This is the accessible text file for GAO report number GAO-08-210G entitled 'Government Auditing Standards: Implementation Tool: Professional Requirements Tool for Use in Implementing Requirements Identified by "Must" and "Should" in the July 2007 Revision of Government Auditing Standards' which was released on January 2, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: Government Auditing Standards: Implementation Tool: Professional Requirements Tool for Use in Implementing Requirements Identified by "Must" and "Should" in the July 2007 Revision of Government Auditing Standards: This Professional Requirements Tool lists the requirements for audit organizations and auditors included in the July 2007 Revision of Generally Accepted Government Auditing Standards (GAGAS), also commonly known as the Yellow Book. This tool lists professional responsibilities that are specifically identified in the standards by the words "must" and "should." This tool is divided into four sections. The general requirements section contains entity-wide requirements for the audit organization and is intended for use in addition to the specific sections for financial audits, attestation engagements, and performance audits, which contain engagement-specific requirements for the auditors conducting the engagement. Audit organizations and auditors should also refer to the complete text of the July 2007 Revision of GAGAS to understand the context for those requirements along with related guidance. This tool was prepared by GAO's government auditing standards staff to facilitate audit organizations' and auditors' implementation of the standards, and does not represent additional standards or requirements. The staff welcomes your feedback and comments. If you have questions or comments related to this tool, please contact Heather Keister, at (202) 512-2943 or keisterh@gao.gov. For other questions on GAGAS, please contact us at yellowbook@gao.gov. Signed by: Jeanette M. Franzel: Director, Financial Management and Assurance: Contents: Background: General Requirements For Audit Organizations: Specific Requirements For Financial Audits: Specific Requirements For Attestation Engagements: Specific Requirements For Performance Audits: Background: In July 2007, the Comptroller General issued a major revision to Government Auditing Standards.[Footnote 1] The July 2007 Revision uses clarified language to define the auditors' level of responsibility and distinguish between auditor requirements and additional guidance. As described in the July 2007 Revision (paragraphs 1.05 through 1.08), GAGAS use two categories of professional requirements to describe the degree of responsibility for auditors and audit organizations, as follows: * Unconditional requirements: Auditors and audit organizations are required to comply with an unconditional requirement in all cases in which the circumstances exist to which the unconditional requirement applies. GAGAS use the words must or is required to specify an unconditional requirement. * Presumptively mandatory requirements: Auditors and audit organizations are also required to comply with a presumptively mandatory requirement in all cases in which the circumstances exist to which the presumptively mandatory requirement applies; however, in rare circumstances, auditors and audit organizations may depart from a presumptively mandatory requirement provided they document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the objectives of the presumptively mandatory requirement. GAGAS use the word should to specify a presumptively mandatory requirement. For financial audits and attestation engagements, GAGAS incorporates the AICPA field work and reporting standards and the related Statements on Auditing Standards (SAS) and Statements on Standards for Attestation Engagements (SSAE). Therefore, in addition to the requirements contained in this tool, documentation of compliance with the requirements in the AICPA field work and reporting standards is required for financial audits and attestation engagements conducted in accordance with GAGAS. This tool is intended to assist auditors with documenting compliance with GAGAS. The columns to the right of the requirements may be used for auditor notations to indicate the location of audit documentation that supports compliance with the GAGAS requirement. The words "must" and "should" that are applicable to each section are bolded and underlined in this tool for emphasis. Explanatory material that identifies or describes other procedures does not represent a professional requirement for the audit organization or auditor to perform such procedures. How and whether to carry out such procedures depends on the exercise of professional judgment consistent with the objective of the standard. This tool does not include explanatory material from the July 2007 Revision of Government Auditing Standards. Therefore, audit organizations and auditors should read the entire text of the July 2007 Revision of GAGAS, including the explanatory material when planning the audit and making professional judgments about compliance with professional requirements. General Requirements for Audit Organizations: General Requirements - Audit organizations: Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.33: GAGAS do not cover professional services other than audits or attestation engagements (nonaudit services)...Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.34: Audit organizations that provide nonaudit services must evaluate whether providing nonaudit services creates an independence impairment either in fact or appearance with respect to the entities they audit... Must: [Empty] Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Independence; 3.02: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence; Must: [Empty] Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Independence; 3.03: Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work; Must: [Empty] Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Independence; 3.04: When evaluating whether independence impairments exist either in fact or appearance with respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence--personal, external, and organizational. [Footnote not shown.] If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work--except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Independence; 3.06: If an impairment to independence is identified after the audit report is issued, the audit organization should assess the impact on the audit. If the audit organization concludes that it did not comply with GAGAS, it should determine the impact on the auditors' report and notify entity management, those charged with governance, the requesters, or regulatory agencies that have jurisdiction over the audited entity and persons known to be using the audit report about the independence impairment and the impact on the audit. The audit organization should make such notifications in writing; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Personal Impairments; 3.08: Audit organizations and auditors may encounter many different circumstances or combinations of circumstances that could create a personal impairment. Therefore, it is impossible to identify every situation that could result in a personal impairment. Accordingly, audit organizations should include as part of their quality control system procedures to identify personal impairments and help ensure compliance with GAGAS independence requirements. At a minimum, audit organizations should: a. establish policies and procedures to identify, report, and resolve personal impairments to independence, b. communicate the audit organization's policies and procedures to all auditors in the organization and promote understanding of the policies and procedures, c. establish internal policies and procedures to monitor compliance with the audit organization's policies and procedures, d. establish a disciplinary mechanism to promote compliance with the audit organization's policies and procedures, e. stress the importance of independence and the expectation that auditors will always act in the public interest, and; f. maintain documentation of the steps taken to identify potential personal independence impairments; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Personal Impairments; 3.09: When the audit organization identifies a personal impairment to independence prior to or during an audit, the audit organization should take action to resolve the impairment in a timely manner. … If the personal impairment cannot be eliminated, the audit organization should withdraw from the audit. In situations in which auditors employed by government entities cannot withdraw from the audit, they should follow paragraph 3.04; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Impairments; 3.10: Audit organizations must be free from external impairments to independence. Factors external to the audit organization may restrict the work or interfere with auditors' ability to form independent and objective opinions, findings, and conclusions. External impairments to independence occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organizations...; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Impairments; 3.11: Audit organizations should include policies and procedures for identifying and resolving external impairments as part of their quality control system for compliance with GAGAS independence requirements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence; 3.12: The ability of audit organizations in government entities to perform work and report the results objectively can be affected by placement within government, and the structure of the government entity being audited. Whether reporting to third parties externally or to top management within the audited entity internally, audit organizations must be free from organizational impairments to independence with respect to the entities they audit. Impairments to organizational independence result when the audit function is organizationally located within the reporting line of the areas under audit or when the auditor is assigned or takes on responsibilities that affect operations of the area under audit; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence for External Audit Functions; 3.15:..For an external audit organization to be considered free from organizational impairments under a structure different from the ones [government entity structures] listed in paragraphs 3.13 and 3.14, the audit organization should have all of the following safeguards. In such situations, the audit organization should document how each of the following safeguards were satisfied and provide the documentation to those performing quality control monitoring and to the external peer reviewers to determine whether all the necessary safeguards have been met: a. statutory protections that prevent the audited entity from abolishing the audit organization; b. statutory protections that require that if the head of the audit organization is removed from office, the head of the agency report this fact and the reasons for the removal to the legislative body; c. statutory protections that prevent the audited entity from interfering with the initiation, scope, timing, and completion of any audit; d. statutory protections that prevent the audited entity from interfering with audit reporting, including the findings and conclusions or the manner, means, or timing of the audit organization's reports; e. statutory protections that require the audit organization to report to a legislative body or other independent governing body on a recurring basis; f. statutory protections that give the audit organization sole authority over the selection, retention, advancement, and dismissal of its staff; and; g. statutory access to records and documents related to the agency, program, or function being audited and access to government officials or other individuals as needed to conduct the audit. