This is the accessible text file for GAO report number GAO-03-673G entitled 'Government Auditing Standards: 2003 Revision' which was released on June 01, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. By the Comptroller General of the United States: June 2003: Government Auditing Standards: 2003 Revision: GAO-03-673G: This revision of the standards supersedes the 1994 revision, including amendments 1 through 3. Its provisions are effective for financial audits and attestation engagements of periods ending on or after January 1, 2004, and for performance audits beginning on or after January 1, 2004. Early application is permissible.
Letter: The concept of accountability for public resources is key in our nation's governing process and a critical element for a healthy democracy. Legislators, government officials, and the public want to know whether government services are being provided efficiently, effectively, economically, and in compliance with laws and regulations. They also want to know whether government programs are achieving their objectives and desired outcomes, and at what cost. Government managers are accountable to legislative bodies and the public for their activities and related results. Government auditing is a key element in fulfilling the government's duty to be accountable to the people. Auditing allows those parties and other stakeholders to have confidence in the reported information on the results of programs or operations, as well as in the related systems of internal control. Government auditing standards provide a framework to auditors so that their work can lead to improved government management, decision making, oversight and accountability. These standards are broad statements of auditors' responsibilities. They provide an overall framework for ensuring that auditors have the competence, integrity, objectivity, and independence in planning, conducting, and reporting on their work. Auditors will face many situations in which they could best serve the public by doing work exceeding the standards' minimum requirements. As performance and accountability professionals, we should not strive just to comply with minimum standards, which represent the floor of acceptable behavior, but we need to do the right thing according to the facts and circumstances of each audit situation. I encourage auditors to seek opportunities to do additional work when and where it is appropriate, particularly in connection with testing and reporting on internal control. This is the fourth revision of the overall standards since they were first issued in 1972. 
This revision of the standards supersedes the 1994 revision, including amendments 1 through 3. This revision makes changes to these standards in the following 3 areas: * redefining the types of audits and services covered by the standards, including an expansion of the definition of performance auditing to incorporate prospective analyses and other studies and adding attestation as a separate type of audit, * providing consistency in the field work and reporting requirements among all types of audits defined under the standards, and: * strengthening the standards and clarifying the language in areas that, by themselves, do not warrant a separate amendment to the standards. These standards contain requirements for auditor reporting on internal control, but they do not require the auditor to render an opinion on internal control. Nevertheless, I encourage auditors to evaluate those situations where they are reporting on internal control to determine whether providing an opinion on internal control would add value and be cost beneficial based on related risks. The Sarbanes-Oxley Act requires private sector auditors to attest to and report on the assessment made by management of each publicly traded company on the effectiveness of internal control over financial reporting. GAO strongly believes that auditor reporting on internal control is a critical component of monitoring the effectiveness of an organization's risk management and accountability systems. Auditors can better serve their clients and other financial statement users and better protect the public interest by having a greater role in providing assurances over the effectiveness of internal control in deterring fraudulent financial reporting, protecting assets, and providing an early warning of emerging problems. We believe auditor reporting on internal control is appropriate and necessary for publicly traded companies and major public entities. 
We also believe that such reporting is appropriate in other cases where management assessment and auditor examination and reporting on the effectiveness of internal control add value and mitigate risk in a cost beneficial manner. In this regard, GAO seeks to lead by example in establishing the appropriate level of auditor reporting on internal control for federal agencies, programs, and entities receiving significant amounts of federal funding. In fact, we already provide opinions on internal control for all our major federal audit clients, including the consolidated financial statements of the U.S. Government. Because of the breadth of the fourth revision to the overall standards, any new standards are applicable for financial audits and attestation engagements of periods ending on or after January 1, 2004, and for performance audits beginning on or after January 1, 2004. Early application is permissible and encouraged. An electronic version of these standards can be accessed on the Web at www.gao.gov/govaud/ybk01.htm. We have also posted a listing of the major changes from the 1994 Revision to this Web site. Printed copies can be obtained from the U.S. Government Printing Office. This revision of the standards currently incorporates the field work and the reporting standards issued by the American Institute of Certified Public Accountants (AICPA). The Sarbanes-Oxley Act gives the Public Company Accounting Oversight Board (PCAOB) the authority to set auditing standards to be used by registered public accounting firms in the preparation and issuance of audit reports for publicly traded companies. As the PCAOB promulgates auditing standards for audits of these entities, GAO will continue to closely monitor the actions of both standard setting bodies and will issue clarifying guidance as necessary on the incorporation of future standards set by either standard setting body.
This revision has gone through an extensive deliberative process including extensive public comments and input from the Comptroller General's Advisory Council on Government Auditing Standards, which includes 21 experts in financial and performance auditing and reporting drawn from all levels of government, academia, private enterprise, and public accounting. The views of all parties were thoroughly considered in finalizing the standards. I thank those who commented and suggested improvements to the standards. I especially commend the Advisory Council on Government Auditing Standards and the GAO project team for important contributions to this revision. David M. Walker Comptroller General of the United States: Signed by David M. Walker: June 2003: [End of section] Contents: Chapter 1: Introduction: Purpose: Applicability: Relationship between GAGAS and Other Professional Standards: Accountability: Roles and Responsibilities: Chapter 2: Types of Government Audits and Attestation Engagements: Introduction: Financial Audits: Attestation Engagements: Performance Audits: Nonaudit Services Provided by Audit Organizations: Chapter 3: General Standards: Introduction: Independence: Professional Judgment: Competence: Quality Control and Assurance: Chapter 4: Field Work Standards for Financial Audits: Introduction: AICPA Field Work Standards: Additional GAGAS Standards: Auditor Communication: Considering the Results of Previous Audits and Attestation Engagements: Detecting Material Misstatements Resulting from Violations of Contract Provisions or Grant Agreements, or from Abuse: Developing Elements of a Finding: Audit Documentation: Chapter 5: Reporting Standards for Financial Audits: Introduction: AICPA Reporting Standards: Additional GAGAS Reporting Standards for Financial Audits: Reporting Auditors' Compliance with GAGAS: Reporting on Internal Control and on Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements: Reporting Deficiencies in 
Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: Reporting Views of Responsible Officials: Reporting Privileged and Confidential Information: Report Issuance and Distribution: Chapter 6: General, Field Work, and Reporting Standards for Attestation Engagements: Introduction: AICPA General and Field Work Standards for Attestation Engagements: Additional GAGAS Field Work Standards for Attestation Engagements: Auditor Communication: Considering the Results of Previous Audits and Attestation Engagements: Internal Control: Detecting Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse That Could Have a Material Effect on the Subject Matter: Developing Elements of Findings for Attestation Engagements: Attest Documentation: AICPA Reporting Standards for Attestation Engagements: Additional GAGAS Reporting Standards for Attestation Engagements: Reporting Auditors' Compliance with GAGAS: Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: Reporting Views of Responsible Officials: Reporting Privileged and Confidential Information: Report Issuance and Distribution: Chapter 7: Field Work Standards for Performance Audits: Introduction: Planning: Supervision: Evidence: Audit Documentation: Chapter 8: Reporting Standards for Performance Audits: Introduction: Form: Report Contents: Report Quality Elements: Report Issuance and Distribution: Appendix: Appendix I Advisory Council on Government Auditing Standards: GAO Project Team: Index: Abbreviations: AICPA: American Institute of Certified Public Accountants: COSO: Committee of Sponsoring Organizations of the Treadway Commission: CPA: certified public accountant: CPE: continuing professional education: GAAP: generally accepted accounting principles: GAAS: generally accepted auditing standards: GAGAS: generally accepted government auditing standards: GAO: 
U.S. General Accounting Office: MD&A: Management's Discussion and Analysis: OMB: U.S. Office of Management and Budget: SAS: AICPA Statements on Auditing Standards: SSAE: AICPA Statements on Standards for Attestation Engagements: Chapter 1 Introduction: Purpose: 1.01: The standards and guidance contained in this document, often referred to as generally accepted government auditing standards (GAGAS), are intended for use by government auditors[Footnote 1] to ensure that they maintain competence, integrity, objectivity, and independence in planning, conducting, and reporting their work, and are to be followed by auditors and audit organizations when required by law, regulation, contract, agreement, or policy.[Footnote 2] The work performed in accordance with GAGAS, which is described in this chapter and more fully in chapter 2, includes financial audits, attestation engagements, and performance audits. Users of government audits and attestation engagements that are performed in accordance with GAGAS should have confidence that the work is objective and credible. 1.02: GAGAS pertain to auditors' professional qualifications and the quality of their work, the performance of field work, and the characteristics of meaningful reporting. Adherence to GAGAS can help ensure that audits and attestation engagements provide credibility to the information reported by or obtained from officials of the audited entity through objectively acquiring and evaluating evidence. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, decision making, and oversight. Government auditing is also a key element in fulfilling the government's duty to be accountable to the public. 1.03: This chapter describes the applications of GAGAS by auditors and audit organizations. 
This chapter also describes the concept of accountability for public resources and discusses the responsibilities of managers of government programs, auditors, and audit organizations in the audit process. Applicability: 1.04: The standards and guidance in this document apply to audits and attestation engagements of government entities, programs, activities, and functions, and of government assistance administered by contractors, nonprofit entities, and other nongovernmental entities. A number of statutes and other mandates require that auditors follow GAGAS. Where a statute or other mandate does not exist, auditors will find it useful to follow GAGAS in work regarding the use of government funds. If auditors hold themselves out as following GAGAS, regardless of whether the auditors are required to follow such standards, the auditors need to justify any departures from GAGAS. 1.05: The following are among the laws, regulations, and guidelines that require use of GAGAS: a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. (2000) requires that the statutorily appointed federal inspectors general comply with GAGAS for audits of federal establishments, organizations, programs,[Footnote 3] activities, and functions. The act further states that the inspectors general shall take appropriate steps to assure that any work performed by nonfederal auditors complies with GAGAS. b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the Government Management Reform Act of 1994 (Public Law 103-356), requires that GAGAS be followed in audits of executive branch departments' and agencies' financial statements. c. 
The Single Audit Act Amendments of 1996 (Public Law 104-156) require that GAGAS be followed in audits of state and local governments and nonprofit entities that receive federal awards.[Footnote 4] The Office of Management and Budget (OMB) Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, which provides the government-wide guidelines and policies on performing audits to comply with the Single Audit Act, also requires the use of GAGAS. 1.06: Auditors need to be alert to other laws, regulations, or other authoritative sources that could require the use of GAGAS. For example, state and local laws and regulations may require auditors at the state and local levels of government to follow GAGAS. Also, the terms of an agreement or contract may require auditors to comply with GAGAS. Federal audit guidelines pertaining to program requirements, such as those issued for Housing and Urban Development programs and Student Financial Aid programs, may also require that GAGAS be followed. 1.07: Even if not required to do so, auditors may find it useful to follow GAGAS in performing audits of federal, state, and local government programs as well as in performing audits of government awards administered by contractors, nonprofit entities, and other nongovernment entities. Many audit organizations not formally required to do so, both in the United States of America and in other countries, voluntarily follow GAGAS. 1.08: Auditors may provide professional services, other than audits and attestation engagements, that consist solely of gathering, providing, and explaining information requested by decision makers or by providing advice or assistance to officials of the audited entity. GAGAS are not applicable to nonaudit services, which are described more fully in chapter 2. However, providing nonaudit services may affect an audit organization's independence to conduct audits, which is discussed in chapter 3. 
Relationship between GAGAS and Other Professional Standards: 1.09: GAGAS may be used in conjunction with professional standards issued by other authoritative bodies. For example, the American Institute of Certified Public Accountants (AICPA) has issued professional standards that apply in financial audits and attestation engagements performed by certified public accountants (CPA). GAGAS incorporate the AICPA's field work and reporting standards and the related statements on auditing standards for financial audits unless specifically excluded, as discussed in chapters 4 and 5. GAGAS incorporate the AICPA's general standard on criteria, and the field work and reporting standards and the related statements on the standards for attestation engagements, unless specifically excluded, as discussed in chapter 6. To meet the needs of users of government audits and attestation engagements, GAGAS also prescribe requirements in addition to those provided by the AICPA for these types of work. 1.10: Other professional standards that may be used by auditors are issued by such bodies as the Institute of Internal Auditors (Codification of the Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, Inc.) and the American Evaluation Association (Guiding Principles for Evaluators, a report from the American Evaluation Association Task Force on Guiding Principles for Evaluators; The Program Evaluation Standards, Joint Committee on Standards for Education Evaluation; and Standards for Educational and Psychological Testing, American Psychological Association.) These other professional standards are not incorporated into GAGAS, but can be used in conjunction with GAGAS. To the extent of any inconsistencies between the standards, GAGAS should prevail as the controlling (authoritative) source if GAGAS are cited in the report. Accountability: 1.11: The concept of accountability for public resources is key in our nation's governing processes.
Legislators, other government officials, and the public want to know whether (1) government resources are managed properly and used in compliance with laws and regulations, (2) government programs are achieving their objectives and desired outcomes, and (3) government services are being provided efficiently, economically, and effectively. Managers of these programs are accountable to legislative bodies and the public. Auditors of these programs, when they adhere to GAGAS, provide reports that enhance the credibility and reliability of the information that is reported by or obtained from officials of the audited entity. 1.12: Financial audits contribute to making governments more accountable for the use of public resources. The auditors, in providing an independent report on whether an entity's financial information is presented fairly in accordance with recognized criteria, provide users with statements concerning the reliability of the information. Financial audits performed in accordance with GAGAS also provide information about internal control, compliance with laws and regulations, and provisions of contracts and grant agreements as they relate to financial transactions, systems, and processes. 1.13: Attestation engagements also contribute to governments' accountability for the use of public resources and the delivery of services. In an attestation engagement, auditors issue an examination, a review, or an agreed-upon procedures report on a subject matter or on an assertion about a subject matter, based on or in conformity with criteria that is the responsibility of another party. Attestation engagements can cover a broad range of financial or nonfinancial objectives and provide various levels of assurance about the subject matter or assertion dependent upon the user's needs. 1.14: Performance audits also contribute to governments' accountability for the use of public resources and the delivery of services. 
The term performance audit is used to include a variety of objectives to meet users' needs. Performance audits provide an independent assessment of the performance and management of government programs against objective criteria or an assessment of best practices and other information. Performance audits provide information to improve program operations, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. The term performance audit is used generically to include work classified by some audit organizations as program evaluations, program effectiveness and results audits, economy and efficiency audits, operational audits, and value-for-money audits. 1.15: Given the importance and complexity of government programs in providing a variety of public services, auditors are increasingly being called on by legislative bodies and government agencies to expand the variety of performance audits to include work that has a prospective focus or provides guidance, best practice information, or information on issues that affect multiple programs or entities already studied or under study by an audit organization. This work may also include an assessment of policy alternatives, identification of risks and risk mitigation efforts, and a variety of analytical services to aid government officials in performing their responsibilities and carrying out their stewardship of government resources. Such work, like other performance audits, (1) involves a level of analysis, research, or evaluation, (2) may provide conclusions and recommendations, and (3) results in a report. 1.16: Audit organizations may also seek to achieve improvement through cooperative engagements with affected agencies while continuing to maintain independence under the standards. 
Such "constructive engagement" approaches, where appropriate, can facilitate management improvements on a real-time basis without compromising the audit organization's independence and objectivity. Efforts to provide technical advice and expertise to agencies for use in responding to current risks, correcting internal control deficiencies, or responding to the audit organization's recommendations are examples of constructive engagements. Constructive engagement approaches will not impair independence when conducted within the framework of an audit or as technical advice to agencies. However, audit organizations need to take care to avoid making management decisions or to avoid situations that would result in the audit organization auditing its own work, such as directing agencies to undertake a specific activity in a specific manner as discussed more fully in chapter 3 of these standards. By limiting the audit organization's role in this way, the overarching principles of independence are not violated. Roles and Responsibilities: 1.17: Officials of the audited entity entrusted with handling public resources and auditors of government programs fulfill essential roles and responsibilities in ensuring that public resources are used efficiently, economically, effectively, and legally. Audit organizations also have the important responsibility of ensuring that auditors can meet their responsibilities. These unique roles involve using sound management practices and providing professional audits and attestation engagements. Management's Role: 1.18: Officials of the audited entity (for example, managers of a state or local governmental entity or a nonprofit entity that receives federal awards) are responsible for: a. applying those resources efficiently, economically, effectively, and legally to achieve the purposes for which the resources were furnished or the program was established;[Footnote 5] b. 
complying with applicable laws and regulations, including identifying the requirements with which the entity and the official must comply and implementing systems designed to achieve that compliance; c. establishing and maintaining effective internal control to help ensure that appropriate goals and objectives are met; resources are used efficiently, economically, and effectively, and are safeguarded; laws and regulations are followed; and reliable data are obtained, maintained, and fairly disclosed; d. providing appropriate reports to those who oversee their actions and to the public in order to be accountable for the resources used to carry out government programs and the results of these programs; e. addressing the findings and recommendations of auditors, and for establishing and maintaining a process to track the status of such findings and recommendations; and: f. following sound procurement practices when contracting for audits and attestation engagements, including ensuring procedures are in place for monitoring contract performance. The objectives and scope of the audit or attestation engagement need to be made clear. In addition to price, other factors that may be considered in evaluating bid proposals include the responsiveness of the bidder to the request for proposal; the prior performance and experience of the bidder; the availability of the bidder's staff who have the appropriate professional qualifications and technical abilities; and the results of the bidder's peer reviews. Auditors' Responsibilities: 1.19: In discharging their professional responsibilities, auditors need to observe the principles of serving the public interest and maintaining the highest degree of integrity, objectivity, and independence. The public interest is defined as the collective well-being of the community of people and entities the auditors serve. These principles are fundamental to the responsibilities of auditors.
1.20: Auditors should act in a way that will serve the public interest, honor the public trust, and uphold their professionalism. A distinguishing mark of a profession is acceptance of its responsibility to the public. This responsibility is critical when auditing in the government environment. GAGAS embody the concept of accountability, which is fundamental to serving the public interest. 1.21: Auditors need to make decisions that are consistent with the public interest in the program or activity under audit. In discharging their professional responsibilities, auditors may encounter conflicting pressures from management of the audited entity, various levels of government, and others who rely on the objectivity and independence of the auditors. In resolving those conflicts, auditors are responsible for acting with integrity, guided by the precept that when auditors fulfill their responsibilities to the public, these individuals' and organizations' interests are best served. 1.22: To maintain and broaden public confidence, auditors need to perform all professional responsibilities with the highest degree of integrity. Auditors need to be professional, objective, fact-based, nonpartisan, and non-ideological in their relationships with audited entities and users of the auditors' reports. Auditors should be honest and candid with the audited entity and users of the auditors' work in the conduct of their work, within the constraints of the audited entity's confidentiality laws, rules, or policies. Auditors need to be prudent in the use of information acquired in the course of their duties. They should not use such information for any personal gain or in any manner that would be detrimental to the legitimate and ethical objectives of the audited entity. 1.23: Service and the public trust should not be subordinated to personal gain and advantage. 
Integrity can accommodate the inadvertent error and the honest difference of opinion; it cannot accommodate deceit or subordination of principle. Integrity requires auditors to observe both the form and the spirit of technical and ethical standards; circumvention of those standards constitutes subordination of judgment. Integrity also requires auditors to observe the principles of objectivity and independence. 1.24: Auditors should be objective and free of conflicts of interest in discharging their professional responsibilities. Auditors are also responsible for being independent in fact and appearance when providing audit and attestation services. Objectivity is a state of mind that requires auditors to be impartial, intellectually honest, and free of conflicts of interest. Independence precludes relationships that may in fact or appearance impair auditors' objectivity in performing the audit or attestation engagement. The maintenance of objectivity and independence requires continuing assessment of relationships with the audited entities in the context of the auditors' responsibility to the public. 1.25: In applying GAGAS, auditors are responsible for using professional judgment when establishing scope and methodologies for their work, determining the tests and procedures to be performed, conducting the work, and reporting the results. Auditors need to maintain integrity and objectivity when doing their work to make decisions that are consistent with the broader public interest in the program or activity under review. When reporting on the results of their work, auditors are responsible for disclosing all material or significant facts known to them which, if not disclosed, could mislead knowledgeable users, misrepresent the results, or conceal improper or unlawful practices. 
1.26: Auditors are responsible for helping management and other report users[Footnote 6] understand the auditors' responsibilities under GAGAS and other audit or attestation coverage required by law or regulation. To help managers and other report users understand an engagement's objectives, time frames, and data needs, auditors need to communicate information concerning planning, conduct, and reporting of the engagement to the parties involved during the planning stages of the audit or attestation engagement. Audit Organizations' Responsibilities: 1.27: Audit organizations also have responsibility for ensuring that (1) independence and objectivity are maintained in all phases of the assignment, (2) professional judgment is used in planning and performing the work and in reporting the results, (3) the work is performed by personnel who are professionally competent and collectively have the necessary skills and knowledge, and (4) an independent peer review is periodically performed resulting in an opinion issued as to whether an audit organization's system of quality control is designed and being complied with to provide reasonable assurance of conforming with professional standards. 1.28: While management is responsible for addressing audit and attestation engagement findings and recommendations and tracking their status of resolution, audit organizations are responsible for establishing policies and procedures for follow-up to determine whether previous significant findings and recommendations are addressed and are considered in planning future engagements. [End of section] Chapter 2: Types of Government Audits and Attestation Engagements: Introduction: 2.01: This chapter describes the types of audits and attestation engagements that audit organizations perform, or arrange to have performed, of government entities, programs, and federal awards administered by contractors, nonprofit entities, and other nongovernment entities. 
This description is not intended to limit or require the types of audits or attestation engagements that may be performed or arranged to be performed. In performing work described below in accordance with generally accepted government auditing standards (GAGAS), auditors should follow the applicable standards included and incorporated in chapters 3 through 8. This chapter also describes nonaudit services that audit organizations may provide, although these services are not covered by GAGAS. 2.02: All engagements begin with objectives, and those objectives determine the type of work to be performed and the auditing standards to be followed. The types of work, as defined by their objectives that are covered by GAGAS, are classified in this document as financial audits, attestation engagements, and performance audits. 2.03: Engagements may have a combination of objectives that include more than one type of work described in this chapter or may have objectives limited to only some aspects of one type of work. Auditors should follow the standards that are applicable to the individual objectives of the audit or attestation engagement. 2.04: In some engagements, the applicable standards that apply to the specific audit objective will be apparent. For example, if the audit objective is to express an opinion on financial statements, the standards for financial audits apply. However, for some engagements, there may be overlap between the applicable objectives. For example, if the objectives are to determine the reliability of performance measures, this work can be done in accordance with either the standards for attestation engagements or for performance audits. In cases where there is a choice between applicable standards, auditors should consider users' needs and the auditors' knowledge, skills, and experience in deciding which standards to follow. 
Auditors should apply the standards that are applicable to the type of assignment conducted (the financial audit standards, the attestation engagement standards, or the performance auditing standards). Financial Audits: 2.05: Financial audits are primarily concerned with providing reasonable assurance about whether financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles (GAAP),[Footnote 7] or with a comprehensive basis of accounting other than GAAP. Other objectives of financial audits, which provide for different levels of assurance and entail various scopes of work, may include: a. providing special reports for specified elements, accounts, or items of a financial statement;[Footnote 8] b. reviewing interim financial information; c. issuing letters for underwriters and certain other requesting parties; d. reporting on the processing of transactions by service organizations; and: e. auditing compliance with regulations relating to federal award expenditures and other governmental financial assistance in conjunction with or as a by-product of a financial statement audit. 2.06: Financial audits are performed under the American Institute of Certified Public Accountants' (AICPA) generally accepted auditing standards for field work and reporting, as well as the related AICPA Statements on Auditing Standards (SAS). GAGAS prescribe general standards and additional field work and reporting standards beyond those provided by the AICPA when performing financial audits. (See chapters 3, 4, and 5 for standards and guidance for auditors performing a financial audit in accordance with GAGAS.): Attestation Engagements: 2.07: Attestation engagements[Footnote 9] concern examining, reviewing, or performing agreed-upon procedures on a subject matter or an assertion[Footnote 10] about a subject matter and reporting on the results.
The subject matter of an attestation engagement may take many forms, including historical or prospective performance or condition, physical characteristics, historical events, analyses, systems and processes, or behavior. Attestation engagements can cover a broad range of financial or nonfinancial subjects and can be part of a financial audit or performance audit. Possible subjects of attestation engagements could include reporting on: a. an entity's internal control over financial reporting; b. an entity's compliance with requirements of specified laws, regulations, rules, contracts, or grants; c. the effectiveness of an entity's internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts; d. management's discussion and analysis (MD&A) presentation; e. prospective financial statements or pro-forma financial information; f. the reliability of performance measures; g. final contract cost; h. allowability and reasonableness of proposed contract amounts; and: i. specific procedures performed on a subject matter (agreed-upon procedures). 2.08: Attestation engagements are performed under the AICPA's attestation standards, as well as the related AICPA Statements on Standards for Attestation Engagements (SSAE). GAGAS prescribe general standards and additional field work and reporting standards beyond those provided by the AICPA for attestation engagements. (See chapters 3 and 6 for standards and guidance for auditors performing an attestation engagement in accordance with GAGAS.): Performance Audits: 2.09: Performance audits entail an objective and systematic examination of evidence to provide an independent assessment of the performance and management of a program against objective criteria as well as assessments that provide a prospective focus or that synthesize information on best practices or cross-cutting issues. 
