plan to evaluate operating effectiveness in terms of
the rate of deviations in units or dollars from prescribed controls.
This involves defining (1) the specific control to be tested and (2)
the deviation conditions. The auditor should define control deviations
in terms of control activities not followed. For example, the auditor
might define a deviation in cash disbursements as "invoice not approved
and initialed by authorized individual.":
POPULATION:
.04:
In defining the population, the auditor should identify the whole set
of items on which the auditor needs to reach a conclusion and from
which the sample should be drawn. This includes (1) describing the
population, (2) determining the source document or the transaction
documents to be tested, and (3) defining the period covered by the
test. When multiple locations are involved, the auditor may consider
all or several locations as one population for sampling if the controls
at each location are components of one overall control system. Before
combining locations into one population, the auditor should consider
such factors as (1) the extent of uniformity of the controls and their
applications at each location, (2) whether significant changes can be
made to the controls or their application at the local level, (3) the
amount and nature of centralized oversight or control over local
operations, and (4) whether there could be a need for separate
conclusions for each location. If the auditor concludes that the
locations should be separate populations, he or she should select
separate samples at each location; he or she should evaluate the
results of each sample separately.
METHOD OF SELECTION:
.05:
The auditor should select a sample that he or she expects to be
representative of the population. For tests of controls, attribute
sampling achieves this objective. Attribute sampling requires random
selection of sample items without considering the transactions' dollar
amount or other special characteristics. IDEA or other software may be
used to make random selections.
SAMPLE SIZE:
.06:
In designing attribute samples for which inspection is the principal
source of evidence of control effectiveness, the auditor should
determine the objectives of the sample. For financial reporting control
tests, the objective is to support the preliminary assessment of
control risk as either moderate or low. For compliance and operations
control tests, the objective is to support the preliminary assessment
of the control as effective. In addition, for financial reporting and
compliance control tests, there is an objective of obtaining evidence
to support the auditor's report on internal control.
.07:
To determine the sample size, the auditor uses judgment to determine
three factors: the confidence level, the tolerable rate (maximum rate
of deviations from the prescribed control that the auditor is willing
to accept without altering the preliminary assessment of control
effectiveness), and the expected population deviation rate (expected
error rate). Once the auditor determines these factors, he or she may
use software (such as IDEA) or tables to determine sample size and to
determine how many deviations the auditor may find without having to
change the control risk assessment. GAO uses Tables I and II. Table I
on the following page may be used to determine the sample sizes
necessary to support these preliminary assessments of controls and to
conclude on the effectiveness of the controls. Tables I and II are used
to evaluate the test results. The AICPA has other examples in its
guidance, and the GAO factors are within the range of the AICPA
examples. If an auditor chooses to use factors other than Tables I and
II, he or she should consult with the Statistician.
.08:
Tables I and II are based on a 90 percent confidence level. (This
confidence level used at GAO is generally appropriate because the
auditor obtains additional satisfaction regarding controls through
other tests such as substantive tests, inquiry, observation, and
walkthroughs.):
.09:
Tables I and II are each based on different tolerable rates. Table I is
based on a tolerable rate of 5 percent, and Table II is based on a
tolerable rate of 10 percent. Each table shows various sample sizes and
the maximum number of deviations that may be detected in each sample to
rely on the controls at the determined control risk level. (See
paragraphs 450.13-.15 for a discussion of the evaluation of test
results.)[Footnote 3]
Figure 450.1: Sample Sizes and Acceptable Numbers of Deviations; (90%
Confidence Level).
TABLE I: (Tolerable rate of 5%):
(Use for determining sample sizes in all cases):
Sample size: 45; Acceptable Number of Deviations: 0.
Sample size: 78; Acceptable Number of Deviations: 1
Sample size: 105; Acceptable Number of Deviations: 2.
Sample size: 132; Acceptable Number of Deviations: 3.
Sample size: 158; Acceptable Number of Deviations: 4.
Sample size: 209; Acceptable Number of Deviations: 6
[End of table]
TABLE II: (Tolerable rate of 10%)
(Use for evaluating sample results only if preliminary assessment of
financial reporting control risk is low and deviations exceed Table I):
Sample size: 45; Acceptable Number of Deviations: 1.
Sample size: 78; Acceptable Number of Deviations: 4.
Sample size: 105; Acceptable Number of Deviations: 6.
Sample size: 132; Acceptable Number of Deviations: 8.
Sample size: 158; Acceptable Number of Deviations: 10.
Sample size: 209; Acceptable Number of Deviations: 14.
[End of table]
[End of table]
.10:
For financial reporting controls, if the preliminary assessment of
control risk is low or moderate, Table I may be used to determine
sample size. OMB audit guidance requires the auditor to perform
sufficient control tests to justify a low assessed level of control
risk, if controls have been properly designed and placed in operation.
.11:
For compliance and operations controls, sample sizes may also be
determined using Table I.
.12:
The auditor may use the sample size indicated for 0 acceptable
deviations (45 items). If no deviations are expected, the sample size
will be the most efficient for assessing control effectiveness; if no
deviations are found, the sample will be sufficient to support the
assessment of control risk. However, the auditor may use a larger
sample size if control deviations are expected to occur but not exceed
the acceptable number of deviations for the table.
EVALUATING TEST RESULTS:
Financial Reporting Controls:
.13:
To evaluate sample results, the auditor needs the sample size, the
number of deviations, and the confidence level. The auditor may use
software (such as IDEA) or tables to evaluate results.[Footnote 4] If
the auditor used Table I to determine sample size, and deviations are
noted that exceed the acceptable number for the sample size, the
auditor should follow the guidance below in deciding how to revise the
preliminary assessment of control risk:
* Low control risk: If the preliminary assessment of control risk is
low and if deviations are noted that exceed the acceptable number for
Table I, but not Table II, control risk may be assessed as moderate.
For example, if the original sample was 45 items, the auditor may
reduce the assessment of control risk to a moderate level if there is
not more than 1 deviation. If the auditor finds more than 1 deviation
with a sample size of 45 items, the auditor concludes that the
controls being tested are not operating effectively and should
reassess control risk as high.
* Moderate control risk: If the preliminary assessment of control risk
is moderate and if control deviations exceed the acceptable number for
Table I, the auditor should conclude that control risk is high. The
preliminary assessment of control risk is based on the assumption that
the controls operate as designed. If the preliminary assessment of
control risk is moderate and if control tests indicate that the control
is not operating as designed (deviations exceed the acceptable number
in Table I), the auditor should conclude that the control is
ineffective and revise the control risk assessment to high.
Compliance Controls:
.14:
If Table I is used to determine sample size and deviations are noted
that exceed the acceptable number for the sample sizes shown in Table
I, the auditor should conclude that the compliance control is not
effective. The auditor also should determine whether any deviations
noted ultimately resulted in noncompliance with a budget-related or
other law or regulation.
Operations Controls:
.15:
If Table I is used to determine sample size and deviations are noted
that exceed the acceptable number for the sample sizes shown in Table
I, the auditor should conclude that the operations control is not
effective. The auditor should not place reliance on ineffective
operations controls when performing other auditing procedures.
OTHER CONSIDERATIONS:
.16:
If, during the testing of sample items, the number of deviations
exceeds the acceptable number of deviations in Table I or II (as
applicable), the auditor concludes that the controls are not operating
as designed. However, the auditor should consider whether there are
other reasons for continuing to test the remaining sample items. For
example, audit team management should determine whether additional
information (such as an estimate of the population rate of occurrence)
is needed to report control weaknesses as described in paragraphs
580.31-.57. The significance of the weakness will determine how the
auditor reports the finding and, therefore, which elements of the
finding (condition, cause, criteria, possible effect, and
recommendation or suggestion) need to be developed. Or, the auditor may
want to include an interval estimate in the report. The auditor should
consult with audit team management and the Statistician in deciding
whether to complete the testing of the sample.
.17:
If an unacceptable number of deviations is noted in the original sample
and the auditor believes the use of a larger sample size might result
in an acceptable number of deviations, the auditor should consult with
the Statistician before selecting additional sample items. The
selection and evaluation of additional sample items cannot be based on
Tables I or II or on the formulas used by IDEA.
.18:
The auditor should consult with the Statistician when projecting the
rate of sample control deviations to a population for disclosure in a
report. While typically stated as a percentage of transactions, the
deviation rate is expressed as a percentage of dollars in the
population if sampling control tests are performed on a sample selected
using DUS (see paragraphs 480.14-.23).
[End of section]
460 - COMPLIANCE TESTS:
.01:
The type of provision of a law or regulation and the assessment of the
effectiveness of compliance controls affect the nature and extent of
compliance testing. Based on the type of provision (as discussed in
paragraph 245.01) the compliance tests discussed below should be
performed.
TRANSACTION-BASED PROVISIONS:
.02:
To test transaction-based provisions, the auditor should use sampling
to select specific transactions for testing compliance. The selection
of transactions to test may be combined with tests of financial
reporting, compliance, or operations controls and/or with substantive
tests, as appropriate. If the selection is solely for compliance
testing, the auditor generally should use a random attribute sample
(see paragraph 450.05). To determine sample size, the auditor needs to
make judgments as to confidence level, tolerable rate, and expected
population deviation rate. Confidence level should be related to
compliance control risk. For example, if the auditor determines
compliance controls are effective, he or she may use an 80 percent
confidence level; if ineffective, a 95 percent confidence level.
Tolerable rate is the rate of transactions not in compliance that could
exist in the population without causing the auditor to believe the
noncompliance rate is too high. GAO auditors should use 5 percent for
this. Since the auditor will assess the impact of all identified
noncompliance, many auditors use zero as the expected population
deviation rate. Using the above factors yields the following sample
sizes:
[See PDF for image]
[End of figure]
Since the auditor usually reports compliance on an entitywide basis,
the auditor may use these sample sizes on an entitywide basis.
Evaluation of test results is discussed in paragraph 460.07. The
auditor should test the entire sample, even if instances of
noncompliance are detected. If compliance controls were assessed on a
preliminary basis as effective and the results of testing indicated
that this assessment is not appropriate, in the above example, the
auditor should consult with the Statistician to determine the
appropriate sample size and selection procedures. The auditor cannot
merely choose the other sample size, but may, for example, increase the
sample size from 32 to 65 by using sequential sampling and randomly
selecting 33 additional items. The Statistician should also evaluate
the results when a test is expanded.
QUANTITATIVE-BASED PROVISIONS:
.03:
Generally, effective compliance controls should provide reasonable
assurance that the accumulation/summarization of information is
accurate and complete. If the compliance controls do not provide such
reasonable assurance, the auditor should test the accumulation of
information directly for existence, completeness, and summarization.
Such tests may be either samples or nonsampling selections and
generally should be designed to detect misstatements that exceed an
auditor-determined percentage of the total amount of the summarized
information or the amount of the restriction stated in the provision,
if any (GAO generally uses 5 percent for this test materiality). (The
amount of the restriction is described in paragraph 245.01.) Such tests
may be discontinued if significant misstatements are noted that would
preclude compliance. The test for compliance is the comparison of the
accumulated/summarized information with any restrictions on the amounts
stated in the identified provision.
.04:
For example, if provisions of budget-related laws and regulations are
considered significant and if related budget and consequently
compliance controls are ineffective, the auditor should test the
summarized information directly for the following potential
misstatements in budget execution information:
* Validity: Recorded amounts are not valid. (See section 395 F for
validity criteria for obligations, expended authority, and outlays.):
* Completeness: Not all amounts are recorded.
* Cutoff: Obligations, expended authority, and outlays are not recorded
in the proper period.
* Recording: Obligations, expended authority, and outlays are not
recorded at the proper amount.
* Classification: Obligations, expended authority, and outlays are not
recorded in the proper account by program and by object, if applicable,
including the proper appropriation year if the account has multiple
years. (Examples of program and object classifications are provided in
section 395 F.):
* Summarization: Transactions are not properly summarized to the
respective account totals.
.05:
An example of audit procedures to test for these misstatements is
included in section 495 B.
PROCEDURAL-BASED PROVISIONS:
.06:
In testing compliance controls relating to a procedural-based
provision, the auditor generally would obtain sufficient evidence to
conclude whether the entity performed the procedure and therefore
complied with the provision. For example, the auditor's tests of
compliance controls concerning receipt of information from grantees
generally would provide evidence of whether such information was
received and therefore whether the entity complied. If compliance
control tests do not provide sufficient evidence to determine
compliance, the auditor should perform additional procedures, as
considered necessary, to obtain such evidence.
EVALUATING TEST RESULTS:
.07:
For any possible instances of noncompliance noted in connection with
the procedures described above or other audit procedures, the auditor
should:
* discuss such possible instances with OGC and, when appropriate, the
Special Investigator Unit and conclude whether noncompliance has
occurred and the implications of any noncompliance;
* identify the weakness in compliance controls that allowed the
noncompliance to occur, if not previously identified during compliance
control testing;
* report the nature of any weakness in compliance controls and consider
modification of the report on internal control as appropriate (see
paragraphs 580.31-.55);
* consider the implications of any instances of noncompliance on the
financial statements; and:
* report instances of noncompliance, as appropriate. (See paragraphs
580.67-.75.):
[End of section]
470 - SUBSTANTIVE TESTS - OVERVIEW:
.01:
In the internal control phase, the auditor preliminarily assesses the
level of combined (inherent and control) risk for each significant
assertion within each significant line item or account (see section
370). Substantive audit procedures should be applied to all significant
assertions in significant financial statement line items and accounts.
The auditor's objective during substantive tests is to determine
whether the assertions are materially misstated and to form an opinion
about whether the financial statements are presented fairly in
accordance with GAAP. To determine if significant assertions are
misstated, the auditor should consider designing substantive tests to
detect each of the potential misstatements in assertions that were
developed in the internal control phase (see section 330). In addition,
the auditor should consider whether efficiencies can be achieved by
using the concepts of directional testing, as discussed in paragraphs
470.14-.16.
.02:
Based on the level of expected overall audit assurance determined in
the planning phase of the audit (see paragraph 260.04), the auditor
should establish the minimum levels of substantive assurance for each
level of combined risk. For example, based on the audit risk model in
AU 350 and a desired overall audit assurance of 95 percent, GAO
considers the following minimum levels of substantive assurance for
each level of combined risk to be appropriate:
Low combined risk: 63%:
Moderate combined risk: 86%:
High combined risk: 95%:
Substantive assurance is the auditor's judgment that all of the
auditor's substantive tests will detect misstatements that in total
exceed materiality. Substantive assurance, which relates to the entire
audit and correlates directly with the level of combined risk, is not
the same as confidence level, which is for a specific sample. The
higher the risk, the more substantive assurance required.