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence for Internal Audit Functions; 3.17: The internal audit organization should report regularly to those charged with governance; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence for Internal Audit Functions; 3.19: The internal audit organization should document the conditions that allow it to be considered free of organizational impairments to independence for internal reporting and provide the documentation to those performing quality control monitoring and to the external peer reviewers to determine whether all the necessary safeguards have been met; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence When Performing Nonaudit Services; 3.20:...Audit organizations that provide nonaudit services must evaluate whether providing the services creates an independence impairment either in fact or appearance with respect to entities they audit. [Footnote not shown.]...; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence When Performing Nonaudit Services; 3.21: Audit organizations in government entities generally have broad audit responsibilities and, therefore, should establish policies and procedures for accepting engagements to perform nonaudit services so that independence is not impaired with respect to entities they audit...Independent public accountants may provide audit and nonaudit services (commonly referred to as consulting) under contractual commitments to an entity and should determine whether nonaudit services they have provided or are committed to provide have a significant or material effect on the subject matter of the audits; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Overarching Independence Principles; 3.22: The following two overarching principles apply to auditor independence when assessing the impact of performing a nonaudit service for an audited program or entity: (1) audit organizations must not provide nonaudit services that involve performing management functions or making management decisions and (2) audit organizations must not audit their own work or provide nonaudit services in situations in which the nonaudit services are significant or material to the subject matter of the audits. [Footnote not shown.]; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Overarching Independence Principles; 3.23: In considering whether audits performed by the audit organization could be significantly or materially affected by the nonaudit service, audit organizations should evaluate (1) ongoing audits; (2) planned audits; (3) requirements and commitments for providing audits, which includes laws, regulations, rules, contracts, and other agreements; and (4) policies placing responsibilities on the audit organization for providing audit services; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Overarching Independence Principles; 3.24: If requested [footnote not shown] to perform nonaudit services that would impair the audit organization's ability to meet either or both of the overarching independence principles for certain types of audit work, the audit organization should inform the requestor and the audited entity that performing the nonaudit service would impair the auditors' independence with regard to subsequent audit or attestation engagements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Supplemental Safeguards for Maintaining Auditor Independence When Performing Nonaudit Services; 3.30: Performing nonaudit services described in paragraph 3.28 will not impair independence if the overarching independence principles stated in paragraph 3.22 are not violated. For these nonaudit services, the audit organization should comply with each of the following safeguards: a. document its consideration of the nonaudit services, including its conclusions about the impact on independence; b. establish in writing an understanding with the audited entity regarding the objectives, scope of work, and product or deliverables of the nonaudit service; and management's responsibility for (1) the subject matter of the nonaudit services, (2) the substantive outcomes of the work, and (3) making any decisions that involve management functions related to the nonaudit service and accepting full responsibility for such decisions; c. exclude personnel who provided the nonaudit services from planning, conducting, or reviewing audit work in the subject matter of the nonaudit service; [footnote not shown] and; d. do not reduce the scope and extent of the audit work below the level that would be appropriate if the nonaudit service were performed by an unrelated party; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Competence; 3.41: The audit organization's management should assess skill needs to consider whether its workforce has the essential skills that match those necessary to fulfill a particular audit mandate or scope of audits to be performed. Accordingly, audit organizations should have a process for recruitment, hiring, continuous development, assignment, and evaluation of staff to maintain a competent workforce. The nature, extent, and formality of the process will depend on various factors such as the size of the audit organization, its structure, and its work; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Continuing Professional Education; 3.48: Improving their own competencies and meeting CPE requirements are primarily the responsibilities of individual auditors. The audit organization should have quality control procedures to help ensure that auditors meet the continuing education requirements, including documentation of the CPE completed...; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Quality Control and Assurance; 3.50: Each audit organization performing audits or attestation engagements in accordance with GAGAS must: a. establish a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and; b. have an external peer review at least once every 3 years.[35]. [35] An audit organization's noncompliance with the peer review requirements (paragraph 3.50b and 3.55 through 3.60) results in a modified GAGAS compliance statement. The audit organization's compliance (or noncompliance) with the requirements for a system of quality control in paragraphs 3.50a and 3.51 through 3.54 are tested and reported on as part of the peer review process and do not impact the GAGAS compliance statement...; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; System of Quality Control; 3.52: Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization's compliance with its quality control policies and procedures...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; System of Quality Control; 3.53 An audit organization should include policies and procedures in its system of quality control that collectively address: a. Leadership responsibilities for quality within the audit organization: Policies and procedures that designate responsibility for quality of audits and attestation engagements performed under GAGAS and communication of policies and procedures relating to quality...; b. Independence, legal, and ethical requirements: Policies and procedures designed to provide reasonable assurance that the audit organization and its personnel maintain independence, and comply with applicable legal and ethical requirements. [Footnote not shown.]; c. Initiation, [footnote not shown] acceptance, and continuance of audit and attestation engagements: Policies and procedures for the initiation, acceptance, and continuance of audit and attestation engagements, designed to provide reasonable assurance that the audit organization will undertake audit engagements only if it can comply with professional standards and ethical principles and is acting within the legal mandate or authority of the audit organization; d. Human resources: Policies and procedures designed to provide the audit organization with reasonable assurance that it has personnel with the capabilities and competence to perform its audits in accordance with professional standards and legal and regulatory requirements. [Footnote not shown.]; e. Audit and attestation engagement performance, documentation, and reporting: Policies and procedures designed to provide the audit organization with reasonable assurance that audits and attestation engagements are performed and reports are issued in accordance with professional standards and legal and regulatory requirements...; f. Monitoring of quality: An ongoing, periodic assessment of work completed on audits and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice...The audit organization should perform monitoring procedures that enable it to assess compliance with applicable professional standards and quality control policies and procedures for GAGAS audits. Individuals performing monitoring should collectively have sufficient expertise and authority for this role; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; System of Quality Control; 3.54 The audit organization should analyze and summarize the results of its monitoring procedures at least annually, with identification of any systemic issues needing improvement, along with recommendations for corrective action. (Under GAGAS, reviews of the work and the report that are performed as part of