Performance audits provide information to improve program operations and facilitate decision making by parties with responsibility to oversee or initiate corrective action, and improve public accountability. Performance audits encompass a wide variety of objectives, including objectives related to assessing program effectiveness and results; economy and efficiency; internal control;[Footnote 11] compliance with legal or other requirements; and objectives related to providing prospective analyses, guidance, or summary information. Performance audits may entail a broad or narrow scope of work and apply a variety of methodologies; involve various levels of analysis, research, or evaluation; generally provide findings, conclusions, and recommendations; and result in the issuance of a report. (See chapters 3, 7, and 8 for standards and guidance for auditors performing a performance audit in accordance with GAGAS.): 2.10: Program effectiveness and results audit objectives address the effectiveness of a program and typically measure the extent to which a program is achieving its goals and objectives. Economy and efficiency audit objectives concern whether an entity is acquiring, protecting, and using its resources in the most productive manner to achieve program objectives. Program effectiveness and results audit objectives and economy and efficiency audit objectives are often interrelated and may be concurrently addressed in a performance audit. Examples of these audit objectives include assessing: a. the extent to which legislative, regulatory, or organizational goals and objectives are being achieved; b. the relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness; c. the relative cost and benefits or cost effectiveness of program performance;[Footnote 12] d. whether a program produced intended results or produced effects that were not intended by the program's objectives; e. 
the extent to which programs duplicate, overlap, or conflict with other related programs; f. whether the audited entity is following sound procurement practices; g. the validity and reliability of performance measures concerning program effectiveness and results, or economy and efficiency; and: h. the reliability, validity, or relevance of financial information related to the performance of a program. 2.11: Internal control audit objectives relate to management's plans, methods, and procedures used to meet its mission, goals, and objectives. Internal control includes the processes and procedures for planning, organizing, directing, and controlling program operations, and the system put in place for measuring, reporting, and monitoring program performance. Examples of audit objectives related to internal control include the extent that internal control of a program provides reasonable assurance that: a. organizational missions, goals, and objectives are achieved effectively and efficiently; b. resources are used in compliance with laws, regulations, or other requirements; c. resources are safeguarded against unauthorized acquisition, use, or disposition; d. management information and public reports that are produced, such as performance measures, are complete, accurate, and consistent to support performance and decision making; e. security over computerized information systems will prevent or timely detect unauthorized access; and: f. contingency planning for information systems provides essential back-up to prevent unwarranted disruption of activities and functions the systems support. 2.12: Compliance audit objectives relate to compliance criteria established by laws, regulations, contract provisions, grant agreements, and other requirements[Footnote 13] that could affect the acquisition, protection, and use of the entity's resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. 
Compliance objectives also concern the purpose of the program, the manner in which it is to be conducted and services delivered, and the population it serves. 2.13: Audit organizations also undertake work that provides a prospective focus or may provide guidance, best practice information, and information that cuts across program or organizational lines, or summary information on issues already studied or under study by an audit organization. Examples of objectives pertaining to this work include: a. assessing program or policy alternatives, including forecasting program outcomes under various assumptions; b. assessing the advantages and disadvantages of legislative proposals; c. analyzing views of stakeholders on policy proposals for decision makers; d. analyzing budget proposals or budget requests to assist legislatures in the budget process; e. identifying best practices for users in evaluating program or management system approaches, including financial and information management systems; and: f. producing a high-level summary or a report that affects multiple programs or entities on issues studied or under study by the audit organization. 
Nonaudit Services Provided by Audit Organizations: 2.14: Audit organizations may also provide nonaudit services that are not covered by GAGAS.[Footnote 14] Nonaudit services generally differ from financial audits, attestation engagements, and performance audits in that auditors may (1) perform tasks requested by management that directly support the entity's operations, such as developing or implementing accounting systems; determining account balances; developing internal control systems; establishing capitalization criteria; processing payroll; posting transactions; evaluating assets; designing or implementing information technology or other systems; or performing actuarial studies or (2) provide information or data to a requesting party without providing verification, analysis, or evaluation of the information or data, and, therefore, the work does not usually provide a basis for conclusions, recommendations, or opinions on the information or data. These services may or may not result in the issuance of a report. In the case of nongovernment auditors who conduct audits under GAGAS, the term nonaudit services is synonymous with consulting services. 2.15: GAGAS do not cover nonaudit services described in this chapter since such services are not audits or attestation engagements. Therefore, auditors should not report that nonaudit services were conducted in accordance with GAGAS. However, audit organizations are encouraged to establish policies for maintaining the quality of this type of work, and may wish to disclose such policies in any product resulting from this work, any other professional standards followed, and the quality control steps taken. 2.16: Importantly, although GAGAS do not provide standards for conducting nonaudit services, auditors providing such services need to ensure that their independence to provide audit services is not impaired by providing nonaudit services. 
(See chapter 3, general standards on independence.): [End of section] Chapter 3: General Standards: Introduction: 3.01: This chapter prescribes general standards and provides guidance for performing financial audits, attestation engagements,[Footnote 15] and performance audits. These general standards concern the fundamental requirements for ensuring the credibility of auditors' results. Credibility is essential to all audit organizations performing work that government leaders and other users rely on for making decisions, and is what the public expects of information provided by auditors. These general standards encompass the independence of the audit organization and its individual auditors; the exercise of professional judgment in the performance of work and the preparation of related reports; the competence of audit staff, including the need for their continuing professional education; and the existence of quality control systems and external peer reviews. 3.02: These general standards provide the underlying framework that is critical in effectively applying the field work and reporting standards described in the following chapters when performing the detailed work associated with audits or attestation engagements and when preparing related reports and other products. Therefore, these general standards are required to be followed by all auditors and audit organizations, both government and nongovernment, performing work under generally accepted government auditing standards (GAGAS). Independence: 3.03: The general standard related to independence is: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, should be free both in fact and appearance from personal, external, and organizational impairments to independence. 
3.04: Auditors and audit organizations have a responsibility to maintain independence so that opinions, conclusions, judgments, and recommendations will be impartial and will be viewed as impartial by knowledgeable third parties. Auditors should avoid situations that could lead reasonable third parties with knowledge of the relevant facts and circumstances to conclude that the auditors are not able to maintain independence and, thus, are not capable of exercising objective and impartial judgment on all issues associated with conducting and reporting on the work. 3.05: Auditors need to consider three general classes of impairments to independence--personal, external, and organizational.[Footnote 16] If one or more of these impairments affects an individual auditor's capability to perform the work and report results impartially, that auditor should either decline to perform the work, or in those situations in which the government auditor, because of a legislative requirement or for other reasons, cannot decline to perform the work, the impairment or impairments should be reported in the scope section of the audit report. 3.06: In using the work of a specialist,[Footnote 17] auditors need to consider the specialist as a member of the audit team and, accordingly, assess the specialist's ability to perform the work and report results impartially. In conducting this assessment, auditors should provide the specialist with the GAGAS independence requirements and obtain representations from the specialist regarding the specialist's independence from the activity or program under audit. If the specialist has an impairment to independence, auditors should not use the work of that specialist. Personal Impairments: 3.07: The audit organization should have an internal quality control system to help determine whether auditors have any personal impairments to independence that could affect their impartiality or the appearance of impartiality. 
The audit organization needs to be alert for personal impairments to independence of its staff members. Personal impairments of staff members result from relationships and beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Auditors are responsible for notifying the appropriate officials within their audit organizations if they have any personal impairments to independence. Examples of personal impairments of individual auditors include, but are not limited to, the following: a. immediate family or close family member[Footnote 18] who is a director or officer of the audited entity, or as an employee of the audited entity, is in a position to exert direct and significant influence over the entity or the program under audit; b. financial interest that is direct, or is significant/material though indirect, in the audited entity or program;[Footnote 19] c. responsibility for managing an entity or decision making that could affect operations of the entity or program being audited; for example as a director, officer, or other senior position of the entity, activity, or program being audited, or as a member of management in any decision making, supervisory, or ongoing monitoring function for the entity, activity, or program under audit;[Footnote 20],[Footnote 21] d. 
concurrent or subsequent performance of an audit by the same individual who maintained the official accounting records when such services involved preparing source documents or originating data, in electronic or other form; posting transactions (whether coded by management or not coded); authorizing, executing, or consummating transactions (for example, approving invoices, payrolls, claims, or other payments of the entity or program being audited); maintaining an entity's bank account or otherwise having custody of the audited entity's funds; or otherwise exercising authority on behalf of the entity, or having authority to do so;[Footnote 22] e. preconceived ideas toward individuals, groups, organizations, or objectives of a particular program that could bias the audit; f. biases, including those induced by political, ideological, or social convictions, that result from employment in, or loyalty to, a particular type of policy, group, organization, or level of government; and: g. seeking employment with an audited organization during the conduct of the audit. 3.08: Audit organizations and auditors may encounter many different circumstances or combination of circumstances that could create a personal impairment. Therefore, it is impossible to identify every situation that could result in a personal impairment. Accordingly, audit organizations should include as part of their internal quality control system requirements to identify personal impairments and assure compliance with GAGAS independence requirements. At a minimum, audit organizations should: a. establish policies and procedures that will enable the identification of personal impairments to independence, including whether performing nonaudit services affects the subject matter of audits and applying safeguards to appropriately reduce that risk (See paragraphs 3.10 through 3.18.); b. 
communicate the audit organization's policies and procedures to all auditors in the organization and assure understanding of requirements through training or other means such as auditors periodically acknowledging their understanding; c. establish internal policies and procedures to monitor compliance with the audit organization's policies and procedures; d. establish a disciplinary mechanism to promote compliance with the audit organization's policies and procedures; and: e. stress the importance of independence and the expectation that auditors will always act in the public interest. 3.09: When the audit organization identifies a personal impairment to independence, the impairment needs to be resolved in a timely manner. In situations in which the personal impairment is applicable only to an individual auditor on a particular assignment, the audit organization may be able to mitigate the personal impairment by requiring the auditor to eliminate the personal impairment. For example, the auditor could sell a financial interest that created the personal impairment, or the audit organization could remove that auditor from any work on that audit assignment.[Footnote 23] If the personal impairment cannot be mitigated through these means, the audit organization should withdraw from the audit. In situations in which government auditors cannot withdraw from the audit, they should follow the requirement in paragraph 3.05. 
3.10: Audit organizations that provide other professional services (nonaudit services) should consider whether providing these services creates a personal impairment either in fact or appearance that adversely affects their independence for conducting audits.[Footnote 24] 3.11: Nonaudit services generally differ from financial audits, attestation engagements, and performance audits described in chapter 2 in that auditors may (1) perform tasks requested by management that directly support the entity's operations, such as developing or implementing accounting systems; determining account balances;[Footnote 25] developing internal control systems; establishing capitalization criteria; processing payroll; posting transactions; evaluating assets; designing or implementing information technology or other systems; or performing actuarial studies, or (2) provide information or data to a requesting party without providing verification, analysis, or evaluation of the information or data, circumstances in which the work does not usually provide a basis for conclusions, recommendations, or opinions on the information or data. These other services may or may not result in a report. In the case of nongovernment auditors who perform audits of government entities under GAGAS, the term "nonaudit services" is synonymous with consulting services. 3.12: Audit organizations have the capability of performing a range of services for their clients. However, in certain circumstances, it is not appropriate for the audit organization to perform both audit and certain nonaudit services for the same client. In these circumstances, auditors and/or the audited entity will have to make a choice as to which of these services the audit organization will provide. 
GAGAS recognize that nonaudit services are provided by audit organizations and that care needs to be taken to avoid situations that can impair auditor independence, either in fact or appearance, when performing financial audits, attestation engagements, or performance audits in accordance with GAGAS. 3.13: Before an audit organization agrees to perform nonaudit services, it should carefully consider the requirements of paragraph 3.04 that auditors should avoid situations that could lead reasonable third parties with knowledge of the relevant facts and circumstances to conclude that auditors are not able to maintain independence in conducting audits. In conducting the assessment, the audit organization should apply two overarching principles: (1) audit organizations should not provide nonaudit services that involve performing management functions or making management decisions and (2) audit organizations should not audit their own work or provide nonaudit services in situations where the nonaudit services are significant/material to the subject matter of audits. If the audit organization makes the determination that the nonaudit service does not violate these principles, it should comply with all the safeguards stated in paragraph 3.17. 3.14: Audit organizations should not perform management functions or make management decisions. Performing management functions or making management decisions creates a situation that impairs the audit organization's independence, both in fact and in appearance, to perform audits of that subject matter and may affect the audit organization's independence to conduct audits of related subject matter. 
For example, auditors should not serve as members of an entity's management committee or board of directors, make policy decisions that affect future direction and operation of an entity's programs, supervise entity employees, develop programmatic policy, authorize an entity's transactions, or maintain custody of an entity's assets.[Footnote 26] 3.15: Auditors may participate on committees or task forces in a purely advisory capacity to advise entity management on issues related to the knowledge and skills of the auditors without impairing their independence. However, auditors should not make management decisions or perform management functions. For example, auditors can provide routine advice to the audited entity and management to assist them in activities such as establishing internal controls or implementing audit recommendations and can answer technical questions and/or provide training. The decision to follow the auditors' advice remains with management of the audited entity. These types of interactions are normal between auditors and officials of the audited entity given the auditors' technical expertise and the knowledge auditors gain of the audited entity's operations. Auditors may also provide tools and methodologies, such as best practice guides, benchmarking studies, and internal control assessment methodologies that can be used by management. By their very nature, these are routine activities that would not require the audit organization to apply the safeguards described in paragraph 3.17. 3.16: Audit organizations should not audit their own work or provide nonaudit services if the services are significant/material to the subject matter of the audits. 
In considering whether the nonaudit service can have a significant or material effect on the subject matter of the audits, audit organizations should consider (1) ongoing audits; (2) planned audits; (3) requirements and commitments for providing audits, which includes laws, regulations, rules, contracts, and other agreements; and (4) policies placing responsibilities on the audit organization for providing audit services. Government auditors generally have broad audit responsibilities that may extend to a level of government or a particular entity within a level of government. Given their broad area of audit responsibility, government auditors need to be especially careful in providing nonaudit services to the entity so that their independence is not impaired for fulfilling their full range of audit responsibilities. Nongovernment audit organizations may provide audit and nonaudit services (commonly referred to as consulting) under contractual commitments to an entity and need to consider whether nonaudit services they have provided or are committed to provide have a significant or material effect on the subject matter of the audits. 3.17: Audit organizations may perform nonaudit services that do not violate the principles stated in paragraph 3.13 only if the audit organization and the audited entity comply with the following safeguards. These safeguards would not apply in connection with the type of routine activities described in paragraph 3.15. The intent in this paragraph is not for the audit organization to apply these safeguards to every interaction it has with management. a. The audit organization should document its consideration of the nonaudit services as discussed in paragraph 3.13, including documentation for its rationale that providing the nonaudit services does not violate the two overarching principles. b.
Before performing nonaudit services, the audit organization should establish and document an understanding with the audited entity regarding the objectives, scope of work, and product or deliverables of the nonaudit service. The audit organization should also establish and document an understanding with management that (1) management is responsible for the substantive outcomes of the work and, therefore, has a responsibility to be in a position in fact and appearance to make an informed judgment on the results of the nonaudit service and (2) the audited entity complies with the following: 1. designates a management-level individual to be responsible and accountable for overseeing the nonaudit service, 2. establishes and monitors the performance of the nonaudit service to ensure that it meets management's objectives, 3. makes any decisions that involve management functions related to the nonaudit service and accepts full responsibility for such decisions, and: 4. evaluates the adequacy of the services performed and any findings that result. c. The audit organization should preclude personnel who provided the nonaudit services from planning, conducting, or reviewing audit work of subject matter involving the nonaudit service under the overarching principle that auditors cannot audit their own work.[Footnote 27] d. The audit organization is precluded from reducing the scope and extent of the audit work below the level that would be appropriate if the nonaudit work were performed by an unrelated party. e. The audit organization's quality control systems for compliance with independence requirements should include: (1) policies and procedures to assure consideration of the effect on the ongoing, planned, and future audits when deciding whether to provide nonaudit services, and (2) a requirement to have the understanding with management of the audited entity documented. 
The understanding should be communicated to management in writing and can be included in the engagement letter. In addition, the documentation should specifically identify management's compliance with the elements discussed in paragraph 3.17b, including evidence of the management-level individual responsible for overseeing the nonaudit service's qualifications to conduct the required oversight and that the tasks required of management were performed. f. By their nature, certain nonaudit services impair the audit organization's ability to meet either or both of the overarching principles in paragraph 3.13 for certain types of audit work. In these cases, the audit organization should communicate to management of the audited entity that the audit organization will not be able to perform subsequent audit work related to the subject matter of the nonaudit service. It should be clear to management up front that the audit organization would be in violation of the independence standard if it were to perform such audit work and that another audit organization that meets the independence standard will have to be engaged to perform the audit. For example, if the audit organization has been responsible for designing, developing, and/or installing the entity's accounting system or is operating the system and then performs a financial statement audit of the entity, the audit organization would clearly be in violation of the two overarching principles of the GAGAS independence standard discussed in paragraph 3.13. Likewise, if the audit organization developed an entity's performance measurement system, the audit organization would not be deemed independent in conducting a performance audit to evaluate whether the system was adequate. 
In both of these examples, the audit organization could decide to perform the nonaudit service but would then not be independent under GAGAS with regard to the subsequent audit because it would be in violation of one or both of the two overarching principles. It becomes a matter of choice for the audit organization and the audited entity. But the audit organization cannot maintain independence under GAGAS while providing both the nonaudit service and performing the audit if either of the two overarching principles would be violated. g. For individual audits selected for inspection during a peer review, all related nonaudit services should be disclosed to the audit organization's peer reviewer, and the audit documentation required by paragraphs 3.17a through 3.17e should be made available for inclusion in the audit organization's peer review. 3.18: Audit organizations and auditors may encounter many different circumstances or combinations of circumstances; therefore, it is impossible to define every situation that could result in an impairment, as discussed in paragraph 3.12. The following are examples of nonaudit services performed by an audit organization that typically would not create an impairment to the audit organization's independence as long as (1) auditors avoid situations that would conflict with the two overarching principles listed in paragraph 3.13 and (2) the audit organization complies with the safeguards in paragraph 3.17: a. 
Providing basic accounting assistance limited to services such as preparing draft financial statements that are based on management's chart of accounts and trial balance and any adjusting, correcting, and closing entries that have been approved by management; preparing draft notes to the financial statements based on information determined and approved by management; preparing a trial balance based on management's chart of accounts; maintaining depreciation schedules for which management has determined the method of depreciation, rate of depreciation, and salvage value of the asset.[Footnote 28] The audit organization, however, cannot maintain or prepare the audited entity's basic accounting records or maintain or take responsibility for basic financial or other records that the audit organization will audit.[Footnote 29] As part of this prohibition, auditors should not post transactions (whether coded or not coded) to the entity's financial records or to other records that subsequently provide data to the entity's financial records. b. Providing payroll services limited to services such as computing pay amounts for the entity's employees based on entity-maintained and approved time records, salaries or pay rates, and deductions from pay; generating unsigned payroll checks; transmitting client-approved payroll data to a financial institution provided management has approved the transmission and limited the financial institution to making payments only to previously approved individuals. In cases in which the audit organization was processing the entity's entire payroll and payroll was a material amount to the subject matter of the audit, this would be a violation of one of the overarching principles in paragraph 3.13, and auditors would not be deemed independent under GAGAS. c. 
Providing appraisal or valuation services limited to services such as reviewing the work of the entity or a specialist employed by the entity where the entity or specialist provides the primary evidence for the balances recorded in financial statements or other information that will be audited; valuing an entity's pension, other post-employment benefit, or similar liabilities provided management has determined and taken responsibility for all significant assumptions and data. d. Preparing an entity's indirect cost proposal[Footnote 30] or cost allocation plan provided management assumes responsibility for all significant assumptions and data. e. Providing advisory services on information technology limited to services such as advising on system design, system installation, and system security if management, in addition to the safeguards in paragraph 3.17, acknowledges responsibility for the design, installation, and internal control over the entity's system and does not rely on the auditors' work as the primary basis for determining (1) whether to implement a new system, (2) the adequacy of the new system design, (3) the adequacy of major design changes to an existing system, and (4) the adequacy of the system to comply with regulatory or other requirements. However, the audit organization should not operate or supervise the operation of the entity's information technology system. f. Providing human resource services to assist management in its evaluation of potential candidates when the services are limited to activities such as serving on an evaluation panel to review applications or interviewing candidates to provide input to management in arriving at a listing of best qualified applicants to be provided to management. The auditors should not recommend a single individual for a specific position, nor should the auditors conduct an executive search or a recruiting program for the audited entity. g. 
Preparing routine tax filings in accordance with federal tax laws, rules, and regulations of the Internal Revenue Service, and state and local tax authorities, and any other applicable laws. h. Gathering and reporting on unverified external or third-party data to aid legislative and administrative decision making. i. Advising an entity regarding its performance of internal control self-assessments. j. Assisting a legislative body by developing questions for use at a hearing. External Impairments: 3.19: Factors external to the audit organization may restrict the work or interfere with auditors' ability to form independent and objective opinions and conclusions. External impairments to independence occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organizations. For example, under the following conditions, auditors may not have complete freedom to make an independent and objective judgment and an audit may be adversely affected: a. external interference or influence that could improperly or imprudently limit or modify the scope of an audit or threaten to do so, including pressure to reduce inappropriately the extent of work performed in order to reduce costs or fees; b. external interference with the selection or application of audit procedures or in the selection of transactions to be examined; c. unreasonable restrictions on the time allowed to complete an audit or issue the report; d. interference external to the audit organization in the assignment, appointment, and promotion of audit personnel; e. restrictions on funds or other resources provided to the audit organization that adversely affect the audit organization's ability to carry out its responsibilities; f. authority to overrule or to inappropriately influence the auditors' judgment as to the appropriate content of the report; g. 
threat of replacement over a disagreement with the contents of an audit report, the auditors' conclusions, or the application of an accounting principle or other criteria; and h. influences that jeopardize the auditors' continued employment for reasons other than incompetence, misconduct, or the need for audit services. 3.20: An audit organization's internal quality control system for compliance with GAGAS independence requirements, as stated in paragraph 3.08, should include internal policies and procedures for reporting and resolving external impairments. Organizational Impairments: 3.21: In addition to the preceding paragraphs that address personal and external impairments, a government audit organization's ability to perform the work and report the results impartially can be affected by its place within government and the structure of the government entity that the audit organization is assigned to audit. Whether performing work to report externally to third parties outside the audited entity or internally to top management within the audited entity, audit organizations need to be free from organizational impairments to independence. Organizational Impairment Considerations When Reporting Externally to Third Parties: 3.22: Government auditors can be presumed to be free from organizational impairments to independence when reporting externally to third parties if their audit organization is organizationally independent from the audited entity. Government audit organizations can meet the requirement for organizational independence in a number of ways. 3.23: First, a government audit organization may be presumed to be free from organizational impairments to independence from the audited entity to report externally, if the audit organization is: a. assigned to a level of government other than the one to which the audited entity is assigned (federal, state, or local), for example, a federal auditor auditing a state government program, or b. 
assigned to a different branch of government within the same level of government as the audited entity; for example, a legislative auditor auditing an executive branch program. 3.24: Second, a government audit organization may also be presumed to be free from organizational impairments for external reporting if the audit organization's head meets any of the following criteria: a. directly elected by voters of the jurisdiction being audited; b. elected or appointed by a legislative body subject to removal by a legislative body, and reports the results of audits to and is accountable to a legislative body; c. appointed by someone other than a legislative body, so long as the appointment is confirmed by a legislative body and removal from the position is subject to oversight or approval by a legislative body,[Footnote 31] and reports the results of audits to and is accountable to a legislative body; or d. appointed by, accountable to, reports to, and can only be removed by a statutorily created governing body, the majority of whose members are independently elected or appointed and come from outside the organization being audited. 3.25: In addition to the presumptive criteria in paragraphs 3.23 and 3.24, GAGAS recognize that there may be other organizational structures under which a government audit organization could be considered to be free from organizational impairments and thereby be considered organizationally independent for reporting externally. These other structures should provide sufficient safeguards to prevent the audited entity from interfering with the audit organization's ability to perform the work and report the results impartially. For an audit organization to be considered free from organizational impairments for reporting externally under a structure different from the ones listed in paragraphs 3.23 and 3.24, the audit organization should have all of the following safeguards: a. 
