This is the accessible text file for GAO report number GAO-01-765G 
entitled 'Financial Audit Manual: Volumes 1 and 2' which was released 
on August 01, 2001 and updated by GAO-03-466G entitled 'Financial 
Audit Manual: Update to Part II - Tools' which was released on April
01, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

GAO/PCIE Financial Audit Manual:

(including April 2003 update):

This page was last revised April 28, 2003:

Volume 1 - Methodology [PDF 1.5mb]

Cover to Volume 1 [PDF 8.3mb]

Section 100 - Foreword, Table of Contents, Introduction:

Section 200 - Planning:

Section 300 - Internal Control:

Section 400 - Testing:

Section 500 - Reporting:

Section Appendixes - Appendixes, Glossary, Abbreviations, Index:

Volume 2 - Tools [PDF 3.0mb]

Cover to Volume 2 [PDF 8.3mb]

Section 600 - Planning and General:

Section 700 - Internal Control:

Section 800 - Compliance:

Section 900 - Substantive Testing:

Section 1000, except for CFO Act Checklist - Reporting:

CFO Act Checklist, Beginning - Overview, General Items, Balance Sheet:

CFO Act Checklist, End - Statements of Net Cost, Changes in Net 
Position, Budgetary Resources, Financing, Custodial Activity, Notes, 
and Supplementary Information:

Other Related Guidance:

GAO's FFMIA Reporting:

Download zipped files that allow users to enter data:

Sections 300, 400, and 500 - SCE (FAM 395 H - both transaction-related 
and line item-related), ARA (FAM 395 I), sampling documentation (FAM 
495 E), example audit report and summaries of misstatements (FAM 595 A, 
B, C, and D):

Sections 600 and 700 - example documentation and templates for using 
the work of others (FAM 650 B and C), agreed-upon procedures (FAM 660 
A, B, C, and D), and testing compliance with FFMIA (FAM 701 A and B):

Section 800 - general compliance checklist (FAM 802) and summary and 
audit procedures for other acts (FAM 803, 808, 809, 810, 812, 813, 814, 
816, and 817):

Sections 900 and 1000, except CFO Act checklist - example documentation 
and templates for related parties, including intragovernmental activity 
and balances (FAM 902 C), Fund Balance with Treasury (FAM 921 D), 
management representations (FAM 1001 A), inquiries of legal counsel 
(FAM 1002 A, B, C, and D), audit completion checklist (FAM 1003), and 
subsequent events review (FAM 1005):

CFO Act checklist (FAM 1004):

Financial Audit Manual:

Foreword:

On behalf of the General Accounting Office (GAO) and the President's 
Council on Integrity and Efficiency (PCIE), we are pleased to present 
the first-ever GAO/PCIE Financial Audit Manual.

With passage of the Government Management and Reform Act of 1994, 
executive branch Inspectors General and GAO gained statutory 
responsibility for auditing agency and government-wide consolidated 
financial statements, respectively. Since that time, GAO and the PCIE 
community have worked cooperatively to ensure that these audits are of 
the highest possible quality, consistency, and cost-effectiveness. This 
manual is a natural outgrowth of that cooperation. More importantly, 
the new manual represents our ongoing efforts to ensure that financial 
statement audits achieve their intended outcomes of providing enhanced 
accountability over taxpayer-provided resources.

We extend our thanks to the many individuals and organizations that 
provided comments and insights to make the manual stronger. The Task 
Force assembled by GAO and the PCIE also deserves much credit for its 
dedication to completing this project.

Jeffrey C. Steinhoff 

Managing Director 

U.S. General Accounting Office 

The Honorable Gregory H. Friedman

Chair, Audit Committee

President's Council on Integrity and Efficiency

Signed by Jeffrey C. Steinhoff and Gregory H. Friedman:

[End of section]

CONTENTS:

100; INTRODUCTION.

200; PLANNING PHASE.

210; Overview.

220; Understand the Entity's Operations.

225; Perform Preliminary Analytical Procedures.

230; Determine Planning, Design, and Test Materiality.

235; Identify Significant Line Items, Accounts, Assertions, and RSSI.

240; Identify Significant Cycles, Accounting Applications, and 
Financial Management Systems.

245; Identify Significant Provisions of Laws and Regulations.

250; Identify Relevant Budget Restrictions.

260; Identify Risk Factors.

270; Determine Likelihood of Effective Information System Controls.

275; Identify Relevant Operations Controls to Evaluate and Test.

280; Plan Other Audit Procedures.

* Inquiries of Attorneys.

* Management Representations.

* Related Party Transactions.

* Sensitive Payments.

* Reaching an Understanding with Management and Requesters.

* Other Audit Requirements.

285; Plan Locations to Visit.

290; Documentation.

Appendixes to Section 200:

295 A; Potential Inherent Risk Conditions.

295 B; Potential Control Environment, Risk Assessment, Communication, 
and Monitoring Weaknesses.

295 C; An Approach for Multiple-Location Audits.

295 D; Interim Substantive Testing of Balance Sheet Accounts.

295 E; Effect of Risk on Extent of Audit Procedures.

295 F; Types of Information System Controls.

295 G; Budget Controls.

295 H; Laws Identified in OMB Audit Guidance and Other General Laws.

295 I; Examples of Auditor Responses to Fraud Risk Factors.

295 J; Steps in Assessing Information System Controls.

300; INTERNAL CONTROL PHASE.

310; Overview.

320; Understand Information Systems.

330; Identify Control Objectives.

340; Identify and Understand Relevant Control Activities.

350; Determine the Nature, Timing, and Extent of Control Tests and of 
Tests for Systems' Compliance with FFMIA Requirements.

360; Perform Nonsampling Control Tests and Tests for Systems' 
Compliance with FFMIA Requirements.

370; Assess Controls on a Preliminary Basis.

380; Other Considerations.

390; Documentation.

Appendixes to Section 300:

395 A; Typical Relationships of Accounting Applications to Line Items/
Accounts.

395 B; Financial Statement Assertions and Potential Misstatements.

395 C; Typical Control Activities.

395 D; Selected Statutes Relevant to Budget Execution.

395 E; Budget Execution Process.

395 F; Budget Control Objectives.

395 F Sup; Budget Control Objectives - Federal Credit Reform Act 
Supplement.

395 G; Rotation Testing of Controls.

395 H; Specific Control Evaluation Worksheet.

395 I; Account Risk Analysis Form.

400; TESTING PHASE.

410; Overview.

420; Consider the Nature, Timing, and Extent of Tests.

430; Design Efficient Tests.

440; Perform Tests and Evaluate Results.

450; Sampling Control Tests.

460; Compliance Tests.

470; Substantive Tests - Overview.

475; Substantive Analytical Procedures.

480; Substantive Detail Tests.

490; Documentation.

Appendixes to Section 400:

495 A; Determining Whether Substantive Analytical Procedures Will Be 
Efficient and Effective.

495 B; Example Procedures for Tests of Budget Information.

495 C; Guidance for Interim Testing.

495 D; Example of Audit Matrix with Statistical Risk Factors.

495 E; Sampling.

495 F; Manually Selecting a Dollar Unit Sampling.

500; REPORTING PHASE.

510; Overview.

520; Perform Overall Analytical Procedures.

530; Determine Adequacy of Audit Procedures and Audit Scope.

540; Evaluate Misstatements.

550; Conclude Other Audit Procedures.

* Inquiries of Attorneys.

* Subsequent Events.

* Management Representations.

* Related Party Transactions.

560; Determine Conformity with Generally Accepted Accounting 
Principles.

570; Determine Compliance with GAO/PCIE Financial Audit Manual.

580; Draft Reports.

* Financial Statements.

* Internal Control.

* Financial Management Systems.

* Compliance with Laws and Regulations.

* Other Information in the Accountability Report.

590; Documentation.

Appendixes to Section 500:

595 A; Example Auditor's Report - Unqualified.

595 B; Suggested Modifications to Auditor's Report.

595 C; Example Summary of Possible Adjustments.

595 D; Example Summary of Unadjusted Misstatements.

APPENDIXES.

A; Consultations.

B; Instances Where the Auditor "Must" Comply with the FAM.

GLOSSARY.

ABBREVIATIONS.

INDEX.

[End of table]

SECTION 100:

Introduction:

Table 1: Methodology Overview:

Figure 100.1: Methodology Overview:

Planning Phase: 

Understand the entity's operations: Section: 220:

Perform preliminary analytical procedures: Section: 225:

Determine planning, design, and test materiality: Section: 230:

Identify significant line items, accounts, assertions, and RSSI: 
Section: 235:

Identify significant cycles, accounting applications, and financial 
management systems: Section: 240:

Identify significant provisions of laws and regulations: Section: 245:

Identify relevant budget restrictions: Section: 250:

Assess risk factors: Section: 260:

Determine likelihood of effective information system controls: 
Section: 270:

Identify relevant operations controls to evaluate and test: Section: 
275:

Plan other audit procedures: Section: 280:

Plan locations to visit: Section: 285:

Internal Control Phase:

Understand information systems: Section: 320:

Identify control objectives: Section: 330:

Identify and understand relevant control activities: Section: 340:

Determine the nature, timing, and extent of control tests and of tests 
for systems' compliance with FFMIA requirements: Section: 350:

Perform nonsampling control tests and tests for systems' compliance 
with FFMIA requirements: Section: 360:

Assess controls on a preliminary basis: Section: 370:

Testing Phase:

Consider the nature, timing, and extent of tests: Section: 420:

Design efficient tests: Section: 430:

Perform tests and evaluate results: Section: 440:

Sampling control tests: Section: 450:

Compliance tests: Section: 460:

Substantive tests: Section: 470:

Substantive analytical procedures: Section: 475:

Substantive detail tests: Section: 480:

Reporting Phase:

Perform overall analytical procedures: Section: 520:

Determine adequacy of audit procedures and audit scope: Section: 530:

Evaluate misstatements: Section: 540:

Conclude other audit procedures: Section: 550:

Inquire of attorneys:

Consider subsequent events:

Obtain management representations:

Consider related party transactions:

Determine conformity with generally accepted accounting 
principles: Section: 560:

Determine compliance with GAO/PCIE Financial Audit Manual: Section: 570:

Draft reports: Section: 580:

[End of table]

.01: This introduction provides an overview of the methodology of the 
General Accounting Office (GAO) and the President's Council on 
Integrity and Efficiency (PCIE) for performing financial statement 
audits of federal entities, describes how the methodology relates to 
relevant auditing and attestation standards and Office of Management 
and Budget (OMB) guidance, and outlines key issues to be considered in 
using the methodology.

OVERVIEW OF THE METHODOLOGY:

.02: The overall purposes of performing financial statement audits of 
federal entities include providing decisionmakers (financial statement 
users) with assurance as to whether the financial statements are 
reliable, internal control is effective, and laws and regulations are 
complied with. To achieve these purposes, the approach to federal 
financial statement audits involves four phases:

* Plan the audit to obtain relevant information in the most efficient 
manner.

* Evaluate the effectiveness of the entity's internal control and, for 
Chief Financial Officers (CFO) Act Agencies and components designated 
by OMB, whether financial management systems substantially comply with 
the requirements of the Federal Financial Management Improvement Act of 
1996 (FFMIA): federal financial management systems requirements, 
applicable federal accounting standards,[Footnote 1] and the U.S. 
Government Standard General Ledger (SGL) at the transaction 
level.[Footnote 2]

* Test the significant assertions related to the financial statements 
and test compliance with laws and regulations.

* Report the results of audit procedures performed.

These phases are illustrated in figure 100.1 and are summarized below. 
[Footnote 3]

Planning Phase:

.03: Although planning continues throughout the audit, the objectives 
of this initial phase are to identify significant areas and to design 
efficient audit procedures. To accomplish this, the methodology 
includes guidance to help in 

* understanding the entity's operations, including its organization, 
management style, and internal and external factors influencing the 
operating environment;

* identifying significant accounts, accounting applications, and 
financial management systems; important budget restrictions, 
significant provisions of laws and regulations; and relevant controls 
over the entity's operations;

* determining the likelihood of effective information systems (IS) 
controls;

* performing a preliminary risk assessment to identify high-risk areas, 
including considering the risk of fraud; and

* planning entity field locations to visit.

Internal Control Phase:

.04: This phase entails evaluating and testing internal control to 
support the auditor's conclusions about the achievement of the following 
internal control objectives:

* Reliability of financial reporting--transactions are properly 
recorded, processed, and summarized to permit the preparation of the 
principal statements and required supplementary stewardship 
information (RSSI) in accordance with generally accepted accounting 
principles (GAAP), and assets are safeguarded against loss from 
unauthorized acquisition, use, or disposition.

* Compliance with applicable laws and regulations--transactions are 
executed in accordance with (a) laws governing the use of budget 
authority and other laws and regulations that could have a direct and 
material effect on the principal statements or RSSI and (b) any other 
laws, regulations, and governmentwide policies identified by OMB in its 
audit guidance.

OMB audit guidance requires the auditor to test controls that have been 
properly designed to achieve these objectives and placed in operation, 
to support a low assessed level of control risk. This may be enough 
testing to give an opinion on internal control. GAO audits should be 
designed to give an opinion on internal control.[Footnote 4] If the 
auditor does not give an opinion, generally accepted government 
auditing standards (GAGAS) require the report to state whether tests 
were sufficient to give an opinion.

.05: OMB's audit guidance includes a third objective of internal control, 
related to performance measures. The auditor is required to understand 
the components of internal control relating to the existence and 
completeness assertions and to report on internal controls that have 
not been properly designed and placed in operation, rather than to test 
controls.

.06: This manual also provides guidance on evaluating internal controls 
related to operating objectives that the auditor elects to evaluate. 
Such controls include those related to safeguarding assets from waste 
or preparing statistical reports.

.07: To evaluate internal control, the auditor identifies and understands 
the relevant controls and tests their effectiveness. Where controls are 
considered to be effective, the extent of substantive testing can be 
reduced.

.08: The methodology includes guidance on:

* assessing specific levels of control risk,

* selecting controls to test,

* determining the effectiveness of IS controls, and

* testing controls, including coordinating control tests with the 
testing phase.

.09: Also, during the internal control phase, for CFO Act agencies and their 
components identified in OMB's audit guidance, the auditor should 
understand the entity's significant financial management systems and 
test their compliance with FFMIA requirements.

Testing Phase:

.10: The objectives of this phase are to (1) obtain reasonable assurance 
about whether the financial statements are free from material 
misstatements, (2) determine whether the entity complied with 
significant provisions of applicable laws and regulations, and (3) 
assess the effectiveness of internal control through control tests that 
are coordinated with other tests.

.11: To achieve these objectives, the methodology includes guidance on:

* designing and performing substantive, compliance, and control tests;

* designing and evaluating audit samples;

* correlating risk and materiality with the nature, timing, and extent 
of substantive tests; and

* designing multipurpose tests that use a common sample to test several 
different controls and specific accounts or transactions.

Reporting Phase:

.12: This phase completes the audit by reporting useful information 
about the entity, based on the results of audit procedures performed in 
the preceding phases. This involves developing the auditor's report on 
the entity's (1) financial statements (also called Principal Statements) 
and other information (management's discussion and analysis [MD&A] or 
the overview, RSSI, other required supplementary information, and other 
accompanying information), (2) internal control, (3) whether the 
financial management systems substantially comply with FFMIA 
requirements, and (4) compliance with laws and regulations. To assist 
in this process, the methodology includes guidance on forming opinions 
on the principal statements and conclusions on internal control, as 
well as how to determine which findings should be reported. Also 
included is an example report designed to be understandable to the 
reader.

RELATIONSHIP TO APPLICABLE STANDARDS:

.13: The following section describes the relationship of this audit 
methodology to applicable auditing standards, OMB guidance, and other 
policy requirements. It is organized into three areas:

* relevant auditing standards and OMB guidance,

* audit requirements beyond the "yellow book," and

* auditing standards and other policies not addressed in this manual.

Relevant Auditing Standards and OMB Guidance:

.14: This manual provides a framework for performing financial statement 
audits in accordance with Government Auditing Standards (also known as 
generally accepted government auditing standards or GAGAS) issued by 
the Comptroller General of the United States ("yellow book"); 
incorporated generally accepted auditing standards (GAAS) and 
attestation standards established by the American Institute of 
Certified Public Accountants (AICPA); and OMB's audit guidance.

.15: This manual describes an audit methodology that both integrates the 
requirements of the standards and provides implementation guidance. The 
methodology is designed to achieve:

* effective audits by considering compliance with the CFO Act, FFMIA, 
GAGAS, and OMB guidance;

* efficient audits by focusing audit procedures on areas of higher risk 
and materiality and by providing an integrated approach designed to 
gather evidence efficiently;

* quality control through an agreed-upon framework that can be followed 
by all personnel; and

* consistency of application through a documented methodology.

.16: The manual supplements GAGAS and OMB's audit guidance. References are 
made to Statements on Auditing Standards (preceded by the prefix "AU") 
and Statements on Standards for Attestation Engagements (SSAE) 
(preceded by the prefix "AT") of the Codification of Statements on 
Auditing Standards, issued by the AICPA, that are incorporated into 
GAGAS.

Audit Requirements Beyond the "Yellow Book":

.17: In addition to meeting GAGAS requirements, audits of federal entities 
to which OMB's audit guidance applies must be designed to achieve the 
following objectives described in OMB's audit guidance:

* responsibility for performing sufficient tests of internal controls 
that have been properly designed and placed in operation, to support a 
low assessed level of control risk;

* expansion of the nature of controls that are evaluated and tested to 
include controls related to RSSI, budget execution, and compliance with 
laws and regulations;

* responsibility to understand the components of internal control 
relating to the existence and completeness assertions relevant to the 
performance measures included in the MD&A, in order to report on 
controls that have not been properly designed and placed in operation;

* responsibility to consider the entity's process for complying with 31 
U.S.C. 3512 (the Federal Managers' Financial Integrity Act (FMFIA));

* responsibility to perform tests at CFO Act agencies and components 
identified by OMB to report on the entity's financial management 
systems' substantial compliance with FFMIA requirements;

* responsibility to test for compliance with laws, regulations, and 
governmentwide policies identified in OMB's audit guidance at CFO Act 
agencies (regardless of their materiality to the audit); and

* responsibility to consider conformity of the MD&A, RSSI, required 
supplementary information, and other accompanying information with 
FASAB requirements and OMB guidance.

.18: To help achieve the goals of the CFO Act, GAO audits should be designed 
to achieve the following objectives,[Footnote 5] in addition to those 
described in OMB's audit guidance:

* Provide an opinion on internal control.

* Determine the effects of misstatements and internal control weaknesses 
on (1) the achievement of operations control objectives, (2) the 
accuracy of reports prepared by the entity, and (3) the formulation of 
the budget.

* Determine whether specific control activities are properly designed and 
placed in operation, even if a poor control environment precludes their 
effectiveness.

* Understand the components of internal control relating to the 
valuation assertion relevant to performance measures reported in the 
MD&A in order to report on controls that have not been properly 
designed and placed in operation.

Auditing Standards and Other Policies Not Addressed in the Manual:

.19: This manual was designed to supplement financial audit and other 
policies and procedures adopted by GAO and Inspectors General (IGs). As 
such, it was not intended to address in detail all requirements. For 
example, report processing is not addressed.

.20: Updates to this manual that include additional audit guidance and 
practice aids, such as checklists and audit programs, will be issued 
from time to time. GAO and a team representing the PCIE audit committee 
will be responsible for preparing the updates. There will be an 
exposure process for significant updates.

KEY IMPLEMENTATION ISSUES:

.21: The auditor should consider the following factors in applying the 
methodology to a particular entity:

* audit objectives,

* exercise of professional judgment,

* references to positions,

* use of IS auditors,

* compliance with policies and procedures in the manual,

* use of technical terms, and

* reference to GAO/PCIE Financial Audit Manual (FAM).

Audit Objectives:

.22: While certain federal entities are not subject to OMB audit guidance, 
financial statement audits of all federal entities should be conducted 
in accordance with this guidance to the extent applicable to achieve 
the audit's objectives. The manual generally assumes that the objective 
of the audit is to render an opinion on the current year financial 
statements, a report on internal control, and a report on compliance. 
Where these are not the objectives, the auditor should use judgment in 
applying the guidance. In some circumstances, the auditor will expect 
to issue a disclaimer on the current year financial statements (because 
of scope limitations). In these circumstances, the auditor may develop 
a multiyear plan to be able to render an opinion when the financial 
statements are expected to become auditable.

Exercise of Professional Judgment:

.23: In performing a financial statement audit, the auditor should exercise 
professional judgment. Consequently, the auditor should tailor the 
guidance in the manual to respond to situations encountered in an 
audit. However, the auditor must exercise judgment properly, assuring 
that, at a minimum, the work meets professional standards. Proper 
application of professional judgment could result in additional or more 
extensive audit procedures than described in this manual.

.24: In addition, when exercising judgment, the auditor should consider the 
needs of, and consult in a timely manner with, other auditors who plan 
to use the work being performed. In turn, the auditor should coordinate 
with other auditors whose work he or she wishes to use so that the 
judgments exercised can satisfy the needs of both auditors. For 
example, auditors of a consolidated entity (such as the U.S. government 
or an entire department or agency) are likely to plan to use the work 
of auditors of subsidiary entities (such as individual departments and 
agencies or bureaus and components of a department). This coordination 
can result in more economy, efficiency, and effectiveness of government 
audits in general and avoid duplication of effort.

.25: Many aspects of the audit require technical judgments. The auditor 
should ensure a person(s) with adequate technical expertise is (are) 
available, especially in the following areas:

* quantifying planning materiality, design materiality, and test 
materiality and using materiality as one consideration in determining 
the extent of testing (see section 230);

* specifying a minimum level of substantive assurance based on the 
assessed combined risk, analytical procedures, and detail tests (see 
sections 470, 480, and 495 D);

* documenting whether selections are samples (intended to be 
representative and projected to populations) or nonsampling selections 
that are not projectible (see section 480);

* using sampling methods, such as dollar-unit sampling, classical 
variables estimation sampling, or classical probability proportional to 
size (PPS) sampling, for substantive or multipurpose testing (including 
nonstatistical sampling) (see section 480);

* using sampling for control testing, other than attribute sampling using 
the tables in section 450 to determine sample size when not performing 
a multipurpose test;

* using sampling for compliance testing of laws and regulations, other 
than attribute sampling using the tables in section 460 to determine 
sample size when not performing a multipurpose test; and

* placing complete or partial reliance on analytical procedures, using 
test materiality to calculate the limit. The limit is the amount of 
difference between the expected and recorded amounts that can be 
accepted without further investigation (see section 475).

References to Positions:

.26: Various sections of this manual make reference to consultation with 
audit management and/or persons with technical expertise to obtain 
approval or additional guidance. Key consultations should be documented 
in the audit workpapers. Each audit organization should document, in 
the workpapers or its audit policy manual, the specific positions of 
persons who will perform these functions. An IG using a firm to perform 
an audit in accordance with this manual should clarify and document the 
positions of the persons the firm should consult in various 
circumstances.

* The Assistant Director is the top person responsible for the 
day-to-day conduct of the audit.

* The Audit Director is the senior manager responsible for the technical 
quality of the financial statement audit, reporting to the Assistant 
Inspector General for Audit or, at GAO, to the Managing Director.

* The Reviewer is the senior manager responsible for the quality of the 
auditor's reports, reporting to the Assistant Inspector General for 
Audit (or higher position) or, at GAO, is the Managing Director or the 
second partner. The Reviewer may consult with others.

* The Statistician is the person the auditor consults for technical 
expertise in areas such as audit sampling, audit sample evaluation, and 
selecting entity field locations to visit.

* The Data Extraction Specialist is the person with technical expertise 
in extracting data from agency records.

* The Technical Accounting and Auditing Expert is the senior manager 
reporting to the Assistant Inspector General for Audit or higher or, at 
GAO, is the Chief Accountant. The Technical Accounting and Auditing 
Expert advises on accounting and auditing professional matters and 
related national issues. The Technical Accounting and Auditing Expert 
reviews reports on financial statements and reports that contain 
opinions on financial information.

* The Office of General Counsel (OGC) provides assistance to the auditor 
in (1) identifying provisions of laws and regulations to test, 
(2) identifying budget restrictions, and (3) identifying and resolving 
legal issues encountered in the financial statement audit, such as 
evaluating potential instances of noncompliance.

* The Special Investigator Unit investigates specific allegations 
involving conflict-of-interest and ethics matters, contract and 
procurement irregularities, official misconduct and abuse, and fraud in 
federal programs or activities. In the offices of the IGs this is the 
investigation unit; at GAO, it is Special Investigations. The Special 
Investigator Unit provides assistance to the auditor by (1) informing 
the auditor of relevant pending or completed investigations of the 
entity and (2) investigating possible instances of federal fraud, 
waste, and abuse.

Use of Information Systems Auditors:

.27: The audit standards (SAS 94) require that the audit team possess 
sufficient knowledge of information systems (IS) to determine the 
effect of IS on the audit, to understand the IS controls, and to design 
and perform tests of IS controls and substantive tests. This is 
generally done by having IS auditors as part of the audit team. IS 
auditors should possess sufficient technical knowledge and experience 
to understand the relevant concepts discussed in the manual and to 
apply them to the audit. While the auditor is ultimately responsible 
for assessing inherent and control risk, assessing the effectiveness of 
IS controls requires a person with IS audit technical skills. 
Specialized technical skills generally are needed in situations where 
(1) the entity's systems, automated controls, or the manner in which 
they are used in conducting the entity's business are complex, 
(2) significant changes have been made to existing systems or new 
systems implemented, (3) data are extensively shared among systems, (4) 
the entity participates in electronic commerce, (5) the entity uses 
emerging technologies, or (6) significant audit evidence is available 
only in electronic form. Appendix V of GAO's Federal Information System 
Controls Audit Manual (FISCAM) contains examples of knowledge, skills, 
and abilities needed by IS auditors. Certain financial auditors also 
may possess IS audit technical skills. In some cases, the auditor may 
require outside consultants to provide these skills.

Compliance With Policies and Procedures in the Manual:

.28: The following terms are used throughout the manual to describe the 
degree of compliance with the policy or procedure required.

* Must: Compliance with this policy or procedure is mandatory unless an 
exception is approved in writing by the Reviewer,[Footnote 6] such as 
in certain instances when a disclaimer of opinion is anticipated.

* Should: Compliance with this policy or procedure is expected unless 
there is a reasonable basis for departure from it. Any such departure 
and the basis for it are to be documented in a memorandum. The 
Assistant Director should approve this memorandum and copies should be 
sent to the Audit Director and the Reviewer.

* Generally Should: Compliance with this policy or procedure is strongly 
encouraged. Departure from such policy or procedure should be discussed 
with the Assistant Director or the audit manager.

* May: Compliance with this policy or procedure is optional.

When the auditor deviates from a policy or procedure that is expressed 
by use of the term "must" or "should" in the FAM, he or she should 
consider the needs of, and consult in a timely manner with, other 
auditors who plan to use the work of the auditor and provide an 
opportunity for the other auditors to review the documentation 
explaining these deviation decisions.

Use of Technical Terms:

.29: The manual uses many existing technical auditing terms and 
introduces many others. To assist you, a glossary of significant terms 
is included in this manual.

Reference to GAO/PCIE Financial Audit Manual:

.30: When cited in workpapers, correspondence, or other communication, 
the letters "FAM" should precede section or paragraph numbers from this 
manual. For example, this paragraph should be referred to as FAM 
100.30.

FOOTNOTES

[1] In October 1999 the American Institute of Certified Public 
Accountants (AICPA) recognized the Federal Accounting Standards 
Advisory Board (FASAB) as the accounting standards-setting body for 
federal government entities under Rule 203 of the AICPA's Code of 
Professional Conduct. Thus, FASAB standards are recognized as generally 
accepted accounting principles (GAAP) for federal entities. FASAB 
standards (Statement of Federal Financial Accounting Standards No. 8, 
paragraph .40) allow government corporations and certain other federal 
entities to report using GAAP issued by the Financial Accounting 
Standards Board (FASB).

[2] Testing for FFMIA is most efficiently accomplished, for the most 
part, as part of the work done in understanding agency systems in the 
Internal Control phase of the audit.

[3] The methodology presented is for performance of a financial 
statement audit. If the auditor is to use the work of another auditor, 
see FAM section 650 (under revision).

[4] AICPA attestation standards allow the auditor to give an opinion on 
internal control or on management's assertion about the effectiveness 
of internal control (except that if material weaknesses are present, 
the opinion must be on internal control, not management's assertion). 
The example report in this manual assumes the opinion will be on 
internal control directly.

[5] The manual refers specifically to objectives of GAO audits in various sections. Such objectives are optional for other audit organizations.

[6] Capitalized positions are described in paragraph 100.25.

SECTION 200:

Planning Phase:

Table 1: Methodology Overview:

Planning Phase:

* Understand the entity's operations: 220; 

* Perform preliminary analytical procedures: 225; 

* Determine planning, design, and test materiality: 230; 

* Identify significant line items, accounts, assertions, and RSSI: 235;
 
* Identify significant cycles, accounting applications, and financial 
management systems: 240; 

* Identify significant provisions of laws and regulations: 245; 

* Identify relevant budget restrictions: 250; 

* Identify risk factors: 260; 

* Determine likelihood of effective information system controls: 270; 

* Identify relevant operations controls to evaluate and test: 275; 

* Plan other audit procedures: 280; 

* Plan locations to visit: 285.

Internal Control Phase:


* Understand information systems: 320; 

* Identify control objectives: 330; 

* Identify and understand relevant control activities: 340; 

* Determine the nature, timing, and extent of control tests and of 
tests for systems' compliance with FFMIA requirements: 350;
 
* Perform nonsampling control tests and tests for systems' compliance 
with FFMIA requirements: 360; 

* Assess controls on a preliminary basis: 370.

Testing Phase:

* Consider the nature, timing, and extent of tests: 420; 

* Design efficient tests: 430; 

* Perform tests and evaluate results: 440; 

* Sampling control tests: 450; 

* Compliance tests: 460; 

* Substantive tests: 470; 

* Substantive analytical procedures: 475; 

* Substantive detail tests: 480.

Reporting Phase:

* Perform overall analytical procedures: 520; 

* Determine adequacy of audit procedures and audit scope: 530; 

* Evaluate misstatements: 540; 

* Conclude other audit procedures: 550; 

* Inquire of attorneys; 

* Consider subsequent events; 

* Obtain management representations; 

* Consider related party transactions; 

* Determine conformity with generally accepted accounting 
principles: 560; 

* Determine compliance with GAO/PCIE Financial Audit Manual: 570; 

* Draft reports: 580.

[End of table]

210: Overview:

.01: The auditor performs planning to determine an effective and 
efficient way to obtain the evidential matter necessary to report on 
the entity's Accountability Report (or annual financial statement). 
The nature, extent, and timing of planning vary with, for example, 
the entity's size and complexity, the auditor's experience with the 
entity, and the auditor's knowledge of the entity's operations. 
Procedures performed in the planning phase are shown in figure 200.1.

.02: 
A key to a quality audit, planning requires the involvement of senior 
members of the audit team. Although concentrated in the planning phase, 
planning is an iterative process performed throughout the audit. For 
example, findings from the internal control phase directly affect 
planning the substantive audit procedures. Also, the results of control 
and substantive tests may require changes in the planned audit 
approach.

.03: 
Auditors should consider the needs of, and consult in a timely manner 
with, other auditors who plan to use the work being performed, 
especially when making decisions that require the auditor to exercise 
significant judgment.

220: Understand the Entity's Operations:

.01: 
The auditor should obtain an understanding of the entity sufficient to 
plan and perform the audit in accordance with applicable auditing 
standards and requirements. In planning the audit, the auditor gathers 
information to obtain an overall understanding of the entity and its 
origin and history, size and location, organization, mission, business, 
strategies, inherent risks, fraud risks, control environment, risk 
assessment, communications, and monitoring. Understanding the entity's 
operations in the planning process enables the auditor to identify, 
respond to, and resolve accounting and auditing problems early in the 
audit.

.02: 
The auditor's understanding of the entity and its operations does not 
need to be comprehensive but should include:

* entity management and organization,

* external factors affecting operations,

* internal factors affecting operations, and

* accounting policies and issues.

.03: 
The auditor should identify key members of management and obtain a 
general understanding of the organizational structure. The auditor's 
main objective is to understand how the entity is managed and how the 
organization is structured for the particular management style.

.04: 
The auditor should identify significant external and internal factors 
that affect the entity's operations. External factors might include (1) 
source(s) of funds, (2) seasonal fluctuations, (3) current political 
climate, and (4) relevant legislation. Internal factors might include 
(1) size of the entity, (2) number of locations, (3) structure of the 
entity (centralized or decentralized), (4) complexity of operations, 
(5) information system structure, (6) qualifications and competence of 
key personnel, and (7) turnover of key personnel.

.05: 
In identifying accounting policies and issues, the auditor should 
consider:

* generally accepted accounting principles, including whether the 
entity is likely to be in compliance;

* changes in GAAP that affect the entity; and

* whether entity management appears to follow aggressive or 
conservative accounting policies.

.06:
The auditor also should consider whether the entity will report any 
required supplementary stewardship information (RSSI). This includes 
stewardship property, plant, and equipment (PP&E) (heritage assets, 
national defense assets, and stewardship land), stewardship investments 
(nonfederal physical property, human capital, and research and 
development), social insurance, and risk-assumed information. RSSI and 
deferred maintenance, which is considered required supplementary 
information, should be designated "unaudited."

.07:
The auditor should develop and document a high-level understanding of 
the entity's use of information systems (IS) and how IS affect the 
generation of financial statement information, RSSI, and the data that 
support performance measures reported in the MD&A (overview) of the 
Accountability Report (CFO report). An IS auditor may assist the 
auditor in understanding the entity's use of IS. Appendix I of the GAO 
Federal Information System Controls Manual (FISCAM) can be used to 
document this understanding.

.08:
The auditor gathers planning information through different methods 
(observation, interviews, reading policy and procedure manuals, etc.) 
and from a variety of sources, including:

* top-level entity management,

* entity management responsible for significant programs,

* Office of Inspector General (IG) and internal audit management 
(including any internal control officer),

* others in the audit organization concerning other completed, planned 
or in-progress assignments,

* personnel in OGC,

* personnel in the Special Investigator Unit, and

* entity legal representatives.

.09: 
The auditor gathers information from relevant reports and articles 
issued by or about the entity, including:

* the entity's prior Accountability Reports;

* other financial information;

* FMFIA reports and supporting documentation;

* reports by management or the auditor about systems' substantial 
compliance with FFMIA requirements;

* the entity's budget and related reports on budget execution;

* GAO reports;

* IG and internal audit reports (including those for performance audits 
and other reviews);

* congressional hearings and reports;

* consultant reports; and

* material published about the entity in newspapers, magazines, internet 
sites, and other publications.

225: Perform Preliminary Analytical Procedures:

.01: 
During the planning phase, preliminary analytical procedures are 
performed to help the auditor:

* understand the entity's business, including current-year transactions 
and events;

* identify account balances or transactions that may signal inherent or 
control risks (see section 260);

* identify and understand the significant accounting policies;

* determine planning, design, and test materiality (see section 230); 
and

* determine the nature, timing, and extent of audit procedures to be 
performed.

.02: 
GAAS requires the auditor to perform preliminary analytical procedures 
(AU 329). The resources spent in performing these procedures should be 
commensurate with the expected reliability of comparative information. 
For example, in a first-year audit, comparative information might be 
unreliable; therefore, preliminary analytical procedures generally 
should be limited.

.03: 
The auditor generally should perform the following steps to achieve the 
objectives of preliminary analytical procedures.

a. Compare current-year amounts with relevant comparative financial 
information: The financial data used in preliminary analytical 
procedures generally are summarized at a high level, such as the level 
of financial statements. If financial statements are not available, the 
budget or financial summaries that show the entity's financial position 
and results of operations may be used.

The auditor compares current-year amounts with relevant comparative 
financial information. Use of unaudited comparative data might not 
allow the auditor to identify significant fluctuations, particularly if 
an item consistently has been treated incorrectly. Also, errors in the 
unaudited comparative data may lead the auditor to identify apparent 
fluctuations that are not really fluctuations.

A key to effective preliminary analytical procedures is to use 
information that is comparable in terms of the time period presented 
and the presentation (i.e., same level of detail and consistent 
grouping of detail accounts into summarized amounts used for 
comparison).

The auditor may perform ratio analysis on current-year data and compare 
the current year's ratios with those derived from prior periods or 
budgets. The auditor does this to study the relationships among 
components of the financial statements and to increase knowledge of the 
entity's activities. The auditor uses ratios that are relevant 
indicators or measures for the entity. Also, the auditor should 
consider any trends in the performance indicators prepared by the 
entity.

b. Identify significant fluctuations: Fluctuations are differences 
between the recorded amounts and the amounts expected by the auditor, 
based on comparative financial information and the auditor's knowledge 
of the entity. Fluctuations refer to both unexpected differences 
between current-year amounts and comparative financial information as 
well as the absence of expected differences. The identification of 
fluctuations is a matter of the auditor's judgment.

The auditor establishes parameters for identifying significant 
fluctuations. When setting these parameters, the auditor generally 
considers the amount of the fluctuation in terms of absolute size and/
or the percentage difference. The amount and percentage used are left 
to the auditor's judgment. An example of a parameter is "All 
fluctuations in excess of $10 million and/or 15 percent of the prior-
year balance or other unusual fluctuations will be considered 
significant."

c. Inquire about significant fluctuations: The auditor discusses the 
identified fluctuations with appropriate entity personnel. The focus of 
the discussion is to achieve the purposes of the procedures described 
in paragraph 225.01. For preliminary analytical procedures, the auditor 
does not need to corroborate the explanations since they will be tested 
later. However, the explanations should appear reasonable and 
consistent to the auditor. The inability of entity personnel to explain 
the cause of a fluctuation may indicate the existence of control, 
fraud, and/or inherent risks.
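
The screening in step b can be sketched as follows. This is an added illustration, not part of the manual: the balances are constructed, the thresholds are the manual's own example parameter, and reading "and/or" as "either threshold is enough" is an assumption of the example.

```python
from decimal import Decimal

# Example parameter quoted in FAM 225.03b; real amounts are the auditor's judgment.
ABS_THRESHOLD = Decimal("10000000")  # $10 million
PCT_THRESHOLD = Decimal("0.15")      # 15 percent of the prior-year balance

# Constructed balances, summarized at the same level of detail for both years
# (FAM 225.03a asks for comparable periods and consistent grouping).
PRIOR_YEAR = {
    "Fund balance with Treasury": Decimal("820000000"),
    "Accounts receivable": Decimal("40000000"),
    "Property and equipment": Decimal("300000000"),
    "Accrued payroll": Decimal("12000000"),
    "Grants expense": Decimal("95000000"),
}
CURRENT_YEAR = {
    "Fund balance with Treasury": Decimal("835000000"),
    "Accounts receivable": Decimal("47000000"),
    "Property and equipment": Decimal("305000000"),
    "Accrued payroll": Decimal("0"),
    "Grants expense": Decimal("95000000"),
    "Loan guarantee liability": Decimal("3000000"),  # no prior-year figure
}


def screen_fluctuations(current, prior,
                        abs_threshold=ABS_THRESHOLD,
                        pct_threshold=PCT_THRESHOLD):
    """Return {line_item: [reasons]} for changes that exceed either threshold.

    Assumption of this example: "and/or" is read as OR, and "in excess of"
    means strictly greater than the threshold.
    """
    flagged = {}
    for item in sorted(set(current) | set(prior)):
        cur = current.get(item, Decimal(0))
        pri = prior.get(item, Decimal(0))
        change = cur - pri
        reasons = []
        if abs(change) > abs_threshold:
            reasons.append("absolute")
        if pri == 0:
            # A percentage of a zero prior-year balance is undefined, so any
            # movement on a new or previously empty item goes to the auditor.
            if change != 0:
                reasons.append("no prior-year balance")
        elif abs(change) / abs(pri) > pct_threshold:
            reasons.append("percentage")
        if reasons:
            flagged[item] = reasons
    # Not covered here: an unchanged balance that the auditor expected to move
    # is also a fluctuation under 225.03b, but finding it needs an expectation
    # that this mechanical screen does not have.
    return flagged


if __name__ == "__main__":
    for item, reasons in screen_fluctuations(CURRENT_YEAR, PRIOR_YEAR).items():
        print(f"{item}: {', '.join(reasons)}")
```

The unchanged "Grants expense" balance passes the screen, which is why the paragraph leaves identification of fluctuations to the auditor's judgment rather than to the parameter alone.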

230: Determine Planning, Design, and Test Materiality:

.01: 
Materiality is one of several tools the auditor uses to determine that 
the planned nature, timing, and extent of procedures are appropriate. 
As defined in Financial Accounting Standards Board (FASB) Statement of 
Financial Concepts No. 2, materiality represents the magnitude of an 
omission or misstatement of an item in a financial report that, in 
light of surrounding circumstances, makes it probable that the judgment 
of a reasonable person relying on the information would have been 
changed or influenced by the inclusion or correction of the item.

.02: 
Materiality is based on the concept that items of little importance, 
which do not affect the judgment or conduct of a reasonable user, do 
not require auditor investigation. Materiality has both quantitative 
and qualitative aspects. Even though quantitatively immaterial, certain 
types of misstatements could have a material impact on or warrant 
disclosure in the financial statements for qualitative reasons.

.03: 
For example, intentional misstatements or omissions (fraud) usually are 
more critical to the financial statement users than are unintentional 
errors of equal amounts. This is because the users generally consider 
an intentional misstatement more serious than clerical errors of the 
same amount.

.04: 
GAGAS and incorporated GAAS require the auditor to consider materiality 
in planning, designing procedures, and considering the need for disclosure 
in the audit report. AU 312 requires the auditor, in planning the 
audit, to consider his/her preliminary judgment about materiality 
levels. The "yellow book" states that materiality is a matter of 
professional judgment influenced by the needs of the reasonable person 
relying on the financial statements. Materiality judgments are made in 
the light of surrounding circumstances and involve both quantitative 
and qualitative considerations, such as the public accountability of 
the auditee and the visibility and sensitivity of government programs, 
activities, and functions.

.05: 
The term "materiality" can have several meanings. In planning and 
performing the audit, the auditor uses the following terms that relate 
to materiality:

* Planning materiality is a preliminary estimate of materiality, in 
relation to the financial statements taken as a whole, used to 
determine the nature, timing, and extent of substantive audit 
procedures and to identify significant laws and regulations for 
compliance testing.

* Design materiality is the portion of planning materiality that has 
been allocated to line items, accounts, or classes of transactions 
(such as disbursements). This amount will be the same for all line 
items or accounts (except for certain intragovernmental or offsetting 
balances as discussed in paragraph 230.10).

* Test materiality is the materiality actually used by the auditor in 
testing a specific line item, account, or class of transactions. Based 
on the auditor's judgment, test materiality can be equal to or less 
than design materiality, as discussed in paragraph 230.13. Test 
materiality may be different for different line items or accounts.

.06:
The following other uses of the term "materiality" relate principally 
to the reporting phase:

* Disclosure materiality is the threshold for determining whether an 
item should be reported or presented separately in the financial 
statements or in the related notes. This value may differ from 
planning materiality.

* FMFIA materiality is the threshold for determining whether a matter 
meets OMB criteria for reporting matters under FMFIA as described in 
paragraphs 580.35-.37.

* Reporting materiality is the threshold for determining whether an 
unqualified opinion can be issued. In the reporting phase, the auditor 
considers whether unadjusted misstatements are quantitatively or 
qualitatively material. If considered to be material, the auditor would 
be precluded from issuing an unqualified opinion on the financial 
statements. See section 540.

Unless otherwise specified, such as through using the terms above, the 
term "materiality" in this manual refers to the overall financial 
statement materiality as defined in paragraph 230.01.

.07: 
The following guidelines provide the auditor with a framework for 
determining planning materiality. However, this framework is not a 
substitute for professional judgment. The auditor has the flexibility 
to determine planning materiality outside of these guidelines. In such 
circumstances, the Audit Director should discuss the basis for the 
determination with the Reviewer. The planning materiality selected and 
method of determining planning materiality should be documented and 
approved by the Audit Director.

.08: 
The auditor should estimate planning materiality in relation to the 
element of the financial statements that is most significant to the 
primary users of the statements (the materiality base). The auditor 
uses judgment in determining the appropriate element of the financial 
statements to use as the materiality base. Also, since the materiality 
base normally is based on unaudited preliminary information determined 
in the planning phase, the auditor usually has to estimate the year-end 
balance of the materiality base. To provide reasonable assurance that 
sufficient audit procedures are performed, any estimate of the 
materiality base should use the low end of the range of estimated 
materiality.

.09:
For capital-intensive entities, total assets may be an appropriate 
materiality base. For expenditure-intensive entities, total expenses 
may be an appropriate materiality base. Based on these concepts, the 
materiality base generally should be the greater of total assets or 
expenses (net of adjustments for intragovernmental balances and 
offsetting balances). (See discussion of these adjustments in next 
paragraph.) Other materiality bases that might be considered include 
total liabilities, equity, revenues, and net cost to the government 
(appropriations).

.10: 
In considering a materiality base, the auditor should consider how to 
handle significant intragovernmental balances (such as funds with the 
U.S. Treasury, U.S. Treasury securities, and interentity balances) and 
offsetting balances (such as future funding sources that offset certain 
liabilities and collections that are offset by transfers to other 
government entities). The auditor should establish a separate 
materiality base for significant intragovernmental or offsetting 
balances because combining all accounts may improperly distort the 
nature, timing, and extent of audit procedures. For example, an entity 
that collects and remits funds on behalf of other federal entities 
could have operating accounts that are small in comparison to the funds 
processed on behalf of other entities. In this example, the auditor 
would compute separate planning materiality for auditing (1) the 
offsetting accounts, using the balance of the offsetting accounts as 
the materiality base and (2) the rest of the financial statements using 
the materiality base guidance in paragraph 230.09.

.11: 
Planning materiality generally should be 3 percent of the materiality 
base. Although a mechanical means might be used to compute planning 
materiality, the auditor should use judgment in evaluating whether the 
computed level is appropriate. The auditor also should consider 
adjusting the materiality base for the impact of such items as 
unrecorded liabilities, contingencies, and other items that are not 
incorporated in the entity's financial statements (and not reflected in 
the materiality base) but that may be important to the financial 
statement user.

.12: 
Design materiality for the audit should be one-third of planning 
materiality to allow for the precision of audit procedures. This 
guideline recognizes that misstatements may occur throughout the 
entity's various accounts. The design materiality represents the 
materiality used as a starting point to design audit procedures for 
line items or accounts so that an aggregate material misstatement in 
the financial statements will be detected, for a given level of audit 
assurance (discussed in paragraph 260.04).

.13: 
Generally, the test materiality used for a specific test is the same as 
the design materiality. However, the auditor may use a test materiality 
lower than the design materiality for substantive testing of specific 
line items and assertions (which increases the extent of testing) when:

* the audit is being performed at some, but not all, entity locations 
(requiring increased audit assurance for those locations visited - see 
section 285);

* the area tested is deemed to be sensitive to the financial statement 
users; or

* the auditor expects to find a significant amount of misstatements.
[Footnote 1]
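
The guidelines in paragraphs 230.09 through 230.13 can be carried through for the collecting entity described in paragraph 230.10. This is an added worked example, not part of the manual: all dollar figures are constructed, rounding down to whole dollars is an assumption, and so is applying the same one-third fraction to the separate offsetting base.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN

PLANNING_RATE = Decimal("0.03")  # FAM 230.11: generally 3 percent of the base
WHOLE_DOLLAR = Decimal("1")


@dataclass(frozen=True)
class Materiality:
    base: Decimal
    planning: Decimal
    design: Decimal


def net_base(total_assets, total_expenses,
             asset_adjustments=Decimal(0), expense_adjustments=Decimal(0)):
    """FAM 230.09: the greater of total assets or expenses, each net of
    intragovernmental and offsetting balances."""
    return max(total_assets - asset_adjustments,
               total_expenses - expense_adjustments)


def levels(base):
    """Planning = 3 percent of the base (230.11); design = one-third of
    planning (230.12). Rounded down (assumption): a lower figure can only
    increase the extent of testing."""
    if base <= 0:
        raise ValueError("materiality base must be positive")
    planning = (base * PLANNING_RATE).quantize(WHOLE_DOLLAR, rounding=ROUND_DOWN)
    design = (planning / 3).quantize(WHOLE_DOLLAR, rounding=ROUND_DOWN)
    return Materiality(base, planning, design)


def materiality_for_test(design, lowered_to=None):
    """FAM 230.13: test materiality equals design materiality unless the
    auditor lowers it (partial location coverage, sensitive area, or many
    expected misstatements). It is never set above design materiality."""
    if lowered_to is None:
        return design
    if lowered_to <= 0 or lowered_to > design:
        raise ValueError("test materiality must be positive and not exceed design")
    return lowered_to


def worked_example():
    # Constructed figures: an entity that collects and remits funds for others.
    collections_held = Decimal("5000000000")  # offset by transfers to other entities
    total_assets = Decimal("5200000000")      # includes the collections held
    total_expenses = Decimal("450000000")

    return {
        # 230.10 (2): the rest of the statements, using the 230.09 base.
        "operations": levels(net_base(total_assets, total_expenses,
                                      asset_adjustments=collections_held)),
        # 230.10 (1): the offsetting accounts, with their own balance as base.
        "offsetting": levels(collections_held),
        # What a single combined base would have produced, for comparison.
        "combined": levels(net_base(total_assets, total_expenses)),
    }


if __name__ == "__main__":
    for name, m in worked_example().items():
        print(f"{name:<11} base={m.base:>13,} planning={m.planning:>12,} "
              f"design={m.design:>11,}")
```

With these figures the combined base gives a design materiality of $52 million against $4.5 million for operations alone, which is the distortion paragraph 230.10 warns about.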

235: Identify Significant Line Items, Accounts, Assertions, and RSSI:

.01: 
The auditor should identify significant line items and accounts in the 
financial statements and significant related financial statement 
assertions. The auditor should also identify significant RSSI.[Footnote 
2] In the internal control and testing phases, the auditor performs 
control and substantive tests for each significant assertion for each 
significant account. By identifying significant line items, accounts, 
and the related assertions early in the planning process, the auditor 
is more likely to design efficient audit procedures. Some insignificant 
line items, accounts, and assertions may not warrant substantive audit 
tests to the extent that they are not significant in the aggregate. 
However, some line items and accounts with zero or unusual balances may 
warrant testing, especially with regard to the completeness assertion.

.02: 
Financial statement assertions, as defined by AU 326, are management 
representations that are embodied in financial statement components. 
Most of the auditor's work in forming an opinion on financial 
statements consists of obtaining and evaluating evidential matter 
concerning the assertions in such financial statements. The assertions 
can be either explicit or implicit and can be classified into the 
following broad categories:

* Existence or occurrence: An entity's assets or liabilities exist at a 
given date, and recorded transactions have occurred during a given 
period.

* Completeness: All transactions and accounts that should be presented 
in the financial statements are so included.

* Rights and obligations: Assets are the rights of the entity, and 
liabilities are the obligations of the entity at a given date.

* Valuation or allocation: Asset, liability, revenue, and expense 
components have been included in the financial statements at 
appropriate amounts.

* Presentation and disclosure: The particular components of the 
financial statements are properly classified, described, and disclosed.

.03: 
A line item or an account in the financial statements or RSSI should be 
considered significant if it has one or more of the following 
characteristics:

* Its balance is material (exceeds design materiality) or comprises a 
significant portion of a material financial statement or RSSI amount.

* A high combined risk (inherent and control risk, as discussed in 
paragraph 260.02) of material misstatement (either overstatement or 
understatement) is associated with one or more assertions relating to 
the line item or account. For example, a zero or unusually small 
balance account may have a high risk of material understatement.

* Special audit concerns, such as regulatory requirements, warrant 
added consideration.

The auditor should determine that any accounts considered insignificant 
are not significant in the aggregate.

.04: 
An assertion is significant if misstatements in the assertion could 
exceed test materiality for the related line item, account, or 
disclosure. Certain assertions for a specific line item or account, 
such as completeness and disclosure, could be significant even though 
the recorded balance of the related line item or account is not 
material. For example, (1) the completeness assertion could be 
significant for an accrued payroll account with a high combined risk of 
material understatement even if its recorded balance is zero and (2) 
the disclosure assertion could be significant for a contingent 
liability even if no amount is recordable.

.05: 
Assertions are likely to vary in degree of significance, and some 
assertions may be insignificant or irrelevant for a given line item or 
account. For example:

* The completeness assertion for liabilities may be of greater 
significance than the existence assertion for liabilities.

* All assertions related to an account that is not significant (as 
defined in paragraph 235.03) are considered to be insignificant.

* The rights and obligations assertion for a revenue or expense account 
is irrelevant.

.06: Significant line items, accounts, and assertions should be 
identified in the Account Risk Analysis (ARA) or other appropriate 
audit planning workpapers.

240: Identify Significant Cycles, Accounting Applications, and 
Financial Management Systems:

.01:
In the internal control phase, the auditor evaluates controls for each 
significant cycle and accounting application and determines whether 
significant financial management systems substantially comply with 
federal financial management systems requirements, federal accounting 
standards, and the SGL at the transaction level. A cycle or an 
accounting application should be considered significant if it processes 
an amount of transactions in excess of design materiality or if it 
supports a significant account balance in the financial statements or 
significant RSSI. A financial management system generally consists of 
one or more accounting applications. If one or more of the accounting 
applications making up a financial management system are considered 
significant, then that financial management system generally should be 
considered significant for determining whether the system substantially 
complies with FFMIA requirements. The auditor may identify other 
cycles, accounting applications, or financial management systems as 
significant based on qualitative considerations. For example, financial 
management systems covered by FFMIA include not only systems involved 
in processing financial transactions and preparing financial 
statements, but also systems supporting financial planning, management 
reporting, or budgeting activities, systems accumulating and reporting 
cost information, and the financial portion of mixed systems, such as 
benefit payment, logistics, personnel, and acquisition systems.

.02: 
The entity's accounting system may be viewed as consisting of logical 
groupings of related transactions and activities, or accounting 
applications. Each significant line item/account is affected by input 
from one or more accounting applications (sources of debits or 
credits). Related accounting applications may be grouped into cycles by 
the auditor and into financial management systems by the entity. 
Accounting applications are classified as (1) transaction-related or 
(2) line item/account-related.

.03: 
A transaction-related accounting application consists of the methods 
and records established to identify, assemble, analyze, classify, and 
record (in the general ledger) a particular type of transaction. 
Typical transaction-related accounting applications include billing, 
cash receipts, purchasing, cash disbursements, and payroll. A line 
item/account-related accounting application consists of the methods and 
records established to report an entity's recorded transactions and to 
maintain accountability for related assets and liabilities. Typical 
line item/account-related accounting applications include cash 
balances, accounts receivable, inventory control, property and 
equipment, and accounts payable.

.04: 
Within a given entity, there may be several examples of each accounting 
application. For example, a different billing application may exist for 
each program that uses a billing process. Accounting applications that 
process a related group of transactions and accounts comprise cycles. 
For instance, the billing, returns, cash receipts, and accounts 
receivable accounting applications might be grouped to form the revenue 
cycle. Similarly, related accounting applications also comprise 
financial management systems.

.05: 
For each significant line item and account, the auditor should use the 
Account Risk Analysis form (ARA) (see section 395 I) or an equivalent 
workpaper to document the significant transaction cycles (such as 
revenue, purchasing, and production) and the specific significant 
accounting applications that affect these significant line items and 
accounts. For example, the auditor might determine that billing, 
returns, cash receipts, and accounts receivable are significant 
accounting applications that affect accounts receivable (a significant 
line item). The Account Risk Analysis form provides a convenient way 
for documenting the specific risks of misstatement for significant line 
items for consideration in determining the nature, timing, and extent 
of audit procedures. If an equivalent workpaper is used, rather than 
the ARA, it should document the information discussed in section 395 I.

.06: 
Related accounting applications may be grouped into cycles to aid in 
preparing workpapers. This helps the auditor design audit procedures 
that are both efficient and relevant to the reporting objectives. The 
auditor may document insignificant accounts in each line item on the 
ARA or equivalent, indicating their insignificance and consequent lack 
of audit procedures applied to them. In such instances, the cycle 
matrix may not be necessary. Otherwise, the auditor should prepare a 
cycle matrix or equivalent document that links each of the entity's 
accounts (in the chart of accounts) to a cycle, an accounting 
application, and a financial statement or RSSI line item.

.07: 
Based on discussions with entity personnel, the auditor should 
determine the accounting application that is the best source of the 
financial statement information. When a significant line item has more 
than one source of financial data, the auditor should consider the 
various sources and determine which is best for financial audit 
purposes. The auditor needs to consider the likelihood of misstatement 
and auditability in choosing the source to use. For audit purposes, the 
best source of financial information sometimes may be operational 
information prepared outside the accounting system.

.08: 
Once the significant accounting applications are identified, the 
auditor determines which computer systems are involved in those 
applications. Those particular computer systems are then considered in 
assessing computer-related controls using an appropriate methodology.

.09: 
An appropriate methodology would require the auditor to obtain 
sufficient knowledge of the information system relevant to financial 
reporting to understand the accounting processing from initiation of a 
transaction to its inclusion in the financial statements, including 
electronic means used to transmit, process, maintain, and access 
information (see AU 319.49, SAS 94). AU 319.61 requires documentation 
of this understanding. OMB audit guidance notes that the components of 
internal control include general and application controls. General 
controls are the entitywide security management program, access 
control, application software development and change control, system 
software control, segregation of duties, and service continuity 
control. Application controls are authorization control, completeness 
control, accuracy control, and control over integrity of processing and 
data files. OMB audit guidance also requires that, for controls that 
have been properly designed and placed in operation, the auditor shall 
perform sufficient tests to support a low assessed level of control 
risk. The auditor should document the basis for believing that the 
methodology used is appropriate to satisfy these requirements for 
assessing general and application controls. The GAO Federal Information 
System Controls Audit Manual (FISCAM) is designed to meet these 
requirements. See section 295 J for a flowchart of steps generally 
followed in assessing information system controls in a financial 
statement audit. IS security controls are also addressed in OMB 
Circular A-130, Management of Federal Information Resources, in the 
National Institute of Standards and Technology's An Introduction to 
Computer Security: The NIST Handbook, and in other publications.

245: Identify Significant Provisions of Laws and Regulations:

.01: 
To design relevant compliance-related audit procedures, the auditor 
identifies the significant provisions of laws and regulations. To aid 
the auditor in this process, this manual classifies provisions of laws 
and regulations into the following categories:

* Transaction-based provisions are those for which compliance is 
determined on individual transactions. For example, the Prompt Payment 
Act requires that late payments be individually identified and interest 
paid on such late payments.

* Quantitative-based provisions are those that require the accumulation/
summarization of quantitative information for measurement. These 
provisions may contain minimum, maximum, or targeted amounts 
(restrictions) for the accumulated/summarized information. For 
example, the Comprehensive Environmental Response, Compensation, and 
Liability Act of 1980 prohibits the Environmental Protection Agency 
from exceeding certain spending limits on specific projects.

* Procedural-based provisions are those that require the entity to 
implement policies or procedures to achieve certain objectives. For 
example, the Single Audit Act, as amended, requires the awarding entity 
to review certain financial information on awardees.

.02: 
The auditor should identify the significant provisions of laws and 
regulations. For each significant provision, the auditor should study 
and evaluate related compliance controls and should test compliance 
with the provision. To identify such significant provisions, the 
auditor should take these steps:

a. The auditor should review the lists of laws and regulations that OMB 
and the entity have determined might be significant to others. The OMB 
list is provided in an appendix of OMB's audit guidance and is included 
in section 295 H. The entity is expected to develop a list that, for 
CFO Act agencies and components listed in OMB audit guidance, should 
include laws and regulations in OMB audit guidance, whether or not they 
are material to the entity, because they have been determined to be 
material to the consolidated financial statements of the United States 
Government. In addition, the auditor should identify (with OGC 
assistance) any laws or regulations (in addition to those identified by 
OMB and the entity) that have a direct effect on determining amounts in 
the financial statements. The meaning of direct effect is discussed 
below in paragraph 245.03.

b. For each such law or regulation, the auditor should identify those 
provisions that are significant. A provision should be considered 
significant if (1) compliance with the provision can be measured 
objectively and (2) it meets one of the following criteria for 
determining that the provision has a material effect on determining 
financial statement amounts:

* Transaction-based provisions: Transactions processed by the entity 
that are subject to the provision exceed planning materiality in the 
aggregate.

* Quantitative-based provisions: The quantitative information required 
by the provision or by established restrictions exceeds planning 
materiality.

* Procedural-based provisions: The provision broadly affects all or a 
segment of the entity's operations that process transactions exceeding 
planning materiality in the aggregate. For example, a provision may 
require that the entity establish procedures to monitor the receipt of 
certain information from grantees; in determining whether to test 
compliance with this provision, the auditor should consider whether the 
total amount of money granted exceeded planning materiality.

.03: A direct effect means that the provision specifies:

* the nature and/or dollar amount of transactions that may be incurred 
(such as obligation, outlay, or borrowing restrictions),

* the method used to record such transactions (such as revenue 
recognition policies), or

* the nature and extent of information to be reported or disclosed in the 
annual financial statements (such as the statement of budgetary 
resources).

For example, entity-enabling legislation may contain provisions that 
limit the nature and amount of obligations or outlays and therefore 
have a direct effect on determining amounts in the financial 
statements. If a provision's effect on the financial statements is 
limited to contingent liabilities as a result of noncompliance 
(typically for fines, penalties, and interest), such a provision does 
not have a direct effect on determining financial statement amounts. 
Laws identified by the auditor that have a direct effect might include 
(1) new laws and regulations (not yet reflected on OMB's list) and (2) 
entity-specific laws and regulations. The concept of direct effect is 
discussed in AU 801 (SAS 74) and AU 317.

.04: 
In contrast, indirect laws relate more to the entity's operating 
aspects than to its financial and accounting aspects, and their 
financial statement effect is indirect. In other words, their effect 
may be limited to recording or disclosing liabilities arising from 
noncompliance. Examples of indirect laws and regulations include those 
related to environmental protection and occupational safety and health.

.05: 
The auditor is not responsible for testing compliance controls over or 
compliance with any indirect laws and regulations not otherwise 
identified by OMB or the entity (see paragraph 245.02.a.). However, as 
discussed in AU 317, the auditor should make inquiries of management 
regarding policies and procedures for the prevention of noncompliance 
with indirect laws and regulations. Unless possible instances of 
noncompliance with indirect laws or regulations come to the auditor's 
attention during the audit, no further procedures with respect to 
indirect laws and regulations are necessary.

.06: 
The auditor may elect to test compliance with indirect laws and 
regulations. For example, if the auditor becomes aware that the entity 
has operations similar to those of another entity that was recently in 
noncompliance with environmental laws and regulations, the auditor may 
elect to test compliance with such laws and regulations. The auditor 
may also elect to test provisions of direct laws and regulations that 
do not meet the materiality criteria in paragraph 245.02.b. but that 
are deemed significant, such as laws and regulations that have 
generated significant interest by the Congress, the media, or the 
public.

.07: 
The significant provisions identified by the above procedures are 
intended to include provisions of all laws and regulations that have a 
direct and material effect on determining financial statement 
amounts and therefore comply with GAGAS, AU 801 (SAS 74), and OMB audit 
guidance.

.08: 
In considering regulations to test for compliance, the auditor should 
consider externally imposed requirements issued pursuant to the 
Administrative Procedures Act, which has a defined due process. This 
would include regulations in the Code of Federal Regulations, but would 
not include OMB circulars and bulletins. Such circulars and bulletins 
generally implement laws, and the provisions of the laws themselves 
could be considered for compliance testing. Internal policies, manuals, 
and directives may be the basis for internal controls, but are not 
regulations to consider for testing for compliance.

250: Identify Relevant Budget Restrictions:

.01: To evaluate budget controls (see section 295 G) and to design 
compliance-related audit procedures relevant to budget restrictions, 
the auditor should understand the following information (which may be 
obtained from the entity or OGC):

* the Antideficiency Act (title 31 of the U.S. Code, sections 1341, 
1342, 1349-1351, 1511-1519);

* the Purpose Statute (title 31 of the U.S. Code, section 1301);

* the Time Statute (title 31 of the U.S. Code, section 1502);

* OMB Circular A-34;

* title 7 of the GAO Policy and Procedures Manual for Guidance of Federal 
Agencies;

* the Impoundment Control Act; and

* the Federal Credit Reform Act of 1990.

.02: The auditor should read the following information relating to the 
entity's appropriation (or other budget authority) for the period of 
audit interest:

* authorizing legislation;

* enabling legislation and amendments;

* appropriation legislation and supplemental appropriation legislation;

* apportionments and budget execution reports (including OMB forms 132 
and 133 and supporting documentation);

* Impoundment Control Act reports regarding rescissions and deferrals, 
if any;

* the system of funds control document approved by OMB; and

* any other information deemed by the auditor to be relevant to 
understanding the entity's budget authority, such as legislative 
history contained in committee reports or conference reports.

Although legislative histories are not legally binding, they may help 
the auditor understand the political environment surrounding the entity 
(i.e., why the entity has undertaken certain activities and the 
objectives of these activities).

.03: Through discussions with OGC and the entity and by using the above 
information, the auditor should identify all legally binding 
restrictions on the entity's use of appropriated funds that are 
relevant to budget execution, such as restrictions on the amount, 
purpose, or timing of obligations and outlays ("relevant budget 
restrictions"). Additionally, the auditor should consider any legally 
binding restrictions that the entity has established in its fund 
control regulations, such as lowering the legally binding level for 
compliance with the Antideficiency Act to the allotment level.

.04: 
The auditor should obtain an understanding of the implications if the 
entity were to violate these relevant budget restrictions. In the 
internal control phase, the auditor identifies and tests the entity's 
controls to prevent or detect noncompliance with these relevant 
restrictions. The auditor may elect to evaluate controls over budget 
restrictions that are not legally binding but that may be considered 
sensitive or otherwise important.

.05: 
During these discussions with OGC and the entity, the auditor should 
determine whether any of these relevant budget restrictions relate to 
significant provisions of laws and regulations for purposes of testing 
compliance.

.06: 
For those entities that do not receive appropriated funds, the auditor 
should identify budget-related requirements that are legally binding on 
the entity. These requirements, if any, are usually found in the 
legislation that created the entity or its programs (such as the 
authorizing and enabling legislation) as well as any subsequent 
amendments. Although budget information on these entities may be 
included in the President's budget submitted to the Congress, this 
information usually is not legally binding. In general, certain 
budget-related restrictions (such as the Antideficiency Act) apply to 
government corporations but not to government-sponsored enterprises. 
Regardless, the auditor should consider the entity's budget formulation 
and execution as part of the control environment, as discussed in 
section 260.

260: IDENTIFY RISK FACTORS: 

.01: 
The auditor's consideration of inherent risk, fraud risk, control 
environment, risk assessment, communication, and monitoring (parts of 
internal control) affects the nature, timing, and extent of substantive 
and control tests. This section describes (1) the impact of risk 
factors identified during this consideration on substantive and control 
tests, (2) the process for identifying these risk factors, and (3) the 
auditor's consideration of the entity's process for reporting under 
FMFIA (both for internal control (section 2 of FMFIA) and for financial 
management systems' conformance with system requirements (section 4 of 
FMFIA)) and for formulating the budget.

IMPACT ON SUBSTANTIVE TESTING:

.02: 
AU 312 provides guidance on the consideration of audit risk and defines 
"audit risk" as the risk that the auditor may unknowingly fail to 
appropriately modify an opinion on financial statements that are 
materially misstated. Audit risk can be thought of in terms of the 
following three component risks:

* Inherent risk is the susceptibility of an assertion to a material 
misstatement, assuming that there are no related internal controls.

* Control risk is the risk that a material misstatement that could occur 
in an assertion will not be prevented or detected and corrected on a 
timely basis by the entity's internal control. Internal control 
consists of five components: (1) the control environment, (2) risk 
assessment, (3) monitoring, (4) information and communication, and (5) 
control activities (defined in paragraph 260.08 below). This section 
discusses the first three components and communication; section 300 
(Internal Control Phase) discusses information systems and control 
activities.

* Detection risk is the risk that the auditor will not detect a material 
misstatement that exists in an assertion.

AU 316 (SAS 82) requires the auditor to consider fraud risk, which is a 
part of audit risk, making up a portion of inherent and control risk. 
Fraud risk consists of the risk of fraudulent financial reporting and 
the risk of misappropriation of assets that cause a material 
misstatement of the financial statements. The auditor should 
specifically consider and document the risk of material misstatements 
of the financial statements due to fraud and keep in mind the 
consideration of fraud risk in designing audit procedures. Considering 
the risk of material fraud generally should be done concurrently with 
the consideration of inherent and control risk, but it should be a 
separate conclusion. The auditor also should consider the risk of fraud 
throughout the audit. Section 290 includes documentation requirements 
for the consideration of fraud risk.

.03: 
Based on the level of audit risk and an assessment of the entity's 
inherent and control risk, including the consideration of fraud risk, 
the auditor determines the nature, timing, and extent of substantive 
audit procedures necessary to achieve the resultant detection risk. For 
example, in response to a high level of inherent and control risk, the 
auditor may perform:

* additional audit procedures that provide more competent evidential 
matter (nature of procedures);

* substantive tests at or closer to the financial statement date (timing 
of procedures); or

* more extensive substantive tests (extent of procedures), as discussed 
in section 295 E.

.04: 
Audit assurance is the complement of audit risk. The auditor can 
determine the level of audit assurance obtained by subtracting the 
audit risk from 1. (Assurance equals 1 minus risk).[Footnote 3] AU 
350.48 uses 5 percent as the allowable audit risk in explaining the 
audit risk model (95 percent audit assurance). The audit organization 
should determine the level of assurance to use, which may vary between 
audits based on risk. GAO auditors should use 95 percent. In other 
words, the GAO auditor, in order to provide an opinion, should design 
the audit to achieve at least 95 percent audit assurance that the 
financial statements are not materially misstated (5 percent audit 
risk). Section 470 provides guidance to the auditor on how to combine 
(1) the assessment of inherent and control risk (including fraud risk) 
and (2) substantive tests to achieve the audit assurance required by 
the audit organization.

.05: 
The auditor may consider it necessary to achieve increased audit 
assurance if the entity is politically sensitive or if the Congress has 
expressed concerns about the entity's financial reporting. In this 
case, the level of audit assurance should be approved by the Reviewer.

RELATIONSHIP TO CONTROL ASSESSMENT:

.06: 
Internal control, as identified in AU 319 (SAS 55 amended by SAS 78), 
is a process--effected by an entity's governing body, management, and 
other personnel--designed to provide reasonable assurance regarding the 
achievement of objectives in the following categories (OMB audit 
guidance expands the category definitions as noted):[Footnote 4]

* Reliability of financial reporting--transactions are properly 
recorded, processed, and summarized to permit the preparation of the 
financial statements and RSSI in accordance with generally accepted 
accounting principles, and assets are safeguarded against loss from 
unauthorized acquisition, use, or disposition. (Note that safeguarding 
controls (see paragraphs 310.02-.04) are considered as part of 
financial reporting controls, although they are also operations 
controls.)

* Compliance with applicable laws and regulations--transactions are 
executed in accordance with (a) laws governing the use of budget 
authority and other laws and regulations that could have a direct and 
material effect on the financial statements or RSSI, and (b) any other 
laws, regulations, and governmentwide policies identified by OMB in its 
audit guidance. (Note that budget controls are part of financial 
reporting controls as they relate to the statements of budgetary 
resources and of financing, but that they are also part of compliance 
controls in that they are used to manage and control the use of 
appropriated funds and other forms of budget authority in accordance 
with applicable law. These controls are described in more detail in 
section 295 G.)

* Effectiveness and efficiency of operations. These controls include 
policies and procedures to carry out organizational objectives, such as 
planning, productivity, programmatic, quality, economy, efficiency, 
and effectiveness objectives. Management uses these controls to provide 
reasonable assurance that the entity (1) achieves its mission, 
(2) maintains quality standards, and (3) does what management directs 
it to do. (Note that performance measures controls (those designed to 
provide reasonable assurance about reliability of performance 
reporting--transactions and other data that support reported 
performance measures are properly recorded, processed, and summarized 
to permit the preparation of performance information in accordance with 
criteria stated by management) are included in operations controls.)

.07: 
Some control policies and procedures belong in more than one category 
of control. For example, financial reporting controls include controls 
over the completeness and accuracy of inventory records. Such controls 
are also necessary to provide complete and accurate inventory records 
to allow management to analyze and monitor inventory levels to better 
control operations and make procurement decisions (operations 
controls).

.08: 
The five components of internal control relate to objectives that an 
entity strives to achieve in each of the three categories: financial 
reporting (including safeguarding), compliance, and operations 
(including performance measures) controls. The components are defined 
in AU 319 as:

* The control environment sets the tone of an organization, influencing 
the control consciousness of its people. It is the foundation for all 
other components of internal control, providing discipline and 
structure.

* Risk assessment is the entity's identification and analysis of 
relevant risks to achievement of its objectives, forming a basis for 
determining how the risks should be managed.

* Information and communication are the identification, capture, and 
exchange of information in a form and time frame that enable employees 
to carry out their responsibilities.

* Monitoring is a process that assesses the quality of internal control 
performance over time.

* Control activities are the policies and procedures that help ensure 
that management directives are carried out.

PROCESS FOR IDENTIFYING RISK FACTORS:

.09: In the planning phase, the auditor should (1) identify conditions 
that significantly increase inherent, fraud, and control risk (based on 
identified control environment, risk assessment, communication, or 
monitoring weaknesses) and (2) conclude whether any identified control 
risks preclude the effectiveness of specific control activities in 
significant applications. The auditor identifies specific inherent 
risks, fraud risks, and control environment, risk assessment, 
communication, and monitoring weaknesses based on information obtained 
earlier in the planning phase, primarily from understanding the 
entity's operations and preliminary analytical procedures. The auditor 
considers factors such as those listed in paragraphs 260.16-.51 in 
identifying such risks and weaknesses. These factors are general in 
nature and require the auditor's judgment in determining (1) the extent 
of procedures (testing) to identify the risks and weaknesses and (2) 
the impact of such risks and weaknesses on the entity and its financial 
statements. Because this risk consideration requires the exercise of 
significant audit judgment, it should be performed by experienced audit 
team personnel.

.10: 
The auditor considers the implications of these risk factors on related 
operations controls. For example, inherent risk may be associated with 
a material liability for loan guarantees because it is subject to 
significant management judgment. In light of this inherent risk, the 
entity should have strong operations controls to monitor the entity's 
exposure to losses from loan guarantees. Potential weaknesses in such 
operations controls could significantly affect the ultimate program 
cost. Therefore, the need for operations controls in a particular area 
or the awareness of operations control weaknesses related to these risk 
factors should be identified and considered for further review, as 
discussed in section 275.

.11: 
Specific conditions that may indicate inherent or fraud risks or 
control environment, risk assessment, communication, or monitoring 
weaknesses are provided in sections 295 A and 295 B, respectively. 
These sections are designed to aid the auditor in identifying these 
risks and weaknesses but are not intended to be all inclusive. The 
auditor should consider any other factors and conditions deemed 
relevant.

.12: 
The auditor identifies and documents any significant risk factors after 
considering (1) his/her knowledge of the entity (obtained in previous 
steps in the planning phase); (2) the risk factors discussed in 
paragraphs 260.16-.51 and in sections 295 A and 295 B; and (3) other 
relevant factors. These risks and weaknesses and their impact on 
proposed audit procedures should be documented on the General Risk 
Analysis (GRA) or equivalent (see section 290). The auditor also should 
summarize and document any account-specific risks on the Account Risk 
Analysis (ARA) or equivalent (see sections 290 and 395 I).

.13: 
For each risk factor identified, the auditor documents the nature and 
extent of the risk or weakness; the condition(s) that gave rise to that 
risk or weakness; and the specific cycles, accounts, line items, and 
related assertions affected (if not pervasive). For example, the 
auditor may identify a significant risk that the valuation of the net 
receivables line item could contain a material misstatement due to (1) 
the materiality of the receivables and potential allowance, (2) the 
subjectivity of management's judgment related to the loss allowance 
(inherent risk), and (3) management's history of aggressively 
challenging any proposed adjustments to the valuation of the 
receivables (control environment weakness). The auditor should also 
document other considerations that may mitigate the effects of 
identified risks and weaknesses. For example, the use of a lock box (a 
control activity) may mitigate inherent risks associated with the 
completeness of cash receipts.

.14: 
The auditor also should document, in the GRA or equivalent, the overall 
effectiveness of the control environment, risk assessment, 
communication, and monitoring, including whether weaknesses preclude 
the effectiveness of specific control activities. The focus should be 
on management's overall attitude, awareness, and actions, rather than 
on specific conditions related to a control environment, risk 
assessment, communication, or monitoring factor. This assessment will 
be considered when determining the control risk associated with the 
entity.

.15: 
In assessing the control environment, risk assessment, communication, 
and monitoring, the auditor should specifically assess the quality of 
the entity's process for compliance with FMFIA (see paragraphs 
260.43-.47) and should obtain an overall understanding of the budget 
formulation process (see paragraph 260.51).

INHERENT RISK FACTORS:

.16: 
Inherent risk factors incorporate characteristics of an entity, a 
transaction, or account that exist due to:

* the nature of the entity's programs,

* the prior history of audit adjustments, or

* the nature of material transactions and accounts.

The assessment of inherent risk generally should be limited to 
significant programs, transactions, or accounts. For each factor listed 
below, section 295 A lists conditions that may indicate inherent risk.

a. Nature of the entity's programs: The mission/business of an entity 
includes the implementation of various programs or services. The 
characteristics of these programs or services affect the entity's 
susceptibility to errors and fraud and sensitivity to changes in 
economic conditions. For example, student loan guarantee programs may 
be more susceptible to errors and fraud because of loans issued and 
serviced by third parties.

b. Prior history of significant audit adjustments: Significant audit 
adjustments identified in previous financial statement audits or other 
audits often identify problem areas that may result in financial 
statement misstatements. For example, the prior year's audit may have 
identified the necessity for recording a contingent liability as the 
result of certain economic conditions. The auditor could then focus on:

* determining whether similar conditions continue to exist;

* understanding management's response to such conditions (including 
implementation of controls), if any; and

* assessing the nature and extent of the related inherent risk.

c. Nature of material transactions and accounts: The nature of an 
entity's transactions and accounts has a direct relation to the risk of 
errors or fraud. For example, accounts involving subjective management 
judgments, such as loss allowances, are usually of higher risk than 
those involving objective determinations.

INFORMATION SYSTEMS (IS) EFFECTS ON INHERENT RISK:

Information systems (IS) do not affect the audit objectives for an 
account or a cycle. However, IS can introduce inherent risk factors not 
present in a manual accounting system. The auditor should (1) consider 
each of the following IS factors and (2) assess the overall impact of 
IS processing on inherent risk. The impact of these factors typically 
will be pervasive in nature. An IS auditor may assist the auditor in 
considering these factors and making this assessment. More detail on 
assessing IS controls in a financial statement audit is available in 
FISCAM, and a flowchart of the steps to follow is in section 295 J.

a. Uniform processing of transactions: Because IS process groups of 
identical transactions consistently, any misstatements arising from 
erroneous computer programming will occur consistently in similar 
transactions. However, the possibility of random processing errors is 
reduced substantially in computer-based information systems.

b. Automatic processing: The information system may automatically 
initiate transactions or perform processing functions. Evidence of 
these processing steps (and any related controls) may or may not be 
visible.

c. Increased potential for undetected misstatements: Computers use and 
store information in electronic form and require less human involvement 
in processing. This increases the potential for individuals to gain 
unauthorized access to sensitive information and to alter data without 
visible evidence. Due to the electronic form, changes to computer 
programs and data are not readily detectible. Also, users may be less 
likely to challenge the reliability of computer output than manual 
reports.

d. Existence, completeness, and volume of the audit trail: The audit 
trail is the evidence that demonstrates how a specific transaction was 
initiated, processed, and summarized. For example, the audit trail for 
a purchase could include a purchase order, a receiving report, an 
invoice, invoice register (purchases summarized by day, month, and/or 
account), and general ledger postings from the invoice register. Some 
computerized financial management systems are designed so that the 
audit trail exists for only a short period (such as in on-line 
systems), only in an electronic format, or only in summary form. Also, 
the information generated may be too voluminous to allow effective 
manual review. For example, one posting to the general ledger may 
result from the computer summarization of information from hundreds of 
locations.

e. Nature of the hardware and software used in IS: The nature of the 
hardware and software can affect inherent risk, as illustrated below:

* The type of computer processing (on-line, batch-oriented, or 
distributed) presents different levels of inherent risk. For example, 
the inherent risk of unauthorized transactions and data entry errors 
may be greater for on-line processing than for batch-oriented 
processing.

* Peripheral access devices or system interfaces can increase inherent 
risk. For example, Internet and dial-up access to a system increases 
the system's accessibility to additional persons and therefore 
increases the risk of unauthorized access to computer resources.

* Distributed networks enable multiple computer processing units to 
communicate with each other, increasing the risk of unauthorized access 
to computer resources and possible data alteration. On the other hand, 
distributed networks may decrease the risk of conflicting computerized 
data between multiple processing units.

* Applications software developed in-house may have higher inherent risk 
than vendor-supplied software that has been thoroughly tested and is in 
general commercial use.

f. Unusual or nonroutine transactions: As with manual systems, unusual 
or nonroutine transactions increase inherent risk. Programs developed 
to process such transactions may not be subject to the same procedures 
as programs developed to process routine transactions. For example, the 
entity may use a utility program to extract specified information in 
support of a nonroutine management decision.
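
Added example (not part of the GAO manual): item d above describes the audit trail for a purchase as running from purchase order to receiving report, invoice, invoice register, and general ledger posting. The Python sketch below traces that chain over constructed sample records and reports each break; all record layouts, field names, and amounts are assumptions made for illustration.

```python
from collections import defaultdict
from decimal import Decimal as D

# Constructed sample data; identifiers and field names are hypothetical.
PURCHASE_ORDERS = {"PO-1": D("500.00"), "PO-2": D("1200.00"), "PO-3": D("75.00")}
RECEIVING_REPORTS = {"RR-1": "PO-1", "RR-2": "PO-2"}  # report -> purchase order
INVOICES = [
    {"id": "INV-1", "po": "PO-1", "amount": D("500.00"), "date": "2003-03-01", "account": "6100"},
    {"id": "INV-2", "po": "PO-2", "amount": D("1200.00"), "date": "2003-03-01", "account": "6100"},
    {"id": "INV-3", "po": "PO-3", "amount": D("75.00"), "date": "2003-03-02", "account": "6200"},
    {"id": "INV-4", "po": "PO-9", "amount": D("300.00"), "date": "2003-03-02", "account": "6100"},
]
INVOICE_REGISTER = [  # purchases summarized by day and account
    {"date": "2003-03-01", "account": "6100", "total": D("1700.00")},
    {"date": "2003-03-02", "account": "6200", "total": D("75.00")},
    {"date": "2003-03-02", "account": "6100", "total": D("300.00")},
    {"date": "2003-03-03", "account": "6100", "total": D("40.00")},  # no invoice behind it
]
GL_POSTINGS = [  # one posting per account and month, summarized from the register
    {"period": "2003-03", "account": "6100", "amount": D("2040.00")},
    {"period": "2003-03", "account": "6200", "amount": D("750.00")},  # register shows 75.00
]


def _totals(rows, key, field):
    """Sum `field` over rows, grouped by key(row)."""
    totals = defaultdict(D)
    for row in rows:
        totals[key(row)] += row[field]
    return totals


def _compare(level, summary, detail):
    """Report every key whose summarized amount differs from its detail."""
    breaks = []
    for key in sorted(set(summary) | set(detail)):
        s, d = summary.get(key, D(0)), detail.get(key, D(0))
        if s != d:
            breaks.append((level, key, f"summary {s} vs supporting detail {d}"))
    return breaks


def check_documents(invoices, purchase_orders, receiving_reports):
    """Each invoice needs a purchase order and a receiving report."""
    received = set(receiving_reports.values())
    breaks = []
    for inv in invoices:
        if inv["po"] not in purchase_orders:
            breaks.append(("document", inv["id"], f"no purchase order {inv['po']}"))
        elif inv["po"] not in received:
            breaks.append(("document", inv["id"], f"no receiving report for {inv['po']}"))
        elif inv["amount"] > purchase_orders[inv["po"]]:
            breaks.append(("document", inv["id"], "invoice exceeds purchase order"))
    return breaks


def check_register(invoices, register):
    """Each register line must equal the invoices for that day and account."""
    by_day = lambda r: (r["date"], r["account"])
    return _compare("register",
                    _totals(register, by_day, "total"),
                    _totals(invoices, by_day, "amount"))


def check_ledger(register, postings):
    """Each GL posting must equal the register lines for that month and account."""
    return _compare("ledger",
                    _totals(postings, lambda p: (p["period"], p["account"]), "amount"),
                    _totals(register, lambda r: (r["date"][:7], r["account"]), "total"))


def trace_audit_trail(invoices, purchase_orders, receiving_reports, register, postings):
    """Walk the trail from source documents up to the general ledger."""
    return (check_documents(invoices, purchase_orders, receiving_reports)
            + check_register(invoices, register)
            + check_ledger(register, postings))


if __name__ == "__main__":
    for level, key, detail in trace_audit_trail(
            INVOICES, PURCHASE_ORDERS, RECEIVING_REPORTS, INVOICE_REGISTER, GL_POSTINGS):
        print(level, key, detail)
```

In the sample data the general ledger posting for account 6100 agrees with the invoice register even though one register line has no invoice behind it, so a trail kept only in summary form would not reveal that break.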

FRAUD RISK FACTORS:

.18: 
The auditor is concerned with fraud that causes a material misstatement 
of the financial statements. Fraud is distinguished from error in that 
the action causing the misstatement in fraud is intentional. Two types 
of misstatements are relevant in the auditor's consideration of fraud 
in a financial statement audit--misstatements arising from fraudulent 
financial reporting and misstatements arising from misappropriation of 
assets.

.19: 
Misstatements arising from fraudulent financial reporting are 
intentional misstatements or omissions of amounts or disclosures in 
financial statements to deceive financial statement users. 
Misstatements arising from misappropriation of assets involve the theft 
of an entity's assets causing the financial statements not to be 
presented in conformity with GAAP.

.20: 
Both types of fraud usually involve a pressure or incentive to commit 
fraud and a perceived opportunity to do so. Many experts believe that 
fraud requires that both be present. Fraud may be concealed through 
falsified documentation. In a financial statement audit, the auditor 
does not have a responsibility to authenticate documents. Fraud also 
may involve collusion, which may cause evidence to appear persuasive 
when it is not. Although fraud is usually concealed, the presence of 
risk factors or other conditions may alert the auditor to a possibility 
of fraud. For example, documents may be missing or records out of 
balance. However, these conditions may be the result of errors rather 
than fraud.

Identification of Fraud Risk Factors:

.21: 
The auditor should specifically consider and document the risk of 
material misstatement of the financial statements due to fraud and keep 
the consideration in mind in designing audit procedures. Considering 
the risk of material fraud generally should be done concurrently with 
the consideration of inherent and control risk, but it should result in 
specific identification of fraud risk factors that are present and the 
auditor's response to the factors. Although fraud risk factors do not 
necessarily indicate the presence of fraud, they have often been found 
in situations where fraud has occurred.

.22: 
As part of the consideration of fraud risk, in addition to obtaining 
representations about fraud risk in the management representation 
letter (see section 1001), the auditor should inquire of management (a) 
to obtain management's understanding regarding the risk of fraud in the 
entity and (b) to learn whether management has knowledge of fraud 
perpetrated on or within the entity. In addition, if the entity has 
established a program to prevent, deter, and detect fraud, the auditor 
should ask the fraud prevention program managers whether the program 
has identified fraud risk factors.

.23: 
Inspectors general often report numerous cases of fraud and have 
significant experience in this area. The auditor should obtain 
information about instances of fraud identified by the IG, ask the 
Special Investigator Unit to summarize how cases of reported fraud were 
committed, and ask management whether controls have been strengthened, 
to consider whether there is a risk of material fraud.

.24: 
Fraud risk factors that relate to misstatements arising from fraudulent 
financial reporting may be grouped in three categories as follows:

* Industry conditions. These factors involve the economic and regulatory 
environment in which the entity operates.

* Operating characteristics and financial stability. These factors 
pertain to the nature and complexity of the entity and its 
transactions, the entity's financial condition, and its profitability.

* Management's characteristics and influence over the control 
environment. These factors pertain to management's abilities, 
pressures, style, and attitude relating to internal control and the 
financial reporting process.

The first two of these categories contain factors that are also 
inherent risk factors mentioned in the earlier paragraphs of this 
section and the third category contains factors that are also control 
risk factors as discussed in subsequent paragraphs. Examples of fraud 
risk factors in each of these three categories in the federal 
government are included in sections 295 A and B.

.25: Fraud risk factors that relate to misstatements arising from 
misappropriation of assets may be grouped in two categories as follows:

* Susceptibility of assets to misappropriation. These factors pertain to 
the nature of an entity's assets and the degree to which they are 
subject to theft.

* Controls. These factors involve the lack of controls designed to 
prevent or detect misappropriations of assets.

Examples of fraud risk factors in the first of these two categories in 
the federal government are also included in section 295 A, and examples 
of the second category are included in section 295 B.

.26: It is not necessary for the auditor to search for indications of 
financial or other stress on employees that might make them likely to 
commit fraud. However, if the auditor becomes aware of such 
information, he or she should keep it in mind in considering the risk 
of material misstatement due to fraud. Other similar information would 
include disgruntled employees, anticipated layoffs, and known unusual 
changes in behavior or lifestyle of employees with access to assets 
susceptible to misappropriation.

The Auditor's Response to the Fraud Risk Consideration:

.27: 
The risk of material misstatement due to fraud always exists to some 
degree. The auditor should decide whether the audit procedures already 
planned are sufficient to respond to the fraud risk factors found or 
whether there is a need to modify the planned audit procedures. If 
audit procedures need to be modified, the auditor should decide whether 
an overall response is appropriate or whether the response should be 
specific to a particular account balance, class of transactions, or 
assertion or whether both an overall and a specific response are called 
for. If it is not practicable, as part of a financial statement audit, 
to modify planned audit procedures sufficiently to address the fraud 
risk, the auditor should consider requesting assistance from the 
Special Investigator Unit. See section 290 for documentation 
requirements.

.28: 
The auditor may decide that an overall response covering one or more of 
the following is appropriate:

* Professional skepticism. Due professional care requires the exercise 
of professional skepticism--an attitude that includes a questioning mind 
and critical assessment of audit evidence. With an increased risk of 
material misstatement due to fraud, professional skepticism may cause 
the auditor to examine documentation of a different nature and greater 
extent in support of material transactions, or to corroborate 
management representations more extensively.

* Assignment of audit personnel. The qualifications and extent of 
supervision of personnel assigned on an audit generally should be 
commensurate with the level of fraud risk.

* Accounting principles and policies. With a greater risk of material 
misstatement due to fraud, the auditor may have a greater concern about 
whether management may apply accounting principles and policies in an 
inappropriate manner to create a material misstatement of the financial 
statements and may need to test more extensively.

* Controls. If increased fraud risk exists because of risk factors that 
have control implications, the auditor may have to assess control risk 
as high. However, understanding controls in this situation may be even 
more important than otherwise. The auditor generally should understand 
how controls (or lack thereof) relate to the fraud risk factors, while 
noting the extent of management's ability to override controls.

.29: Also in an overall response, the nature, timing, and extent of 
procedures related to certain accounts and assertions may be modified 
as follows:

* The nature may be changed to obtain more reliable evidence or further 
corroboration, such as from independent sources outside the entity. For 
example, physical observation of certain assets may become more 
important.

* The timing of substantive tests may be closer to or at year end.

* The extent of procedures may involve larger sample sizes or more 
extensive analytical procedures.

.30: 
The auditor may determine that a specific response is required due to 
the types of risk factors identified and the accounts and assertions 
that may be affected. Examples of specific responses are in section 295 
I.

.31: 
The consideration of fraud risk is a cumulative process that should be 
ongoing throughout the audit. Fraud risk factors may be identified at 
any time during the audit. Also, other conditions may be identified 
during fieldwork that change or support a judgment regarding fraud 
risk, such as discrepancies in the accounting records, conflicting or 
missing evidential matter, or problematic or unusual relationships 
between management and the auditor. Thus the auditor should continue to 
be aware of the risk of fraud, and at the conclusion of the audit, the 
auditor should consider whether the accumulated results of audit 
procedures and other observations affect the consideration of the risk 
of material misstatement due to fraud. (See section 540.)

CONTROL ENVIRONMENT FACTORS:

.32: As discussed in AU 319 (SAS 55 amended by SAS 78), control environment 
risk factors incorporate management's attitude, awareness, and actions 
concerning the entity's control environment. These factors include:

* integrity and ethical values,

* commitment to competence,

* management's philosophy and operating style,

* organizational structure,

* assignment of authority and responsibility,

* human resource policies and practices,

* management's control methods over budget formulation and execution,

* management's control methods over compliance with laws and 
regulations, and

* the functioning of oversight bodies (including congressional 
committees).

.33: The auditor should obtain sufficient knowledge of the control 
environment to determine whether the collective effect of these factors 
establishes, enhances, or mitigates the effectiveness of specific 
control activities. In making this determination, the auditor should 
consider the following factors and their effect on internal control. 
For each factor listed below, section 295 B lists conditions that may 
indicate control environment weaknesses.

a. Integrity and ethical values: Control effectiveness cannot rise above 
the integrity and ethical values of those who create, administer, and 
monitor the controls. Integrity and ethical values are essential 
elements of the control environment, affecting the design, 
administration, and monitoring of the other components. Integrity and 
ethical behavior result when the entity and its leaders have high 
ethical and behavioral standards and properly communicate them and 
reinforce them in practice. The standards include management's actions 
to remove or reduce incentives and temptations that might prompt 
personnel to engage in dishonest, illegal, or unethical acts. The 
communication of entity values and behavioral standards to personnel 
takes place through policy statements and codes of conduct and by 
example.

b. Commitment to competence: Competence is the knowledge and skills 
necessary to accomplish tasks required by an individual's job. 
Commitment to competence includes management's consideration of the 
competence levels for various jobs and the requisite skills and 
knowledge.

c. Management's philosophy and operating style: Management's philosophy 
and operating style encompass a broad range of beliefs, concepts, and 
attitudes. Such characteristics may include management's approach to 
taking and monitoring operational/program risks, attitudes and actions 
toward financial reporting, emphasis on meeting financial and operating 
goals, and management's attitude toward information processing, 
accounting, and personnel.

d. Organizational structure: An entity's organizational structure 
provides the overall framework for planning, directing, and controlling 
operations. The organizational structure should appropriately assign 
authority and responsibility within the entity. An organizational 
structure includes the form and nature of an entity's organizational 
units, including the data processing organization, and related 
management functions and reporting relationships.

e. Assignment of authority and responsibility: An entity's policies or 
procedures for assigning authority for operating activities and for 
delegating responsibility affect the understanding of established 
reporting relationships and responsibilities. This factor includes 
policies relating to appropriate business practices, knowledge and 
experience of key personnel, and resource allocations. It also includes 
policies and communications to ensure that all personnel understand the 
entity's objectives, how they contribute to these objectives, and how 
and for what they will be held accountable.

f. Human resource policies and practices: Human resource policies and 
practices affect an entity's ability to employ sufficient competent and 
trustworthy personnel to accomplish its goals and objectives. Such 
policies and practices include hiring, training, evaluating, promoting, 
compensating, and assisting employees in the performance of their 
assigned responsibilities by giving them the necessary resources.

g. Management's control methods over budget formulation and execution: 
Management's budget control methods affect the authorized use of 
appropriated funds. Budget formulation is discussed in more detail in 
paragraph 260.51, and controls over budget execution (budget controls) 
are addressed in more detail in section 300.

h. Management's control methods over compliance with laws and 
regulations: Such methods have a direct impact on an entity's 
compliance with applicable laws and regulations. (Compliance controls 
are addressed in more detail in section 300).

i. The functioning of oversight groups: An entity's oversight groups 
typically are responsible for overseeing both business activities and 
financial reporting. The effectiveness of an oversight group is 
influenced by its authority and its role in overseeing the entity's 
business activities. In the federal government, oversight groups are 
the Congress and the central agencies (OMB, Treasury, GSA, OPM, and 
GAO). Within agencies, senior management councils may also have a role 
in overseeing operations and programs.

RISK ASSESSMENT FACTORS:

.34: Risk assessment is an entity's internal process for identifying, 
analyzing, and managing risks relevant to achieving the objectives of 
reliable financial reporting, safeguarding of assets, and compliance 
with budget and other laws and regulations. For example, risk 
assessment may address how the entity analyzes significant estimates 
recorded in the financial statements or how it considers the 
possibility of unrecorded transactions. Risks can arise due to both 
internal and external circumstances such as:

* changes in the operating or statutory environment,

* new personnel who may have a different focus on internal control,

* new or significantly changed information systems,

* rapid growth of programs which can strain controls,

* new technology which may change risks,

* new programs or activities which may introduce new control risks,

* restructurings or budget cutbacks which may include downsizing and 
changes in supervision and segregation of duties, or

* adoption of new accounting principles which may affect risks in 
preparing financial statements.

.35: The auditor should gain sufficient knowledge of the entity's risk 
assessment process to understand how management considers risks 
relevant to the objectives of financial reporting (including 
safeguarding) and compliance with budget and other laws, and decides 
what actions to take. This understanding may include how management 
identifies risks, estimates their significance, assesses the likelihood 
of occurrence, and relates them to financial reporting.

COMMUNICATION FACTORS:

.36: 
Communication involves providing an understanding of individual roles 
and responsibilities pertaining to internal control. It includes the 
extent to which personnel understand how their activities relate to the 
work of others and the means of reporting exceptions to an appropriate 
higher level within the entity. Open communication channels help ensure 
that exceptions are reported and acted on. Communication takes such 
forms as policy manuals, accounting and financial reporting manuals, 
and memoranda. Communication also may be electronic, oral, and through 
the actions of management in demonstrating acceptable behavior.

.37: 
The auditor should obtain sufficient knowledge of the means the entity 
uses to communicate roles and responsibilities for, and significant 
matters relating to, financial reporting, safeguarding, and compliance 
with budget and other laws and regulations.

MONITORING FACTORS:

.38: 
Monitoring is the process by which management assesses the quality of 
internal control performance over time. This may include ongoing 
activities, such as regular management and supervision, or 
communications from external parties, such as customer complaints or 
regulator comments that may indicate areas in need of improvement. This 
also may include separate evaluations, such as FMFIA work and IG or 
internal auditor work, or a combination of ongoing activities and 
separate evaluations.

.39: 
The auditor should gain sufficient knowledge of the major types of 
activities the entity uses to monitor internal control over financial 
reporting, including safeguarding, and compliance with budget and other 
laws and regulations and how those activities are used to initiate 
corrective actions.

.40: The IG's office or internal audit is often an important part of 
monitoring. The IG's office is responsible for (1) conducting and 
supervising audits and investigations relating to programs and 
operations, (2) providing leadership and coordination, including 
recommending policies for programs and operations, and (3) keeping the 
entity head and the Congress informed about problems and deficiencies, 
including the progress of corrective actions. The auditor should assess 
the effectiveness of the IG or internal audit as a monitoring control. 
However, if the auditor is the IG, the office should not attempt to 
assess its effectiveness as a control. Evaluating an IG's office or 
internal audit includes consideration of its authority and reporting 
relationships, the qualifications of its staff, and its resources. (In 
using the work of the IG or internal auditors, refer to section 650.)

IS EFFECTS ON THE CONTROL ENVIRONMENT, RISK ASSESSMENT, COMMUNICATION, 
AND MONITORING:

.41: IS affects the effectiveness of the control environment, risk 
assessment, communication, and monitoring. For example, controls that 
normally would be performed by separate individuals in manual systems 
may be concentrated in one computer application and pose a potential 
segregation-of-duties problem.

.42: The auditor should consider the following IS factors in making an 
overall assessment of the control environment, risk assessment, 
communication, and monitoring. An IS auditor may assist the auditor in 
considering these factors:

a. Management's attitudes and awareness with respect to IS: Management's 
interest in and awareness of IS functions is important in establishing 
an organizationwide consciousness of control issues. Management may 
demonstrate such interest and awareness by:

* considering the risks and benefits of computer applications;

* communicating policies regarding IS functions and responsibilities;

* overseeing policies and procedures for developing, modifying, 
maintaining, and using computers and for controlling access to programs 
and files;

* considering the inherent and control risk, including fraud risk, 
related to IS;

* responding to previous recommendations or concerns;

* quickly and effectively planning for, and responding to, computerized 
processing crises; and

* depending on computer-generated information for key operating 
decisions.

b. Organization and structure of the IS function: The organizational 
structure affects the control environment. Centralized structures often 
have a single computer processing organization and use a single set of 
system and applications software, enabling tighter management control 
over IS. In decentralized structures, each computer center generally 
has its own computer processing organization, application programs, and 
system software, which may result in differences in policies and 
procedures and various levels of compliance at each location.

c. Clearly defined assignment of responsibilities and authority: 
Appropriate assignment of responsibility according to typical IS 
functional areas can affect the control environment. Factors to 
consider include:

* how the position of the Chief Information Officer (CIO) fits into the 
organizational structure;

* whether duties are appropriately segregated within the IS function, 
since lack of segregation typically affects all systems;

* the extent to which management external to the IS function is involved 
in major systems development decisions; and

* the extent to which policies, standards, and procedures are documented, 
understood, followed, and enforced.

d. Management's ability to identify and to respond to potential risk: 
Computer processing, by its nature, introduces additional risk factors. 
The entity should be aware of these risks and should develop 
appropriate policies and procedures to respond to any IS issues that 
might occur. Factors to consider include:

* the methods for monitoring incompatible functions and for enforcing 
segregation of duties and

* management's mechanism for identifying and responding to unusual or 
exceptional conditions.

FEDERAL MANAGERS' FINANCIAL INTEGRITY ACT OF 1982:

.43: 
In considering the control environment, risk assessment, communication, 
and monitoring, the auditor should assess the quality of the FMFIA 
process to provide evidence of management's control consciousness and 
the overall quality of the control environment, risk assessment, 
communication, and monitoring. In this regard, the quality of the FMFIA 
process is a good indicator of management's (1) philosophy and 
operating style, (2) assignment of authority and responsibility, and 
(3) control methods for monitoring and follow-up. The FMFIA process 
also may be the basis for management's assertion about the 
effectiveness of internal control (section 2) and about the entity's 
financial management systems' substantial compliance with FFMIA 
requirements (section 4).

.44: 
In considering the quality of the FMFIA process, the auditor generally 
should perform the following procedures. If the entity does not issue 
its own FMFIA report, the auditor should perform the following with 
respect to information the entity contributes to the FMFIA report in 
which the entity is included.

Read:

* the FMFIA report,

* important workpapers prepared by the entity in support of the FMFIA 
report,

* IG reports on FMFIA compliance,

* OMB's most recent annual letter concerning FMFIA reporting, and

* management's description of the FMFIA process.

Discuss the FMFIA process with appropriate entity management (including 
management's opinion of the quality of the process).

Understand:

* how the FMFIA process is organized;

* who is assigned to manage the process, including the staffing level, 
experience and qualifications of assigned personnel, and reporting 
responsibilities; and

* how the process finds and evaluates weaknesses.

Identify the entity's actions on previously reported weaknesses and 
examine agency documentation that demonstrates the results/
effectiveness of those actions.

Determine whether the audit finds different issues from those 
identified in the FMFIA process. (If so, see section 580 for reporting 
on FMFIA.)

.45: 
In assessing the quality of the FMFIA process, the auditor should 
consider whether management procedures and supporting documentation are 
sufficient to (1) provide management with reasonable assurance that 
FMFIA objectives have been achieved and (2) meet OMB requirements. This 
assessment is based on the auditor's overview and is not a result of 
extensive tests. Factors for the auditor to consider may include:

* evidence of efforts to rectify previously identified material 
weaknesses;

* management's commitment of resources to the FMFIA process, as 
reflected in the skills, objectivity, and number of personnel 
assigned to manage the process;

* extent to which management's methodology and assessment process 
conform to the guidance in Circulars A-123 (June 21, 1995) and A-127 
(July 23, 1993 and revisions in Transmittal Memorandum No. 2, dated 
June 10, 1999) and related OMB guidelines;

* IG and internal auditor involvement (if any);

* the process used to identify and screen material weaknesses as FMFIA 
reports are consolidated and moved up the entity's hierarchy; and

* the sources that identify material weaknesses, since items 
identified by management personnel, rather than from IG, GAO, or 
other external reports, demonstrate that the process can detect and 
report weaknesses.

.46: 
The auditor's assessment of the quality of the FMFIA process will 
affect the auditor's ability to use information in the FMFIA report and 
supporting documentation when identifying risks, testing controls, and 
preparing workpapers. The higher the quality of the FMFIA process, the 
more likely the auditor will be able to use the FMFIA findings in the 
financial audit. The auditor should document the assessment of the 
quality of the FMFIA process in the audit workpapers. Regardless, any 
material weaknesses identified in the FMFIA report should be considered 
in considering risk.

.47: 
The reliance that the auditor places on management's FMFIA work depends 
on a number of factors as discussed in FAM 650 (under revision).

Federal Financial Management Improvement Act of 1996:

.48: 
As part of its FMFIA work, management determines whether its financial 
management systems comply with the requirements found in OMB 
Circular A-127, Financial Management Systems. Under FFMIA, the auditor 
is required to report whether the financial management systems 
substantially comply with those requirements. Further, OMB issues 
guidance that agencies and auditors should consider when addressing 
compliance with FFMIA.

.49: 
During the planning phase, the auditor generally should understand what 
management did to determine that the entity's systems were in 
substantial compliance in order to report under FMFIA. The entity may 
have used the OMB FFMIA guidance, the GAO Financial Management Series 
of checklists for Systems Reviewed Under the Federal Financial 
Management Improvement Act of 1996, the draft JFMIP Financial 
Management Systems Compliance Review Guide 
(http://www.financenet.gov/financenet/fed/jfmip/fmscrg.pdf), or other 
tools. The auditor generally should review this documentation in the 
internal control phase of the audit to determine the degree to which he 
or she may rely on it as discussed in section 650 (under revision). 
(See section 320.)

.50: 
If the entity previously had an assessment made of its financial 
management systems' substantial compliance with these requirements that 
resulted in lack of substantial compliance, the auditor should read the 
remediation plan required by FFMIA and note whether the plan appears 
feasible and likely to remedy the deficiencies.

BUDGET FORMULATION:

.51: While assessing the control environment, risk assessment, 
communication, and monitoring, the auditor should obtain an overall 
understanding of the budget formulation process. The auditor does this 
to understand better how misstatements and internal control weaknesses 
affect the budget formulation process and, possibly, to consider the 
budget process as a control. Based on discussions with entity 
management responsible for the budget formulation process and review of 
budget documents, the auditor should consider:

* the entity's process for developing and summarizing the budget,

* the nature and sufficiency of instructions and training provided to 
individuals responsible for developing the budget,

* the extent that individuals involved in approving budget requests are 
also involved in the budget formulation process,

* the general extent to which the budget is based on historical 
information,

* the reliability of information on which the budget is based,

* the extent to which the budget formulation system is integrated with 
the budget execution system, and

* the extent of correlation between information developed in the budget 
formulation process and the allotments and suballotments in the budget 
execution system.

[End of section]

270 - DETERMINE LIKELIHOOD OF EFFECTIVE INFORMATION SYSTEM CONTROLS:

.01: 
Controls are considered IS controls if their effectiveness depends on 
computer processing. In the planning phase, the auditor (with the 
assistance of the IS auditor and using FISCAM or another appropriate 
methodology) should determine whether IS controls are likely to be 
effective and should therefore be considered in the internal control 
phase. The auditor may coordinate work done to meet the requirements of 
Division A, Title X, Subtitle G (Government Information Security 
Reform) of the National Defense Authorization Act for Fiscal Year 2001 
(P.L. 106-398) with work done as part of the financial statement audit. 
(See section 295 J for a flowchart of steps in assessing IS controls in 
a financial statement audit.) The procedures to be performed build on 
those procedures performed while understanding the entity's operations 
and assessing the effects of IS on inherent risk and the control 
environment, risk assessment, communication, and monitoring. AU 319 
(SAS 55, as amended by SAS 78 and SAS 94) requires the auditor to 
sufficiently understand each of the five components of internal 
control--control environment, risk assessment, information and 
communications, monitoring, and control activities--to plan the audit. 
This understanding should include relevant IS aspects.

.02: 
Computerized financial management systems are used extensively in the 
federal government. While many of these systems are mainframe based, 
numerous other technologies also exist. Some of these systems share 
programs and data files with one another. Others may be networked into 
major subsystems. In addition to producing financial and accounting 
information, such systems typically generate other information used in 
management decision-making.

.03: 
As discussed in paragraph 260.06, the auditor evaluates and tests the 
following types of controls in a financial statemen