supervision are not monitoring controls when used alone. However, these types of pre-issuance reviews may be used as a part of this analysis and summary.); Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.55 Audit organizations performing audits and attestation engagements in accordance with GAGAS must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years. [Footnote not shown.]; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.56 The audit organization should obtain an external peer review sufficient in scope to provide a reasonable basis for determining whether, for the period under review, [footnote not shown] the reviewed audit organization's system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.57: The peer review team should include the following elements in the scope of the peer review: a. review of the audit organization's quality control policies and procedures; b. consideration of the adequacy and results of the audit organization's internal monitoring procedures; c. review of selected audit and attestation engagement reports and related documentation; d. review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files; and; e. interviews with a selection of the reviewed audit organization's professional staff at various levels to assess their understanding of and compliance with relevant quality control policies and procedures; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.58: The peer review team should perform a risk assessment to help determine the number and types of engagements to select. Based on the risk assessment, the team should use one or a combination of the following approaches to selecting individual audits and attestation engagements for review: (1) select GAGAS audits and attestation engagements that provide a reasonable cross-section of the GAGAS assignments performed by the reviewed audit organization or (2) select audits and attestation engagements that provide a reasonable cross- section from all types of work subject to the reviewed audit organization's quality control system, including one or more assignments performed in accordance with GAGAS. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.59: The peer review team should prepare one or more written reports communicating the results of the peer review, including the following: a. description of the scope of the peer review, including any limitations; b. an opinion on whether the system of quality control of the reviewed audit organization's audit and/or attestation engagement practices was adequately designed and compiled with during the period reviewed to provide the audit organization with reasonable assurance of conforming with applicable professional standards; c. specification of the professional standards to which the reviewed audit organization is being held; d. for modified or adverse opinions, [footnote not shown] a description of reasons for the modification or adverse opinion, along with a detailed description of the findings and recommendations, in the peer review report, to enable the reviewed audit organization to take appropriate actions; and; e. reference to a separate letter of comments, if such a letter is issued; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.60: The peer review team should meet the following criteria: a. The review team collectively has current knowledge of GAGAS and government auditing; b. The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its staff, and the audits and attestation engagements selected for the peer review; c. The review team collectively has sufficient knowledge of how to perform a peer review. Such knowledge may be obtained from on-the-job training, training courses, or a combination of both. Having personnel on the peer review team with prior experience on a peer review or internal inspection team is desirable; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.61: An external audit organization [footnote not shown] should make its most recent peer review report[45] publicly available; for example, by posting the peer review report on an external Web site or to a publicly available file designed for public transparency of peer review results. If neither of these options is available to the audit organization, then it should use the same transparency mechanism it uses to make other information public, and also provide the peer review report to others upon request. Internal audit organizations that report internally to management should provide a copy of the external peer review report to those charged with governance. Government audit organizations should also communicate the overall results and the availability of their external peer review reports to appropriate oversight bodies. [45] This requirement does not include the letter of comment; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.62:...audit organizations seeking to enter into a contract to perform an audit or attestation engagement in accordance with GAGAS should provide the following to the party contracting for such services: a. the audit organization's most recent peer review report and any letter of comment, and; b. any subsequent peer review reports and letters of comment received during the period of the contract; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; 3.63:...Auditors who are using another audit organization's work should request a copy of the audit organization's latest peer review report and any letter of comment, and the audit organization should provide these documents when requested...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Government Auditing Standards; Audit Documentation; 4.22: Audit organizations should establish policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for record retention...For audit documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the audit documentation; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Government Auditing Standards; Audit Documentation; 4.24: Audit organizations should develop policies to deal with requests by outside parties to obtain access to audit documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the audited entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Distributing Reports; 5.44: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report; c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Attest Documentation; 6.24: Audit organizations should establish policies and procedures for the safe custody and retention of documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention...For attest documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the attest documentation; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Attest Documentation; 6.26: Audit organizations should develop policies to deal with requests by outside parties to obtain access to attest documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Distributing Reports; 6.56: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the entity and the nature of the information contained in the report. If the subject matter or the assertion involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute reports to those charged with governance, to the appropriate entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report; c. Public accounting firms contracted to perform an engagement under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracting firm is to make the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.82: Audit organizations should establish policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention...For audit documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the audit documentation; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.84: Audit organizations should develop policies to deal with requests by outside parties to obtain access to audit documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the audited entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits. Distributing Reports; 8.43: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. … Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users of the report; c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. Specific Requirements for Financial Audits: GAGAS incorporate the AICPA field work and reporting standards and the related Statements on Auditing Standards (SAS). The requirements listed in this professional requirements tool for financial audits represent the supplemental GAGAS requirements for financial audits. In addition to the requirements contained in this tool, documentation of compliance with the requirements in the AICPA field work and reporting standards is required for financial audits conducted in accordance with GAGAS. Auditors are advised to refer to the entire text of both GAGAS and the AICPA field work and reporting standards and the related Statements on Auditing Standards to obtain a comprehensive understanding of all the requirements for financial audits conducted in accordance with GAGAS. See paragraph 4.01a. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.11 When auditors are required to follow GAGAS or are representing to others that they followed GAGAS, they should follow all applicable GAGAS requirements and should refer to compliance with GAGAS in the auditors' report as set forth in paragraphs 1.12 and 1.13; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.12: Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS audits and attestation engagements, as appropriate. [Footnote not shown.]; a. Unmodified GAGAS compliance statement: Stating that the auditor performed the audit or attestation engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed all applicable unconditional and presumptively mandatory GAGAS requirements, or (2) have followed all unconditional requirements and documented justification for any departures from applicable presumptively mandatory requirements, and have achieved the objectives of those requirements through other means; b. Modified GAGAS compliance statement: Stating either that (1) the auditor performed the audit or attestation engagement in accordance with GAGAS, except for specific applicable requirements that were not followed or, (2) because of the significance of the departure(s) from the requirements, the auditor was unable to and did not perform the audit or attestation engagement in accordance with GAGAS. Situations when auditors use modified compliance statements include scope limitations, such as restrictions on access to records, government officials, or other individuals needed to conduct the audit. When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirements affected, or could have affected, the audit and the assurance provided; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.13: When auditors do not comply with any applicable requirements, they should (1) assess the significance of the noncompliance to the audit objectives, (2) document the assessment, along with their reasons for not following the requirement, and (3) determine the type of GAGAS compliance statement. [Footnote not shown.] The auditors' determination will depend on the significance of the requirements not followed in relation to the audit objectives; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Relationship between GAGAS and Other Professional Standards; 1.14: Auditors may use GAGAS in conjunction with professional standards issued by other authoritative bodies. Auditors may also cite the use of other standards in their audit reports, as appropriate. If the auditor is citing compliance with GAGAS and inconsistencies exist between GAGAS and other standards cited, the auditor should use GAGAS as the prevailing standard for conducting the audit and reporting the results; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; 1.19: In some audits and attestation engagements, the standards applicable to the specific audit objective will be apparent...However, some engagements may have multiple or overlapping objectives...In cases in which there is a choice between applicable standards, auditors should evaluate users' needs and the auditors' knowledge, skills, and experience in deciding which standards to follow; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.33: GAGAS do not cover professional services other than audits or attestation engagements (nonaudit services). … Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Independence; 3.02: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Independence; 3.03: Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Independence; 3.04: When evaluating whether independence impairments exist either in fact or appearance with respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence--personal, external, and organizational. [Footnote not shown.] If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work--except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Independence; 3.05: When auditors use the work of a specialist, [footnote not shown] auditors should assess the specialist's ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit. If the specialist's independence is impaired, auditors should not use the work of that specialist; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Personal Impairments; 3.07: Auditors participating on an audit assignment must be free from personal impairments to independence. [Footnote not shown.] Personal impairments of auditors result from relationships or beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Individual auditors should notify the appropriate officials within their audit organizations if they have any personal impairment to independence...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Organizational Independence; Organizational Independence When Performing Nonaudit Services; Nonaudit Services That Would Not Impair Independence if Supplemental Safeguards Are Implemented; 3.28: Services that do not impair the audit organization's independence with respect to the entities they audit so long as they comply with supplemental safeguards include the following: a. providing basic accounting assistance limited to services such as preparing draft financial statements that are based on management's chart of accounts and trial balance and any adjusting, correcting, and closing entries that have been approved by management; preparing draft notes to the financial statements based on information determined and approved by management; … (If the audit organization has prepared draft financial statements and notes and performed the financial statement audit, the auditor should obtain documentation from management in which management acknowledges the audit organization's role in preparing the financial statements and related notes and management's review, approval, and responsibility for the financial statements and related notes in the management representation letter...); Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Professional Judgment; 3.31: Auditors must use professional judgment in planning and performing audits and attestation engagements and in reporting the results; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Professional Judgment; 3.38: Auditors should document significant decisions affecting the audit objectives, scope, and methodology; findings; conclusions; and recommendations resulting from professional judgment; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Competence; 3.40: The staff assigned to perform the audit or attestation engagement must collectively possess adequate professional competence for the tasks required; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Technical Knowledge and Competence; 3.43: The staff assigned to conduct an audit or attestation engagement under GAGAS must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. The staff assigned to a GAGAS audit or attestation engagement should collectively possess; a. knowledge of GAGAS applicable to the type of work they are assigned and the education, skills, and experience to apply this knowledge to the work being performed; b. general knowledge of the environment in which the audited entity operates and the subject matter under review; c. skills to communicate clearly and effectively, both orally and in writing; and; d. skills appropriate for the work being performed. For example, staff or specialist skills in; (1) statistical sampling if the work involves use of statistical sampling; (2) information technology if the work involves review of information systems; (3) engineering if the work involves review of complex engineering data; (4) specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, as applicable; or; (5) specialized knowledge in subject matters, such as scientific, medical, environmental, educational, or any other specialized subject matter, if the work calls for such expertise; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Additional Qualifications for Financial Audits and Attestation Engagements; 3.44: Auditors performing financial audits should be knowledgeable in generally accepted accounting principles (GAAP), the American Institute of Certified Public Accountants (AICPA) generally accepted auditing standards for field work and reporting and the related Statements on Auditing Standards (SAS), and the application of these standards. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards. Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants or persons working for a licensed certified public accounting firm or a government audit organization. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Continuing Professional Education; 3.46: Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. For auditors who are involved in any amount of planning, directing, or reporting on GAGAS assignments and those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) that enhances the auditor's professional proficiency to perform audits or attestation engagements. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year period; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Continuing Professional Education; 3.49: External specialists assisting in performing a GAGAS assignment should be qualified and maintain professional competence in their areas of specialization but are not required to meet the GAGAS CPE requirements described. However, auditors who use the work of external specialists should assess the professional qualifications of such specialists and document their findings and conclusions. Internal specialists who are part of the audit organization and perform as a member of the audit team should comply with GAGAS, including the CPE requirements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Quality Control and Assurance; External Peer Review; 3.63: Auditors who are using another audit organization's work should request a copy of the audit organization's latest peer review report and any letter of comment, and the audit organization should provide these documents when requested...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Introduction; 4.01: This chapter establishes field work standards and provides guidance for financial audits conducted in accordance with generally accepted government auditing standards (GAGAS). This chapter identifies the American Institute of Certified Public Accountants (AICPA) field work standards and prescribes additional standards for financial audits performed in accordance with GAGAS; a. For financial audits, GAGAS incorporate the AICPA field work and reporting standards and the related statements on auditing standards (SAS) unless specifically excluded or modified by GAGAS; b. Under AICPA standards and GAGAS, auditors must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by auditors is expressed in the auditor's report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement; Must: [Empty]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; AICPA Field Work Standards; 4.03 The three AICPA generally accepted standards of field work are as follows: [Footnote not shown.]; [Documentation of compliance with the field work requirements in the AICPA standards and the related statements on auditing standards (SAS) is required for financial audits conducted in accordance with GAGAS. These AICPA standards and SAS contain requirements in addition to the requirements in 4.03 a-c below. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; Must: [Check]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; AICPA Field Work Standards; a. The auditor must adequately plan the work and must properly supervise any assistants; Must: [Empty]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; AICPA Field Work Standards; b. The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures; Must: [Empty]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; AICPA Field Work Standards; c. The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit; Must: [Empty]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; Additional Government Auditing Standards; 4.04: GAGAS establish field work standards for financial audits in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to: a. auditor communication during planning (see paragraphs 4.05 through 4.08); b. previous audits and attestation engagements (see paragraph 4.09); c. detecting material misstatements resulting from violations of provisions of contracts or grant agreements, or from abuse (see paragraphs 4.10 through 4.13); d. developing elements of a finding (see paragraphs 4.14 through 4.18); and; e. audit documentation (see paragraphs 4.19 through 4.24); Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Auditor Communication During Planning; 4.05: Under AICPA standards and GAGAS, auditors should communicate with the audited entity their understanding of the services to be performed for each engagement and document that understanding through a written communication. [Footnote not shown.] GAGAS broaden the parties included in the communication and the items for the auditors to communicate; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Auditor Communication During Planning; 4.06: Under GAGAS, when planning the audit, auditors should communicate certain information in writing to management of the audited entity, those charged with governance, [footnote not shown] and to the individuals contracting for or requesting the audit. When auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS: a. The nature of planned work and level of assurance to be provided related to internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements; b. Any potential restriction on the auditors' reports, in order to reduce the risk that the needs or expectations of the parties involved may be misinterpreted; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Auditor Communication During Planning; 4.08: If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Previous Audits and Attestation Engagements; 4.09: Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the financial statements. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Detecting Material Misstatements Resulting from Violations of Provisions of Contracts or Grant Agreements, or from Abuse; 4.10: Auditors should design the audit to provide reasonable assurance of detecting misstatements that result from violations of provisions of contracts or grant agreements and could have a direct and material effect on the determination of financial statement amounts or other financial data significant to the audit objectives; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Detecting Material Misstatements Resulting from Violations of Provisions of Contracts or Grant Agreements, or from Abuse; 4.11: If specific information comes to the auditors' attention that provides evidence concerning the existence of possible violations of provisions of contracts or grant agreements that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether such violations have occurred When the auditors conclude that a violation of provisions of contracts or grant agreements has or is likely to have occurred, they should determine the effect on the financial statements as well as the implications for other aspects of the audit; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Detecting Material Misstatements Resulting from Violations of Provisions of Contracts or Grant Agreements, or from Abuse; 4.13: If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively material to the financial statements, auditors should apply audit procedures specifically directed to ascertain the potential effect on the financial statements or other financial data significant to the audit objectives...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Developing Elements of a Finding; 4.14:... When auditors identify deficiencies, auditors should plan and perform procedures to develop the elements of the findings that are relevant and necessary to achieve the audit objectives...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Audit Documentation; 4.19: Under AICPA standards and GAGAS, auditors must prepare audit documentation in connection with each audit in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of audit procedures performed), the audit evidence obtained and its source, and the conclusions reached. [Footnote not shown.] Under AICPA standards and GAGAS, auditors should prepare audit documentation that enables an experienced auditor, [footnote not shown] having no previous connection to the audit, to understand: a. the nature, timing, and extent of auditing procedures performed to comply with GAGAS and other applicable standards and requirements; b. the results of the audit procedures performed and the audit evidence obtained; c. the conclusions reached on significant matters; and; d. that the accounting records agree or reconcile with the audited financial statements or other audited information; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Audit Documentation; 4.20 Under GAGAS, auditors also should document, before the audit report is issued, evidence of supervisory review of the work performed that supports findings, conclusions, and recommendations contained in the audit report; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Audit Documentation; 4.21: When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors' conclusions. This applies to departures from both mandatory requirements and presumptively mandatory requirements where alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Audit Documentation; 4.23 ...Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as audit documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; Consideration of Fraud and Illegal Acts; 4.27: Under both the AICPA standards [footnote not shown] and GAGAS, auditors should plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. [Footnote not shown.]...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; Consideration of Fraud and Illegal Acts; 4.28: Under both the AICPA standards [footnote not shown] and GAGAS, auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from illegal acts that could have a direct and material effect on the financial statements. [Footnote not shown.] If specific information comes to the auditors' attention that provides evidence concerning the existence of possible illegal acts [footnote not shown] that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether an illegal act has occurred. When an illegal act has or is likely to have occurred, auditors should determine the effect on the financial statements as well as the implications for other aspects of the audit; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; Ongoing Investigations or Legal Proceedings; 4.29: ...When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current audit. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the audit engagement or a portion of the engagement to avoid interfering with an investigation; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; AICPA Reporting Standards; 5.03: The four AICPA generally accepted standards of reporting [footnote not shown] are as follows: [Documentation of compliance with the reporting requirements in the AICPA standards and the related statements on auditing standards (SAS) is required for financial audits conducted in accordance with GAGAS. These AICPA standards and SAS contain requirements in addition to the requirements in 5.03 a-d below. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; Must: [Check]; Should: [Check]. Chapter 5 - Reporting Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; AICPA Reporting Standards; a. The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles (GAAP); Must: [Empty]; Should: [Check]. Chapter 5 - Reporting Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; AICPA Reporting Standards; b. The auditor must identify in the auditor's report those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period; Must: [Empty]; Should: [Check]. Chapter 5 - Reporting Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; AICPA Reporting Standards; c. When the auditor determines that informative disclosures are not reasonably adequate, the auditor must so state in the auditor's report; Must: [Empty]; Should: [Check]. Chapter 5 - Reporting Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; AICPA Reporting Standards; d. The auditor must either express an opinion regarding the financial statements, taken as a whole, or state that an opinion cannot be expressed, in the auditor's report. When the auditor cannot express an overall opinion, the auditor should state the reasons therefor in the auditor's report. In all cases where an auditor's name is associated with financial statements, the auditor should clearly indicate the character of the auditor's work, if any, and the degree of responsibility the auditor is taking in the auditor's report; Must: [Empty]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; 5.04: GAGAS establish reporting standards for financial audits in addition to the standards contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to: a. reporting auditors' compliance with GAGAS (see paragraphs 5.05 and 5.06); b. reporting on internal control and compliance with laws, regulations, and provisions of contracts or grant agreements (see paragraphs 5.07 through 5.09); c. reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 5.10 through 5.22); d. communicating significant matters in the auditors' report (see paragraphs 5.23 through 5.25); e. reporting on the restatement of previously-issued financial statements (see paragraphs 5.26 through 5.31); f. reporting views of responsible officials (see paragraphs 5.32 through 5.38); g. reporting confidential or sensitive information (see paragraphs 5.39 through 5.43); and; h. distributing reports (see paragraph 5.44); Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Auditors' Compliance with GAGAS; 5.05: When auditors comply with all applicable GAGAS requirements, they should include a statement in the auditors' report that they performed the audit in accordance with GAGAS...