statutory protections that prevent the abolishment of the audit organization by the audited entity; b. statutory protections that require that if the head of the audit organization is removed from office, the head of the agency should report this fact and the reasons for the removal to the legislative body; c. statutory protections that prevent the audited entity from interfering with the initiation, scope, timing, and completion of any audit; d. statutory protections that prevent the audited entity from interfering with the reporting on any audit, including the findings, conclusions, and recommendations, or the manner, means, or timing of the audit organization's reports; e. statutory protections that require the audit organization to report to a legislative body or other independent governing body on a recurring basis; f. statutory protections that give the audit organization sole authority over the selection, retention, advancement, and dismissal of its staff; and g. statutory access to records and documents that relate to the agency, program, or function being audited.[Footnote 32] 3.26: If the head of the audit organization concludes that the organization meets all the safeguards listed in paragraph 3.25, the audit organization should be considered free from organizational impairments to independence when reporting the results of its audits externally to third parties. The audit organization should document the statutory provisions in place that allow it to meet these safeguards. Those provisions should be reviewed during an external peer review to ensure that all the necessary safeguards have been met. Organizational Impairment Considerations When Reporting Internally to Management: 3.27: Certain federal, state, or local government audit organizations or audit organizations within other government entities, such as public colleges, universities, and hospitals, employ auditors to work for management of the audited entities. 
These auditors may be subject to administrative direction from persons involved in the government management process. Such audit organizations are internal audit organizations. A government internal audit organization can be presumed to be free from organizational impairments to independence when reporting internally to management if the head of the audit organization meets all of the following criteria: a. accountable to the head or deputy head of the government entity, b. required to report the results of the audit organization's work to the head or deputy head of the government entity, and c. located organizationally outside the staff or line management function of the unit under audit. 3.28: If the conditions of paragraph 3.27 are met, the audit organization should be considered free of organizational impairments to independence to audit internally and report objectively to the entity's management. Further distribution of reports outside the organization should only be made in accordance with applicable law, rule, regulation, or policy. In these situations, the fact that the auditors are auditing in their employing organizations should be clearly reflected in the auditors' reports. 3.29: Auditors need to be sufficiently removed from political pressures to ensure that they can conduct their audits objectively and report their findings, opinions, and conclusions objectively without fear of political repercussions. Whenever feasible, auditors within internal audit organizations should be under a personnel system in which compensation, training, job tenure, and advancement are based on merit. 3.30: The audit organization's independence is enhanced when it also reports regularly to the entity's independent audit committee and/or the appropriate government oversight body. 
3.31: When internal audit organizations that are free of organizational impairments to independence, under the criteria in paragraph 3.27, perform audits external to the government entities to which they are directly assigned, such as auditing contractors or outside party agreements, and no personal or external impairments exist, they may be considered independent of the audited entities and free to report objectively to the heads or deputy heads of the government entities to which they are assigned and to parties outside the organizations in accordance with applicable law, rule, regulation, or policy. 3.32: The audit organization should document the conditions that allow it to be considered free of organizational impairments to independence to report internally. Those conditions should be reviewed during the peer review to ensure that all the necessary safeguards have been met. Professional Judgment: 3.33: The general standard related to professional judgment is: Professional judgment should be used in planning and performing audits and attestation engagements and in reporting the results. 3.34: This standard requires auditors to exercise reasonable care and diligence and to observe the principles of serving the public interest and maintaining the highest degree of integrity, objectivity, and independence in applying professional judgment to all aspects of their work. This standard also imposes a responsibility upon each auditor performing work under GAGAS to observe GAGAS. If auditors state they are performing their work in accordance with GAGAS, they should justify any departures from GAGAS. 3.35: Auditors should use professional judgment in determining the type of assignment to be performed and the standards that apply to the work; defining the scope of work; selecting the methodology; determining the type and amount of evidence to be gathered; and choosing the tests and procedures for their work. 
Professional judgment also should be applied in performing the tests and procedures and in evaluating and reporting the results of the work. 3.36: Professional judgment requires auditors to exercise professional skepticism, which is an attitude that includes a questioning mind and a critical assessment of evidence. Auditors use the knowledge, skills, and experience called for by their profession to diligently perform, in good faith and with integrity, the gathering of evidence and the objective evaluation of the sufficiency, competency, and relevancy of evidence. Since evidence is gathered and evaluated throughout the assignment, professional skepticism should be exercised throughout the assignment. 3.37: Auditors neither assume that management is dishonest nor assume unquestioned honesty. In exercising professional skepticism, auditors should not be satisfied with less than persuasive evidence because of a belief that management is honest. 3.38: The exercise of professional judgment allows auditors to obtain reasonable assurance that material misstatements or significant inaccuracies in data will likely be detected if they exist. Absolute assurance is not attainable because of the nature of evidence and the characteristics of fraud. Therefore, an audit or attestation engagement conducted in accordance with GAGAS may not detect a material misstatement or significant inaccuracy, whether from error or fraud, illegal acts, or violations of provisions of contracts or grant agreements. Accordingly, while this standard places responsibility on each auditor and audit organization to exercise professional judgment in planning and performing an assignment, it does not imply unlimited responsibility, nor does it imply infallibility on the part of either the individual auditor or the audit organization. 
Competence: 3.39: The general standard related to competence is: The staff assigned to perform the audit or attestation engagement should collectively possess adequate professional competence for the tasks required. 3.40: This standard places responsibility on audit organizations to ensure that each audit or attestation engagement is performed by staff who collectively have the knowledge, skills, and experience necessary for that assignment. Accordingly, audit organizations should have a process for recruitment, hiring, continuous development, and evaluation of staff to assist the organization in maintaining a workforce that has adequate competence. The nature, extent, and formality of the process will depend on various factors such as the size of the audit organization, its work, and its structure. 3.41: The competencies discussed below apply to the knowledge, skills, and experience of audit organizations and not necessarily to each individual auditor. An audit organization may need to employ personnel or hire specialists who are knowledgeable, skilled, or experienced in such areas as accounting, statistics, law, engineering, audit design and methodology, information technology, public administration, economics, social sciences, or actuarial science. Technical Knowledge and Competence: 3.42: Audit organizations should ensure that staff members assigned to conduct an audit or attestation engagement under GAGAS should collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. Staff members should collectively possess: a. knowledge of GAGAS applicable to the type of work they are assigned and the education, skills, and experience to apply such knowledge to the work being performed; b. general knowledge of the environment in which the audited entity operates and the subject matter under review; c. 
skills to communicate clearly and effectively, both orally and in writing; and d. skills appropriate for the work being performed. For example: (1) if the work requires use of statistical sampling, the staff or specialists should include persons with statistical sampling skills; (2) if the work requires extensive review of information systems, the staff or specialists should include persons with information technology skills; (3) if the work involves review of complex engineering data, the staff or specialists should include persons with engineering skills; or (4) if the work involves the use of specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, the staff or specialists should include persons with skills in those methodologies or techniques. Additional Qualifications for Financial Audits and Attestation Engagements: 3.43: Auditors performing financial audits should be knowledgeable in generally accepted accounting principles (GAAP)[Footnote 33] and the AICPA's generally accepted auditing standards for field work and reporting and the related Statements on Auditing Standards (SAS), and they should be competent in applying these standards and SASs to the task assigned. Similarly, when performing an attestation engagement, auditors should be knowledgeable in the AICPA general attestation standard related to criteria, and the AICPA attestation standards for field work and reporting and the related Statements on Standards for Attestation Engagements (SSAE), and they should be competent in applying these standards and SSAEs to the task assigned. 
3.44: Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants or persons working for a licensed certified public accounting firm or a government auditing organization.[Footnote 34] Public accountants and accounting firms meeting licensing requirements should also comply with the applicable provisions of the public accountancy law and rules of the jurisdiction(s) where the audit is being performed and the jurisdiction(s) in which the public accountants and their firms are licensed. Continuing Professional Education: 3.45: Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, need to maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 80 hours of CPE that directly enhance the auditor's professional proficiency to perform audits and/or attestation engagements.[Footnote 35] At least 24 of the 80 hours of CPE should be in subjects directly related to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.[Footnote 36] At least 20 hours of the 80 should be completed in any 1 year of the 2-year period. 3.46: CPE may include a variety of topics that contribute to auditors' proficiency to perform audits and/or attestation engagements, such as developments in auditing standards and methodology, accounting principles, assessment of internal control, principles of management or supervision, information systems management, audit sampling, financial statement analysis, evaluation design, and data analysis. It may also include subjects related to specific fields of work, such as public administration, public policy and structure, industrial engineering, finance, economics, social sciences, and information technology. 
3.47: The audit organization is responsible for ensuring that auditors meet the continuing education requirements and should maintain documentation of the CPE completed. The U.S. General Accounting Office (GAO) has developed guidance pertaining to CPE requirements to assist auditors and audit organizations in exercising professional judgment in complying with the CPE requirements.[Footnote 37] 3.48: External and internal specialists assisting in performing a GAGAS assignment should be qualified and should maintain professional competence in their areas of specialization but are not required to meet the CPE requirements described here. However, auditors who use the work of external and internal specialists should ensure that such specialists are qualified in their areas of specialization and should document such assurance. Quality Control and Assurance: 3.49: The general standard related to quality control and assurance is: Each audit organization performing audits and/or attestation engagements in accordance with GAGAS should have an appropriate internal quality control system in place and should undergo an external peer review. 3.50: An audit organization's system of quality control encompasses the audit organization's structure and the policies adopted and procedures established to provide the organization with reasonable assurance of complying with applicable standards governing audits and attestation engagements. An audit organization's internal quality control system should include procedures for monitoring, on an ongoing basis, whether the policies and procedures related to the standards are suitably designed and are being effectively applied. 3.51: The nature and extent of an audit organization's internal quality control system depends on a number of factors, such as its size, the degree of operating autonomy allowed its personnel and its audit offices, the nature of its work, its organizational structure, and appropriate cost-benefit considerations. 
Thus, the systems established by individual audit organizations will vary as will the need for, and extent of, their documentation of the systems. However, each audit organization should prepare appropriate documentation for its system of quality control to demonstrate compliance with its policies and procedures. The form and content of such documentation is a matter of judgment. Documentation of compliance should be retained for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization's compliance with the quality control policies and procedures. 3.52: Audit organizations performing audits and attestation engagements in accordance with GAGAS should have an external peer review of their auditing and attestation engagement practices at least once every 3 years by reviewers independent of the audit organization being reviewed.[Footnote 38] The external peer review should determine whether, during the period under review, the reviewed audit organization's internal quality control system was adequate and whether quality control policies and procedures were being complied with to provide the audit organization with reasonable assurance of conforming with applicable professional standards. Audit organizations should take remedial, corrective actions as needed based on the results of the peer review. 3.53: Members of the external peer review team should meet the following requirements: a. Each review team member should have current knowledge of GAGAS and of the government environment relative to the work being reviewed. b. Each review team member should be independent (as defined in GAGAS) of the audit organization being reviewed, its staff, and the audits and attestation engagements selected for the external peer review. A review team or a member of the review team is not permitted to review the audit organization that conducted its audit organization's most recent external peer review. 
c. Each review team member should have knowledge on how to perform a peer review. Such knowledge may be obtained from on-the-job training, training courses, or a combination of both. 3.54: The peer review should meet the following requirements: a. The peer review should include a review of the audit organization's internal quality control policies and procedures, including related monitoring procedures, audit and attestation engagement reports, audit and attest documentation, and other necessary documents (for example, independence documentation, CPE records, and personnel management files related to compliance with hiring, performance evaluation, and assignment policies). The review should also include interviews with various levels of the reviewed audit organization's professional staff to assess their understanding of and compliance with relevant quality control policies and procedures. b. The review team should use one of the following approaches to selecting audits and attestation engagements for review: (1) select audits and attestation engagements that provide a reasonable cross section of the assignments performed by the reviewed audit organization in accordance with GAGAS or (2) select audits and attestation engagements that provide a reasonable cross section of the reviewed audit organization's work subject to quality control requirements, including one or more assignments performed in accordance with GAGAS. c. The peer review should be sufficiently comprehensive to provide a reasonable basis for concluding whether the reviewed audit organization's system of quality control was complied with to provide the organization with reasonable assurance of conforming with professional standards in the conduct of its work. The review team should consider the adequacy and results of the reviewed audit organization's monitoring efforts to efficiently plan its peer review procedures. d. 
The review team should prepare a written report(s) communicating the results of the external peer review. The report should indicate the scope of the review, including any limitations thereon, and should express an opinion on whether the system of quality control of the reviewed audit organization's audit and/or attestation engagement practices was adequate and was being complied with during the year reviewed to provide the audit organization with reasonable assurance of conforming with professional standards for audits and attestation engagements. The report should state the professional standards[Footnote 39] to which the reviewed audit organization is being held. The report should also describe the reasons for any modification of the opinion. When there are matters that resulted in a modification to the opinion, reviewers should report a detailed description of the findings and recommendations, either in the peer review report or in a separate letter of comment or management letter, to enable the reviewed audit organization to take appropriate actions. The written report should refer to the letter of comment or management letter if such a letter is issued along with a modified report. 3.55: Audit organizations seeking to enter into a contract to perform an assignment in accordance with GAGAS should provide their most recent external peer review report and any letter of comment, and any subsequent peer review reports and letters of comment received during the period of the contract, to the party contracting for the audit or attestation engagement. Information in the external peer review report and letter of comment is often relevant to decisions on procuring audit or attestation engagement services. Auditors who are relying on another audit organization's work should request a copy of the audit organization's peer review report and any letter of comment, and the audit organization should provide the peer review report and letter of comment when requested. 
3.56: Government audit organizations also should transmit their external peer review reports to appropriate oversight bodies. It is also recommended that, upon request, the peer review report and letter of comment be made available to the public in a timely manner. [End of section] Chapter 4: Field Work Standards for Financial Audits: Introduction: 4.01: This chapter prescribes field work standards and provides guidance for financial audits performed in accordance with generally accepted government auditing standards (GAGAS). Financial audits consist of all work performed under the American Institute of Certified Public Accountants' (AICPA) generally accepted auditing standards and governed by the AICPA Statements on Auditing Standards (SAS). GAGAS incorporate the AICPA generally accepted field work standards for audits and the related SASs unless the Comptroller General of the United States excludes them by formal announcement.[Footnote 40] This chapter identifies the AICPA field work standards and prescribes additional standards for financial audits performed in accordance with GAGAS. 4.02: Financial audits performed in a government environment primarily include audits of financial statements.[Footnote 41] The SASs also govern and provide guidance for other types of financial audits which may be performed in a government environment, such as compliance auditing, issuing special reports,[Footnote 42] audits of service organizations, reviews of interim financial information, and issuing letters to underwriters and certain other requesting parties. These other services may be performed in conjunction with an audit of financial statements. AICPA Field Work Standards: 4.03: The three AICPA generally accepted standards of field work are as follows: a. The work is to be adequately planned, and assistants, if any, are to be properly supervised. b. 
A sufficient understanding of internal control[Footnote 43] is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed. c. Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit. 4.04: Auditors should use professional judgment and consider the needs of users in applying the AICPA standards and related guidance to audits of a government entity or an entity that receives government awards. For example, auditors may need to set lower materiality levels than in audits in the private sector because of the public accountability of the audited entity, various legal and regulatory requirements, and the visibility and sensitivity of government programs. Also, auditors need to be sensitive to the concerns of oversight officials regarding previously reported internal control deficiencies of the audited entity and, accordingly, may need to test the effectiveness of internal control that has been changed in response to reported deficiencies even if auditors do not plan to rely on the effectiveness of such internal control. Additional GAGAS Standards: 4.05: GAGAS prescribe additional standards for financial audits that go beyond the requirements contained in the AICPA SASs. Auditors must comply with these additional standards when citing GAGAS in their audit reports. The additional GAGAS standards relate to: a. auditor communication (see paragraphs 4.06 through 4.13); b. considering the results of previous audits and attestation engagements (see paragraphs 4.14 through 4.16); c. detecting material misstatements resulting from violations of contract provisions or grant agreements or from abuse (see paragraphs 4.17 through 4.20); d. developing elements of a finding for financial audits (see paragraph 4.21); and e. audit documentation (see paragraphs 4.22 through 4.26). 
Auditor Communication: 4.06: The standard related to auditor communication for financial audits performed in accordance with GAGAS is: Auditors should communicate information regarding the nature, timing, and extent of planned testing and reporting and the level of assurance provided to officials of the audited entity and to the individuals contracting for or requesting the audit. 4.07: AICPA standards and GAGAS require auditors to establish an understanding with the client and to communicate with audit committees. GAGAS broaden the parties with whom auditors must communicate and require auditors to communicate specific information during the planning stages of a financial audit, including any potential restriction of the auditors' reports, to reduce the risk that the needs or expectations of the parties involved may be misinterpreted. Auditors should use their professional judgment to determine the form, content, and frequency of the communication, although written communication is preferred. Auditors may use an engagement letter, if appropriate, to communicate the information. Auditors should document the communication in their audit documentation. 4.08: Auditors should communicate their responsibilities for the engagement to the appropriate officials of the audited entity, including: a. the head of the audited entity, b. the audit committee or board of directors or other equivalent oversight body in the absence of an audit committee, and c. the individual who possesses a sufficient level of authority and responsibility for the financial reporting process, such as the chief financial officer. 4.09: In situations in which auditors are performing the audit under a contract with a party other than the officials of the audited entity, or pursuant to a third-party request, auditors should also communicate with the individuals contracting for or requesting the audit, such as contracting officials or members or staff of legislative committees. 
When auditors are performing the audit pursuant to a law or regulation, auditors should communicate with the members or staff of legislative committees who have oversight of the auditee.[Footnote 44] Auditors should coordinate communications with the responsible government audit organization and/or management of the audited entity and may use the engagement letter to keep interested parties informed. If an audit is terminated before it is completed, auditors should write a memorandum for the record that summarizes the results of the work and explains the reasons why the audit was terminated. In addition, auditors should communicate the reason for terminating the audit to management of the audited entity, the entity requesting the audit, and other appropriate officials, preferably in writing. This communication should be documented. 4.10: In communicating the nature of services and level of assurance provided, auditors should specifically address their planned work and reporting related to testing internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. During the planning stages of an audit, auditors should communicate their responsibilities for testing and reporting on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. Such communication should include the nature of any additional testing of internal control and compliance required by laws, regulations, and provisions of contracts or grant agreements, or otherwise requested, and whether the auditors are planning on providing opinions on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. 
4.11: To assist in understanding the limitations of auditors' responsibilities for testing and reporting on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements, auditors may want to contrast those responsibilities with other audits of internal control and compliance. The discussion in paragraphs 4.12 and 4.13 may be helpful to auditors in explaining their responsibilities for testing and reporting on internal control over financial reporting and compliance to officials of the audited entity and other interested parties. 4.12: Tests of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements in a financial statement audit contribute to the evidence supporting the auditors' opinion on the financial statements or other conclusions regarding financial data. However, such tests generally are not sufficient in scope to opine on internal control over financial reporting or compliance with laws, regulations, and provisions of contracts or grant agreements. To meet certain audit report users' needs, laws and regulations sometimes prescribe testing and reporting on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts and grant agreements to supplement coverage of these areas.[Footnote 45] 4.13: Even after auditors perform and report the results of additional tests of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts and grant agreements, some reasonable needs of officials of the audited entity or individuals contracting for or requesting the audit still may be unmet. 
Auditors may meet these needs by performing further tests of internal control and compliance with laws, regulations, and provisions of contracts or grant agreements using the AICPA Statements on Standards for Attestation Engagements and additional GAGAS requirements (see chapter 6), or the performance audit standards (see chapters 7 and 8), to achieve these objectives. Considering the Results of Previous Audits and Attestation Engagements: 4.14: The standard related to considering the results of previous audits and attestation engagements for financial audits performed in accordance with GAGAS is: Auditors should consider the results of previous audits and attestation engagements and follow up on known significant findings and recommendations that directly relate to the objectives of the audit being undertaken. 4.15: Auditors should ask audited entity officials to identify previous financial audits, attestation engagements, performance audits, or other studies related to the objectives of the audit being undertaken and to identify corrective actions taken to address significant findings and recommendations,[Footnote 46] including those related to reportable conditions. For example, an audit report on an entity's computerized information systems may contain significant findings that could relate to the financial audit if the entity uses such systems to process its accounting information. Auditors should use professional judgment in determining (1) prior periods to be considered, (2) the level of work necessary to follow up on significant findings and recommendations that affect the audit, and (3) the effect on the risk assessment and audit procedures in planning the current audit. 4.16: Providing continuing attention to significant findings and recommendations is important to ensure that the benefits of the auditors' work are realized. 
Ultimately, the benefits of audit work occur when management of the audited entity takes meaningful and effective corrective action in response to the auditors' findings and recommendations. Management of the audited entity is responsible for resolving audit findings and recommendations directed to them and for having a process to track their status. If management of the audited entity does not have such a process, auditors may wish to establish their own process. Detecting Material Misstatements Resulting from Violations of Contract Provisions or Grant Agreements, or from Abuse: 4.17: The standard related to violations of contract provisions or grant agreements or abuse for financial audits performed in accordance with GAGAS is: a. Auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from violations of provisions of contracts or grant agreements that have a direct and material effect on the determination of financial statement amounts or other financial data significant to the audit objectives. If specific information comes to the auditors' attention that provides evidence concerning the existence of possible violations of provisions of contracts or grant agreements that could have a material indirect effect on the determination of financial statement amounts or other financial data significant to the audit objectives, auditors should apply audit procedures specifically directed to ascertain whether violations of provisions of contracts or grant agreements have occurred or are likely to have occurred. b. Auditors should be alert to situations or transactions that could be indicative of abuse, and if indications of abuse exist that could significantly affect the financial statement amounts or other financial data, auditors should apply audit procedures specifically directed to ascertain whether abuse has occurred and the effect on the financial statement amounts or other financial data. 
4.18: AICPA standards and GAGAS require auditors to assess the risk of material misstatements of financial statement amounts or other financial data significant[Footnote 47] to the audit objectives due to fraud and to consider that assessment in designing the audit procedures to be performed.[Footnote 48] Auditors are also required to design the audit to provide reasonable assurance of detecting material misstatements resulting from direct and material illegal acts (violations of laws and regulations) and to be aware of the possibility that indirect illegal acts[Footnote 49] may have occurred.[Footnote 50] Under GAGAS, auditors have the same responsibilities for detecting material misstatements arising from violations of provisions of contracts or grant agreements as they do for detecting those arising from fraud and illegal acts. Auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from direct and material violations of provisions of contracts or grant agreements. If specific information comes to the auditors' attention that provides evidence concerning the existence of possible violations of provisions of contracts or grant agreements that could have a material indirect effect on the financial statements or significant indirect effect on other financial data needed to achieve audit objectives, auditors should apply audit procedures specifically directed to ascertain whether violations have occurred or are likely to have occurred. 4.19: Abuse is distinct from fraud, illegal acts, and violations of provisions of contracts or grant agreements. When abuse occurs, no law, regulation, or provision of a contract or grant agreement is violated. 
Rather, abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances.[Footnote 51] Auditors should be alert to situations or transactions that could be indicative of abuse. When information comes to the auditors' attention (through audit procedures, allegations received through a fraud hotline, or other means) indicating that abuse may have occurred, auditors should consider whether the possible abuse could affect the financial statement amounts or other financial data significantly. If indications of possible abuse exist that significantly affect the financial statement amounts or other financial data, the auditors should extend the audit steps and procedures, as necessary, to (1) determine whether the abuse occurred and, if so, (2) determine its effect on the financial statement amounts or other financial data. Auditors should consider both quantitative and qualitative factors in making judgments regarding the materiality of possible abuse and whether they need to extend the audit steps and procedures. However, because the determination of abuse is subjective, auditors are not expected to provide reasonable assurance of detecting abuse. 4.20: Auditors should exercise professional judgment in pursuing indications of possible fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, in order not to interfere with potential investigations, legal proceedings, or both. Under some circumstances, laws, regulations, or policies require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse to law enforcement or investigatory authorities before extending audit steps and procedures. 