TYPES OF SUBSTANTIVE TESTS:
.03:
There are two general types of substantive tests: (1) substantive
analytical procedures and (2) tests of details. To achieve the required
substantive assurance (discussed above) the auditor may use either of
these tests or a combination of the two. The type of test to use and
the amount of reliance to place on each type of procedure, within the
framework of the audit matrix (discussed in paragraph 470.10), is a
matter of the auditor's judgment and should be based on effectiveness
and efficiency considerations.
Substantive analytical procedures:
.04:
Substantive analytical procedures involve the comparison of a recorded
amount with the auditor's expectation of that amount and investigation
of any significant differences to reach a conclusion on the recorded
amount. Analytical procedures involve a study of plausible
relationships among both financial and nonfinancial data. A basic
premise is that plausible relationships among data may reasonably exist
and continue in the absence of errors, fraud, or changes in
circumstances. (See AU 329.):
.05:
Substantive analytical procedures may be performed at one of three
levels for an assertion, as follows:
* Complete: The auditor relies solely on analytical procedures for all
of the assurance required from substantive procedures. The procedure
is so persuasive that the auditor believes that it will detect any
aggregate misstatements that exceed test materiality.
* Partial: The auditor relies on a combination of analytical procedures
and tests of details to obtain an appropriate level of substantive
assurance. For partial assurance, the auditor believes that the
analytical procedures should detect any aggregate misstatements that
exceed test materiality.
* None: The auditor does not rely on analytical procedures for
substantive assurance. All substantive assurance will be obtained from
tests of details. In this situation, supplemental analytical
procedures may be performed to increase the auditor's understanding of
account balances and transactions, but not to provide any additional
substantive assurance. These procedures are similar in scope to those
performed on an overall basis at the financial statement level (see
section 520).
.06:
To determine whether to perform complete or partial substantive
analytical procedures, the auditor should consider the effectiveness or
persuasiveness and efficiency of such procedures. In so doing, the
auditor should consider the factors discussed in detail in section 495
A.
Detail tests:
.07:
Detail tests are test procedures that are applied to individual items
selected for testing and include:
* Confirming a balance or transaction or the related terms, such as
accounts receivable or accounts payable, by obtaining and evaluating
direct communication from a third party.
* Physically observing, inspecting, or counting tangible assets, such
as inventory or property, plant, and equipment, and applying related
procedures.
* Examining supporting documents to determine whether a balance is
properly stated. For example, the auditor might examine invoices for
property and equipment purchases.
* Recalculating, or checking mathematical accuracy of entity records by
footing or crossfooting or by recomputing amounts and tracing journal
postings, subsidiary ledger balances, and other details to
corresponding general ledger accounts. For example, the auditor might
recalculate unit cost extensions in an inventory list, foot the list
(whether prepared manually or by computer), and trace the total to the
general ledger amount.
.08:
Detail tests are generally used in combination to provide sufficient
substantive assurance about an assertion. For example, to test the
valuation of accounts receivable, the auditor might confirm balances,
recalculate the aging schedule, examine documents supporting the aging
and specific delinquent accounts, and discuss collectibility with
management. On the other hand, a single detail test procedure might
provide substantive assurance about more than one of the five financial
statement assertions. For example, a physical observation of inventory
might provide evidence about existence, valuation, and presentation and
disclosure.
.09:
The minimum extent of detail testing to be performed is based on the
combined risk assessment and the amount of assurance obtained from
substantive analytical procedures, as illustrated in the Audit Matrix
(figure 470.1).
DETERMINING MIX OF SUBSTANTIVE TESTS:
.10:
In determining an appropriate mix of analytical procedures and detail
tests, the auditor should consider the following matrix (figure 470.1)
which illustrates the integration of such tests for each level of
combined risk, when the auditor is using a desired overall audit
assurance of 95 percent. GAO auditors should use this audit matrix.
Figure 470.1: Audit Matrix:
Assessed combined risk level: Low; Substantive assurance: 63%;
Substantive assurance from analytical procedures[A]: Complete; Minimum
substantive assurance from detail tests: 0%; Substantive assurance
from analytical procedures[A]: Partial; Minimum substantive assurance
from detail tests: 50%; Substantive assurance from analytical
procedures[A]: None; Minimum substantive assurance from detail tests:
86%.
Assessed combined risk level: Moderate; Substantive assurance: 86%;
Substantive assurance from analytical procedures[A]: Complete; Minimum
substantive assurance from detail tests: 0%; Substantive assurance
from analytical procedures[A]: Partial; Minimum substantive assurance
from detail tests: 77%; Substantive assurance from analytical
procedures[A]: None; Minimum substantive assurance from detail tests:
86%.
Assessed combined risk level: High; Substantive assurance: 95%;
Substantive assurance from analytical procedures[A]: Complete; Minimum
substantive assurance from detail tests: 0%; Substantive assurance
from analytical procedures[A]: Partial; Minimum substantive assurance
from detail tests: 92%; Substantive assurance from analytical
procedures[A]: None; Minimum substantive assurance from detail tests:
95%.
[A] Complete assurance from analytical procedures requires procedures
that are extremely effective and persuasive to serve as the sole source
of audit evidence for achieving the audit objective. This level of
effectiveness or persuasiveness is very difficult to achieve when
combined risk is assessed as high. Therefore, complete reliance on
analytical procedures for substantive assurance in these situations is
rare, particularly for balance sheet accounts.
[End of table]
.11:
Additional factors to consider in determining an appropriate mix of
analytical procedures and detail tests include the following:
* The nature and significance of the assertion being tested: Analytical
procedures are generally more likely to be effective for assertions
related to net cost statement accounts than for those related to
balance sheet accounts. Significant assertions generally require more
or higher quality audit evidence that may not be available from
analytical procedures.
* The nature of the combined risk: Substantive tests should be designed
to address the specific type and level of combined risk for each
assertion. For example, for certain loss claim liabilities, detail
tests might be used to search subsequent claim payments for potential
liabilities in testing the completeness assertion, while analytical
procedures might be applied to test the related valuation assertion by
evaluating the amounts per claim.
* The availability of different types of evidence: Using evidence that
can be readily obtained may be more efficient. For example, in federal
government audits, the availability of budgets and other information
may assist in performing analytical procedures.
* The quality of the respective types of evidence available: The higher
the quality of a type of evidence, the greater the level of assurance
the auditor may derive from that type (see paragraph 470.13).
* The anticipated effectiveness of analytical procedures: Detail tests
should be used if analytical procedures are not expected to be
effective.
.12:
When determining the types of substantive tests to use, the auditor's
goal should be to choose the mix of effective procedures that are
considered to be the most efficient in combination with sampling
control tests and compliance tests. The auditor should exercise
judgment when assessing the effectiveness or persuasiveness of all
audit procedures, particularly analytical procedures.
.13:
When considering a procedure's relative effectiveness, the auditor is
concerned about the expected quality of the evidence. The quality of
evidence obtained in a substantive test depends highly on the
circumstances under which it is obtained and should be evaluated with
professional skepticism. The following are generalizations about
evidence:
* Evidence obtained from independent third parties provides a higher
level of assurance than that obtained from sources in the entity.
* Evidence obtained directly by the auditor through confirmation,
physical examination, vouching, or recalculation provides a higher
level of assurance than that obtained indirectly, such as through
inquiry.
* Documentary evidence provides a higher level of assurance than oral
representations.
* Evidence obtained at or near the balance sheet date concerning an asset
or liability balance provides a higher level of assurance than that
obtained before or after the balance sheet date, because the audit risk
generally increases with the length of the intervening period.
* The lower the control risk associated with an entity's internal
control, the higher the assurance concerning the information subject to
that internal control.
OTHER EFFICIENCIES:
.14: In planning tests, the auditor should consider the relationships
between recorded amounts to help in achieving efficiencies. For
example, in double-entry accounting, a misstatement in one account
affects at least one other (related) account. This relationship gives
rise to the opportunity for testing more than one account with a single
test. Similarly, the relationship between budgetary and
proprietary[Footnote 6] accounts may provide the opportunity for
efficiencies in testing.
.15:
In double-entry accounting, a misstatement in one account affects at
least one other (related) account. For example, a misstatement of
accrued payroll typically results in a misstatement of payroll expense.
In this example, a substantive test of accrued payroll should detect
misstatements in both accrued payroll and payroll expense. In designing
substantive tests, after considering combined risk and developing an
understanding of each related account, the auditor should consider the
effect of such tests on related accounts. For example, a test of
revenue for completeness may provide substantive evidence about the
completeness of accounts receivable. In many instances where double-
entry accounting is used, it may be efficient to (1) design an overall
strategy that tests certain accounts substantively for either existence
or completeness (the two assertions most affected by testing related
accounts) and (2) rely on such tests to detect misstatements in the
related accounts. For example, the auditor might test (1) assets and
expenses directly for existence and (2) liabilities, equity, and
revenue for completeness, thereby indirectly testing the related
accounts for existence or completeness, as applicable. This logic is
called a directional testing approach.
.16:
In some instances, the auditor may need to supplement a directional
testing approach to address specific combined risks. For example, if
inherent and control risk factors warrant, the auditor might test both
existence and completeness in a test of cutoff as of the balance sheet
date. During initial financial statement audits, the auditor generally
should test both existence and completeness directly, when those
assertions are significant, because the cumulative knowledge about the
interaction of accounts may be limited.
.17:
The audit assurance that can be obtained from directional testing is
diminished in balance-sheet-only audits if related accounts are not
also tested and in audits of entities having single-entry accounting
systems (since double-entry account interrelationships do not exist).
In these instances, the auditor should test both existence and
completeness directly when those assertions are significant.
.18:
To maximize efficiency, the auditor should combine the testing of
budgetary and proprietary accounts where the combination is
appropriate. For example, the auditor may combine tests of outlays (on
the statement of budgetary resources) with tests of cash disbursements
(used to test net costs).
.19:
If an entity has budget accounting records but does not maintain
separate proprietary accounting records, or the proprietary records are
incomplete, the auditor should directly test expended authority
produced by the budget system and the items necessary to reconcile the
budget to the proprietary accounts.
.20:
Also, if (1) relevant budget restrictions relate to significant
quantitative-based provisions of laws and regulations and (2) budget
controls are not effective, the auditor should test the accumulation of
budget amounts (see paragraphs 460.03-.05).
[End of section]
475 - SUBSTANTIVE ANALYTICAL PROCEDURES:
.01:
This section provides guidance on the application of substantive
analytical procedures. Analytical procedures are sometimes referred to
as fluctuation analysis, flux analysis, predictive tests, or analytical
review. These procedures consist of comparing recorded account balances
with the auditor's expectations. The auditor develops an expectation or
estimate of what the recorded amount should be based on an analysis and
understanding of relationships between the recorded amounts and other
data. This estimate is then used to form a conclusion on the recorded
amount. A basic premise underlying analytical procedures is that
plausible relationships among data may reasonably be expected to
continue unless conditions are known that would change the
relationship. (For further information, refer to AU 329 or the Audit
Guide Analytical Procedures.):
.02:
Scanning account detail and recomputation are two other audit
procedures related to analytical procedures. Scanning consists of
searching for unusual items in the detail of account balances. Scanning
is an appropriate tool to investigate the cause of a significant
fluctuation, but it is not considered a substantive analytical
procedure on its own. Unusual items identified through scanning should
be investigated to obtain substantive assurance about the unusual
items. The auditor may independently compute an estimate of an account
balance, which is sometimes referred to as recomputation or an overall
test of reasonableness. These recomputations are considered substantive
analytical procedures. When making recomputations, the auditor should
assess the reliability of the data used and should follow the steps
used for performing substantive analytical procedures.
.03:
The risk of forming the incorrect conclusion on the account balance
tested may be higher for substantive analytical procedures than for
detail tests because of the procedures' extensive use of the auditor's
judgment. Accordingly, quality control is of critical importance. To
help maintain a high level of quality in these procedures, the
assessment of the amount of reliance to place on the procedures, the
design of the procedures, and the formulation of conclusions on the
results of these procedures should be performed or closely supervised
and reviewed by experienced audit team personnel.
PERFORMING SUBSTANTIVE ANALYTICAL PROCEDURES:
.04:
If substantive analytical procedures are used, the auditor should
perform steps a. through l. below:
a. Determine the amount of the limit. The limit is the amount of
difference between the auditor's expectation and the recorded amount
that the auditor will accept without investigation. The determination
of the limit is a matter of the auditor's judgment; some guidelines are
provided in paragraph 475.05. The guidelines consider the amount of
substantive assurance desired from analytical procedures.
b. Identify a plausible, predictable relationship and develop a model
to calculate an expectation of the recorded amount. Consider the type
of misstatements that could occur and how those misstatements would be
detected by the model.
c. Gather data for developing the expectation, and perform appropriate
procedures to establish the reliability of the data. The reliability of
these base data is subject to the auditor's judgment. The reliability
of data is discussed further in section 495 A.
d. Develop the expectation of the recorded amount using the information
obtained during the previous steps. The preciseness of the expectation
is subject to the auditor's judgment and is discussed further in
section 495 A.
e. Compare the expectation with the recorded amount, and note the
difference.
f. Obtain explanations for differences that exceed the limit, since such
differences are considered significant.
g. Corroborate explanations for significant differences.
h. Determine whether the explanations and corroborating evidence
provide sufficient evidence for the desired level of substantive
assurance. If unable to obtain a sufficient level of substantive
assurance from analytical procedures, perform additional procedures as
discussed in paragraphs 475.12-.17 and consider whether the difference
represents a misstatement.
i. Consider whether the assessment of combined risk remains appropriate,
particularly in light of any misstatements identified. Revise the
assessment of combined risk, if necessary, and consider the effects on
the extent of detail tests.
j. Document (on the Summary of Possible Adjustments as discussed in
540.04) the amount of any misstatements detected by substantive
analytical procedures and their estimated effects. The limit (the
amount of the difference between the recorded amount and the
expectation that does not require explanation) is not considered a
known or likely misstatement and is not posted to the Summary of
Possible Adjustments.
k. Conclude on the fair presentation of the recorded amount.
l. Include documentation of work performed, results, and conclusions in
the workpapers. Required documentation is discussed in section 490.
GUIDELINES FOR ESTABLISHING THE LIMIT:
.05:
As discussed above, the limit is the amount of the difference between
the expected and recorded amounts that can be accepted without further
investigation. GAO uses the following guidelines in establishing the
limit for each level of reliance on analytical procedures for
substantive assurance:
* Complete reliance: The limit is 20 percent or less of test
materiality.
* Partial reliance: The limit is 30 percent or less of test materiality.