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Internal Control and Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements; 5.07: When providing an opinion or a disclaimer on financial statements, auditors must also report on internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Internal Control and Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements; 5.08: Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. If the auditors issue separate reports, they should include a reference to the separate reports in the report on financial statements. Auditors should state in the reports whether the tests they performed provided sufficient, appropriate evidence to support an opinion on the effectiveness of internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements. The internal control reporting standard under GAGAS differs from the objective of an examination of internal control in accordance with the AICPA Statement on Standards for Attestation Engagements (SSAE), which is to express an opinion on the design or the design and operating effectiveness of an entity's internal control, as applicable. To form a basis for expressing such an opinion, the auditor must plan and perform the examination to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control as of a point in time or for a specified period of time; Must: [Empty]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Internal Control and Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements; 5.09: When auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements, they should state in the financial statement audit report that they are issuing those additional reports. They should include a reference to the separate reports[54] and also state that the reports on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements are an integral part of a GAGAS audit and important for assessing the results of the audit. If auditors issued or intend to issue a management letter, they should refer to that management letter in the reports; [54] This requirement applies to financial statement audits described in paragraph 1.22a. It does not apply to other types of financial audits described in paragraph 1.22b; Must: [Empty]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 5.10: For financial audits, including audits of financial statements in which auditors provide an opinion or disclaimer, auditors should report, as applicable to the objectives of the audit, and based upon the audit work performed, (1) significant deficiencies in internal control, identifying those considered to be material weaknesses; (2) all instances of fraud and illegal acts unless inconsequential; and (3) violations of provisions of contracts or grant agreements and abuse that could have a material effect on the financial statements. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Deficiencies in Internal Control; 5.11: For all financial audits, auditors should report the following deficiencies in internal control: a. Significant deficiency: a deficiency in internal control, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with GAAP such that there is more than a remote [footnote not shown] likelihood that a misstatement of the entity's financial statements that is more than inconsequential [footnote not shown]will not be prevented or detected. [Footnote not shown.]; b. Material weakness: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Deficiencies in Internal Control; 5.13: Auditors should include all significant deficiencies in the auditors' report on internal control over financial reporting and indicate those that represent material weaknesses. If (1) a significant deficiency is remediated before the auditors' report is issued and (2) the auditors obtain sufficient, appropriate evidence supporting the remediation of the significant deficiency, then the auditors should report the significant deficiency and the fact that it was remediated before the auditors' report was issued; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Deficiencies in Internal Control; 5.14 Determining whether and how to communicate to officials of the audited entity internal control deficiencies that have an inconsequential effect on the financial statements is a matter of professional judgment. Auditors should document such communications; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 5.15 Under AICPA standards and GAGAS, auditors have responsibilities for detecting fraud and illegal acts that have a material effect on the financial statements and determining whether those charged with governance are adequately informed about fraud and illegal acts. GAGAS include additional reporting standards. When auditors conclude, based on sufficient, appropriate evidence, that any of the following either has occurred or is likely to have occurred, they should include in their audit report the relevant information about; a. fraud and illegal acts [footnote not shown] that have an effect on the financial statements that is more than inconsequential,; b. violations of provisions of contracts or grant agreements that have a material effect on the determination of financial statement amounts or other financial data significant to the audit, and; c. abuse that is material, either quantitatively or qualitatively...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 5.16: When auditors detect violations of provisions of contracts or grant agreements or abuse that have an effect on the financial statements that is less than material but more than inconsequential, they should communicate those findings in writing to officials of the audited entity. Determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of professional judgment. Auditors should document such communications; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Audited Entity; 5.18: Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances. [Footnote not shown.]; a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties; b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is likely to have a material effect on the financial statements and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the entity's failure to take timely and appropriate steps directly to the funding agency; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Audited Entity; 5.19: The reporting in paragraph 5.18 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Audited Entity; 5.20: Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 5.18; Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Audited Entity; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Presenting Findings in the Auditors' Report; 5.21: In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the audit objectives...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Presenting Findings in the Auditors' Report; 5.22 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Restatement of Previously-Issued Financial Statements; 5.26: AICPA Professional Standards, AU Section 561, "Subsequent Discovery of Facts Existing at the Date of the Auditor's Report," establish standards and provide guidance for situations when auditors become aware of new information that could have affected their report on previously-issued financial statements. [Footnote not shown.] Under AU Section 561, if auditors become aware of new information that might have affected their opinion on previously-issued financial statement(s), then the auditors should advise entity management to determine the potential effect(s) of the new information on the previously-issued financial statement(s) as soon as reasonably possible. Such new information may lead management to conclude that previously-issued financial statements were materially misstated and to restate and reissue the misstated financial statements. In such circumstances, auditors should advise management to make appropriate disclosure of the newly discovered facts and their impact on the financial statements to those who are likely to rely on the financial statements. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Restatement of Previously-Issued Financial Statements; 5.27: Under GAGAS, auditors should advise management to make appropriate disclosures when the auditors believe that the following conditions exist: (1) it is likely that previously-issued financial statements are misstated and (2) the misstatement is or reasonably could be material. Under GAGAS, auditors also should perform the following procedures related to restated financial statements:[65]; [65] These additional GAGAS requirements also apply to other financial information on which auditors opine, such as schedules of expenditures of federal awards; a. evaluate the timeliness and appropriateness of management's disclosure and actions to determine and correct misstatements in previously-issued financial statements (see paragraph 5.28),; b. report on restated financial statements (see paragraphs 5.29 and 5.30), and; c. report directly to appropriate officials when the audited entity does not take the necessary steps (see paragraph 5.31); Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Evaluate the Timeliness and Appropriateness of Management's Disclosure and Actions to Determine and Correct Misstatements in Previously-Issued Financial Statements; 5.28: Auditors should evaluate the timeliness and appropriateness of management's disclosure to those who are likely to rely on the financial statements and management's actions to determine and correct misstatements in previously-issued financial statements in accordance with AU Sections 561.06 through 561.08. Under GAGAS, auditors also should evaluate whether management; a. acted in an appropriate time frame after new information was available to (1) determine the financial statement effects of the new information and (2) notify those who are likely to rely on the financial statements; b. disclosed the nature and extent of the known or likely material misstatements on Web pages where management has published the auditors' report on the previously-issued financial statements; and; c. disclosed the following information in the entity's restated financial statements: (1) the nature and cause(s) of the misstatement(s) that led to the need for restatement, (2) the specific amount(s) of the material misstatement(s), and (3) the related effect(s) on the previously-issued financial statement(s) (e.g., year(s) being restated, specific financial statement(s) affected and line items restated, actions the agency's management took after discovering the misstatement), and (4) the impact on the financial statements as a whole (e.g., change in overall net position, change in the audit opinion) and on key information included in the Management Discussion & Analysis; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Report on Restated Financial Statements; 5.29: When management restates financial statements, auditors should perform audit procedures sufficient to reissue or update the auditors' report on the restated financial statements regardless of whether the restated financial statements are separately issued or presented on a comparative basis with those of a subsequent period. [Footnote not shown.] Auditors should include the following in an explanatory paragraph in the reissued or updated auditors' report: a. a statement disclosing that the previously-issued financial statements have been restated; b. a