Auditors may also be required to withdraw from or defer further work on the engagement or a portion of the engagement in order not to interfere with an investigation. Developing Elements of a Finding: 4.21: Audit findings, such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, have often been regarded as containing the elements of criteria, condition, and effect, plus cause when problems are found. However, the elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied. When problems are identified, to the extent possible, auditors should plan audit procedures to develop the elements of a finding to facilitate developing the auditors' report. (See paragraph 5.15 for a description of the elements of a finding.) Audit Documentation: 4.22: The standard related to audit documentation for financial audits performed in accordance with GAGAS is: Audit documentation related to planning, conducting, and reporting on the audit should contain sufficient information to enable an experienced auditor who has had no previous connection with the audit to ascertain from the audit documentation the evidence that supports the auditors' significant judgments and conclusions. Audit documentation should contain support for findings, conclusions, and recommendations before auditors issue their report. 4.23: AICPA standards and GAGAS require auditors to prepare and maintain audit documentation. The form and content of audit documentation should be designed to meet the circumstances of the particular audit. The information contained in audit documentation constitutes the principal record of the work that the auditors have performed in accordance with professional standards and the conclusions that the auditors have reached. 
The quantity, type, and content of audit documentation are a matter of the auditors' professional judgment. 4.24: Audit documentation serves to (1) provide the principal support for the auditors' report, (2) aid auditors in conducting and supervising the audit, and (3) allow for the review of audit quality. The preparation of audit documentation should be appropriately detailed to provide a clear understanding of its purpose and source and the conclusions the auditors reached, and it should be appropriately organized to provide a clear link to the findings, conclusions, and recommendations contained in the audit report. Audit documentation for financial audits performed under GAGAS should contain the following additional items not explicitly addressed in the AICPA standards or elsewhere in GAGAS: a. the objectives, scope, and methodology of the audit. b. the auditors' determination that certain additional government auditing standards do not apply or that an applicable standard was not followed, the reasons therefor, and the known effect that not following the applicable standard had, or could have had, on the audit. c. the auditors' consideration that the planned audit procedures are designed to achieve audit objectives when evidential matter obtained is highly dependent on computerized information systems and is material to the objective of the audit and that the auditors are not relying on the effectiveness of internal control over those computerized systems that produced the information. 
The audit documentation should specifically address (1) the rationale for determining the nature, timing, and extent of planned audit procedures; (2) the kinds and competence of available evidential matter produced outside a computerized information system and/or plans for direct testing of data produced from a computerized information system; and (3) the effect on the audit report if evidential matter to be gathered does not afford a reasonable basis for achieving the objectives of the audit.[Footnote 52] d. evidence of supervisory review, before the audit report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the audit report. 4.25: Underlying GAGAS audits is the premise that federal, state, and local governments and other organizations cooperate in auditing programs of common interest so that auditors may use others' work and avoid duplication of audit efforts. Auditors should make arrangements to make audit documentation available, upon request, in a timely manner to other auditors or reviewers. Contractual arrangements for GAGAS audits should provide for full and timely access to audit documentation to facilitate reliance by others on the auditors' work. 4.26: Audit organizations need to adequately safeguard the audit documentation associated with any particular engagement. Audit organizations should develop clearly defined policies and criteria to deal with situations where requests are made by outside parties to obtain access to audit documentation, especially in connection with situations where an outside party attempts to obtain indirectly through the auditor information that it is unable to obtain directly from the audited entity. In developing such policies, audit organizations need to consider applicable laws and regulations that apply to the audit organizations or the audited entity. 
[End of section] Chapter 5: Reporting Standards for Financial Audits: Introduction: 5.01: This chapter prescribes reporting standards and provides guidance for financial audits performed in accordance with generally accepted government auditing standards (GAGAS). Financial audits consist of all work performed under the American Institute of Certified Public Accountants' (AICPA) generally accepted auditing standards and related Statements on Auditing Standards (SAS). GAGAS incorporate the AICPA reporting standards and SASs unless the Comptroller General of the United States excludes them by formal announcement.[Footnote 53] This chapter identifies the AICPA reporting standards and prescribes additional standards for financial audits performed in accordance with GAGAS. 5.02: Financial audits performed in a government environment primarily include audits of financial statements. The AICPA SASs also govern and provide guidance for other types of financial audits that may be performed in a government environment, such as compliance auditing, issuing special reports, audits of service organizations, reviews of interim financial information, and issuing letters to underwriters and certain other requesting parties. These other services may be performed in conjunction with an audit of financial statements. AICPA Reporting Standards: 5.03: The four AICPA generally accepted standards of reporting are as follows: a. The report shall state whether the financial statements are presented in accordance with generally accepted accounting principles. b. The report shall identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period. c. Informative disclosures in the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report. d. 
The report shall either contain an expression of opinion regarding the financial statements, taken as a whole, or an assertion to the effect that an opinion cannot be expressed. When an overall opinion cannot be expressed, the reasons therefor should be stated. In all cases where an auditor's name is associated with financial statements, the report should contain a clear-cut indication of the character of the auditor's work, if any, and the degree of responsibility the auditor is taking. Additional GAGAS Reporting Standards for Financial Audits: 5.04: GAGAS prescribe additional reporting standards for financial audits that go beyond the requirements contained in the AICPA SASs. Auditors must comply with these additional standards when citing GAGAS in their audit reports. The additional GAGAS standards relate to: a. reporting auditors' compliance with GAGAS (see paragraphs 5.05 through 5.07); b. reporting on internal control and on compliance with laws, regulations, and provisions of contracts or grant agreements (see paragraphs 5.08 through 5.11); c. reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 5.12 through 5.25); d. reporting views of responsible officials (see paragraphs 5.26 through 5.30); e. reporting privileged and confidential information (see paragraphs 5.31 through 5.33); and f. report issuance and distribution (see paragraphs 5.34 through 5.38). Reporting Auditors' Compliance with GAGAS: 5.05: The standard related to reporting auditors' compliance with GAGAS for financial audits performed in accordance with GAGAS is: Audit reports should state that the audit was performed in accordance with GAGAS. 5.06: When the report on the financial audit is submitted to comply with a legal, regulatory, or contractual requirement for a GAGAS audit, or when GAGAS are voluntarily followed, the report should specifically cite GAGAS and may also cite AICPA standards. 
"GAGAS" refers to all the applicable standards that the auditors should follow during the audit, and the statement of compliance should be qualified in situations in which the auditors did not follow an applicable standard. In these situations, the auditors should disclose in the scope section of the report the applicable standard that was not followed, the reasons therefor, and how not following the standard affected, or could have affected, the results of the audit. In assessing the impact on the results of the audit of not following an applicable standard, auditors may need to qualify the assurances provided, disclaim from providing any assurances, or withdraw from the audit. 5.07: An audited entity receiving a GAGAS audit report may also request auditors to issue a financial audit report for purposes other than complying with requirements calling for a GAGAS audit. For example, the audited entity may need audited financial statements to issue bonds or for other financing purposes. GAGAS do not prohibit auditors from issuing a separate report conforming only to the requirements of AICPA standards. When a GAGAS audit is the basis for an auditors' subsequent report under the AICPA standards, it would be advantageous to users of the subsequent report for the auditors' report to include the information on internal control, compliance with laws, regulations, and provisions of contracts or grant agreements, fraud, and abuse that is required by GAGAS but not required by AICPA standards. 
Reporting on Internal Control and on Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements: 5.08: The standard related to reporting on internal control and compliance for financial statement audits performed in accordance with GAGAS is: When providing an opinion or a disclaimer on financial statements, auditors should include in their report on the financial statements either a (1) description of the scope of the auditors' testing of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements and the results of those tests or an opinion, if sufficient work was performed, or (2) reference to the separate report(s) containing that information. If auditors report separately, the opinion or disclaimer should contain a reference to the separate report containing this information and state that the separate report is an integral part of the audit and should be considered in assessing the results of the audit. 5.09: For audits of financial statements in which auditors provide an opinion or disclaimer, auditors should report the scope of their testing of internal control over financial reporting and of compliance with laws, regulations, and provisions of contracts or grant agreements including whether or not the tests they performed provided sufficient evidence to support an opinion on the effectiveness of internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements. 5.10: Auditors may report on internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements in the opinion or disclaimer on the financial statements or in a separate report or reports. 
When auditors report on internal control over financial reporting and compliance as part of the opinion or disclaimer on the financial statements, they should include an introduction summarizing key findings in the audit of the financial statements and the related internal control and compliance work. Auditors should not issue this introduction as a stand-alone report. 5.11: When auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements, the opinion or disclaimer on the financial statements should state that the auditors are issuing those additional reports. The opinion or disclaimer on the financial statements should also state that the reports on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements are an integral part of a GAGAS audit and should be considered in assessing the results of the audit. Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: 5.12: The standard related to reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse for financial audits performed in accordance with GAGAS is: For financial audits, including audits of financial statements in which the auditor provides an opinion or disclaimer, auditors should report, as applicable to the objectives of the audit, (1) deficiencies in internal control considered to be reportable conditions as defined in AICPA standards, (2) all instances of fraud and illegal acts unless clearly inconsequential,[Footnote 54] and (3) significant violations of provisions of contracts or grant agreements and abuse. 
In some circumstances, auditors should report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties external to the audited entity. Reporting Deficiencies in Internal Control: 5.13: For all financial audits, auditors should report deficiencies in internal control considered to be reportable conditions as defined in AICPA standards.[Footnote 55] The following are examples of matters that may be reportable conditions: a. absence of appropriate segregation of duties consistent with appropriate control objectives; b. absence of appropriate reviews and approvals of transactions, accounting entries, or systems output; c. inadequate provisions for the safeguarding of assets; d. evidence of failure to safeguard assets from loss, damage, or misappropriation; e. evidence that a system fails to provide complete and accurate output consistent with the control objectives of the audited entity because of the misapplication of control activities; f. evidence of intentional override of internal control by those in authority to the detriment of the overall objectives of the system; g. evidence of failure to perform tasks that are a significant part of internal control, such as reconciliations not prepared or not timely prepared; h. a weakness in the control environment at an entity such as the absence of a sufficient positive and supportive attitude towards internal control by management within the organization; i. deficiencies in the design or operation of internal control that could result in violations of laws, regulations, provisions of contracts or grant agreements; fraud; or abuse having a direct and material effect on the financial statements or the audit objectives; and j. failure to follow up and correct previously identified deficiencies in internal control. 
5.14: When reporting deficiencies in internal control, auditors should identify those reportable conditions that are individually or in the aggregate considered to be material weaknesses.[Footnote 56] Auditors should place their findings in proper perspective by providing a description of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, the instances identified should be related to the population or the number of cases examined and be quantified in terms of dollar value, if appropriate. 5.15: To the extent possible, in presenting audit findings such as deficiencies in internal control, auditors should develop the elements of criteria, condition, cause, and effect to assist management or oversight officials of the audited entity in understanding the need for taking corrective action. In addition, if auditors are able to sufficiently develop the findings, they should provide recommendations for corrective action. Following is guidance for reporting on elements of findings: a. Criteria: An audit report is improved when it provides information so that the report user will be able to determine what is the required or desired state or what is expected from the program or operation. The criteria are easier to understand when stated fairly, explicitly, and completely, and the source of the criteria is identified in the audit report.[Footnote 57] b. Condition: The audit report is improved when it provides evidence of what the auditors found regarding the actual situation. Reporting the scope or extent of the condition allows the report user to gain an accurate perspective. c. Cause: The audit report is improved when it provides persuasive evidence on the factor or factors responsible for the difference between condition and criteria. 
In reporting the cause, auditors may consider whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference as opposed to other possible causes, such as poorly designed criteria or factors uncontrollable by program management. The auditors also may consider whether the identified cause could serve as a basis for the recommendations. d. Effect: The audit report is improved when it provides a clear, logical link to establish the impact of the difference between what the auditors found (condition) and what should be (criteria). Effect is easier to understand when it is stated clearly, concisely, and, if possible, in quantifiable terms. The significance of the reported effect can be demonstrated through credible evidence. 5.16: When auditors detect deficiencies in internal control that are not reportable conditions, they should communicate those deficiencies separately in a management letter to officials of the audited entity unless the deficiencies are clearly inconsequential considering both quantitative and qualitative factors. Auditors should refer to that management letter in the report on internal control. Auditors should use their professional judgment in deciding whether or how to communicate to officials of the audited entity deficiencies in internal control that are clearly inconsequential. Auditors should include in their audit documentation evidence of all communications to officials of the audited entity about deficiencies in internal control found during the audit. Reporting Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: 5.17: AICPA standards and GAGAS require auditors to address the effect fraud or illegal acts may have on the audit report and to determine that the audit committee or others with equivalent authority and responsibility are adequately informed about the fraud or illegal acts. 
GAGAS further require that this information be in writing and also include reporting on significant violations of provisions of contracts or grant agreements and significant abuse.[Footnote 58] Therefore, when auditors conclude, on the basis of evidence obtained, that fraud, an illegal act, a significant violation of a contract or grant agreement, or significant abuse either has occurred or is likely to have occurred,[Footnote 59] they should include in their audit report the relevant information.[Footnote 60] 5.18: When reporting instances of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should place their findings in proper perspective by providing a description of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, the instances identified should be related to the population or the number of cases examined and be quantified in terms of dollar value, if appropriate. If the results cannot be projected, auditors should limit their conclusion to the items tested. 5.19: To the extent possible, auditors should develop in their report the elements of criteria, condition, cause, and effect when fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse is found. Auditors should develop their findings following the guidance for reporting deficiencies in internal control in paragraph 5.15. 5.20: When auditors detect immaterial violations of provisions of contracts or grant agreements or abuse, they should communicate those findings in a management letter to officials of the audited entity unless the findings are clearly inconsequential considering both qualitative and quantitative factors. Auditors should refer to that management letter in their audit report on compliance. 
Auditors should use their professional judgment in determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is clearly inconsequential. Auditors should include in their audit documentation evidence of all communications to officials of the audited entity about fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: 5.21: GAGAS require auditors to report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties outside the audited entity in two circumstances, as discussed below.[Footnote 61] These requirements are in addition to any legal requirements for direct reporting of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Auditors should meet these requirements even if they have resigned or been dismissed from the audit prior to its completion. 5.22: The audited entity may be required by law or regulation to report certain fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to specified external parties, such as a federal inspector general or a state attorney general. If auditors have communicated such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to the audited entity and the audited entity fails to report them, then the auditors should communicate such an awareness to the governing body of the audited entity. 
If the audited entity does not make the required report as soon as possible after the auditors' communication with the entity's governing body, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to the external party specified in the law or regulation. 5.23: Management of the audited entity is responsible for taking timely and appropriate steps to remedy fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that auditors report to it. When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse involve awards received directly or indirectly from a government agency, auditors may have a duty to report directly if management fails to take remedial steps. If auditors conclude that such failure is likely to cause them to depart from the standard report on the financial statements or resign from the audit, they should communicate that conclusion to the governing body of the audited entity. Then, if the audited entity does not report the fraud, illegal act, violation of provisions of contracts or grant agreements, or abuse as soon as possible to the entity that provided the government assistance, the auditors should report the fraud, illegal act, violation of provisions of contracts or grant agreements, or abuse directly to that entity. 5.24: In these situations, auditors should obtain sufficient, competent, and relevant evidence, such as confirmation from outside parties, to corroborate assertions by management that it has reported fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. If they are unable to do so, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly as discussed above. 
5.25: Laws, regulations, or policies may require auditors to report promptly indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities. In such circumstances, when auditors conclude that these types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, they should ask those authorities and/or legal counsel if publicly reporting certain information about the potential fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse would compromise investigative or legal proceedings. Auditors should limit their public reporting to matters that would not compromise those proceedings, such as information that is already a part of the public record. Reporting Views of Responsible Officials: 5.26: The standard related to reporting the views of responsible officials for financial audits performed in accordance with GAGAS is: If the auditors' report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions. 5.27: One of the most effective ways to ensure that a report is fair, complete, and objective is to obtain advance review and comments by responsible officials of the audited entity and others, as may be appropriate. 
Including the views of responsible officials results in a report that presents not only the deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse the auditors identified but also what the responsible officials of the audited entity think about the deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse and what corrective actions officials of the audited entity plan to take. Auditors should include in their report a copy of the officials' written comments or a summary of the comments received. 5.28: Auditors should normally request that the responsible officials submit in writing their views on the auditors' reported findings, conclusions, and recommendations, as well as management's planned corrective actions. Oral comments are acceptable as well, and, in some cases, may be the only or most expeditious way to obtain comments. Cases in which obtaining oral comments can be effective include when there is a time-critical requirement to meet a user's needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are very familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with the draft report's findings, conclusions, and recommendations, or perceive any major controversies with regard to the issues discussed in the draft report. Auditors should prepare a summary of the officials' oral comments and provide a copy of the summary to officials of the audited entity to verify that the comments are accurately stated prior to finalizing the report. 5.29: Comments should be fairly and objectively evaluated and recognized, as appropriate, in the final report. 
Comments, such as a promise or plan for corrective action, should be noted but should not be accepted as justification for deleting a significant finding or a related recommendation. 5.30: When the audited entity's comments oppose the report's findings, conclusions, or recommendations, and are not, in the auditors' opinion, valid, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should state their reasons for disagreeing with the comments or planned corrective actions. The auditors' disagreement should be stated in a fair and objective manner. Conversely, the auditors should modify their report as necessary if they find the comments valid. Reporting Privileged and Confidential Information: 5.31: The standard related to reporting privileged and confidential information for financial audits performed in accordance with GAGAS is: If certain pertinent information is prohibited from general disclosure, the audit report should state the nature of the information omitted and the requirement that makes the omission necessary. 5.32: Certain information may be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate limited-official-use report containing such information and distribute the report only to persons authorized by law or regulation to receive it. Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information in the report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited-official-use report containing such information and distribute the report only to those parties responsible for acting on the auditors' recommendations. 
The auditors should, when appropriate, consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information. 5.33: Auditors' judgments that certain information should be excluded from publicly available reports should be made in a manner consistent with consideration of the broader public interest in the program or activity under review. When circumstances call for omission of certain information, auditors should consider whether this omission could distort the engagement results or conceal improper or unlawful practices. If auditors make the judgment that certain information should be excluded from a publicly available report, they should state the general nature of the information omitted and the reasons that make the omission necessary in the report. Report Issuance and Distribution: 5.34: The standard related to report issuance and distribution for financial audits performed in accordance with GAGAS is: Government auditors should submit audit reports to the appropriate officials of the audited entity and to appropriate officials of the organizations requiring or arranging for the audits, including external funding organizations such as legislative bodies, unless legal restrictions prevent it. Auditors should also send copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports. Unless the report is restricted by law or regulation, or contains privileged and confidential information, auditors should clarify that copies are made available for public inspection. Nongovernment auditors should clarify report distribution responsibilities with the party contracting for the audit and follow the agreements reached. 
5.35: Audit reports should be distributed in a timely manner to officials interested in the results.[Footnote 62] Such officials include those designated by law or regulation to receive such reports, those responsible for acting on the findings and recommendations contained in the report, those in other levels of government that have provided assistance to the audited entity, and legislators. However, if the subject of the audit involves material that is classified for security purposes or not releasable to particular parties or the public for other valid reasons, auditors should limit the report distribution. See paragraphs 5.31 through 5.33 for additional guidance on limited report distribution when reports contain privileged or confidential information. The availability of the report for public inspection should be documented in the audit documentation. 5.36: When public accountants are engaged to conduct an audit under GAGAS, they should clarify report distribution responsibilities with the engaging organization. If the public accountants are to make the distribution, the engagement agreement should indicate which officials or organizations should receive the report and other steps being taken to ensure the availability of the report for public inspection. The availability of the report for public inspection should be documented in the audit documentation. 5.37: Internal auditors should follow their entity's own arrangements and statutory requirements for distribution. Usually, they report to their entity's head or deputy head, who are responsible for distribution of the report. Further distribution of reports outside the organization should be made in accordance with applicable laws, rules, regulations, or policy. 
5.38: If an audit is terminated before it is completed but the auditors do not issue an audit report, auditors should write a memorandum for the record that summarizes the results of the work to the date of termination and explains why the audit was terminated. In addition, auditors should communicate the reasons for terminating the audit to management of the audited entity, the entity requesting the audit, and other appropriate officials, preferably in writing. This communication should be documented. [End of section] Chapter 6: General, Field Work, and Reporting Standards for Attestation Engagements: [End of section] Introduction: 6.01: This chapter prescribes standards and provides guidance for attestation engagements performed in accordance with generally accepted government auditing standards (GAGAS). Attestation engagements consist of work governed by the American Institute of Certified Public Accountants' (AICPA) standards for attestation engagements. GAGAS incorporate the AICPA general standard on criteria, its field work standards, and its reporting standards for attestation engagements, as well as the AICPA Statements on Standards for Attestation Engagements (SSAE), unless the Comptroller General of the United States excludes them by formal announcement.[Footnote 63] This chapter identifies the AICPA general standard on criteria,[Footnote 64] field work standards, and reporting standards for attestation engagements and prescribes additional standards for attestation engagements performed in accordance with GAGAS. In addition to the AICPA general standard on criteria, auditors should also follow all of the general standards for work performed under GAGAS, as discussed in chapter 3. 6.02: In an attestation engagement, auditors issue an examination, a review, or an agreed-upon procedures report on a subject matter, or an assertion about a subject matter, that is the responsibility of another party. 
Attestation engagements can cover a broad range of financial or nonfinancial objectives[Footnote 65] and can be part of an audit or a separate engagement. The three levels of attestation engagements include the following. a. Examination: Auditors perform sufficient testing to express an opinion on whether the subject matter is based on (or in conformity with) the criteria in all material respects or the assertion is presented (or fairly stated), in all material respects, based on the criteria. b. Review: Auditors perform sufficient testing to express a conclusion about whether any information came to the auditors' attention on the basis of the work performed that indicates the subject matter is not based on (or in conformity with) the criteria or the assertion is not presented (or fairly stated) in all material respects based on the criteria.[Footnote 66] c. Agreed-Upon Procedures: Auditors perform testing to issue a report of findings based on specific procedures performed on subject matter. AICPA General and Field Work Standards for Attestation Engagements: 6.03: The AICPA general standard related to criteria states the following: The practitioner [auditor] shall perform an engagement only if he or she has reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users. 6.04: The two AICPA field work standards for attestation engagements are as follows: a. The work shall be adequately planned and assistants, if any, shall be properly supervised. b. Sufficient evidence shall be obtained to provide a reasonable basis for the conclusion that is expressed in the report. Additional GAGAS Field Work Standards for Attestation Engagements: 6.05: GAGAS prescribe additional attestation engagement field work standards that go beyond the requirements contained in the AICPA SSAEs. Auditors must comply with these additional standards when citing GAGAS in their attestation engagement reports. 
The additional GAGAS field work standards relate to: a. auditor communication (see paragraphs 6.06 through 6.09); b. considering the results of previous audits and attestation engagements (see paragraphs 6.10 through 6.12); c. internal control (see paragraphs 6.13 and 6.14); d. detecting fraud, illegal acts, violations of contract provisions or grant agreements, and abuse that could have a material effect on the subject matter (see paragraphs 6.15 through 6.20); e. developing elements of findings for attestation engagements (paragraph 6.21); and: f. attest documentation (see paragraphs 6.22 through 6.26). Auditor Communication: 6.06: The standard related to auditor communication for attestation engagements performed in accordance with GAGAS is: Auditors should communicate information regarding the nature, timing, and extent of planned testing and reporting on the subject matter or assertion about the subject matter, including the level of assurance provided, to officials of the audited entity and to the individuals contracting for or requesting the attestation engagement. 6.07: During the planning stages of an attestation engagement, auditors should communicate to officials of the audited entity and to individuals contracting for or requesting the services information regarding the nature, timing, and extent of testing and reporting including the level of assurance provided and any potential restriction of reports associated with the different levels of assurance services, to reduce the risk that the needs or expectations of the parties involved may be misinterpreted. See paragraph 6.02 for a discussion of the levels of attestation services. Auditors should use their professional judgment to determine the form and content of the communication, although written communication is preferred. Auditors may use an engagement letter, if appropriate, to communicate the information. 