* No reliance: Substantive analytical procedures are not needed.
Auditors using different limits should document the basis for the limit
used.
INVESTIGATING SIGNIFICANT DIFFERENCES:
Causes of significant differences:
.06:
Differences between the expectation and the recorded amount typically
relate to either factors not included in the model (such as specific
unusual transactions or changes in accounting policies), a lack of
preciseness of the model, or misstatements (either errors or fraud).
Amount of Difference to Be Explained:
.07:
When obtaining explanations, it is usually helpful to review with
entity personnel the model and assumptions used to develop the
expectation. Entity personnel will then be in a better position to
provide the auditor with a relevant explanation. If the amount of the
difference exceeds the limit, the auditor generally should try to
obtain an explanation for the entire difference between the recorded
amount and the expectation. The portion of the difference that exceeds
the limit must be explained (see figure 475.1). If the difference does
not exceed the limit, an explanation is not required. The auditor
should identify and corroborate all significant factors that may cause
the expectation to differ from the actual amount, regardless of whether
the factors increase or decrease the difference.
Figure 475.1: Amount of Difference Explained When:
Recorded Amount Exceeds Limit:
[See PDF for image]
[End of figure]
Corroboration of explanations:
.08:
The relevance and reliability of corroborating evidence may vary
significantly; therefore, the extent of corroboration of explanations
is left to the auditor's judgment. Corroboration may consist of
examining supporting documentation or corroborating explanations
received from accounting department personnel with personnel from the
appropriate operating department, who should be knowledgeable about the
entity's operations. The explanations for the fluctuations should be
quantified and should address the direction and magnitude of the event
causing the fluctuation. The auditor should corroborate all
explanations received. In determining whether sufficient corroborating
evidence has been obtained, the auditor should consider the guidelines
for complete and partial assurance discussed in paragraph 470.05. In
evaluating explanations the auditor should consider whether the
difference could be caused by error or fraud.
Example of an adequate explanation for a significant fluctuation:
.09:
Assume that the auditor determined test materiality to be $25 million.
Additionally, assume that the auditor has determined, after considering
any inherent and control risks, that a substantive analytical procedure
should be performed with a limit of $5 million. The auditor estimated
interest expense at $80 million by multiplying the average loan balance
of $1 billion by the average interest rate of 8 percent. Both of these
averages were computed through a simple average of beginning-of-year
and end-of-year amounts. The recorded amount of interest expense, $94.5
million, is higher than the estimated amount by $14.5 million and
exceeds the limit by $9.5 million.
.10:
An explanation from entity personnel that "we borrowed more money this
year and interest rates are higher than last year" would not be
adequate. This explanation needs to be quantified and corroborated.
.11:
An example of an adequate explanation follows:
Based on a review of correspondence from lenders, interest rates
increased during the year and then fell and were computed to average 9
percent based on a monthly average. Additionally, loan statements from
lenders indicate that $100 million was borrowed and repaid during the
year, and the additional borrowings were outstanding for 6 months.
Therefore, the average loan balance was actually $50 million higher and
the average interest rate was 1 percent higher than the figures used in
the auditor's original estimate.
Therefore, the interest expense in excess of the expectation can be
explained as follows (in thousands):
$1,000,000 X 1% = $10,000 + 50,000 X 9% = 4,500:
Total difference explained: $14,500:
Course of action in the event of inadequate explanations or
corroborating evidence:
.12:
If an explanation and/or corroborating evidence does not adequately
explain the fluctuation sufficient to provide either complete or
partial assurance, the auditor must perform additional substantive
procedures. These procedures may consist of:
* increasing the effectiveness of the substantive analytical procedures
by making the expectation more precise in order to obtain the amount of
desired assurance,
* performing tests of details and placing no reliance on the
substantive analytical procedures that were ineffective, or:
* treating the difference as a misstatement.
.13:
The auditor should consider the relative efficiency of each of these
options. Deciding whether to perform additional substantive procedures
is a matter of the auditor's judgment. The additional procedures must
provide the auditor with adequate assurance that aggregate
misstatements that exceed test materiality have been identified.
.14:
To increase the persuasiveness or effectiveness of an analytical
procedure, the auditor generally needs to make the expectation more
precise. The auditor can do so by:
* building a more sophisticated model by identifying more key factors
and relationships,
* disaggregating the data (such as using monthly instead of annual
data[Footnote 7]), or
* using more reliable data or obtaining greater confidence in the
data's reliability by corroborating the data to a greater extent.
Measuring the precision of the expectation and the impact of changing
each of these factors on the procedure's effectiveness is difficult and
is left to the auditor's judgment.
.15:
If detail tests are used to test the account balance because adequate
explanations cannot be obtained or corroborated, the auditor still must
obtain an overall understanding of the current-year financial
statements when applying the required overall analytical procedures at
the financial statement level. As discussed in section 520,
significantly less work is needed to obtain this overall understanding
of the financial statements than when using analytical procedures as a
substantive test.
.16:
Additionally, if analytical procedures originally performed as a
substantive test do not provide the required assurance, the auditor may
be able to use those procedures to supplement an understanding of the
account balances or transactions after obtaining substantive assurance
through detail tests.
.17:
When the auditor places no reliance on substantive analytical
procedures, all substantive assurance is provided by detail tests. In
this situation, less rigorous, supplemental analytical procedures may
be used to increase the auditor's understanding of the account balances
and transactions after performing the detail tests. When using
supplemental analytical procedures, the auditor uses judgment to
determine which fluctuations require explanations.
[End of section]
480 - SUBSTANTIVE DETAIL TESTS:
POPULATION TO BE TESTED:
.01:
In designing detail tests, the assertion tested affects the choice of
the population (an account balance or a portion of an account balance)
from which items are selected. For example, the existence assertion
deals with whether recorded assets or liabilities exist as of a given
date and whether recorded transactions have occurred during a given
period. To detail test the existence assertion, the auditor should test
the recorded account balance by (1) selecting items from those that
compose the account balance and (2) then testing those items to
evaluate whether such inclusion in the account balance is proper. For
example, to test an expense account for existence, the auditor might
select individual expense amounts included in the balance from a detail
general ledger and then examine invoices that support the expense
amount. It would be inappropriate to select invoices directly and then
trace invoice amounts to inclusion in the general ledger balance.
.02:
For the existence assertion, the test population should agree with or
be reconciled to the recorded amount of the account balance being
tested. The auditor should test reconciling items, if any, in an
appropriate manner. If this is not done, the conclusion applies only to
the test population (the available items), not the recorded population.
.03:
Conversely, the completeness assertion deals with whether all
transactions and accounts that should be presented in the financial
statements are so included. To detail test the completeness assertion,
the auditor should select from an independent population of items that
should be recorded in the account. The auditor should (1) select items
that should be recorded from a source that is likely to contain all the
items that should be recorded and (2) determine whether they are
included in the recorded balance. For example, to test completeness of
recorded revenue, the auditor might select shipments from a shipping
log (which is believed to be reasonably complete), trace them to
recorded revenue amounts, and then test the summarization of those
amounts to inclusion in the general ledger revenue balance. To test
completeness of recorded accounts payable, the auditor might select
from payments made subsequent to year-end plus invoices on hand but not
yet paid and trace those in which the receipt of goods or services
occurred before year-end to inclusion in year-end accounts payable
(those where the receipt occurred after year-end should be tested for
exclusion from accounts payable).
SELECTION METHODS FOR DETAIL TESTS:
.04:
Detail tests may be applied to any of the following:
* all items composing the population;
* a nonrepresentative selection (nonsampling selection) of items; and:
* a representative selection (sample) of items composing the population.
Flowchart 1 (section 495 E) illustrates the process of deciding the
selection method.
.05:
Detail testing of all items composing the population is generally most
appropriate for populations consisting of a small number of large
items. For example, several large accounts receivable or investments
might compose an entire balance.
.06:
Detail testing of a nonrepresentative selection (nonsampling selection)
is appropriate where the auditor knows enough about the population to
identify a relatively small number of items of interest, usually
because they are likely to be misstated or otherwise have a high risk.
(Nonrepresentative selections may also be used to test controls by
using inquiry, observation, and walkthrough procedures and to obtain
planning information, for example, by performing a walkthrough to
understand the items in the population.) While the dollar amount is
frequently the characteristic that indicates that an item is of
interest, other relevant characteristics might include an unusual
nature (such as an item identified on an exception report), an
association with certain entities (such as balances due from high-risk
financially troubled entities), or a relationship to a particular
period or event (such as transactions immediately before and after the
year-end date). The effects of any misstatements found should be
evaluated; however, unlike sampling, the results of procedures applied
to items selected under this method apply only to the selected items
and must not be projected to the portion of the population that was not
tested. Accordingly, the auditor must apply appropriate analytical and/
or other substantive procedures to the remaining items, unless those
items are immaterial in total or the auditor has already obtained
enough assurance that there is a low risk of material misstatement in
the population.
.07:
Detail testing of a representative selection (sample) of items
composing the population is necessary where the auditor cannot
efficiently obtain sufficient assurance (based on the assessed combined
risk and other substantive procedures including analytical procedures)
about the population from nonrepresentative selections. The auditor
selects sample items in such a way that the sample and its results are
expected to be representative of the population. Each item in the
population must have an opportunity to be selected, and the results of
the procedures performed are projected to the entire population. (In
random selection, each item has an equal chance of selection (see
glossary for further discussion of definition); in dollar-unit sampling
(DUS), each dollar has an equal chance of selection; in classical
variables estimation sampling, each item in a stratum has an equal
chance of selection.):
.08:
The auditor may use a nonrepresentative selection for part of the
population and a sample for the remainder of the population. For
example, the auditor might select all inventory items with a book
amount greater than $10,000,000, all items that have not had any
activity in the previous 6 months, and a statistical sample of the
balance of the population. The auditor would project the misstatements
in the statistical sample to the population of items less than
$10,000,000 with activity in the last 6 months. The auditor would also
compute a combined evaluation for the three selections by adding the
results of the 100 percent selections to the conclusion for the
statistical selections.
.09:
The auditor should document in the workpapers (usually in the audit
program) whether a selection is intended to be a representative
selection (a sample projectable to the population) or a
nonrepresentative selection (not projectable to the population); if it
is a nonrepresentative selection, the auditor also should document the
basis for concluding that enough work has been done to obtain
sufficient assurance that the items not tested are free from aggregate
material misstatement.
REPRESENTATIVE SELECTIONS (SAMPLING):
.10:
The following paragraphs provide an overview of sampling, primarily
with respect to the existence and valuation assertions. Similar
concepts and methods apply to the completeness assertion, except that
the population for selection differs. (See paragraphs 480.01-.03.):
.11:
AU 350.45 indicates that samples may be either statistical or
nonstatistical. In statistical sampling, the auditor uses probability
theory to determine sample size, select the sample, and evaluate the
results for the purpose of reaching a conclusion about the population.
Statistical sampling permits the auditor to objectively determine
sample size (based on subjective decisions about risk and materiality),
objectively select the sample items, and objectively evaluate the
results; thus, the auditor using statistical sampling determines
objectively whether enough work has been performed. Because of these
advantages, when a sample is necessary, the auditor should use
statistical sampling. Software such as Interactive Data Extraction and
Analysis (IDEA)[Footnote 8] allows the auditor to quickly perform the
calculations necessary for statistical sampling.
.12:
In nonstatistical sampling, the auditor considers statistical concepts,
but does not explicitly use them to determine sample size, select the
sample,[Footnote 9] or evaluate the results. Because the auditor using
statistical sampling objectively considers the same factors that the
auditor using nonstatistical sampling should subjectively consider, the
size of a nonstatistical sample should not be less than the size of a
properly calculated statistical sample.
.13:
The auditor who uses nonstatistical sampling generally should first
calculate a statistical sample size (generally using dollar-unit
sampling), then add at least 25 percent. The 25 percent is protection
because the nonstatistical sample is not as objective as the
statistical sample. The auditor who wishes to use nonstatistical
sampling for a particular test should obtain the approval of the
Reviewer, in consultation with the Statistician, before performing the
test. Approval is not needed to use nonrepresentative selections
(nonsampling) since they do not involve projections.
.14:
In sampling, the sample must be selected from all the items that
compose the population so that each item has an opportunity for
selection (in statistical sampling, the auditor can determine the
probability of selection). For example, the auditor might select sample
items from a list of all accounts receivable balances that is
reconciled to the related account balance. Selecting sample items from
file drawers is not a valid selection method for any type of sampling
unless the auditor has determined that all items composing the
population are included in the drawers.
.15:
For statistical samples, sample items should be selected using random
or dollar-unit selection methods. Computer software may be used. Manual
selection should be based on random number tables, a computer-based
random number generator, or through use of systematic selection (every
nth item with a random start between 1 and n). For example, the auditor
might begin with a random start and then choose every nth item, where n
is the sampling interval. The sampling interval would be determined by
dividing the number of items in the population by the desired number of
selections.
.16:
The sample size is a function of the size of the population, the
desired confidence level (based on the amount of substantive assurance
the auditor requires from detail tests, as shown on the audit matrix in
section 495 D), test materiality (based on design materiality, expected
misstatements, and other factors discussed in paragraph 230.13), and
the sample selection method.
.17:
Once the auditor decides that a sample is necessary, the choice of the
sample selection method to be used is a matter of the auditor's
judgment concerning the most efficient method to achieve the audit
objectives. The following methods of sample selection are available for
substantive testing:
* dollar-unit sampling (DUS)--see paragraph 480.21,
* classical variables estimation sampling--see paragraph 480.32, and:
* classical probability proportional to size (PPS) sampling (evaluating a
PPS sample using a classical variables sampling approach)--see
paragraph 480.34.
Attributes sampling may be used for tests of controls and for tests of
compliance with laws and regulations. To use any sampling method for
substantive testing that is not listed in this paragraph, the auditor
should consult with the Statistician. (Stratification and/or use of
ratio estimates and regression estimates often lead to smaller sample
sizes. Multistage samples may reduce time and travel costs.):
.18:
Each of these methods yields a valid projected (likely) misstatement,
and a valid upper limit at the desired confidence level. In addition,
classical PPS and classical variables sampling yield a valid two-sided
confidence interval (DUS yields a valid upper limit). The auditor
chooses the method based on the test objectives and efficiency.
.19:
When deciding the sampling method, the auditor should consider whether
the dollar amounts of the individual items composing the population are
available (such as on a detail listing or a computer file), the
expected amount of misstatements, and the relative cost and efficiency
of each appropriate sampling method. Flowchart 2 (section 495 E)
summarizes the process of choosing the sampling method once the auditor
has decided a sample is necessary. The subsequent pages of the
flowchart indicate the steps that the auditor generally should perform
for each sampling method. Example workpapers to document attribute,
dollar-unit, and classical variables sampling are in section 495 E.