statement that (1) the previously-issued auditors' report (identified by report date) is not to be relied on because the previously-issued financial statements were materially misstated and (2) the previously-issued auditors' report is replaced by the auditors' report on the restated financial statements; c. a reference to the note(s) to the restated financial statements that discusses the restatement; and; d. if applicable, a reference to the report on internal control containing a discussion of any significant internal control deficiency identified by the auditors as having failed to prevent or detect the misstatement and any corrective action taken by management to address the deficiency; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Evaluate the Timeliness and Appropriateness of Management's Disclosure and Actions to Determine and Correct Misstatements in Previously-Issued Financial Statements; 5.30: Management's failure to include appropriate disclosures, as discussed in paragraph 5.28c, in restated financial statements may have implications for the audit. In addition, auditors should include the omitted disclosures in the auditors' report, if practicable; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Report Directly to Appropriate Officials When the Audited Entity Does Not Take the Necessary Steps; 5.31: Auditors should notify those charged with governance if entity management (1) does not act in an appropriate time frame after new information was available to determine the financial statement effects of the new information and take the necessary steps to timely inform those who are likely to rely on the financial statements and the related auditors' reports of the situation or (2) does not restate with reasonable timeliness the financial statements under circumstances in which auditors believe they need to be restated. Auditors should inform those charged with governance that the auditors will take steps to prevent further reliance on the auditors' report and advise them to notify oversight bodies and funding agencies that rely on the financial statements. If those charged with governance do not notify appropriate oversight bodies and funding agencies, then the auditors should do so. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.32: If the auditors' report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.34: When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.35: Auditors should also include in the report an evaluation of the comments, as appropriate...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.37: When the audited entity's comments are inconsistent or in conflict with findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.38: If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 5.39: If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that makes the omission necessary; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 5.42: Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 5.43: When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Distributing Reports; 5.44: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report; c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. [End of table] Specific Requirements for Attestation Engagements: GAGAS incorporate the AICPA general standard on criteria, and the field work and reporting standards and the related Statements on Standards for Attestation Engagements (SSAE). The requirements listed in this professional requirements tool for attestation engagements represent the supplemental GAGAS requirements for attestation engagements. In addition to the requirements contained in this tool, documentation of compliance with the requirements in the AICPA general standard on criteria and the field work and reporting standards is required for attestation engagements conducted in accordance with GAGAS. Auditors are advised to refer to the entire text of the both GAGAS and the AICPA general standard on criteria, and the field work and reporting standards and the related Statements on Standards for Attestation Engagements to obtain a comprehensive understanding of all the requirements for attestation engagements conducted in accordance with GAGAS. See paragraph 6.01. Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.11: When auditors are required to follow GAGAS or are representing to others that they followed GAGAS, they should follow all applicable GAGAS requirements and should refer to compliance with GAGAS in the auditors' report as set forth in paragraphs 1.12 and 1.13; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.12: Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS audits and attestation engagements, as appropriate. [Footnote not shown.]; a. Unmodified GAGAS compliance statement: Stating that the auditor performed the audit or attestation engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed all applicable unconditional and presumptively mandatory GAGAS requirements, or (2) have followed all unconditional requirements and documented justification for any departures from applicable presumptively mandatory requirements, and have achieved the objectives of those requirements through other means; b. Modified GAGAS compliance statement: Stating either that (1) the auditor performed the audit or attestation engagement in accordance with GAGAS, except for specific applicable requirements that were not followed or, (2) because of the significance of the departure(s) from the requirements, the auditor was unable to and did not perform the audit or attestation engagement in accordance with GAGAS. Situations when auditors use modified compliance statements include scope limitations, such as restrictions on access to records, government officials, or other individuals needed to conduct the audit. When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirements affected, or could have affected, the audit and the assurance provided; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.13: When auditors do not comply with any applicable requirements, they should (1) assess the significance of the noncompliance to the audit objectives, (2) document the assessment, along with their reasons for not following the requirement, and (3) determine the type of GAGAS compliance statement. [Footnote not shown.] The auditors' determination will depend on the significance of the requirements not followed in relation to the audit objectives; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Relationship between GAGAS and Other Professional Standards; 1.14: Auditors may use GAGAS in conjunction with professional standards issued by other authoritative bodies. Auditors may also cite the use of other standards in their audit reports, as appropriate. If the auditor is citing compliance with GAGAS and inconsistencies exist between GAGAS and other standards cited, the auditor should use GAGAS as the prevailing standard for conducting the audit and reporting the results; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; 1.19: In some audits and attestation engagements, the standards applicable to the specific audit objective will be apparent...However, some engagements may have multiple or overlapping objectives...In cases in which there is a choice between applicable standards, auditors should evaluate users' needs and the auditors' knowledge, skills, and experience in deciding which standards to follow; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Attestation Engagements; 1.23: Attestation engagements can cover a broad range of financial or nonfinancial objectives and may provide different levels of assurance about the subject matter or assertion depending on the users' needs. Attestation engagements result in an examination, a review, or an agreed-upon procedures report on a subject matter or on an assertion about a subject matter that is the responsibility of another party. The three types of attestation engagements are: a. Examination: Consists of obtaining sufficient, appropriate evidence to express an opinion on whether the subject matter is based on (or in conformity with) the criteria in all material respects or the assertion is presented (or fairly stated), in all material respects, based on the criteria; b. Review: Consists of sufficient testing to express a conclusion about whether any information came to the auditors' attention on the basis of the work performed that indicates the subject matter is not based on (or not in conformity with) the criteria or the assertion is not presented (or not fairly stated) in all material respects based on the criteria. As stated in the AICPA SSAE, auditors should not perform review-level work for reporting on internal control or compliance with laws and regulations; c. Agreed-Upon Procedures: Consists of specific procedures performed on a subject matter; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.33: GAGAS do not cover professional services other than audits or attestation engagements (nonaudit services). … Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Independence; 3.02: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Independence; 3.03: Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Independence; 3.04: When evaluating whether independence impairments exist either in fact or appearance with respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence--personal, external, and organizational. [Footnote not shown.] If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work--except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Independence; 3.05: When auditors use the work of a specialist, [footnote not shown] auditors should assess the specialist's ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit. If the specialist's independence is impaired, auditors should not use the work of that specialist; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Personal Impairments; 3.07: Auditors participating on an audit assignment must be free from personal impairments to independence. [Footnote not shown.] Personal impairments of auditors result from relationships or beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Individual auditors should notify the appropriate officials within their audit organizations if they have any personal impairment to independence...