If the attestation engagement is part of a larger audit, this information may be communicated as part of that audit. Auditors should document the communication in their attest documentation. 6.08: Auditors should communicate their responsibilities for the engagement to the appropriate officials of the audited entity, including: a. the head of the audited entity, b. the audit committee or board of directors or other equivalent oversight body in the absence of an audit committee, and: c. the individual who possesses a sufficient level of authority and responsibility for the subject matter or the assertion. 6.09: In situations where auditors are performing the engagement under a contract with a party other than the officials of the audited entity, or pursuant to a third-party request, auditors should also communicate with the individuals contracting for or requesting the engagement, such as contracting officials or legislative members or staff. When auditors are performing the engagement pursuant to a law or regulation, auditors should communicate with the legislative members or staff who have oversight of the auditee.[Footnote 67] Auditors should coordinate communications with the responsible government audit organization and/or management of the audited entity, and may use the engagement letter to keep interested parties informed. If an engagement is terminated before it is completed, auditors should write a memorandum for the record that summarizes the results of the work and explains why the engagement was terminated. In addition, auditors should communicate the reason for terminating the engagement to management of the audited entity, the entity requesting the engagement, and other appropriate officials, preferably in writing. This communication should be documented. 
Considering the Results of Previous Audits and Attestation Engagements: 6.10: The standard related to considering the results of previous audits and attestation engagements for attestation engagements performed in accordance with GAGAS is: Auditors should consider the results of previous audits and attestation engagements and follow up on known significant findings and recommendations that directly relate to the subject matter or the assertion of the attestation engagement being undertaken. 6.11: Auditors should ask audited entity officials to identify previous financial audits, attestation engagements, performance audits, or other studies related to the subject matter or assertions of the attestation engagement being undertaken and to identify corrective actions taken to address significant findings and recommendations.[Footnote 68] For example, an audit report on an entity's computerized information systems may contain significant findings that could relate to the attestation engagement if the entity uses such systems to process information about the subject matter or contained in an assertion about the subject matter. Following up on known significant findings and recommendations identified in previous audits, attestation engagements, or studies can help auditors evaluate the subject matter or the assertion associated with the attestation engagement. Auditors should use professional judgment in determining (1) prior periods to be considered, (2) the level of work necessary to follow up on significant findings and recommendations that affect the attestation engagement, and (3) the effect on the risk assessment and attestation procedures in planning the current attestation engagement. 6.12: Providing continuing attention to significant findings and recommendations is important to ensure that the benefits of the auditors' work are realized. 
Ultimately, the benefits of auditors' work occur when management of the audited entity takes meaningful and effective corrective action in response to the auditors' findings and recommendations. Management of the audited entity is responsible for resolving findings and recommendations directed to them and for having a process to track their status. If management of the audited entity does not have such a process, auditors may wish to establish their own process. Internal Control: 6.13: The standard related to internal control for examination-level attestation engagements performed in accordance with GAGAS is: In planning examination-level attestation engagements, auditors should obtain a sufficient understanding of internal control that is material to the subject matter or assertion to plan the engagement and design procedures to achieve the objectives of the attestation engagement. 6.14: In planning an examination-level attestation engagement, auditors should obtain an understanding of internal control[Footnote 69] as it relates to the subject matter or assertion to which the auditors are attesting. The subject matter or assertion may be of a financial or nonfinancial nature, and internal control material to the subject matter or assertion the auditor is testing may relate to: a. effectiveness and efficiency of operations, including the use of an entity's resources; b. reliability of financial reporting, including reports on budget execution and other reports for internal and external use; c. compliance with applicable laws and regulations, provisions of contract, or grant agreements; and: d. safeguarding of assets. Detecting Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse That Could Have a Material Effect on the Subject Matter: 6.15: The standard related to fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse for attestation engagements performed in accordance with GAGAS is: a. 
In planning examination-level attestation engagements, auditors should design the engagement to provide reasonable assurance of detecting fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter or assertion of the attestation engagement, and should be alert to situations or transactions that could be indicative of abuse. b. In planning review-level or agreed-upon-procedure-level attestation engagements, auditors should be alert to situations or transactions that could be indicative of fraud, illegal acts, or violations of provisions of contracts or grant agreements, and if indications of fraud, illegal acts, or violations of provisions of contracts or grant agreements exist that could materially affect the subject matter or assertion, auditors should apply procedures specifically directed to ascertain whether fraud, illegal acts, or violations of provisions of contracts or grant agreements have occurred and the effect on the subject matter or assertion. c. Auditors should be alert to situations or transactions that could be indicative of abuse, and if indications of abuse exist that could significantly affect the results of the attestation engagement, auditors should apply audit procedures specifically directed to ascertain whether abuse has occurred and the effect on the results of the attestation engagement. 6.16: Auditors should exercise professional judgment in planning an examination-level attestation engagement by obtaining an understanding of the possible effects of fraud,[Footnote 70] illegal acts, or violations of provisions of contracts or grant agreements on the subject matter or assertion of the attestation engagement and by identifying and assessing any associated risks that could have a material effect on the attestation engagement. 
Auditors should include attest documentation on their assessment of risk, and, when risk factors are identified as being present, the documentation should include: a. those risk factors identified, and: b. the auditors' response to those risk factors, individually or in combination. 6.17: In addition, if during the performance of the attestation engagement, risk factors or other conditions are identified that cause the auditors to believe that an additional response is required, such factors or other conditions, and any future response the auditors conclude is appropriate, should be documented. 6.18: For attestation engagements involving review-level or agreed-upon-procedure-level of reporting, auditors should be alert to situations or transactions that could be indicative of fraud, illegal acts, or violations of provisions of contracts or grant agreements. When information comes to the auditors' attention (through audit procedures, allegations received through fraud hotlines, or other means) indicating that fraud, illegal acts, or violations of provisions of contracts or grant agreements may have occurred, auditors should consider whether the possible fraud, illegal acts, or violation of provisions of contracts or grant agreements could materially affect the results of the attestation engagement. If such acts could materially affect the results of the engagement, auditors should extend the audit steps and procedures, as necessary, to (1) determine if fraud, illegal acts, or violations of provisions of contracts or grant agreements are likely to have occurred and, if so, (2) determine their effect on the results of the attestation engagement. Because the scope of review-level and agreed-upon-procedures-level engagements is limited, auditors are not expected to provide reasonable assurance of detecting fraud, illegal acts, or violations of contract or grant agreements for these types of engagements. 
6.19: Abuse is distinct from fraud, illegal acts, or violations of provisions of contracts or grant agreements. When abuse occurs, no law, regulation, or provision of a contract or grant agreement is violated. Rather, abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances.[Footnote 71] For all levels of attestation engagements, auditors should be alert to situations or transactions that could be indicative of abuse. When information comes to the auditors' attention (through audit procedures, allegations received through a fraud hotline, or other means) indicating that abuse may have occurred, auditors should consider whether the possible abuse could affect the assertion significantly. Auditors should consider both quantitative and qualitative factors in making judgments regarding the significance of possible abuse and whether they need to extend the audit steps and procedures. If indications of the possible abuse exist that significantly affect the results of the attestation engagement, the auditors should extend the audit steps and procedures, as necessary, to (1) determine whether the abuse occurred and, if so, (2) determine its effect on the results of the attestation engagement. However, because the determination of abuse is so subjective, auditors are not expected to provide reasonable assurance of detecting abuse. 6.20: Auditors should exercise professional judgment in pursuing indications of possible fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, in order not to interfere with potential investigations, legal proceedings, or both. 
Under some circumstances, laws, regulations, or policies require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before extending audit steps and procedures. Auditors may also be required to withdraw from or defer further work on the engagement or a portion of the engagement in order not to interfere with an investigation. Developing Elements of Findings for Attestation Engagements: 6.21: Attest findings, such as deficiencies in internal control, illegal acts, violations of provisions of contracts or grant agreements, and abuse, have often been regarded as containing the elements of criteria, condition, and effect, plus cause when problems are found. However, the elements needed for a finding depend entirely on the objectives of the attestation engagement. Thus, a finding or set of findings is complete to the extent that the objectives of the attestation engagement are satisfied. When problems are identified, to the extent possible, auditors should plan attest procedures to develop the elements of a finding to facilitate developing the auditors' report. (See paragraph 6.34 for a description of the elements of a finding.): Attest Documentation: 6.22: The standard related to attest documentation for attestation engagements performed in accordance with GAGAS is: Attest documentation related to planning, conducting, and reporting on the attestation engagement should contain sufficient information to enable an experienced auditor who has had no previous connection with the attestation engagement to ascertain from the attest documentation the evidence that supports the auditors' significant judgments and conclusions. Attest documentation should contain support for findings, conclusions, and recommendations before auditors issue their report. 
6.23: AICPA standards and GAGAS require that auditors prepare and maintain attest documentation. The form and content of attest documentation should be designed to meet the circumstances of the particular attestation engagement. The information contained in attest documentation constitutes the principal record of the work that the auditors have performed in accordance with professional standards and the conclusions that the auditors have reached. The quantity, type, and content of attest documentation are a matter of the auditors' professional judgment. 6.24: Attest documentation serves to (1) provide the principal support for the auditors' report, (2) aid auditors in conducting and supervising the attestation engagement, and (3) allow for the review of the quality of the attestation engagement. The preparation of attest documentation should be appropriately detailed to provide a clear understanding of its purpose and source and the conclusions the auditors reached, and it should be appropriately organized to provide a clear link to the findings, conclusions, and recommendations contained in the auditors' report. Attest documentation for attestation engagements performed under GAGAS should contain the following additional items not explicitly addressed in the AICPA SSAEs or elsewhere in GAGAS: a. the objectives, scope, and methodology of the attestation engagement, including any sampling and other selection criteria used; b. the auditor's determination that certain additional government auditing standards do not apply or that an applicable standard was not followed, the reasons therefor, and the known effect that not following the applicable standard had, or could have had, on the attestation engagement; c. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;[Footnote 72] d. 
the auditors' consideration that the planned attestation procedures are designed to achieve objectives of the attestation engagement when evidential matter obtained is highly dependent on computerized information systems and is material to the objective of the engagement, and the auditors are not relying on the effectiveness of internal control over those computerized systems that produced the information. The attest documentation should specifically address (1) the rationale for determining the nature, timing, and extent of planned audit procedures; (2) the kinds and competence of available evidential matter produced outside a computerized information system, and/or plans for direct testing of data produced from a computerized information system; and (3) the effect on the attestation engagement report if evidential matter to be gathered does not afford a reasonable basis for achieving the objectives of the engagement; and: e. evidence of supervisory reviews, before the report on the attestation engagement is issued, of the work performed that supports findings, conclusions, and recommendations contained in the report. 6.25: Underlying GAGAS attestation engagements is the premise that federal, state, and local governments and other organizations cooperate in auditing programs of common interest so that auditors may use others' work and avoid duplication of efforts. Auditors should make arrangements to make attest documentation available, upon request, in a timely manner to other auditors or reviewers. Contractual arrangements for GAGAS attestation engagements should provide for full and timely access to attest documentation to facilitate reliance by others on the auditors' work. 6.26: Audit organizations need to adequately safeguard the audit documentation associated with any particular engagement. 
Audit organizations should develop clearly defined policies and criteria to deal with situations where requests are made by outside parties to obtain access to audit documentation, especially in connection with situations where an outside party attempts to obtain indirectly through the auditor information that it is unable to obtain directly from the audited entity. In developing such policies, audit organizations need to consider applicable laws and regulations applying to the audit organizations or the audited entity. AICPA Reporting Standards for Attestation Engagements: 6.27: As discussed in paragraph 6.02, the AICPA SSAEs provide for different levels of reporting based on the type of assurance the auditors are providing. The four AICPA reporting standards for all levels of reporting under attestation engagements are as follows: a. The report shall identify the subject matter or the assertion being reported on and state the character of the engagement. b. The report shall state the practitioner's [auditor's] conclusions about the subject matter or the assertion in relation to the criteria against which the subject matter was evaluated. c. The report shall state all of the practitioner's [auditor's] significant reservations about the engagement, the subject matter, and, if applicable, the assertion related thereto. d. 
The report shall state that the use of the report is restricted to specified parties under the following circumstances:[Footnote 73] (1) when the criteria used to evaluate the subject matter are determined by the practitioner to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria, (2) when the criteria used to evaluate the subject matter are available only to specified parties, (3) when reporting on subject matter and a written assertion has not been provided by the responsible party, and (4) when the report is on an attest engagement to apply agreed-upon procedures to the subject matter. Additional GAGAS Reporting Standards for Attestation Engagements: 6.28: GAGAS prescribe additional reporting standards for attestation engagements that go beyond the requirements contained in the AICPA SSAEs. Auditors must comply with these additional standards when citing GAGAS in their attestation engagement reports. The additional GAGAS standards relate to: a. reporting auditors' compliance with GAGAS (see paragraphs 6.29 through 6.31); b. reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 6.32 through 6.40); c. reporting views of responsible officials (see paragraphs 6.41 through 6.45); d. reporting privileged and confidential information (see paragraphs 6.46 through 6.48); and: e. report issuance and distribution (see paragraphs 6.49 through 6.54). Reporting Auditors' Compliance with GAGAS: 6.29: The standard related to reporting auditors' compliance with GAGAS for attestation engagements performed in accordance with GAGAS is: Reports on attestation engagements should state that the engagement was made in accordance with GAGAS. 
6.30: When the report on the attestation engagement is submitted to comply with a legal, regulatory, or contractual requirement, or when GAGAS are voluntarily used, the report should specifically cite GAGAS and may cite AICPA standards as well. The statement referencing compliance with GAGAS refers to all the applicable standards that the auditors should have followed during the attestation engagement, and the statement of compliance should be qualified in situations in which the auditors did not follow an applicable standard. In these situations, the auditors should disclose in the scope section of the report the applicable standard that was not followed, the reasons therefor, and how not following the standard affected, or could have affected, the results of the attestation engagement. In assessing the impact of not following an applicable standard on the results of the attestation engagement, auditors may need to qualify the assurances provided, disclaim from providing any assurances, or withdraw from the engagement. 6.31: An audited entity receiving a GAGAS report on an attestation engagement may also need a report on the attestation engagement for purposes other than complying with requirements calling for a GAGAS attestation engagement. GAGAS do not prohibit auditors from issuing a separate report conforming only to the requirements of AICPA standards. When a GAGAS attestation engagement is the basis for an auditors' subsequent report under the AICPA standards, it would be advantageous to users of the subsequent report for the auditors' report to include the information on internal control and fraud, illegal acts, violations of provisions of contracts and grant agreements, and abuse that are required by GAGAS but not required by AICPA standards. 
Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: 6.32: The standard related to reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse for attestation engagements performed in accordance with GAGAS is: The report on an attestation engagement should disclose (1) deficiencies in internal control, including internal control over compliance with laws, regulations, and provisions of contracts or grant agreements that are material to the subject matter or assertion, (2) all instances of fraud and illegal acts unless clearly inconsequential, and (3) violations of provisions of contracts or grant agreements and abuse that are material to the subject matter or assertion of the engagement. In some circumstances, auditors should report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties external to the audited entity. 6.33: When reporting deficiencies in internal control or instances of fraud, illegal acts,[Footnote 74] violations of provisions of contracts or grant agreements, or abuse, auditors should place their findings in proper perspective by providing a description of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, the deficiencies or instances identified should be related to the population or the number of cases examined and be quantified in terms of dollar value, if appropriate. If the results cannot be projected, auditors should limit their conclusion to the items tested. 6.34: To the extent possible, in presenting findings, auditors should develop the elements of criteria, condition, cause, and effect to assist management or oversight officials of the audited entity in understanding the need for taking corrective action. 
In addition, if auditors are able to sufficiently develop the findings, auditors should provide recommendations for corrective action. The following list contains guidance for reporting on elements of findings: a. Criteria: An attestation engagement report is improved when it provides information so that the report user will be able to determine what is the required or desired state or what is expected from the program or operation. The criteria are easier to understand when stated fairly, explicitly, and completely, and the source of the criteria is identified in the attestation engagement report.[Footnote 75] b. Condition: The attestation engagement report is improved when it provides evidence of what the auditors found regarding the actual situation. Reporting the scope or extent of the condition allows the report user to gain an accurate perspective. c. Cause: The attestation engagement report is improved when it provides persuasive evidence on the factor or factors responsible for the difference between condition and criteria. In reporting the cause, auditors may consider whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference as opposed to other possible causes, such as poorly designed criteria or factors uncontrollable by program management. The auditors also may consider whether the identified cause could serve as a basis for the recommendations. d. Effect: The attestation engagement report is improved when it provides a clear, logical link to establish the impact of the difference between what the auditors found (condition) and what should be (criteria). Effect is easier to understand when it is stated clearly, concisely, and, if possible, in quantifiable terms. The significance of the reported effect can be demonstrated through credible evidence. 
6.35: When auditors detect internal control deficiencies, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is not material to the subject matter or assertion, they should communicate those findings to the audited entity in a management letter, unless they are clearly inconsequential, considering both qualitative and quantitative factors. The auditor should refer to the management letter in the report on the attestation engagement. Auditors should use their professional judgment in determining whether and how to communicate to officials of the audited entity internal control deficiencies, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that are clearly inconsequential. Auditors should include in their attest documentation evidence of all communication to officials of the audited entity about fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse: 6.36: GAGAS require auditors to report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties outside the audited entity in two circumstances, as discussed below.[Footnote 76] These requirements are in addition to any legal requirements for direct reporting of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Auditors should meet these requirements even if they have resigned or been dismissed from the attestation engagement prior to its completion. 6.37: The audited entity may be required by law or regulation to report certain fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to specified external parties, such as a federal inspector general or a state attorney general. 
If auditors have communicated such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to the audited entity and the entity fails to report them, then the auditors should communicate such an awareness to the governing body of the audited entity. If the audited entity does not make the required report as soon as possible after the auditors' communication with the entity's governing body, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to the external party specified in the law or regulation. 6.38: Officials of the audited entity are responsible for taking timely and appropriate steps to remedy fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that auditors report to them. When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse involves assistance received directly or indirectly from a government agency, auditors may have a duty to report directly if management fails to take remedial steps. If auditors conclude that such failure is likely to cause them to depart from the standard report on the attestation engagement or resign from the engagement, they should communicate that conclusion to the governing body of the audited entity. Then, if the audited entity does not report the fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse as soon as possible to the entity that provided the government assistance, the auditors should report the fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to that entity. 
6.39: In these situations, auditors should obtain sufficient, competent, and relevant evidence, such as confirmation from outside parties, to corroborate assertions by management that management has reported fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. If they are unable to do so, the auditors should report the fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly as discussed above. 6.40: Laws, regulations, or policies may require auditors to report promptly indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities. In such circumstances, when auditors conclude that these types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, they should ask those authorities and/or legal counsel if publicly reporting certain information about the potential fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse would compromise investigative or legal proceedings. Auditors should limit their public reporting to matters that would not compromise those proceedings, such as information that is already a part of the public record. Reporting Views of Responsible Officials: 6.41: The standard related to reporting the views of responsible officials for attestation engagements performed in accordance with GAGAS is: If the auditors' report on the attestation engagement discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions. 
6.42: One of the most effective ways to ensure that a report is fair, complete, and objective is to obtain advance review and comments by responsible officials of the audited entity and others, as may be appropriate. Including the views of responsible officials results in a report that presents not only the deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse the auditors identified, but also what the responsible officials of the audited entity think about the deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse and what corrective actions the officials plan to take. Auditors should include in their report a copy of the officials' written comments or a summary of the comments received. 6.43: Auditors should normally request that the responsible officials submit in writing their views on the auditors' reported findings, conclusions, and recommendations, as well as management's planned corrective actions. Oral comments are acceptable as well, and, in some cases, may be the only or most expeditious way to obtain comments. Cases in which obtaining oral comments can be effective include circumstances in which there is a time-critical requirement to meet a user's needs; the auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings and issues addressed in the draft product; or the auditors do not expect major disagreements with the draft report's findings, conclusions, and recommendations, or perceive any major controversies with regard to the issues discussed in the draft report. Before finalizing the report, auditors should prepare a summary of the officials' oral comments and provide a copy of the summary to officials of the audited entity to verify that the comments are accurately stated. 
6.44: Comments should be fairly and objectively evaluated and recognized, as appropriate, in the final report. Comments, such as a promise or plan for corrective action, should be noted but should not be accepted as justification for deleting a significant finding or a related recommendation. 6.45: When the audited entity's comments oppose the report's findings, conclusions, or recommendations, and are not, in the auditors' opinion, valid, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should state their reasons for disagreeing with the comments or planned corrective actions. The auditors' disagreement should be stated in a fair and objective manner. Conversely, the auditors should modify their report as necessary if they find the comments valid. Reporting Privileged and Confidential Information: 6.46: The standard related to reporting privileged and confidential information for attestation engagements performed in accordance with GAGAS is: If certain pertinent information is prohibited from general disclosure, the report on the attestation engagement should state the nature of the information omitted and the requirement that makes the omission necessary. 6.47: Certain information may be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate limited-official-use report containing such information and distribute the report only to persons authorized by law or regulation to receive it. Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information in the report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports if potential damage could be caused by the misuse of this information. 
In such circumstances, auditors may issue a limited-official-use report containing such information and distribute the report only to those parties responsible for acting on the auditors' recommendations. The auditors should, when appropriate, consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information. 6.48: Auditors' judgments that certain information should be excluded from publicly available reports should be made in a manner consistent with consideration of the broader public interest in the program or activity under review. When circumstances call for omission of certain information, auditors should consider whether this omission could distort the engagement results or conceal improper or unlawful practices. If auditors make the judgment that certain information should be excluded from a publicly available report, they should state the general nature of the information omitted and the reasons that make the omission necessary in the report. Report Issuance and Distribution: 6.49: The standard related to report issuance and distribution for attestation engagements performed in accordance with GAGAS is: Government auditors should submit reports on the attestation engagement to the appropriate officials of the audited entity and to the appropriate officials of the organizations requiring or arranging for the engagement, including external funding organizations such as legislative bodies, unless legal restrictions prevent it. Auditors should also send copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on the findings and recommendations and to others authorized to receive such reports. Unless the report is restricted by law or regulation, or contains privileged or confidential information, auditors should clarify that copies are made available for public inspection. 
Nongovernment auditors should clarify report distribution responsibilities with the party contracting for the audit and follow the agreements reached. 6.50: Reports on attestation engagements should be distributed in a timely manner to officials interested in the results. Such officials include those designated by law or regulation to receive such reports, those responsible for acting on the findings and recommendations contained in the reports, those in other levels of government that have provided assistance to the audited entity, and legislators. However, if the subject matter or assertion of the attestation engagement involves material that is classified for security purposes or not releasable to particular parties or the public for other valid reasons, auditors should limit the report distribution. The availability of the report for public inspection should be documented in the audit documentation. 6.51: Although AICPA standards require that a report on an engagement to evaluate an assertion based on agreed-upon criteria or on an engagement to apply agreed-upon procedures should contain a statement limiting its use to the parties who have agreed upon such criteria or procedures, such a statement does not require that the report distribution be limited. (See paragraphs 6.46 through 6.48 for additional guidance on limited report distribution.) The availability of the report for public inspection should be documented in the audit documentation. 6.52: When nongovernment auditors are engaged to conduct an attestation engagement under GAGAS, they should clarify report distribution responsibilities with the engaging organization. If the public accountants are to make the distribution, the engagement agreement should indicate which officials or organizations should receive the report and the steps being taken to ensure the availability of the report for public inspection. 
The availability of the report for public inspection should be documented in the audit documentation. 6.53: Internal auditors should follow their entity's own arrangements and statutory requirements for distribution. Usually, they report to their entity's head or deputy head, who is responsible for distribution of the report. Further distribution of reports outside the organization should be made in accordance with applicable laws, rules, regulations, or policies. 6.54: If an attestation engagement is terminated before it is completed but the auditors do not issue a report on the engagement, auditors should write a memorandum for the record that summarizes the results of the work to the date of termination and explains why the attestation engagement was terminated. In addition, auditors should communicate the reasons for terminating the attest engagement to management of the audited entity, the entity requesting the attestation engagement, and other appropriate officials, preferably in writing. This communication should be documented. [End of section] Chapter 7: Field Work Standards for Performance Audits: [End of section] Introduction: 7.01: This chapter prescribes field work standards and provides guidance to auditors conducting performance audits in accordance with generally accepted government auditing standards (GAGAS). The field work standards for performance audits relate to planning the audit; supervising staff; obtaining sufficient, competent, and relevant evidence; and preparing audit documentation. Planning: 7.02: The field work standard related to planning for performance audits performed in accordance with GAGAS is: Work is to be adequately planned. 7.03: In planning the audit, auditors should define the audit objectives, as well as the scope and methodology to achieve those objectives. Audit objectives, scope, and methodologies are not determined in isolation. 