.20:
If the dollar amounts of the individual items composing the population
are known, the auditor should use DUS, classical PPS, or classical
variables estimation sampling. If dollar amounts of these individual
items are not known, see paragraph 480.36.
SAMPLE SELECTION:
Dollar-unit sampling (DUS):
.21:
Dollar-unit sampling (DUS)[Footnote 10] is a type of statistical
sampling that the auditor generally should use when:
a. the dollar amounts of individual items in the population are known,
b. the primary objective is to test the overstatement of the population
(see below for testing a population related to the line item),
c. the auditor expects that the total dollar amount of misstatement in
the population is not large,[Footnote 11] and:
d. the amount of misstatement in an individual item cannot exceed the
selected amount.[Footnote 12]
DUS is also known as probability proportional to size (PPS) and
monetary unit sampling (MUS). DUS works best in populations where the
total misstatement is not large and where the objective is to test for
overstatement of a population. When the objective is understatement of
a line item, the auditor often is able to define a related population
to test for overstatement. For example, to test for understatement of
accounts payable, the auditor would select a DUS of subsequent
disbursements. See also paragraph 480.36.
.22:
In a manually applied DUS, a sampling interval (n) is used to select
every nth dollar from the dollars in the individual items that compose
the population. These items might be recorded amounts for individual
receivable balances, inventory items, invoices, or payroll expenses.
The item that contains the nth dollar is selected for testing. DUS is
representative of all dollars in the population; however, larger items
have a higher probability of selection (for example, a $2,000 item has
an approximately twenty times greater probability of selection than a
$100 item).
.23:
When the total misstatement in the population is not large, DUS will
yield the smallest sample size for a given population, test
materiality, and desired confidence level when all statistical sampling
methods are considered. When the auditor expects that the population
contains a large amount of misstatement, he or she should use classical
variables sampling (see footnote 3 and paragraph 480.33).
.24:
In DUS, the auditor may compute the sample size manually (paragraphs
480.24-.26) or by using computer software (paragraph 480.27). To
calculate a dollar-unit sample size manually, the auditor uses the
dollar amount of the population, test materiality (see section 230),
and required confidence level. The auditor calculating sample size
manually may use the statistical risk factor from figure 480.1 to
determine sample sizes for the appropriate confidence level, as
discussed below.
Figure 480.1: Statistical Risk Factors:
Confidence Level: 50%; Statistical; Risk Factor[A]: 0.7.
Confidence Level: 63%; Statistical; Risk Factor[A]: 1.0.
Confidence Level: 77%; Statistical; Risk Factor[A]: 1.5.
Confidence Level: 86%; Statistical; Risk Factor[A]: 2.0.
Confidence Level: 92%; Statistical; Risk Factor[A]: 2.5.
Confidence Level: 95%; Statistical; Risk Factor[A]: 3.0.
[A] These are based on the Poisson distribution, which approximates the
binomial distribution. Therefore, the sample size computed using this
table may differ slightly from the sample size computed using IDEA.
[End of table]
Section 495 D contains the audit matrix with the appropriate risk
factor for each level of combined risk and reliance on substantive
analytical procedures. See paragraph 480.27 for guidance on using IDEA
to compute sample size.
.25:
The statistical risk factors are used in the following formulas to
determine the sampling interval and sample size for DUS:
1. sampling interval = test materiality ÷ statistical risk factor:
2. sample size = recorded amount ÷ sampling interval:
Sample sizes should be stated in whole numbers. Uneven amounts should
be rounded up to the next whole number. For example, a sample size of
40.2 items should be rounded up to 41 items.
.26:
For example, to test a recorded amount of $30 million with a test
materiality of $900,000 and a 95 percent confidence level, the
statistical risk factor would be 3.0. The sampling interval would be
$300,000 (test materiality of $900,000 divided by the statistical risk
factor of 3.0). Essentially, from a random start, every 300,000th
dollar is selected. Therefore, the preliminary estimate of sample size
of 100 items is calculated by dividing the recorded amount of $30
million by the sampling interval of $300,000. Because the amount of
certain items might equal or exceed the sampling interval, a selection
might include more than 1 sample item (for example, a $600,000
selection would include 2 of the 100 estimated sample items: $600,000/
$300,000 = 2), thereby making the actual number of items tested fewer
than 100.
.27:
When the auditor uses the IDEA software to calculate sample size, the
inputs are materiality, expected total dollar amount of misstatements
in the population, confidence level, and the dollar amount of the
population. Whether the auditor should input design materiality or test
materiality depends on why the auditor reduced design materiality to
get test materiality (see paragraph 230.13). If the auditor reduced
design materiality to test materiality because not all entity locations
are being tested or because the area is sensitive to financial
statement users, the auditor should input test materiality. If the
auditor reduced design materiality to test materiality solely because
misstatements were expected, the auditor should input design
materiality rather than test materiality. The reason for this is that
the auditor inputs the expected dollar amount of misstatements in the
population, and the software considers it in adjusting materiality (if
the auditor inputs test materiality, the adjustment will have been made
twice).
.28:
It is difficult to select additional items for a dollar-unit sample
after the original sample is selected. If the auditor believes that
extension of the sample might be necessary, the auditor generally
should plan for that possibility and consult with the Statistician. For
example, the auditor might use a 95 percent confidence level
(statistical risk factor of 3.0) to select the sample but test only the
number of items necessary to achieve the planned confidence level. The
items tested should be spread evenly throughout all of the items
selected. For example, in a manual selection, if a statistical risk
factor of 1.5 is appropriate based on the planned confidence level, the
auditor would make selections using a statistical risk factor of 3.0
(twice as many selections as the factor of 1.5) and initially test
every other selection (beginning with a random start).
.29:
If the preliminary assessment of combined risk or reliance on
substantive analytical procedures is not supported by the results of
testing, the substantive assurance needed from detail tests increases,
and the auditor would then test the additional items selected in the
initial sample.
.30:
If additional sample items are not selected during the initial sample
and it is necessary to select additional items, the auditor should
consult with the Statistician to determine how to select the additional
sample items. Selection of these additional items may be more complex
and less efficient than if they were chosen during the initial sample.
.31:
Section 495 F describes how to manually select items using DUS.
Computer software, such as IDEA, generally should be used to select a
dollar-unit sample.[Footnote 13] The choice of selection method used
should be based on efficiency considerations.
Classical variables estimation sampling:
.32:
Classical variables estimation sampling is a type of statistical
sampling that the auditor should consider when the auditor expects that
one or more of the following exist in the population: the dollar amount
of misstatement in the population is large (see footnote 3); individual
misstatements may exceed the selected amount of sampling units;
significant understatements cannot be identified using other tests;
there are no book amounts for each sampling unit; or the auditor cannot
add the dollar amounts in the population (see flowchart 2 in section
495 E).
.33:
Classical variables estimation sampling is useful because it frequently
results in smaller sample sizes in higher misstatement situations than
those that would be obtained using DUS. Because applying this method is
somewhat complex, the auditor should consult with the Statistician
before using it. Classical variables sampling and classical PPS require
knowledge of the population to determine sample size. In many audits,
the auditor learns about the population over several audits and
improves the plan each time.
Classical PPS Sampling:
.34:
Classical PPS Sampling is a type of statistical sampling that the
auditor should use when he or she is testing for overstatement of the
defined population and finds a large misstatement rate. The sample is
selected the same way as a dollar-unit sample (proportional to size).
Since there is no exact way to determine sample size, the auditor uses
DUS to calculate sample size. However, since classical PPS sampling is
used when there are large misstatement rates, the auditor uses a
conservative (high) estimate of the expected misstatement to avoid
needing subsequently to expand the sample size to obtain a sufficient
sample size.
.35:
Since classical PPS yields a valid measure of likely misstatement and
precision, it may be used whenever the only reason for using classical
variables sampling otherwise is the expected large misstatement rate.
Sampling when dollar amounts are not known:
.36:
DUS cannot be used if the dollar amounts of individual items in the
population are not known. Classical variables estimation sampling might
be used, but this has some difficulties: there is no way to accurately
calculate the sample size without the individual dollar amounts, and
the method is inefficient unless the auditor finds a large misstatement
rate. Lack of individual dollar amounts usually occurs when testing the
completeness assertion where the selection is made from a population
independent of the population being tested (see paragraphs 480.01-.03).
In one approach, the auditor might select a random or systematic sample
of the individual items. For example, items might be randomly selected
from a shipping log to test the completeness assertion for revenue.
.37:
For this type of test, the sample size may be approximated from the
total dollar amount of either the population that the auditor is
sampling from (the total dollars of the shipping log if the total
dollar amount is available) or the dollar amount of the population that
the auditor is testing (the total recorded revenue). Because this
method is less efficient than DUS, the preliminary estimate of sample
size for this sample should exceed the sample size that would result
from using DUS. GAO auditors should use at least a 25 percent increase
in sample size.[Footnote 14]
.38:
The auditor should consult with the Statistician in performing the
evaluation. If the misstatement rate is large, they should consider
using classical variables estimation sampling. While attribute sampling
may be used to estimate the misstatement rate in the population, this
will yield acceptable results only if just one or two misstatements are
found. The auditor generally should use the upper limit of the
misstatement rate to make a conservative estimate of the dollar amount
of misstatement in the population. If the upper limit is less than
materiality, the auditor has evidence that the population is free of
material misstatement.
EVALUATION OF SAMPLE RESULTS:
.39:
Evaluation involves several steps:
a. Projecting the results of the sample to the population (for
nonstatistical samples, making a judgment about likely misstatement in
the population).
b. Calculating either the upper limit of misstatement in the
population or an interval estimate of misstatement or of the
population audited value at the desired confidence level (for
nonstatistical samples, considering the risk of further misstatement).
c. Considering the qualitative aspects of misstatements.
d. Reaching a conclusion as to whether the population is fairly stated.
e. Considering the effect of misstatements on the financial statements
taken as a whole.
Steps a. and b. are usually done with software such as IDEA in
consultation with the Statistician.
.40:
The effects of any misstatements detected in a sample should be
projected to the population. In doing so, the auditor should ask the
auditee to determine the cause of any misstatement found. The auditor
should project all misstatements unless he or she has obtained highly
persuasive evidence that the misstatement is not representative of the
entire population. If the evidence is highly persuasive that a
misstatement is not representative of the population, the auditor
should (1) perform procedures to test that the same type of
misstatement does not exist elsewhere in the population, (2) evaluate
the misstatement that is not representative, (3) evaluate the sample,
excluding the misstatement that is not representative, and (4) obtain
the approval of the Audit Director that the evidence is highly
persuasive. The projected misstatement amount should be included in the
Summary of Possible Adjustments as a likely misstatement, the
evaluation of which is discussed in section 540.
.41:
At the conclusion of the test, the auditor also should consider whether
the assessment of combined risk remains appropriate, particularly in
light of any misstatements identified. If the preliminary combined risk
assessment was not appropriate, the auditor should consult with the
Reviewer to determine whether the extent of substantive procedures is
adequate.
.42:
When understated amounts are detected in any sample designed primarily
to test the existence assertion (i.e., designed to test primarily for
overstatement), the auditor should consult with the Statistician in
evaluating the sample results.
Calculating the projected misstatement for DUS:
.43:
If the auditor does not use software to evaluate sample results, he or
she may calculate projected misstatement as follows. For a misstatement
detected in which the item equals or exceeds the amount of the sampling
interval (each of which is selected for testing), the projected
misstatement is the amount of the misstatement detected. For any other
misstatement detected, the projected misstatement is computed as
follows: (1) divide the amount of misstatement by the recorded amount
of the sample item and (2) multiply the result by the amount of the
sampling interval. The sum of all projected misstatements represents
the aggregate projected misstatement for the sample. For example,
assume the following two misstatements are detected in a sample for
which the sampling interval is $300,000: (1) a $50,000 misstatement
detected in a $500,000 item (which exceeds the amount of the sampling
interval) results in a projected misstatement of $50,000, and (2) a
$100 misstatement in a $1,000 sample item represents a 10 percent
misstatement, which results in a projected misstatement of $30,000 (10
percent of the $300,000 sampling interval). In this case, the aggregate
projected misstatement is $80,000.
Converting a DUS to a Classical PPS sample:
.44:
If a dollar-unit sample results in a large number of misstatements, it
is likely that the evaluation calculated using the method illustrated
above would indicate that the upper limit of misstatement in the
population exceeds materiality (IDEA indicates the number of
misstatements that would yield acceptable results). However, if there
are a large number of misstatements,[Footnote 15] the auditor, in
consultation with the Statistician, should evaluate the sample using
classical PPS. This evaluation is complex and cannot be done directly
using IDEA.
Evaluating the results of a classical variables estimation sample:
.45:
The auditor should consult with the Statistician in evaluating the
results of a classical variables estimation sample.
Evaluating the results of other samples:
.46:
When misstatements are detected in a sample for which guidance on
evaluation is not described above, the auditor should consult with the
Statistician.
EFFECTS OF MISSTATEMENTS ON THE FINANCIAL STATEMENTS:
.47:
The quantitative and qualitative effects of all misstatements detected
in the audit --both known and likely --must be evaluated in relation to
the financial statements as a whole. Section 540 provides guidance on
this evaluation.
[End of section]
490 - DOCUMENTATION:
.01:
The auditor should document the nature, timing, and extent of tests
performed during this phase of the audit, as well as the conclusions
reached. The auditor should specifically identify the procedures used
to obtain substantive assurance for an account balance. This
identification is particularly important if detail tests are relied on
for complete substantive assurance and supplemental analytical
procedures are performed to increase the auditor's understanding of the
account balances and transactions.
.02:
For example, assume an entity incurs and accounts for operating
expenses at 50 locations. After considering the guidance in section 295
C regarding multiple-location audits, the auditor decides to obtain all
the required substantive assurance from detail tests. The auditor
subjects all operating expenses to a statistical sample and visits only
the locations for which selections were made. Assume that the auditor
decides to obtain additional knowledge of the current-year operations,
particularly for locations not visited, through supplemental analytical
procedures at all locations. These procedures consist of comparing
current-year operating expenses with prior-year audited information by
location and between locations.
.03:
In the above situation, the auditor is obtaining the entire required
amount of substantive assurance from detail tests. The comparison of
the current-and prior-year amounts is considered a supplemental
analytical procedure and does not provide substantive audit assurance
that the auditor may use to reduce the detail tests. During this
supplemental analytical procedure, the auditor may detect misstatements
that were not detected during the detail tests. The auditor must
consider the implications of these misstatements to determine if the
original assessment of combined risk was appropriate and if the amount
of substantive testing performed (the detail tests) was adequate. Even
though misstatements may be detected during supplemental analytical
procedures, these procedures cannot be relied on for substantive
assurance.