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Professional Judgment; 3.31: Auditors must use professional judgment in planning and performing audits and attestation engagements and in reporting the results; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Professional Judgment; 3.38: Auditors should document significant decisions affecting the audit objectives, scope, and methodology; findings; conclusions; and recommendations resulting from professional judgment; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Competence; 3.40: The staff assigned to perform the audit or attestation engagement must collectively possess adequate professional competence for the tasks required; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Technical Knowledge and Competence; 3.43: The staff assigned to conduct an audit or attestation engagement under GAGAS must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. The staff assigned to a GAGAS audit or attestation engagement should collectively possess; a. knowledge of GAGAS applicable to the type of work they are assigned and the education, skills, and experience to apply this knowledge to the work being performed; b. general knowledge of the environment in which the audited entity operates and the subject matter under review; c. skills to communicate clearly and effectively, both orally and in writing; and; d. skills appropriate for the work being performed. For example, staff or specialist skills in; (1) statistical sampling if the work involves use of statistical sampling; (2) information technology if the work involves review of information systems; (3) engineering if the work involves review of complex engineering data; (4) specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, as applicable; or: (5) specialized knowledge in subject matters, such as scientific, medical, environmental, educational, or any other specialized subject matter, if the work calls for such expertise; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Additional Qualifications for Financial Audits and Attestation Engagements; 3.44: Auditors performing financial audits should be knowledgeable in generally accepted accounting principles (GAAP), the American Institute of Certified Public Accountants (AICPA) generally accepted auditing standards for field work and reporting and the related Statements on Auditing Standards (SAS), and the application of these standards. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards. Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants or persons working for a licensed certified public accounting firm or a government audit organization. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Additional Qualifications for Financial Audits and Attestation Engagements; 3.45: Similarly, for attestation engagements, GAGAS incorporate the AICPA attestation standards. Auditors should be knowledgeable in the AICPA general attestation standard related to criteria, the AICPA attestation standards for field work and reporting, and the related Statements on Standards for Attestation Engagements (SSAE), and they should be competent in applying these standards and SSAE to the task assigned. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards; Chapter 3 - General Standards; Continuing Professional Education; 3.46: Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. For auditors who are involved in any amount of planning, directing, or reporting on GAGAS assignments and those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) that enhances the auditor's professional proficiency to perform audits or attestation engagements. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year period; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Continuing Professional Education; 3.49 External specialists assisting in performing a GAGAS assignment should be qualified and maintain professional competence in their areas of specialization but are not required to meet the GAGAS CPE requirements described. However, auditors who use the work of external specialists should assess the professional qualifications of such specialists and document their findings and conclusions. Internal specialists who are part of the audit organization and perform as a member of the audit team should comply with GAGAS, including the CPE requirements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Quality Control and Assurance; External Peer Review; 3.63: Auditors who are using another audit organization's work should request a copy of the audit organization's latest peer review report and any letter of comment, and the audit organization should provide these documents when requested...; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA General and Field Work Standards for Attestation Engagements; 6.03: The AICPA general standard related to criteria is as follows: The practitioner [auditor] must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users. [Documentation of compliance with the AICPA general standard related to criteria is required for attestation engagements conducted in accordance with GAGAS. These AICPA standards and SSAE contain requirements in addition to the requirements in 6.03 above. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; Must: [Empty]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA General and Field Work Standards for Attestation Engagements; 6.04: The two AICPA field work standards for attestation engagements are as follows: [Documentation of compliance with the field work requirements in the AICPA standards and the related statements on standards for attestation engagements (SSAE) is required for attestation engagements conducted in accordance with GAGAS. These AICPA standards and SSAE contain requirements in addition to the requirements in 6.04 a-b below. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; Must: [Check]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA General and Field Work Standards for Attestation Engagements; a. The practitioner [auditor] must adequately plan the work and must properly supervise any assistants; Must: [Empty]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA General and Field Work Standards for Attestation Engagements; b. The practitioner [auditor] must obtain sufficient evidence to provide a reasonable basis for the conclusion that is expressed in the report; Must: [Empty]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; 6.05: GAGAS establish attestation engagement field work standards in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their attestation engagement reports. The additional government auditing standards relate to; a. auditor communication during planning (see paragraphs 6.06 through 6.08); b. previous audits and attestation engagements (see paragraph 6.09); c. internal control (see paragraphs 6.10 through 6.12); d. fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that could have a material effect on the subject matter (see paragraphs 6.13 and 6.14); e. developing elements of a finding (see paragraphs 6.15 through 6.19); and; f. documentation (see paragraphs 6.20 through 6.26); Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Auditor Communication During Planning. 6.06: Under AICPA standards and GAGAS, auditors should establish an understanding with the entity regarding the services to be performed for each engagement. Auditors also should obtain written acknowledgment or other evidence of the entity's responsibilities for the subject matter or the written assertion as it relates to the objectives of the engagement. GAGAS broaden the parties included in the communications during planning and contain additional items in the communications; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Auditor Communication During Planning; 6.07: Under GAGAS, when planning the engagement, auditors should communicate certain information, including their understanding of the services to be performed for each engagement, in writing to entity management, those charged with governance, [footnote not shown] and to the individuals contracting for or requesting the engagement. When auditors perform the engagement pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, the auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS: a. the nature, timing, and extent of planned testing and reporting; b. the level of assurance the auditor will provide; and; c. any potential restriction on the auditors' reports, in order to reduce the risk that the needs or expectations of the parties involved may be misinterpreted; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Auditor Communication During Planning; 6.08: If an engagement is terminated before it is completed and a report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated...; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Previous Audits and Attestation Engagements; 6.09: Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the subject matter. When planning the engagement, auditors should ask entity management to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter of the attestation engagement being undertaken, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current engagement objectives; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Internal Control; 6.10: In planning examination-level attestation engagements, auditors should obtain a sufficient understanding of internal control that is material to the subject matter in order to plan the engagement and design procedures to achieve the objectives of the attestation engagement; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Internal Control; 6.11: In planning an examination-level attestation engagement, auditors should obtain an understanding of internal control as it relates to the subject matter to which the auditors are attesting. The subject matter may be financial or nonfinancial...; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse That Could Have a Material Effect on the Subject Matter; 6.13 :The auditors' responsibility with regard to fraud, [footnote not shown] illegal acts, violations of provisions of contracts or grant agreements, or abuse for attestation engagements performed in accordance with GAGAS is as follows: Must: [Check]; Empty: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse That Could Have a Material Effect on the Subject Matter; a. Examination-level engagements: In planning, auditors should design the engagement to provide reasonable assurance of detecting fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter of the attestation engagement. Thus, auditors should assess the risk and possible effects of material fraud, illegal acts, or violations of provisions of contracts or grant agreements on the subject matter of the attestation engagement. When risk factors are identified, auditors should document the risk factors identified, the auditors' response to those risk factors individually or in combination, and the auditor