Auditors determine these three elements of the audit plan together, as the considerations in determining each often overlap. Planning is a continuous process throughout the audit. Therefore, auditors should consider the need to make adjustments to the audit objectives, scope, and methodology as work is being completed. 7.04: The objectives are what the audit is intended to accomplish. They identify the audit subjects and performance aspects to be included, as well as the potential finding and reporting elements that the auditors expect to develop.[Footnote 77] Audit objectives can be thought of as questions about the program[Footnote 78] that auditors seek to answer. (See paragraphs 2.09 through 2.13.): 7.05: Scope is the boundary of the audit and should be directly tied to the audit objectives. For example, the scope defines parameters of the audit such as the period of time reviewed, the availability of necessary documentation or records, and the locations at which field work will be performed. 7.06: The methodology comprises the work involved in gathering and analyzing data to achieve the objectives. Audit procedures are the specific steps and tests auditors will carry out to address the audit objectives. Auditors should design the methodology to provide sufficient, competent, and relevant evidence to achieve the objectives of the audit. Methodology includes both the types and extent of audit procedures used to achieve the audit objectives. 7.07: Planning should be documented and should include: a. considering the significance of various programs and the needs of potential users of the audit report (see paragraphs 7.08 and 7.09); b. obtaining an understanding of the program to be audited (see paragraph 7.10); c. obtaining an understanding of internal control as it relates to the specific objectives and scope of the audit (see paragraphs 7.11 through 7.16); d. 
designing methodology and procedures to detect significant violations of legal and regulatory requirements, contract provisions, or grant agreements (see paragraphs 7.17 through 7.27); e. identifying the criteria needed to evaluate matters subject to audit (see paragraph 7.28); f. considering the results of previous audits and attestation engagements that could affect the current audit objectives (see paragraphs 7.29 and 7.30); g. identifying potential sources of data that could be used as audit evidence (see paragraph 7.31); h. considering whether the work of other auditors and experts may be used to satisfy some of the audit objectives (see paragraphs 7.32 through 7.34); i. providing appropriate and sufficient staff and other resources to perform the audit (see paragraphs 7.35 through 7.38); j. communicating general information concerning the planning and performance of the audit to management officials responsible for the program being audited and others as applicable (see paragraphs 7.39 and 7.40); and: k. preparing an audit plan (see paragraphs 7.41 through 7.43). Program Significance: 7.08: The significance of a matter is its relative importance to the audit objectives and potential users of the audit report. Auditors should consider the significance of a program or program component and the potential use that will be made of the audit results or report as they plan a performance audit. Indicators of significance and/or use to consider include: a. visibility and sensitivity of the program under audit, b. newness of the program or changes in its conditions, c. role of the audit in providing information that can improve public accountability and decision making, and: d. level and extent of review or other forms of independent oversight. 7.09: One group of users of the auditors' report is government officials who may have authorized or requested the audit. 
Other important users of the auditors' report are the entity being audited and legislative bodies, which are responsible for acting on the auditors' recommendations. Other potential users of the auditors' report include government legislators or officials (other than those who may have authorized or requested the audit), the media, interest groups, and individual citizens. In addition to an interest in the program, potential users may have an ability to influence the conduct of the program. An awareness of these potential users' interests and influence can help auditors understand why the program operates the way it does. This awareness can also help auditors judge whether possible findings could be significant to various possible users. Understanding the Program: 7.10: Auditors should obtain an understanding of the program to be audited to help assess, among other matters, the significance of possible audit objectives and the feasibility of achieving them. The auditors' understanding may come from knowledge they already have about the program or knowledge they gain from inquiries and observations they make in planning the audit. The extent and breadth of those inquiries and observations will vary among audits based on the audit objectives, as will the need to understand individual aspects of the program, such as the following: a. Laws, regulations, and provisions of contracts or grant agreements: Government programs usually are created by law and are subject to specific laws and regulations. For example, laws and regulations usually set forth what is to be done, who is to do it, the purpose to be achieved, the population to be served, and how much can be spent on what. Government programs may also be subject to provisions of contracts and grant agreements. Thus, understanding the laws and the legislative history establishing a program and the provisions of any contracts or grant agreements can be essential to understanding the program itself. 
Obtaining that understanding is also a necessary step in identifying provisions of laws, regulations, contracts, or grant agreements significant to audit objectives. b. Purpose and goals: Purpose is the result or effect that is intended or desired from a program's operation. Legislatures usually establish the program purpose when they provide authority for the program. Entity officials may provide more detailed guidance on program purpose to supplement the authorizing legislation. Entity officials are sometimes asked to set goals for program performance and operations, including both output and outcome goals. Auditors may use the stated program purpose and goals as criteria for assessing program performance or may develop additional criteria or best practices to compare the program against. c. Internal control: Internal control, often referred to as management controls, in the broadest sense includes the plan of organization, methods, and procedures adopted by management to meet its missions, goals, and objectives. Internal control includes the processes for planning, organizing, directing, and controlling program operations. It includes the systems for measuring, reporting, and monitoring program performance. Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors, fraud, and violations of laws, regulations, and provisions of contracts and grant agreements. Paragraphs 7.11 through 7.16 contain guidance pertaining to internal control. d. Efforts: Efforts are the amount of resources (in terms of money, material, personnel, etc.) that are put into a program. These resources may come from within or outside the entity operating the program. Measures of efforts can have a number of dimensions, such as cost, timing, and quality. Examples of measures of efforts are dollars, employee-hours, and square feet of building space. e. 
Program operations: Program operations are the strategies, processes, and activities management uses to convert efforts into outputs. Program operations are subject to internal control. f. Outputs: Outputs represent the quantity of goods or services produced by a program. For example, an output measure for a job training program could be the number of persons completing training, and an output measure for an aviation safety inspection program could be the number of safety inspections completed. g. Outcomes: Outcomes are accomplishments or results of programs. For example, an outcome measure for a job training program could be the percentage of trained persons obtaining a job and still in the work place after a specified period of time. Examples of outcome measures for an aviation safety inspection program could be the percentage reduction in significant safety problems found in subsequent inspections and/or the percentage of significant problems deemed corrected in follow-up inspections. Such outcome measures show progress in achieving the stated program purposes of helping unemployable citizens obtain and retain jobs, and improving the safety of aviation operations. Auditors should be aware that outcomes may be influenced by cultural, economic, physical, or technological factors outside the program. Auditors may use approaches drawn from other disciplines, such as program evaluation, to try to isolate the effects of the program from these other influences. Considering Internal Control: 7.11: The lack of administrative continuity in government units because of changes in elected legislative bodies and in other government officials increases the need for effective internal control. Auditors should obtain an understanding of internal control significant to the audit objectives and consider whether specific internal control procedures have been properly designed and placed in operation. 
Auditors also need to consider whether they plan to modify the nature, timing, or extent of their audit procedures based on the effectiveness of internal controls. If so, auditors should include specific tests of the effectiveness of internal control and consider the results in designing audit procedures.[Footnote 79] Officials of the audited entity are responsible for establishing effective internal control. 7.12: The following discussion of internal control objectives is intended to help auditors better understand internal controls and determine their significance to the audit objectives: a. Effectiveness and efficiency of program operations: Controls over program operations include policies and procedures that officials of the audited entity have implemented to reasonably ensure that a program meets its objectives and that unintended actions do not result. Understanding these controls can help auditors understand the program operations that convert efforts to outputs or outcomes. b. Validity and reliability of data: Controls over the validity and reliability of data include policies and procedures that officials of the audited entity have implemented to reasonably ensure that valid and reliable data are obtained, maintained, and fairly disclosed in reports. These controls help assure management that it is getting valid and reliable information about whether programs are operating properly on an ongoing basis. Understanding these controls can help auditors (1) assess the risk that the data gathered by the entity may not be valid or reliable and (2) design appropriate tests of the data. c. Compliance with applicable laws and regulations and provisions of contracts or grant agreements: Controls over compliance include policies and procedures that officials of the audited entity have implemented to reasonably ensure that program implementation is consistent with laws, regulations, and provisions of contracts or grant agreements.
Understanding the relevant controls concerning compliance with those laws and regulations and provisions of contracts or grant agreements that the auditors have determined are significant can help auditors assess the risk of illegal acts[Footnote 80] and violations of provisions of contracts or grant agreements. 7.13: A subset of these categories of internal control objectives is the safeguarding of resources. Controls over the safeguarding of resources include policies and procedures that officials of the audited entity have implemented to reasonably prevent or promptly detect unauthorized acquisition, use, or disposition of resources. 7.14: Auditors can obtain an understanding of internal control through inquiries, observations, inspection of documents and records, or review of other auditors' reports. The procedures auditors perform to obtain an understanding of internal control will vary among audits. One factor influencing the extent of these procedures is the auditors' knowledge about internal control gained in prior audits. Also, the need to understand internal control will depend on the particular aspects of the program the auditors consider in setting objectives, scope, and methodology. The following are examples of how the auditors' understanding of internal control can influence the audit plan: a. Audit objectives: Poorly controlled aspects of a program have a higher risk of failure, so they may be more significant than others in terms of where auditors may want to focus their efforts. b. Audit scope: Knowledge that internal controls are not properly designed or placed in operation at a certain location may lead auditors to target their efforts there. c. Audit methodology: Effective controls at the audited entity over collecting, summarizing, and reporting data may enable auditors to limit the extent of their direct testing of data validity and reliability. 
In contrast, evidence suggesting ineffective controls may lead auditors to perform more direct testing of the data, look for data from outside the entity, or develop their own data. 7.15: When internal controls are significant to the audit objectives, auditors should plan to obtain sufficient evidence to support their judgments about those controls. The following are examples of circumstances in which internal controls can be significant to audit objectives: a. In determining the cause of unsatisfactory performance, auditors may consider that unsatisfactory performance could result from deficiencies in internal controls. b. When assessing the validity and reliability of performance measures developed by the audited entity, effective internal control by the audited entity over collecting, summarizing, and reporting data will help ensure that the performance measures are valid and reliable. 7.16: Internal auditing is an important part of internal control.[Footnote 81] When an assessment of internal control is called for, the work of the internal auditors can be used to help provide reasonable assurance that internal controls are effectively designed and functioning properly, and to prevent duplication of effort. Designing the Audit to Detect Violations of Legal and Regulatory Requirements, Contract Provisions, or Grant Agreement, Fraud, and Abuse: 7.17: When laws, regulations, or provisions of contracts or grant agreements are significant to the audit objectives, auditors should design the audit methodology and procedures to provide reasonable assurance of detecting violations that could have a significant effect on the audit results. Auditors should determine which laws, regulations, and provisions of contracts or grant agreements are significant to the audit objectives and assess the risk that illegal acts or violations of provisions of contracts or grant agreements could occur. 
Based on that risk assessment, the auditors design and perform procedures to provide reasonable assurance of detecting significant instances of illegal acts or violations of provisions of contracts or grant agreements. Auditors should include audit documentation on their assessment of risk. 7.18: It is not practical to set precise standards for determining whether laws, regulations, or provisions of contracts or grant agreements are significant to audit objectives because government programs are subject to many laws, regulations, and provisions of contracts or grant agreements, and audit objectives vary widely. However, auditors may find the following approach helpful in making that determination: a. Reduce each audit objective to questions about specific aspects of the program being audited (that is, purpose and goals, internal control, efforts, program operations, outputs, and outcomes, as discussed in paragraph 7.10). b. Identify laws, regulations, and provisions of contracts or grant agreements that directly relate to specific aspects of the program included in questions that reflect the audit objectives. c. Determine if violations of those laws, regulations, or provisions of contracts or grant agreements could significantly affect the auditors' answers to the questions that relate to the audit objectives. If they could, then those laws, regulations, and provisions of contracts or grant agreements are likely to be significant to the audit objectives. 7.19: Auditors may find it necessary to rely on the work of legal counsel to (1) determine those laws and regulations that are significant to the audit objectives, (2) design tests of compliance with laws and regulations, or (3) evaluate the results of those tests.[Footnote 82] Auditors also may find it necessary to rely on the work of legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements. 
Depending on the circumstances of the audit, auditors may find it necessary to obtain information on compliance matters from others, such as investigative staff, other audit organizations or government entities that provided assistance to the audited entity, or the applicable law enforcement authority. 7.20: In planning tests of compliance with significant laws, regulations, and provisions of contracts or grant agreements, auditors should assess the risk that violations could occur. That risk may be affected by such factors as the complexity or newness of the laws, regulations, and provisions of contracts or grant agreements. The auditors' assessment of risk includes consideration of whether the entity has controls that are effective in preventing or detecting violations of laws, regulations, and provisions of contracts or grant agreements. If auditors obtain sufficient evidence of the effectiveness of these controls, they can reduce the extent of their tests of compliance. 7.21: In planning the audit, auditors should consider risks due to fraud[Footnote 83] that could significantly[Footnote 84] affect their audit objectives and the results of their audit. The audit team should discuss potential fraud risks, considering fraud factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud. Auditors should gather and assess information necessary to identify fraud risks which could be relevant to the audit objectives or affect the results of their audit. For example, auditors may need to obtain information through discussion with officials of the audited entity or through other means to determine the susceptibility of the program to fraud, the status of internal controls the entity has established to detect and prevent fraud, or the risk that officials of the audited entity could override internal control. 
Auditors should exercise professional skepticism in assessing these risks to determine which factors or risks could significantly affect the results of their work if fraud has occurred or is likely to have occurred. 7.22: When auditors identify factors or risks related to fraud that they believe could significantly affect the audit objectives or the results of the audit, auditors should respond by designing procedures to provide reasonable assurance of detecting fraud significant to the audit objectives. Auditors should prepare audit documentation related to their identification and assessment of and response to fraud risks. Auditors should also be aware that assessing the risk of fraud is an ongoing process throughout the audit and relates not only to planning the audit but also to evaluating evidence obtained during the audit. 7.23: Auditors should also be alert to situations or transactions that could be indicative of fraud. When information comes to the auditors' attention (through audit procedures, allegations received through fraud hotlines, or other means) indicating that fraud may have occurred, auditors should consider whether the possible fraud could significantly affect the audit results. If the fraud could significantly affect the audit results, auditors should extend the audit steps and procedures, as necessary, to (1) determine if fraud likely has occurred and (2) if so, determine its effect on the audit results. 7.24: Auditors' training, experience, and understanding of the program being audited may provide a basis for recognizing that some acts coming to their attention may be indicative of fraud. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond auditors' professional expertise and responsibility. 
However, auditors are responsible for being aware of vulnerabilities to fraud associated with the area being audited in order to be able to identify indications that fraud may have occurred. In some circumstances, conditions such as the following might indicate a heightened risk of fraud: a. weak management that fails to enforce existing internal control or to provide adequate oversight over the control process; b. inadequate separation of duties, especially those that relate to controlling and safeguarding resources; c. transactions that are out of the ordinary and are not satisfactorily explained, such as unexplained adjustments in inventories or other resources; d. instances when employees of the audited entity refuse to take vacations or accept promotions; e. missing or altered documents, or unexplained delays in providing information; f. false or misleading information; or g. a history of impropriety, such as past audits or investigations with findings of questionable or criminal activity. 7.25: Abuse is distinct from fraud, illegal acts, or violations of provisions of contracts or grant agreements. When abuse occurs, no law, regulation, or provision of a contract or grant agreement is violated. Rather, abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances.[Footnote 85] Auditors should be alert to situations or transactions that could be indicative of abuse. When information comes to the auditors' attention (through audit procedures, allegations received through a fraud hotline, or other means) indicating that abuse may have occurred, auditors should consider whether the possible abuse affects the audit results significantly.
If indications of abuse exist that significantly affect the audit results, the auditors should extend the audit steps and procedures, as necessary, to (1) determine whether the abuse occurred and, if so, (2) determine its effect on the audit results. However, because the determination of abuse is subjective, auditors are not expected to provide reasonable assurance of detecting it. Auditors should consider both quantitative and qualitative factors in making judgments regarding the significance of possible abuse and whether they need to extend the audit steps and procedures. 7.26: Auditors should exercise professional judgment in pursuing indications of possible fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse in order to not interfere with potential investigations, legal proceedings, or both. Under some circumstances, laws, regulations, or policies require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before extending audit steps and procedures. Auditors may also be required to withdraw from or defer further work on the audit or a portion of the audit in order not to interfere with an investigation. 7.27: An audit made in accordance with these standards provides reasonable assurance of detecting illegal acts, violations of provisions of contracts or grant agreements, or fraud that could significantly affect the audit results; however, it does not guarantee the discovery of illegal acts, violations of provisions of contracts or grant agreements, or fraud. Nor does the subsequent discovery of illegal acts, violations of contracts or grant agreements, or fraud committed during the audit period necessarily mean that the auditors' performance was inadequate, provided the audit was made in accordance with these standards. 
Identifying Audit Criteria: 7.28: Criteria are the standards, measures, expectations of what should exist, best practices, and benchmarks against which performance is compared or evaluated. Criteria, one of the elements of a finding, provide a context for understanding the results of the audit. (See paragraphs 7.62 through 7.65 for a discussion on the other elements of a finding.) The audit plan, where possible, should state the criteria to be used. In selecting criteria, auditors have a responsibility to use criteria that are reasonable, attainable, and relevant to the objectives of the performance audit. The following are some examples of possible criteria: a. purpose or goals prescribed by law or regulation or set by officials of the audited entity, b. policies and procedures established by officials of the audited entity, c. technically developed standards or norms, d. expert opinions, e. prior periods' performance, f. performance of similar entities, g. performance in the private sector, or h. best practices of leading organizations. Considering the Results of Previous Audits and Attestation Engagements: 7.29: Auditors should consider the results of previous audits and attestation engagements and follow up on known significant findings and recommendations[Footnote 86] identified in previous audit reports that directly relate to the objectives of the audit being undertaken. Auditors should ask audited entity officials to identify previous financial audits, attestation engagements, performance audits, or other studies related to the objectives of the audit being undertaken and to identify corrective actions taken to address significant findings and recommendations. For example, an audit report on an entity's computerized information systems may contain significant findings that could relate to the performance audit if the entity uses such systems to process its accounting or other information the auditors plan on using.
Auditors should use professional judgment in determining (1) prior periods to be considered, (2) the level of work necessary to follow up on significant findings and recommendations that affect the audit, and (3) the risk assessment used in planning the current audit and designing audit procedures to be performed. 7.30: Providing continuing attention to significant findings and recommendations is important to ensure that the benefits of audit work are realized. Ultimately, the benefits of audit work occur when officials of the audited entity take meaningful and effective corrective action in response to the auditors' findings and recommendations. Officials of the audited entity are responsible for resolving audit findings and recommendations directed to them and for having a process to track their status. If the audited entity does not have such a process, auditors may wish to establish their own process. Identifying Sources of Audit Evidence: 7.31: In identifying potential sources of data that could be used as audit evidence, auditors should consider the validity and reliability of the data, including data collected by the audited entity, data generated by the auditors, or data provided by third parties, as well as the sufficiency and relevance of the evidence. (See paragraphs 7.48 through 7.65 for standards and guidance concerning evidence.) Considering Work of Others: 7.32: Auditors should determine whether other auditors have previously done, or are doing, audits of the program or the entity that operates it. Whether other auditors have done performance audits, financial audits, or attestation engagements, the other auditors may be useful sources of information for planning and performing the audit. If other auditors have identified areas that warrant further study, their work may influence the auditors' selection of performance audit objectives.
The availability of other auditors' work may also influence the selection of methodology, since the auditors may be able to rely on that work to limit the extent of their own testing. 7.33: If auditors intend to rely on the work of other auditors, they should perform procedures regarding the specific work to be relied on that provide a sufficient basis for that reliance. Auditors should obtain evidence concerning the other auditors' qualifications and independence through prior experience, inquiry, and/or review of the other auditors' external quality control review report. Auditors should determine the sufficiency, relevance, and competence of other auditors' evidence by reviewing their report, audit program, or audit documentation, or by performing supplemental tests of the other auditors' work. The nature and extent of evidence needed will depend on the significance of the other auditors' work, on the extent to which the auditors will rely on that work, and whether auditors will refer to that work in their work. 7.34: Auditors face similar considerations when using the work of nonauditors (such as specialists). In addition, auditors should obtain an understanding of the methods and significant assumptions used by the nonauditors. (See paragraph 3.06 for independence considerations when relying on the work of others.) Assigning Staff and Other Resources: 7.35: Staff planning should include, among other things: a. assigning staff with the appropriate collective knowledge, skills, and experience for the job; b. assigning an adequate number of staff and supervisors to the audit; c. providing for on-the-job training of staff; and d. engaging specialists when necessary. 7.36: The availability of staff and other resources and the need for specialized skills are important considerations in establishing the audit objectives, scope, and methodology.
For example, limitations on travel funds may preclude auditors from visiting certain critical locations, or lack of appropriate expertise in a particular methodology or with computerized information systems may preclude auditors from undertaking certain objectives. Auditors may be able to overcome such limitations by engaging specialists with the necessary expertise. 7.37: If the use of a specialist is planned, auditors should have sufficient knowledge to: a. articulate the objectives required of the specialist, b. evaluate whether the specified procedures will meet auditors' objectives, and c. evaluate the results of the procedures applied as they relate to other planned audit procedures. 7.38: Auditors without sufficient knowledge to perform the functions listed above should consider alternative measures for ensuring audit quality related to the specialist's work, such as engaging another specialist to review the specialist's work. Communicating with Management and Others: 7.39: Auditors should communicate information about the specific nature of the performance audit, as well as general information concerning the planning and conduct of the audit and reporting--such as the form of the report and any potential restrictions on the report--to the various parties involved in the audit to help them understand the objectives, time frames, and any data needs. Parties involved may include: a. the head of the audited entity; b. the audit committee or, in the absence of an audit committee, the board of directors or other equivalent oversight body; c. the individual who possesses a sufficient level of authority and responsibility for the program or activity being audited; and d. the individuals contracting for or requesting audit services, such as contracting officials or legislative members or staff, if applicable.
7.40: Auditors should use their professional judgment to determine the form, content, and frequency of the communication, although written communication is preferred. Auditors may use an engagement letter, if appropriate, to communicate the information. Auditors should include the communication in the audit documentation. If the audit does not result in a product, auditors should document the audit by preparing a memorandum for the record that summarizes the results of the work and explains the reason the audit was terminated. If the audit is terminated before it is completed, auditors should communicate the reason for terminating it to management of the audited entity, the entity requesting the audit, and other appropriate officials, preferably in writing. This communication should be documented. Preparing the Audit Plan: 7.41: A written audit plan should be prepared for each audit. The form and content of the written audit plan will vary among audits but should include an audit program or project plan, a memorandum, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and of the auditors' basis for those decisions. It should be updated, as necessary, to reflect any significant changes to the plan made during the audit. 7.42: Documenting the audit plan is an opportunity for the auditors to supervise audit planning and to determine whether: a. the proposed audit objectives are likely to result in a useful report, b. the proposed audit scope and methodology are adequate to satisfy the audit objectives, and c. sufficient staff and other resources are available to perform the audit and to meet expected time frames for completing the work. 7.43: Written audit plans may include the following: a. information about the legal authority for the audited program, its history and current objectives, its principal locations, and other background that can help auditors understand and carry out the audit plan; b.
information about the responsibilities of each member of the audit team (such as preparing audit programs, conducting audit work, supervising and reviewing audit work, drafting reports, handling comments from officials of the audited program, and processing the final report), which can help auditors when the work is conducted at several different locations. In these audits, use of comparable audit methods and procedures can help make the data obtained from participating locations comparable; c. audit programs describing procedures to accomplish the audit objectives and providing a systematic basis for assigning work to staff and for summarizing the work performed; and d. the general format of the audit report and the types of information to be included, which can help auditors focus their field work on the information to be reported. Supervision: 7.44: The field work standard related to supervision for performance audits performed in accordance with GAGAS is: Staff are to be properly supervised. 7.45: Supervision involves directing the efforts of staff assigned to the audit to ensure that the audit objectives are accomplished. Elements of supervision include providing sufficient guidance to staff members, staying informed about significant problems encountered, reviewing the work performed, and providing effective on-the-job training. 7.46: Supervisors should satisfy themselves that staff members clearly understand what work they are to do, why the work is to be conducted, and what the work is expected to accomplish. With experienced staff, supervisors may outline the scope of the work and leave details to the staff. With less experienced staff, supervisors may have to specify audit procedures to be performed as well as techniques for gathering and analyzing data. 7.47: Reviews of audit work should be documented.
The nature and extent of the review of audit work may vary depending on a number of factors, such as the size of the audit organization, the significance of the work, and the experience of the staff.