.04:
In the audit program, the auditor generally should explain the
objectives of audit procedures. Also, written guidance either within or
accompanying the audit program to explain possible exceptions, their
nature, and why they might be important, may help auditors focus on key
matters, more readily determine which exceptions are important, and
identify significant exceptions.
.05:
The auditor also should document, usually in the audit program, whether
a selection is intended to be a representative selection (a sample
projectable to the population) or a nonrepresentative selection (not
projectable to the population). If it is a nonrepresentative selection,
the auditor also should document the basis for concluding that enough
work has been done to obtain sufficient assurance that the items not
tested are free from aggregate material misstatement.
.06:
As the audit work is performed, the auditors may become aware of
possible reportable conditions or other matters that should be
communicated to the auditee. The auditor generally should document and
communicate these as described in paragraph 290.02.
.07:
Documentation of this phase should specifically include (see section
495 E for example workpapers):
For tests involving sampling:
** the sampling method used and any key factors regarding selection;
** the sample size and the method of determining it;
** the audit procedures performed; and:
** the results of tests, including evaluations of sample results, and
conclusions.
For substantive analytical procedures:
** the model used to develop the expectation and the basis for the
model;
** the data used and the data sources;
** the auditor's assessment of the reliability of the data used and
procedures performed to establish or increase the amount of
reliability, if applicable;
** the amount of the limit and the criteria for establishing the limit;
** explanations for fluctuations considered significant, sources of
these explanations, and corroborating evidence obtained;
** the additional procedures performed and related conclusions if
misstatements are detected or if the initial procedures are not
considered adequate; and:
** conclusions regarding findings, including proper treatment of any
misstatements detected and assessment of any other effects of these
misstatements.
Interim testing procedures (see section 495 C for documentation
guidance).
Any misstatements detected (which also should be referenced to their
posting on the Summary of Possible Adjustments (see section 540) where
they will be considered further).
[End of section]
495 A - DETERMINING WHETHER SUBSTANTIVE ANALYTICAL PROCEDURES WILL BE
EFFICIENT AND EFFECTIVE:
.01:
The following factors should be considered when determining whether
analytical procedures will be effective and efficient as a substantive
test:
* nature of the account balance, the specific audit objective
(including the assertions being tested), and any identified inherent
or control risks;
* expected availability and reliability of explanations for fluctuations
and related corroborating evidence;
* plausibility and predictability of the relationship;
* availability and reliability of data; and:
* preciseness of the expectation.
NATURE OF THE ACCOUNT BALANCE, THE SPECIFIC AUDIT OBJECTIVE, AND ANY
IDENTIFIED INHERENT OR CONTROL RISKS:
.02:
Analytical procedures are usually more effective for testing net cost
statement amounts than balance sheet amounts. Balance sheet amounts are
more difficult to predict because they are as of a specific point in
time. Additionally, net cost statement amounts generally have
relationships with various types of other data, such as cost of sales
as a percentage of sales, interest expense as a function of the debt
balance and interest rates, or sales revenue as a function of the
number of units shipped and the average sales price. Analytical
procedures are usually less effective for testing amounts that are
subject to management discretion or are unpredictable, such as repairs
or miscellaneous expenses.
.03:
The auditor should consider the specific audit objective, including the
assertions being tested, and any identified inherent and control risks
to determine whether substantive analytical procedures will be
effective and efficient in achieving the audit objective and level of
assurance. The procedures need to be more effective if fraud, inherent,
and control risks have been identified. The auditor can obtain three
levels of substantive assurance from analytical procedures--complete,
partial, or none. The effectiveness and the amount of assurance
provided by an individual procedure are matters of the auditor's
judgment and are difficult to measure.
.04:
As discussed, the auditor may choose to rely completely on analytical
procedures when the level of combined risk has been assessed as high.
In these cases, the analytical procedures should be extremely effective
and persuasive to serve as the sole source of audit evidence for
achieving the audit objective. This level of effectiveness is very
difficult to achieve when combined risk is assessed as high; therefore,
complete reliance on analytical procedures for substantive assurance in
these situations is rare, particularly for balance sheet accounts.
EXPECTED AVAILABILITY AND RELIABILITY OF EXPLANATIONS FOR FLUCTUATIONS
AND RELATED CORROBORATING EVIDENCE:
.05:
Explanations for fluctuations and related, reliable corroborating
evidence may not always be readily available. This audit evidence is
essential to using analytical procedures as a substantive test. The
relative ease of obtaining explanations for significant differences and
relevant, reliable corroborating evidence should be considered when
determining whether analytical procedures will be the most efficient
and effective substantive test.
PLAUSIBILITY AND PREDICTABILITY OF THE RELATIONSHIP:
.06:
Relationships between the amount being tested (the recorded amount) and
other data are an essential component of substantive analytical
procedures. The relationships identified and used for these procedures
should be good indicators of the account balance of the item being
tested. To be considered a good indicator of the recorded balance, the
relationship between the recorded amount and the other data should be
plausible and predictable.
Plausibility:
.07:
If one set of data provides a reasonable basis for predicting another
set of data, the relationship between the two sets of data is
considered to be plausible. As the plausibility of the relationship
increases, so does the effectiveness of analytical procedures as a
substantive test.
.08:
For example, there is a plausible relationship between payroll expense,
the average number of employees, and the average pay rate. This
relationship generally is effective for estimating payroll expense for
salaried employees. Alternatively, there is not usually a plausible
relationship between revenue and interest expense; therefore, this
relationship would not be used for testing.
Predictability:
.09:
The more predictable the relationship is, the more effective the
substantive analytical procedure will be. Relationships are more
predictable in a stable environment. As relationships become more
complex as a result of increases in the number and type of contributing
factors, related amounts become more difficult to effectively and
efficiently predict.
.10:
For example, payroll expense generally is very predictable if there is
little employee turnover during the period, if all employees receive
the same percentage raise at the same time, and if all employees are
salaried. Payroll expense becomes more difficult to predict if any of
these factors changes (e.g., high turnover resulting in a different mix
of employee pay, a wide range of raises awarded at different times, or
a mix of hourly and salaried employees). Therefore, to effectively
estimate payroll expense, the auditor may need to use a more complex
relationship that considers these factors.
.11:
The relationships identified may be between the recorded amount and
either prior-year or current-year data, using financial or nonfinancial
data, including underlying business factors. For example, the auditor
may estimate current-year (1) interest expense using current-year
audited, long-term debt amounts and interest rate information or (2)
sales revenue based on the auditor's estimate of the expected gross
margin percentage applied to the audited cost of sales amounts. When
using current-year relationships, the data used to estimate the
recorded amount must be audited by a method other than a substantive
analytical procedure that uses a relationship with the recorded amount.
.12:
The auditor should exercise caution when using prior-year amounts as
the basis for the expectation of the current-year recorded amount. The
workpapers must document why, in the auditor's judgment, the prior-year
amount, and any adjustments to that amount, have a plausible and
predictable relationship with the current-year recorded amount. Any
adjustments to the prior amount, such as for the effects of inflation,
must be supported by reliable data and must be corroborated.
Additionally, the prior-year amount must meet the criteria discussed
below for reliable data. The easiest way to meet these criteria is if
the prior-year amount is audited.
.13:
As an example of prior-year relationship, assume that the payroll
raises for the year were authorized at 5 percent and that the number
and salary mix of employees have remained relatively stable. In this
example, the auditor might reasonably expect current-year payroll
expense to be 5 percent higher than the prior-year's payroll expense.
However, the auditor would need to test the reliability of the
percentage pay increase and the assumptions regarding the number and
mix of employees.
AVAILABILITY AND RELIABILITY OF DATA:
Availability of Data:
.14:
Data needed to perform analytical procedures as a substantive test may
not always be readily available. The relative ease of obtaining
relevant, reliable data should be considered when determining whether
analytical procedures will be the most efficient and effective
substantive test.
Reliability of Data:
.15:
The reliability of the data used is important in determining the
effectiveness of the substantive analytical procedures. The more
reliable the data are, the more effective these procedures will be as a
substantive test. In assessing the reliability of data, which is a
matter of auditor judgment, the auditor should consider the following:
* the source of the data, including whether the data are audited or
unaudited;
* conditions under which the data were gathered, including related
internal controls; and:
* other knowledge the auditor may have about the data.
Sources of Data:
.16:
Data obtained from an independent source outside the entity are
generally more reliable than data obtained from inside the entity;
however, the auditor should determine if the outside information is
comparable to the item being tested. This issue of comparability is
particularly important if the auditor is using industry statistics.
.17:
Data obtained from entity sources are considered more reliable if the
sources are independent of the accounting function and if the data are
not subject to manipulation by personnel in the accounting function. If
multiple data sources are used, the reliability of all sources should
be considered.
Audited versus unaudited data:
.18:
The auditor should consider whether the data are audited or unaudited
because audited data are considered more reliable than unaudited data.
If data are audited by the entity's IG office, they may be as reliable
as data audited by independent auditors if the IG's work is considered
adequate. (See FAM section 650.):
.19:
Unaudited data are not considered reliable unless procedures are
followed to establish their reliability. These procedures could consist
of either tests of controls over data production or tests of the data.
The extent of such procedures is left to the auditor's judgment. For
example, interest rates from an entity's loan register may be used to
estimate interest income. The reliability of this information may be
established by including the interest rate on loan confirmations that
are sent to the borrowers or by reviewing original loan documents.
Conditions under which the data were gathered:
.20:
Another consideration of internal data is whether the data were
developed under a reliable system with adequate financial reporting or
operations controls. In some instances, testing operations controls may
be appropriate to assess the reliability of the data used for
substantive analytical procedures. The extent of this testing is a
matter of the auditor's judgment.
.21:
If the system used to develop internal data is computerized rather than
manual, the auditor must perform additional procedures before relying
on the data. The auditor must test either (1) the general controls and
the specific application controls over the IS system that generated the
report or (2) the data in the report.
.22:
An auditor might choose to test operations controls when using entity-
prepared statistics for a substantive analytical procedure. For
example, the auditor might choose to use Air Force statistics to test
the reasonableness of its Airlift Services aircraft operating costs.
The auditor might compare the per hour fuel and maintenance costs for
Airlift Services cargo and passenger aircraft with the "block hour"
costs incurred by major airlines for similar aircraft as published by
Aviation Week and Space Technology. The auditor should first determine
if the industry statistics are comparable, e.g., if the statistics are
for the same or similar types of aircraft and if the types of items
included in maintenance costs are similar. If appropriate, the auditor
should identify and test the internal controls over the production of
these operating statistics.
PRECISENESS OF THE EXPECTATION:
.23:
The expectation, the auditor's estimate of the account balance, should
be precise enough to provide the desired level of substantive
assurance. When determining how precise the expectation should be, the
auditor should determine the proper balance between effectiveness and
efficiency. Any work to make the expectation more precise than the
desired level of assurance is unnecessary and inefficient.
.24:
To maximize efficiency, the auditor should conduct procedures at the
minimum level of effort that can reasonably be expected to provide the
assurance needed. If the audit objective cannot be achieved with the
original expectation, the auditor may be able to perform additional
procedures to make the expectation more precise. The preciseness of the
expectation and changes in this preciseness are difficult to measure in
quantifiable terms, unless the auditor uses regression analysis for the
analytical procedures. If the auditor uses regression analysis, he or
she should consult with the Statistician.
.25:
Factors that influence the expectation's preciseness follow:
* The identification and use of key factors when building the model
based on the relationships identified by the auditor: The expectation
generally becomes more precise as additional key factors are
identified.
* The reliability of the data used to develop the expectation: The
expectation becomes more precise as the reliability of the data
increases.
* The degree of disaggregation of the data: The expectation becomes
more precise as the disaggregation of the data increases.
[End of section]
495 B - EXAMPLE PROCEDURES FOR TESTS OF BUDGET INFORMATION:
.01:
This section includes example procedures auditors may perform in
testing budget information for the statements of budgetary resources
and financing.
.02:
In addition, if budget controls are ineffective and quantitative
provisions of budget-related laws and regulations are considered
significant, the auditor should perform audit procedures sufficient to
detect the types of budget information misstatements listed in
paragraph 460.04. Following is an example of procedures for testing
obligation and expended authority transactions for these misstatements.
(Test materiality for determination of sample sizes is discussed in
paragraph 460.03.):
* Validity, cutoff, recording, and classification: Select obligations
recorded as of the end of the audit period and expended authority
transaction recorded during the audit period. Determine if each
selected item is a valid obligation or expended authority transaction
based on the criteria set forth in section 395 F and if each is
recorded in the appropriate period. If the obligation or expended
authority transaction is not recorded or is recorded in the incorrect
period, determine the effects of this misstatement on budget amounts
and consider whether the auditor's evaluation of budget controls is
affected.
Also determine if each selected item is:
** recorded at the proper amount and:
** classified in the proper appropriation or fund account (also by
program and by object, if applicable), including the proper
appropriation year.
* Completeness and cutoff: First, select obligations and expended
authority transactions recorded during the period following the balance
sheet date. Second, examine open purchase orders, unpaid invoices, and
contracts as of the report date. Third, select items representing
payments by Treasury or cash disbursements by the entity during the
audit period. (Substantive detail test selections of expenses and
additions to inventory, property, and prepaid accounts may be used for
this purpose if the populations from which they are selected are
complete.) For each selection, determine whether the obligation or
expended authority transaction is recorded in the proper period. If it
is not recorded or is recorded in the incorrect period, determine the
effects of this misstatement on budget amounts and consider any impact
on the evaluation of budget controls.
If the selected obligation or expended authority transaction relates to
the audit period and is recorded in that period, determine if it is:
** recorded at the proper amount and:
** classified in the proper appropriation or fund account (also by
program and by object, if applicable), including the proper
appropriation year.
* Summarization: Test the footing of the detail of the obligation
account balance recorded as of the end of the audit period and expended
authority accounts recorded during the audit period. Then reconcile the
total of these details to the recorded totals for obligation and
expended authority accounts as of the end of the audit period. (Audit
software is often an effective tool for footing the transactions
recorded in the accounts and for simultaneously selecting items for
this test.):
.03:
The audit procedures discussed above for testing expended authority
transactions should be coordinated with the audit of the other
financial statement amounts. For example, if appropriate, the tests of
accounts payable for completeness may be coordinated with the selection
of subsequent obligations and expended authority transactions described
above.