Evidence:

7.48: The field work standard related to evidence for performance audits performed in accordance with GAGAS is:

Sufficient, competent, and relevant evidence is to be obtained to provide a reasonable basis for the auditors' findings and conclusions.

7.49: A large part of auditors' work on an audit concerns obtaining and evaluating evidence that ultimately supports their judgments and conclusions pertaining to the audit objectives. In evaluating evidence, auditors consider whether they have obtained the evidence necessary to achieve specific audit objectives. When internal control or compliance requirements are significant to the audit objectives, auditors should also collect and evaluate evidence relating to controls or compliance.

7.50: Evidence may be categorized as physical, documentary, testimonial, and analytical. Physical evidence is obtained by auditors' direct inspection or observation of people, property, or events. Such evidence may be documented in memoranda, photographs, drawings, charts, maps, or physical samples. Documentary evidence consists of created information such as letters, contracts, accounting records, invoices, and management information on performance. Testimonial evidence is obtained through inquiries, interviews, or questionnaires. Analytical evidence includes computations, comparisons, separation of information into components, and rational arguments.

7.51: The guidance in the following paragraphs is intended to help auditors judge the quality and quantity of evidence needed to satisfy audit objectives. Paragraphs 7.52 through 7.61 are intended to help auditors determine what constitutes sufficient, competent, and relevant evidence to support their findings and conclusions.
Paragraphs 7.62 through 7.65 describe the elements of an audit finding.