.04:
Following is an example of procedures for testing outlay transactions.
These audit procedures also should be coordinated with the audit of the
other financial statement amounts, chiefly cash disbursements.
* Validity and classification: Select outlays recorded during the audit
period. Determine if an invoice and receiving report supports each
selected outlay and determine the obligation that was liquidated by the
outlay. Examine the support for the obligation and determine if the
invoice billed for goods or services is related to (or properly
"matches") the obligation (and, in turn, the appropriation). Obtain the
accounting data of the matched obligation to include appropriation and
year. Match these data to the type of services paid for of the selected
outlay. Determine if the related appropriation authorizes payment for
the services billed and paid.
.05:
The auditor also generally should audit upward and downward adjustments
of prior year obligations. If any of these adjustments relate to closed
accounts, the auditor generally should determine whether the
adjustments are in compliance with the requirements of the National
Defense Authorization Act for fiscal year 1991, section 1405(a),
Closing Appropriation Accounts, 31 U.S.C. 1551-1558.
[End of section]
495 C - MISSTATEMENTS IN INTERIM TESTING:
MISSTATEMENTS IN INTERIM BALANCES:
.01:
The auditor should use judgment to determine whether any misstatements
detected in interim tests (see section 295 D for a discussion of
factors to consider in deciding whether to use interim substantive
testing of balance sheet accounts) warrant a revision of (1) the
auditor's combined risk assessment and (2) the nature, timing, and
extent of planned audit procedures. In determining the effects of such
misstatements, the auditor should consider all relevant factors,
including:
* the nature and cause of the misstatement,
* the estimated effects on the overall line item/account balance,
* whether the entity has subsequently corrected the misstatement, and
* the impact of the misstatement on other parts of the audit.
.02:
Any financial statement misstatements detected should be discussed with
entity management. Based on the nature and cause of the misstatements
detected, the auditor should determine, and obtain supporting evidence
on, whether the misstatements are isolated or are likely to occur in
the remainder of the line item/account balance at the interim testing
date and at the year's end. (See paragraph 480.40 for a discussion of
the need to project all misstatements unless evidence is highly
persuasive that a misstatement is isolated and the Audit Director
approves.) The auditor should encourage management to correct any such
misstatements in the population. Based on the following guidance, the
auditor should use judgment to determine the extent, if any, that
interim testing can be relied on, in conjunction with substantive tests
of the rollforward period, to provide evidence on the year-end line
item/account balance:
* If the misstatements are not material when projected to the entire
population and are expected to be representative of the misstatements
of the year-end balance, the auditor may rely on the results of the
interim testing.
* If the auditor has obtained highly persuasive evidence that the
misstatements are isolated (generally by nature, cause, or extent), the
auditor may be able to rely on unaffected parts of the interim testing
and apply procedures at the year's end to test only those financial
statement assertions associated with the misstatements. For example, in
interim testing of inventory, the auditor might determine that the
misstatements concern only the costing of inventory; accordingly,
reliance could be placed on other parts of the interim testing, such as
those for the accuracy of the physical count, and only cost testing and
related procedures would be required at the year's end.
* If the misstatements are material or pervasive, it might be necessary
to place no reliance on the interim testing and to perform extensive
substantive testing of the line item/account balance as of the balance
sheet date.
.03:
For any misstatements found during interim testing, the auditor should
use judgment to evaluate, in a manner appropriate for the
circumstances, the effects on the year-end balance.
TESTING THE ROLLFORWARD PERIOD:
.04:
Because the auditor reports on the financial statements as of the
year's end, not the interim test date, additional procedures must be
performed to extend the interim conclusions to the year's end. The
auditor should perform substantive tests of the rollforward period
activity or the year-end balance. For example, after interim testing of
the accounts receivable balance, the auditor might examine supporting
documents for selected debits and credits to the balance during the
rollforward period and/or might apply analytical procedures to compare
the amount of rollforward activity, on a month-by-month basis, with
that of preceding months or similar periods of preceding years.
.05:
The auditor should determine the extent of the required substantive
procedures based on the assessment of combined risk and test
materiality, in substantially the same manner as for other substantive
tests. In some instances, the auditor may determine that specific
combined risk warrants additional substantive procedures at the year's
end (such as cutoff tests). If control risk is moderate or low, the
auditor should determine whether the internal controls as of the
interim testing date were in place and were functioning effectively
during the rollforward period (generally by reference to the results of
tests of financial reporting controls which generally cover the entire
year under audit for significant systems).
DOCUMENTATION:
.06:
The auditor should document:
* the line items/accounts (and assertions, where applicable) to which
interim testing is applied;
* the factors considered when determining whether to use interim
testing;
* the audit procedures used to test interim balances and the rollforward
period (including tests of controls, findings, and conclusions); and:
* the effects of any misstatements found during interim testing.
The following table illustrates the correlation between combined risk
and the substantive assurance obtained from substantive analytical
procedures and detail test. This example is based on 95 percent audit
assurance.[Footnote 16] The table also provides the statistical risk
factors to be used when the auditor manually computes sample size using
DUS (see paragraph 480.17).
[End of section]
495 D - EXAMPLE OF AUDIT MATRIX WITH STATISTICAL RISK FACTORS:
Figure 495 D.1: Example Audit Matrix:
Assessed combined risk level: Low; Substantive assurance: 63%;
Substantive assurance from analytical procedures[A]: Complete; Minimum
confidence level for detail tests: 0%; Statistical risk factor[B]:
N/A[C]; Substantive assurance from analytical procedures[A]: Partial;
Minimum confidence level for detail tests: 50%; Statistical risk
factor[B]: 0.7; Substantive assurance from analytical
procedures[A]: None; Minimum confidence level for detail tests:
63%; Statistical risk factor[B]: 1.0.
Assessed combined risk level: Moderate; Substantive assurance: 86%;
Substantive assurance from analytical procedures[A]: Complete; Minimum
confidence level for detail tests: 0%; Statistical risk factor[B]:
N/A; Substantive assurance from analytical procedures[A]: Partial;
Minimum confidence level for detail tests: 77%; Statistical risk
factor[B]: 1.5; Substantive assurance from analytical
procedures[A]: None; Minimum confidence level for detail tests:
86%; Statistical risk factor[B]: 2.0.
Assessed combined risk level: High; Substantive assurance: 95%;
Substantive assurance from analytical procedures[A]: Complete; Minimum
confidence level for detail tests: 0%; Statistical risk factor[B]:
N/A; Substantive assurance from analytical procedures[A]: Partial;
Minimum confidence level for detail tests: 92%; Statistical risk
factor[B]: 2.5; Substantive assurance from analytical procedures[A]:
None; Minimum confidence level for detail tests: 95%; Statistical risk
factor[B]: 3.0.
[A] Complete assurance from analytical procedures requires procedures
that are extremely effective and persuasive to serve as the sole source
of audit evidence for achieving the audit objective. This level of
effectiveness or persuasiveness is very difficult to achieve when
combined risk is assessed as high. Therefore, complete reliance on
analytical procedures for substantive assurance in these situations is
rare, particularly for balance sheet accounts.
[B] Based on the Poisson distribution; used if sample size computed
manually.
[C] Not applicable.
[End of table]
[End of section]
495 E - SAMPLING:
SAMPLING FLOWCHARTS AND EXAMPLE WORKPAPERS:
.01:
This section contains sampling flowcharts (pages 495 E-2 through 495 E-
6) and example workpapers for sampling (pages 495 E-7 through 495 E-
19).
.02:
Flowchart 1 (page 495 E-2) is to assist the auditor in deciding
selection method: nonrepresentative selections versus sampling
(statistical or nonstatistical). Flowchart 2 (page 495 E-3) is to help
the auditor determine which type of sampling to use in various
situations. The second, third, and fourth pages of this flowchart are
to assist the auditor in performing attribute, dollar unit, and
classical variables estimation sampling.
.03:
Example workpapers for documenting sampling are given for attribute
sampling (pages 495 E-7 through 495 E-10), for dollar unit sampling
(pages 495 E-11 through 495 E-15), and for classical variables sampling
(pages 495 E-16 through 495 E-19).
[See PDF for images]
[End of figures]
[End of section]
495 F - MANUALLY SELECTING A DOLLAR UNIT SAMPLE:
.01:
Even though auditors usually use software (such as IDEA) to select a
dollar-unit sample, it is helpful to understand the process for
manually selecting a dollar-unit sample. To select a dollar-unit sample
manually, the following steps should be performed:
a. Determine the sampling interval using the following formula:
sampling interval = test materiality ¸ statistical risk factor:
b. Clear the calculator:
c. Select and document a random start and enter as a negative number in
the calculator. The random start should be a number between 1 and the
sampling interval.
d. Enter the positive amounts in the test population (items) until the
calculator's running subtotal becomes positive. The item that caused
the subtotal to become positive is the item selected for testing.
[See page 495 F-3. Note that the calculator subtotals were positive for
invoices #3, 10, 17, 19, and 24.]
Do not enter into the calculator any items in the population with zero
or credit balances. These items should be accumulated separately and
tested in conjunction with tests of completeness of the account balance
or class of transactions if they are expected to be significant.
e. After each selection, subtract the sampling interval until the
subtotal is negative. Even if the last item in the population is
selected, the sampling interval should be subtracted until the
subtotal is negative.
[See page 495 F-3. For invoice #19, the auditor had to subtract the
sampling interval twice to get a negative subtotal.]
f. Repeat steps d. and e. until all items in the test population have
been entered into the calculator and the ending subtotal is negative.
g. To test the footing of the population, reconcile the sample to the
recorded amount of the test population as follows:
Add:
(a) Random start:
(b) Sampling interval multiplied by the number of times the sampling
interval was subtracted during selection of the sample:
(c) The remaining subtotal on the calculator.
The total should equal the test population amount.
If the total on the reconciliation is not equal to the population
amount, there is either an error in the total population amount or
there was an error in entering the population items into the adding
machine.
The auditor should consider the amount of any difference when
determining whether investigation of the difference is necessary.
Immaterial amounts generally do not require investigation.
[See page 495 F-4 for an example reconciliation to test the footing.]
[PAGE 495 F-3]: Example of Systematic Selection for DUS:
[See PDF for image]
[End of table]
PAGE 495 F-4:
Reconciliation of book amounts footed to test population:
Random start: $6,000:
+ Sampling interval x number of times subtracted: 300,000:
($50,000 x 6):
+ Remaining subtotal: (14,400):
Population total: $291,600:
[End of section]
FOOTNOTES
[1] The FAM generally uses the same terminology as the Audit Guide.
[2] Many factors influence efficiency in addition to number of sampling
applications, such as sample size, number of locations it is necessary
to visit to achieve audit objectives, nature of the audit procedures,
extent of review required, whether rework can be avoided by designing
easy-to-follow procedures.
[3] Tables I and II assume a large population (generally over 5,000
items). If the population is small, the auditor may ask the
Statistician to calculate a reduced sample size and to evaluate the
results. Generally, the effect is small unless the sample size per the
table is more than 10 percent of the population.
[4] Using the AICPA guidance, the auditor computes the deviation rate
and the upper limit at the desired confidence level (usually the same
confidence level used to determine sample size). If the upper limit of
deviations is less than the tolerable rate, the results support the
control risk assessment. If not, the control risk should be increased
in designing substantive tests.
[5] Tolerable rate of 5 percent, expected population deviation rate of
0, and a large population (see footnote on page 450-3). If the
population is small, the auditor may ask the Statistician to compute a
reduced sample size and to evaluate the results.
[6] The proprietary accounting system supports the accrual basis of
accounting.
[7] If the data are disaggregated, the limit is still applied on an
annual basis.
[8] IDEA is the primary software GAO uses. It is distributed by
Audimation Services, Inc., Houston, Texas.
[9] Usually the auditor applying nonstatistical sampling will select a
"haphazard sample." A haphazard sample is a sample consisting of
sampling units selected without conscious bias, that is, without any
special reason for including or excluding items from the sample. It
does not consist of sampling units selected in a careless manner;
rather it is selected in a way the auditor expects to be representative
of the population.
Since a haphazard sample is not the same as a statistical sample, the
auditor using a haphazard sample cannot calculate precision at a given
confidence level. However, AICPA guidance indicates that the auditor
may use the haphazard sample to make a judgment of what a statistical
sample might have shown. For example, he or she might use the haphazard
sample to make a judgment as to the likely misstatement in areas that
are not very significant. Even though the judgment will not be a
statistical projection, it may assist the auditor in determining
whether the possible misstatement could be material. Thus, the auditor
should not avoid making the judgment.
Professional standards and the FAM do not use the term "judgment
sample." All selections (including statistical selections) require
judgment. The term "judgment sample" is often used to refer to
nonrepresentative selections, although it sometimes refers to
nonstatistical samples.
[10] See Dollar Unit Sampling, by Leslie, Teitlebaum, and Anderson
(Copp Clark Pitman, 1979), for a more technical discussion of DUS.
[11] This expectation affects the efficiency of the sample, not its
effectiveness. GAO auditors who use IDEA to calculate sample size
(based on the binomial distribution) generally use classical variables
estimation sampling when they expect that more than 30 percent of the
sampling units contain misstatements (no matter what the size of the
misstatement). When GAO auditors expect that 10 percent or fewer of the
sampling units contain misstatements, GAO auditors generally use
dollar-unit sampling. When GAO auditors expect between 10 and 30
percent of the sampling units contain misstatements, GAO auditors
consult with the Statistician. If a large misstatement rate is found,
the auditor, in consultation with the Statistician, should consider
whether to use classical PPS to evaluate the sample to obtain a smaller
precision. Other auditors, in consultation with their Statisticians,
may use different rules of thumb in deciding when to use DUS versus
classical variables estimation sampling.
[12] This means, for example, that an item that has a selected amount
of $1,000 cannot be misstated by more than $1,000. This is usually not
an issue in testing existence or valuation (overstatement). However, it
might be an issue in testing completeness (understatement). Thus, if
understatements larger than the selected amount are expected, classical
variables estimation sampling generally should be used.
[13] IDEA offers two methods of selecting a dollar-unit sample. The
auditor generally should use the cell method rather than the fixed
interval method. In the cell method, the program divides the population
into cells such that each cell is equal in size to an interval. Then
the program selects a random dollar in each cell. The random dollar
selected identifies the transaction, account, or line item to be tested
(sometimes called the logical unit).
[14] The 25 percent is a rough estimate that is used because there is
no way to calculate the correct sample size.
[15] As a general rule, this means 10 misstatements if the sample size
is between 75 and 100, 10 percent if the sample size is between 100 and
300, and 30 if the sample size is over 300. Minimum sample size for
classical PPS is 75.
[16] Audit assurance is not the same as statistical confidence level.
Assurance is a combination of quantitative measurement and auditor
judgment.
[End of section]
SECTION 500: Reporting Phase:
Figure 500.1: Methodology Overview:
Planning Phase:
* Understand the entity's operations: Section 220:
* Perform preliminary analytical procedures: Section 225:
* Determine planning, design, and test materiality: Section 230:
* Identify significant line items, accounts, assertions, and RSSI:
Section 235:
* Identify significant cycles, accounting applications, and financial
management systems: Section 240:
* Identify significant provisions of laws and regulations: Section 245:
* Identify relevant budget restrictions: Section 250:
* Assess risk factors: Section 260:
* Determine likelihood of effective information system controls:
Section 270:
* Identify relevant operations controls to evaluate and test: Section
275:
* Plan other audit procedures: Section 280:
* Plan locations to visit: Section 285:
Internal Control Phase:
* Understand information systems: Section 320:
* Identify control objectives: Section 330:
* Identify and understand relevant control activities: Section 340:
* Determine the nature, timing, and extent of control tests and of
tests for systems’ compliance with FFMIA requirements: Section 350:
* Perform nonsampling control tests and tests for systems’ compliance
with FFMIA requirements: Section 360:
* Assess controls on a preliminary basis: Section 370:
Testing Phase:
* Consider the nature, timing, and extent of tests: Section 420:
* Design efficient tests: Section 430:
* Perform tests and evaluate results: Section 440:
** Sampling control tests: Section 450:
** Compliance tests: Section 460:
** Substantive tests: Section 470:
*** Substantive analytical procedures: Section 475:
*** Substantive detail tests: Section 480:
Reporting Phase:
* Perform overall analytical procedures: Section 520:
* Determine adequacy of audit procedures and audit scope: Section 530:
* Evaluate misstatements: Section 540:
* Conclude other audit procedures: Section 550:
** Inquire of attorneys:
** Consider subsequent events:
** Obtain management representations:
** Consider related party transactions:
* Determine conformity with generally accepted accounting principles:
560:
* Determine compliance with GAO/PCIE Financial Audit Manual: Section
570:
* Draft reports: Section 580:
[End of figure]
[End of section]
510 - OVERVIEW:
.01:
Based on the work in the preceding phases, the auditor must form
conclusions on the information in the financial statements, the
entity's internal control, the financial management systems'
substantial compliance with the three FFMIA requirements, the entity's
compliance with laws and regulations, and other information
(management's discussion and analysis (or the overview of the reporting
entity), required supplementary information (unaudited RSSI is
considered required supplementary information), and other accompanying
information). Additionally, findings coming to the auditor's attention
should be reported in an appropriate manner. The following sections
provide guidance to assist the auditor in making these determinations
and in formulating the report type and form. Guidance is also provided
on other activities that should be performed by the auditor during the
reporting phase. (See figure 500.1.):
[End of section]
520 - PERFORM OVERALL ANALYTICAL PROCEDURES:
PURPOSES OF OVERALL ANALYTICAL PROCEDURES:
.01:
As the audit nears completion, the auditor must perform overall
analytical procedures as required by GAAS (AU 329). These procedures,
which are part of the reporting phase, have the following purposes:
* to determine if an adequate understanding of all fluctuations and
relationships in the financial statements has been obtained from other
audit procedures,
* to determine if other audit evidence is consistent with explanations
for fluctuations documented during overall analytical procedures, and:
* to assist the auditor in forming an opinion on the financial
statements
that is consistent with the conclusions reached during tests of
individual account balances and classes of transactions.
.02:
If overall analytical procedures indicate that an adequate
understanding of relationships and fluctuations has not been obtained
or if there are inconsistencies in audit evidence gathered from other
audit procedures, further inquiries and testing are necessary to obtain
an adequate understanding or to resolve the inconsistencies.
.03:
The auditor may find it effective and efficient to perform overall
analytical procedures in more detail than the financial statement level
(supplemental analytical procedures) and then use the results of these
procedures to "roll up" into and support the overall analytical
procedures at the financial statement level. For example, the auditor
might perform overall analytical procedures at the account level and
roll them up to the financial statement line item to which they belong.
.04:
The auditor may choose to use analytical procedures to obtain complete
or partial substantive assurance for certain accounts or to perform
supplemental analytical procedures when detail tests are used
exclusively to obtain substantive assurance. The information obtained
during these procedures can be used as the basis for explanations of
fluctuations for overall analytical procedures.
.05:
Having the auditor who conducted the detail tests on an account also
conduct supplemental analytical procedures usually maximizes
efficiency and effectiveness by building on the knowledge of the
account obtained during detail tests.
.06:
Overall analytical procedures should be coordinated with the auditor's
evaluation of the MD&A (overview of the entity) included in the
Accountability Report (annual financial statement). For example, the
auditor should use the MD&A, if available, to assist in performing
overall analytical procedures and should use the results of the
analytical procedures to assist in forming conclusions about the
information in the MD&A.
PERFORMANCE OF OVERALL ANALYTICAL PROCEDURES:
.07:
The auditor should take the following steps to achieve the purposes of
overall analytical procedures described above:
* Compare current-year amounts with comparative financial information
and with budget execution information: This information may be on a
summarized level, such as the level of financial statements, or a more
detailed level, as discussed in paragraph 520.03. If available, audited
prior-year information that is comparable to the current-period
information should be used for comparison. If audited prior-year
information is not available, the auditor should use any other
information that provides a reasonable basis for comparison. The
audited, final amounts for the current year must be used for these
procedures. The auditor may also perform ratio analysis on current-year
data and compare these with ratios derived from prior periods or
budgets.
* Identify significant fluctuations: The auditor should establish
parameters for determining if a fluctuation is significant.
Fluctuations identified are a matter of the auditor's judgment. The
auditor should also consider the absence of expected fluctuations when
identifying significant fluctuations.
* Understand identified fluctuations: The auditor should understand all
significant fluctuations identified. The causes for the fluctuations
should be briefly described and referenced to corroborating evidence in
the workpapers. If the auditor does not understand the cause of the
fluctuation or if the understanding is not consistent with the evidence
in the workpapers, the auditor should perform appropriate procedures to
obtain an understanding or to resolve any inconsistencies.
* Consider the results of overall analytical procedures: The auditor
should consider these results to determine if an adequate understanding
of significant fluctuations was obtained and evidence is consistent and
adequate to support the report on the financial statements.
[End of section]
530 - DETERMINE ADEQUACY OF AUDIT PROCEDURES AND AUDIT SCOPE:
.01:
In the planning phase, the auditor determined planning materiality
based on preliminary information. Based on planning materiality, the
auditor determined design and test materialities, which affected the
extent of testing. In light of the final assessment of combined risk,
the overall level of audit assurance used, and the audited materiality
base, the auditor should consider whether the extent of substantive
audit procedures was sufficient (i.e. appropriateness of sample sizes
for detail tests and the limit for investigation of differences during
substantive analytical procedures). When there are questions regarding
the adequacy of work performed, the auditor should consult with the
Reviewer to determine the necessity of additional procedures.
.02:
When determining whether an opinion can be expressed on the financial
statements, any limitations on the nature, timing, or extent of work
performed should be considered. Additional guidance on scope
limitations and their impact is provided in paragraphs 580.14-.18.
[End of section]
540 - EVALUATE MISSTATEMENTS:
OVERVIEW:
.01:
The auditor may detect misstatements during substantive tests or other
procedures. These misstatements should be evaluated in both
quantitative and qualitative terms. Based on this evaluation, the
auditor should determine the type of report to issue on the financial
statements.
.02:
Additionally, the auditor needs to consider the implications of
misstatements on the following.
* The auditor's evaluation of internal control (see paragraphs 580.32-
.61):
Consider whether the misstatements indicate control weaknesses that had
not been previously identified, whether the assessment of the controls
remains appropriate, and whether the categorization of control
weaknesses for reporting purposes is appropriate.
* The consideration of the risk of material misstatement due to fraud
(see paragraphs 540.18-.21):
Consider whether the accumulated results of audit procedures and other
observations would change the risk of material misstatement due to
fraud identified during planning.
* The auditor's evaluation of the financial management systems'
substantial compliance with the three FFMIA requirements (see paragraph
580.62-.66):
Consider whether the misstatements would have a significant impact on
the auditor's conclusions with respect to the financial management
systems' substantial compliance with the three FFMIA requirements.
* The entity's compliance with laws and regulations (see paragraphs
580.67-.75):
Consider whether the misstatements would change the auditor's
conclusions with respect to the entity's compliance with laws and
regulations.
* budget formulation and execution:
Consider whether the misstatements would have a significant impact on
budget related matters for purposes of reporting budget control
weaknesses, reporting on the statements of budgetary resources and
financing, and reporting on compliance with budget-related provisions
of laws and regulations.
* Other reports:
Consider whether the misstatements and any underlying internal control
weaknesses affect reported performance measures or other reports
prepared by the entity that are (1) used for management decision-making
or (2) distributed outside the entity.
.03:
The auditor should follow the guidance in sections 475 (substantive
analytical procedures) and 480 (substantive detail tests) regarding
evaluation of individual misstatements from a quantitative standpoint.
Following that guidance, the auditor should quantify the effects of the
misstatements and classify them as follows:
* known misstatement: the amount of misstatement actually found or
* likely misstatement: the auditor's best estimate of the amount of the
misstatement (including the known misstatement). For sampling
applications, this amount is the projected misstatement. (Also see
paragraph 540.11.):
ACCUMULATION OF MISSTATEMENTS:
.04:
To evaluate the aggregate effects of misstatements on the financial
statements, the auditor should accumulate the adjustments necessary to
correct all known and likely misstatements on the Summary of Possible
Adjustments. This schedule should include all misstatements detected by
the auditor, including any that the entity corrected during the audit.
It is important to consider all misstatements to have a record of the
impact of the audit, bring all misstatements to the attention of the
appropriate level of management, and assist the auditor in evaluating
the risk of further misstatement as a part of the consideration of
unadjusted misstatements (paragraphs 540.11-.12). An example format is
included as section 595 C. The Reviewer should review the Summary of
Possible Adjustments. Per AU 312.40, the auditor may designate an
amount below which misstatements need not be accumulated. This amount
should be set so that any such misstatements, either individually or
when aggregated with other such misstatements, would not be material to
the financial statements, after the possibility of further undetected
misstatements is considered.
.05:
The financial statements usually include various estimates made by
management, such as the recoverability of assets (allowances for
doubtful accounts receivable or loans) and liabilities for loan
guarantees. If the recorded amount falls outside of a range of amounts
that the auditor considers reasonable, the auditor should consider the
difference between the recorded amount and the closest end of the
auditor's range to be a likely misstatement to be included in the
Summary of Possible Adjustments and should discuss the difference with
entity management.
.06:
Additionally, the auditor should consider whether management's
estimates consistently overstate or understate components of the
financial statements, such as total assets or total expenditures. If
so, the auditor should consider the effects on the financial statements
in addition to any unadjusted misstatements when determining the
appropriate type of opinion. Further guidance on evaluating estimates
is provided in AU 312.36 and AU 342.
REVIEW OF MISSTATEMENTS WITH MANAGEMENT:
.07:
After accumulating and summarizing the adjustments, the auditor:
* must bring all misstatements found (except those below the auditor-
designated amount at which misstatements need not be accumulated) to
the attention of appropriate entity management;
* should encourage entity management to adjust the entity's records to
correct all known misstatements; and:
* should encourage entity management to determine the cause of the
likely misstatements and to make appropriate adjustments; unless the
entity's analysis determines another adjustment is appropriate, the
auditor should encourage entity management to establish valuation
allowances for likely misstatements, net of known misstatements (since
the likely misstatement represents the best estimate of the correction
needed).
.08:
In presenting the proposed adjustments to management, the auditor
should remind management that SAS 89 requires the audited entity to
indicate in the management representation letter that the unadjusted
misstatements, individually or in the aggregate, are not material to
the financial statements taken as a whole. SAS 89 also requires that a
summary of the unadjusted misstatements be attached to the
representation letter. Thus, management may consider some of the same
factors presented in paragraphs 540.09-.16.
CONSIDERATION OF UNADJUSTED MISSTATEMENTS:
.09:
If entity management declines to record adjustments for any
misstatements, the auditor considers the potential effects of these
misstatements on the auditor's report in both quantitative and
qualitative terms. The auditor should prepare a Summary of Unadjusted
Misstatements, following the format provided in section 595 D or
equivalent. Overall guidance on evaluating misstatements is provided in
AU 312.34-.40. If total unadjusted likely misstatements are material,
the auditor should modify the opinion on the financial statements (see
paragraph 580.22). Misstatements, individually or in the aggregate, are
material if, in light of surrounding circumstances, it is probable that
the judgment of a reasonable person relying on the information would
have been changed or influenced by the correction of the items. The
concept of materiality includes both quantitative and qualitative
considerations. Deciding whether and how to modify the opinion based on
the materiality of total unadjusted likely misstatements is a
significant auditor's judgment. The decision and the basis for it
should be documented. The Audit Director should be involved in the
decision and review the documentation related to it. Also, the Reviewer
should review and approve the documentation of the decision.
Quantitative Considerations:
.10:
Although there is some point where unadjusted likely misstatements
would generally be considered material, there is no single amount that
can be used for deciding to modify the opinion. Instead, the auditor
should follow a process that considers a number of quantitative factors
in reaching this decision.
.11:
The auditor should add an allowance for further misstatement to the
unadjusted likely misstatement. This risk of further misstatement
relates to the imprecision of audit procedures. This risk includes the
allowance for sampling risk (the combined precision of all sampling
applications), an allowance for imprecision of analytical and other
substantive audit procedures, and an allowance for unaudited immaterial
account balances. The Statistician should compute the combined
precision for all sampling applications.
.12:
This total of likely misstatement plus allowance for further
misstatement should then be considered in relation to planning
materiality and the relative importance of the misstated items to
readers of the financial statements to determine whether the financial
statements as a whole may be materially misstated. For example, if the
aggregate unadjusted likely misstatement is $10 million and the
allowance for imprecision of audit procedures is probably no more than
$15 million, the auditor should determine whether the total
($25 million) materially misstates the financial statements taken as a
whole. The Reviewer should be consulted in considering these issues.
.13:
The auditor's report addresses the fair presentation of the financial
statements as a whole. When considering the effects of any unadjusted
misstatements on the financial statements, the auditor should bear in
mind that he/she is taking less responsibility for individual line
items in the financial statements and in any combining statements and
supplemental schedules than for the financial statements as a whole.
Qualitative Considerations:
.14:
The auditor should consider numerous qualitative factors when
determining the effect of unadjusted misstatements on the auditor's
report. The auditor may choose to modify or qualify the report on the
financial statements, even if the amounts of any unadjusted
misstatements are not quantitatively material. Examples of
misstatements for which the auditor may consider issuing a modified or
qualified report include:
* misstatements of account balances or transactions that are considered
sensitive to the financial statement users;
* misstatements that offset one another in the aggregate but are
individually significant; and:
* misstatements that have a significant effect on the MD&A (overview)
presented by management, including the entity's performance indicators.
Treatment of Unadjusted Misstatements Detected in Prior Periods:
15
The auditor should consider the effects on the current-period financial
statements of any misstatements detected in prior periods. If corrected
in the current period, the auditor should record the impact on current-
period financial statements in the Summary of Possible Adjustments. If
uncorrected, the auditor should consider the misstatement in
combination with current-period misstatements. Guidance is provided in
AU 312.37.
Treatment of Misstatements That Arose in Prior Periods But Were
Detected in the Current Period:
16
If, during the audit of the current period, the auditor detects a
misstatement that arose in a prior period but was not previously
detected, the auditor should determine if the misstatement is material
to the prior-or current-period financial statements. If the
misstatement is considered to be material, the auditor should consult
the Reviewer to determine the effects on the current-period statements
and the auditor's report. Any material misstatements of this type
should be discussed with entity management and should be included on
the Summary of Possible Adjustments if not corrected through a prior-
period adjustment to the financial statements.
MANAGEMENT DISAGREEMENT WITH LIKELY MISSTATEMENTS:
17
If management disagrees with the auditor's likely misstatements and if
the disagreement involves amounts that are material, the auditor may
consider the following options:
* The entity may perform procedures, such as reviewing all or
substantially all of the items in the relevant population, to refine
the estimated amount of the misstatement. In these situations, the
auditor should test management's procedures and conclusions.
* The auditor may believe that sufficient evidence has already been
obtained and may form his/her opinion on the financial statements based
on his/her estimate.
* The auditor may want to increase assurance in the likely misstatements
in order to convince entity management of the amount or to support the
report on the financial statements. For example, the auditor may choose
to increase his/her assurance in the likely misstatement by testing
additional items. These additional procedures will most likely increase
the auditor's assurance in the previous findings but generally will not
materially affect the amount of the likely misstatement. Before
deciding to perform additional procedures, the auditor should obtain
agreement from entity management on the extent of additional evidence
needed to be persuasive to them. The auditor also should consult with
the Reviewer before beginning any of these additional procedures.
* The Audit Director may decide not to expend additional resources to
resolve the disagreement, for example, because additional testing is
unlikely to provide different conclusions. If the auditor believes the
estimate is sufficiently accurate, he or she would express a qualified
or adverse opinion, depending on the materiality of the item to the
financial statements taken as a whole. If the auditor believes the
estimate is not sufficiently accurate, he or she would qualify or
disclaim an opinion for a scope limitation, depending on the
materiality of the item to the financial statements taken as a whole.
RECONSIDERATION OF FRAUD RISK:
18
The consideration of the risk of material misstatement due to fraud is
a cumulative process that should be ongoing throughout the audit. The
auditor should consider whether the audit test results indicate the
need for a change in the original consideration of fraud risk made in
planning (see section 260) or whether the results indicate a need for
additional or different audit procedures.
19
When audit tests identify misstatements, the auditor should consider
whether these may be indicative of fraud. If the auditor determines
that misstatements are or may be the result of fraud, he or she should
consult with the Audit Director and the Reviewer who will determine
whether to seek help from the Special Investigator Unit and/or OGC. If
the effect is not material to the financial statements, the auditor
should consider the implications, especially regarding the
organizational position of the individual(s) involved. If the person
involved in the fraud is a relatively low-level employee, there is
little significance to the audit, although the misstatement should be
reported at least to the next level of management. However, if the
person is of a higher level of management, even though the amount of
misstatement found is immaterial, the auditor should consider whether
it may indicate a more pervasive problem and should reevaluate fraud
risk as well as the assessment of inherent and control risk; the
assignment of personnel; and the nature, timing, and extent of
substantive testing.
20
If the misstatement is or may be the result of fraud and the effect
could be material or the auditor is unable to evaluate whether the
effect is material, he or she, in consultation with the issue area
director, should (1) consider the implications on other aspects of the
audit (see previous paragraph), (2) discuss the matter with at least
the next level of entity management and with senior management, (3)
consider whether to attempt to obtain additional evidence to determine
whether material fraud has occurred or is likely to have occurred and
the effect on the financial statements and the audit report, and (4)
consider whether to advise entity management to consult with its
general counsel.
21
Fraud involving senior management and fraud that causes a material
misstatement of the financial statements should be included in the
audit report in the compliance section and in the report on the
financial statements section if the financial statements are misstated.
When the auditor identifies evidence of these cases, the Special
Investigator Unit and/or OGC should be consulted. If the auditor has
identified fraud risk factors that have continuing control
implications, the auditor should consider whether these risk factors
represent reportable conditions that should then be included in the
audit report in the internal control section.
FINANCIAL MANAGEMENT SYSTEMS:
22
For audits of the CFO Act agencies and components identified by OMB in
its audit guidance, the auditor should determine whether the entity's
financial management systems comply substantially with the three
requirements of FFMIA. Federal financial management systems
requirements and the SGL at the transaction level were considered in
sections 350 and 360. At this point, the auditor should reassess those
preliminary conclusions and conclude on the federal accounting
standards based on the results of control, compliance, and substantive
testing and evaluation of misstatements found. If the auditor concludes
that the systems do not comply with the requirements, he or she should
report the noncompliance. In addition, if the auditor concluded the
systems were not in substantial compliance with FFMIA based on limited
testing, he or she should report that the work on FFMIA would not
necessarily disclose all instances of lack of substantial compliance
with FFMIA requirements. (See section 580.):
[End of section]
550 - CONCLUDE OTHER AUDIT PROCEDURES:
.01:
To issue the auditor's report, procedures in the following areas should
be concluded during the reporting phase:
* inquiries of attorneys (see paragraphs 550.02.-.03),
* subsequent events (see paragraphs 550.04.-.06),
* management representations (see paragraphs 550.07-.11), and:
* related party transactions (see paragraph 550.12).
INQUIRIES OF ATTORNEYS:
.02:
In considering any contingent liabilities or uncertainties that may
affect the entity or its financial statements, the auditor should make
inquiries of the entity's counsel regarding litigation, claims, and
assessments. Guidance on these inquiries, as well as on interpreting
and using responses received from counsel, is provided in AU 337 and
9337 and OMB audit guidance (see also section 280).
.03:
The inquiries and responses should cover the entire period under audit
and the subsequent period through completion of fieldwork (the date of
the auditor's report). A response should be obtained from counsel at
the approximate end of fieldwork. If a long period elapses from end of
fieldwork to report issuance, a subsequent update generally should be
obtained, either written or oral (and documented in the workpapers),
for material events to report issuance.
SUBSEQUENT EVENTS:
.04:
Events or transactions may occur after the balance sheet date but
before the audit report is issued. Such events or transactions that
have a material effect on the financial statements and therefore
require adjustment to or disclosure in the financial statements are
referred to as subsequent events. AU 560 provides guidance on
determining whether a particular subsequent event requires adjustment
to or disclosure in the financial statements (see also section 1005).
.05:
To identify subsequent events that would require either adjustment to
or disclosure in the financial statements, the auditor should follow
the procedures described in AU 560.10-12 (see also section 1005). These
procedures should be performed at or near the completion of fieldwork.
If a long period elapses from end of fieldwork to report issuance, the
procedures generally should be updated for material events through the
issuance of the auditor's report. The auditor should follow the
guidance in AU 530 on dating the auditor's report if any subsequent
events are identified that affect the report.
.06:
The auditor generally has no obligation to perform procedures to
identify subsequent events after the report is issued. If the auditor
becomes aware of facts that might have affected the report if they had
been known before issuance, the auditor should follow the guidance in
AU 561.
MANAGEMENT REPRESENTATIONS:
.07:
The auditor is required to obtain written representations from
management as part of the audit. These representations supplement the
other audit procedures performed by the auditor but are not a
substitute for them. Written representations help avoid any
misunderstandings that could arise if only oral representations were
received from management. In some circumstances, corroborating evidence
for representations may not be readily available, such as for those
involving management's intent concerning a future transaction or
business decision. AU 333.06, AT 501.44 (SSAE 10, paragraph 5.44), and
AU 801.07 provide examples of the written representations usually
obtained from management (see also sections 1001 and 1001 A).
Additionally, the auditor may request representations on other matters.
.08:
Federal government auditors should obtain further representations from
management in addition to those required by generally accepted auditing
standards. These are management assertions about the effectiveness of
internal control and about substantial compliance of financial
management systems with the three requirements of FFMIA.
.09:
If management refuses to provide the requested written representations,
the auditor considers this a limitation on the audit scope and modifies
the report (see paragraphs 580.14-.18). In these situations, the
auditor should consider the reliability of other representations
received from management during the audit.
.10:
The representation letter should be signed by members of management
who, in the auditor's view, are responsible for and knowledgeable,
directly or through others, about the matters in the representation
letter, as discussed in AU 333.09.
.11:
The representation letter should be dated as of the date of the
auditor's report. If there is a significant delay between the report
date and the issuance of the report, the auditor should consider
obtaining updated management representations.
RELATED PARTY TRANSACTIONS:
.12:
The auditor should be aware of the possible existence of relationships
with related parties and material related party transactions that could
affect the financial statements. AU 334 provides guidance on
identifying related parties, examining related party transactions, and
considerations for disclosure (see also section 1006).
[End of section]
560 - DETERMINE CONFORMITY WITH GENERALLY ACCEPTED ACCOUNTING
PRINCIPLES:
.01:
Generally accepted accounting principles (GAAP) for federal government
entities are developed by the Federal Accounting Standards Advisory
Board (FASAB), an entity created by GAO, OMB, and Treasury. FASAB was
recognized by the American Institute of Certified Public Accountants
(AICPA) as the body to establish GAAP for federal governmental entities
under Rule 203, "Accounting Principles," of the AICPA's Code of
Professional Conduct. Pursuant to the resolution adopted by the AICPA
Council on October 19, 1999, Statements of Federal Financial Accounting
Standards (SFFAS) issued by FASAB are recognized as GAAP for the
applicable federal governmental entities. FASAB develops federal
accounting concepts or standards and transmits them to the Comptroller
General, the Secretary of the Treasury, and the Director of OMB (the
three principals). The accounting concepts or standards become final 90
days after transmittal, provided no principal advises FASAB of an
objection during the 90 days. The concepts or standards are then issued
by FASAB.
.02:
Federal executive agencies are to follow the hierarchy of accounting
principles given below. This means that the entity is to use the
guidance in item "a" unless that item is silent about a particular
topic. In that case, the entity is to use the guidance in item "b,"
unless it also does not address the topic, and so on to item "c," or
"d," until guidance addressing the topic is found. This hierarchy is
recognized by the AICPA as GAAP for applicable federal entities,
according to SAS 91:
a. FASAB Statements and Interpretations plus AICPA and FASB
pronouncements if made applicable to federal governmental entities by a
FASAB Statement or Interpretation.
b. FASAB Technical Bulletins and the following pronouncements if
specifically made applicable to federal governmental entities by the
AICPA and cleared by FASAB: AICPA Industry Audit and Accounting Guides
and AICPA Statements of Position.
c. AICPA AcSEC Practice Bulletins if specifically made applicable to
federal governmental entities and cleared by FASAB and Technical
Releases of its Accounting and Auditing Policy Committee.
d. Implementation guides published by FASAB staff and practices that are
widely recognized and prevalent in the federal government.
.03:
In the absence of a pronouncement in the above hierarchy, the auditor
may consider other accounting literature, including FASAB Concepts
Statements; pronouncements in categories "a" through "d" above when not
specifically made applicable to federal governmental entities; FASB and
GASB Concepts Statements; GASB Statements, Interpretations, and
Technical Bulletins; AICPA Issues Papers; International Accounting
Standards of the International Accounting Standards Committee;
pronouncements of other professional associations or regulatory
agencies; AICPA Technical Practice Aids; and accounting textbooks,
handbooks, and articles.
.04:
Entities are required to summarize the significant accounting policies
used in the notes to the principal statements.
.05:
The auditor should review the financial statements for conformity with
GAAP and should identify any instances of nonconformity. Such
nonconformity may include incomplete disclosure or use of an accounting
principle that is contrary to GAAP. A Checklist for Reports Prepared
Under the CFO Act is in section 1004 (Part II) for reviewing the
financial statements for appropriate and adequate disclosure in
accordance with GAAP.
.06:
The auditor should consider the impact of nonconformity with GAAP on
the financial statements and should determine the effects, if any, on
the auditor's report (see paragraph 580.22).
[End of section]
570 - DETERMINE COMPLIANCE WITH GAO/PCIE FINANICAL AUDIT MANUAL:
.01:
The auditor must determine whether the audit was conducted in
accordance with GAGAS, OMB audit guidance, and GAO/PCIE financial audit
methodology. The auditor should use the audit completion checklist
included in section 1003 (Part II) for determining and documenting
compliance.
[End of section]
580 - DRAFT REPORTS:
.01:
At the conclusion of the audit, the auditor finalizes the draft of the
auditor's report(s), which includes the auditor's conclusions on:
* the financial statements (see paragraphs 580.10-.31);
* internal control (see paragraphs 580.32-.61);
* whether the financial management systems substantially comply with
the requirements of FFMIA: federal financial management systems
requirements, federal accounting standards (GAAP), and the SGL at the
transaction level (see paragraphs 580.62-.66); and:
* compliance with laws and regulations (see paragraphs 580.67-.75);
* the MD&A (see requirements in SFFAS No. 15) and other information
included in the Accountability Report (including RSSI) (see paragraphs
580.76-.81).
.02:
The auditor's report should clearly identify the entity audited, the
Accountability Report on which the auditor is reporting, and the period
covered by the Accountability Report.
.03:
The report should be dated as of the completion of fieldwork. If a
subsequent event occurs after that time that requires disclosure in the
report, the auditor should follow the guidance in AU 530 with respect
to dating the report.
REPORT FORMAT:
.04:
An example of an unqualified auditor's report is presented in section
595 A. The auditor may use another reporting format, such as issuing
separate reports on the financial statements (see AU 508) and on
internal control and compliance (see AICPA Audit and Accounting Guide:
Audits of State and Local Governmental Units or OMB audit guidance) and
should document the reasons for deviations from