Tests of Evidence:

7.52: Evidence should be sufficient, competent, and relevant to support a sound basis for audit findings, conclusions, and recommendations:

a. Evidence should be sufficient to support the auditors' findings. In determining the sufficiency of evidence, auditors should ensure that enough evidence exists to persuade a knowledgeable person of the validity of the findings. When appropriate, statistical methods may be used to establish sufficiency.

b. Evidence is competent if it is valid, reliable, and consistent with fact. In assessing the competence of evidence, auditors should consider such factors as whether the evidence is accurate, authoritative, timely, and authentic. When appropriate, auditors may use statistical methods to derive competent evidence.

c. Evidence is relevant if it has a logical relationship with, and importance to, the issue being addressed.

7.53: The following presumptions are useful in judging the competence of evidence. However, these presumptions are not to be considered sufficient in themselves to determine competence. The amount and kinds of evidence required to support auditors' conclusions should be based on auditors' professional judgment.

a. Evidence obtained when internal controls are effective is more competent than evidence obtained when controls are weak or nonexistent. Auditors should be particularly careful in cases where controls are weak or nonexistent and should, therefore, plan alternative audit procedures to corroborate such evidence.

b. Evidence obtained through the auditors' direct physical examination, observation, computation, and inspection is more competent than evidence obtained indirectly.

c. Examination of original documents provides more competent evidence than do copies.

d.
Testimonial evidence obtained under conditions where persons may speak freely is more competent than testimonial evidence obtained under compromising conditions (for example, where the persons may be intimidated).

e. Testimonial evidence obtained from an individual who is not biased or has complete knowledge about the area is more competent than testimonial evidence obtained from an individual who is biased or has only partial knowledge about the area.

f. Evidence obtained from a credible third party may in some cases be more competent than that secured from management or other officials of the audited entity.

7.54: Auditors may find it useful to obtain written representations concerning the competence and completeness of certain evidence from officials of the audited entity. Written representations ordinarily confirm oral representations given to auditors, indicate and document the continuing appropriateness of such representations, and reduce the possibility of misunderstandings concerning the matters that are the subject of the representations. Written representations can take several forms, including summary documents prepared by the auditors and signed by the entity's management. If officials of the audited entity refuse to provide a written representation that the auditors have requested, the auditors should consider the effects of the refusal on results of the audit.

7.55: The auditors' approach to determining the sufficiency, competence, and relevance of evidence depends on the source of the information that constitutes the evidence. Information sources include original data gathered by auditors and existing data gathered by either officials of the audited entity or a third party. Data from any of these sources may be obtained from computer-based systems.
(See paragraphs 7.63 through 7.65 for additional documentation requirements when using information from a computer-based system.)

7.56: Data gathered by auditors: Data gathered by auditors include the auditors' own observations and measurements. Among the methods for gathering this type of data are questionnaires, structured interviews, direct observations, and computations. The design of these methods and the skill of the auditors applying them are the keys to ensuring that these data constitute sufficient, competent, and relevant evidence. When these methods are applied to determine cause, auditors are concerned with eliminating conflicting explanations.

7.57: Data gathered by management: Auditors can use data gathered by officials of the audited entity as part of their evidence. However, auditors should determine the validity and reliability of data that are significant to the audit objectives and may do so by direct tests of the data. Auditors can reduce the direct tests of the data if they test the effectiveness of the entity's internal controls over the validity and reliability of the data and these tests support the conclusion that the controls are effective. The nature and extent of data testing will depend on the significance of the data to support the auditors' findings. How the use of unaudited data gathered by officials of the audited entity affects the auditors' report depends on the data's significance to the auditors' findings. For example, in some circumstances, auditors may use unaudited data to provide background information; however, the use of such unaudited data would generally not be appropriate to support audit findings and conclusions.

7.58: Data gathered by third parties: The auditors' evidence may also include data gathered by third parties. In some cases, these data may have been audited by others, or the auditors may be able to audit the data themselves.
In other cases, however, it will not be practical to obtain evidence of the data's validity and reliability. How the use of unaudited third-party data affects the auditors' report depends on the data's significance to the auditors' findings. For example, in some circumstances, auditors may use unaudited data to provide background information; however, the use of such unaudited data would generally not be appropriate to support audit findings and conclusions.

7.59: Validity and reliability of data from computer-based systems: Auditors should obtain sufficient, competent, and relevant evidence that computer-processed data are valid and reliable when these data are significant to the auditors' findings. This work is necessary regardless of whether the data are provided to auditors or auditors independently extract them. Auditors should determine if officials of the audited entity or other auditors have worked to establish the validity and reliability of the data or the effectiveness of the controls over the system that produced the data. If the results of such work are current, auditors may be able to rely on that work. (See paragraphs 7.32 through 7.34 for requirements when relying on the work of others.) Auditors may also determine the validity and reliability of computer-processed data by direct tests of the data.

7.60: Auditors can reduce the direct tests of the data if they test the effectiveness of general and application controls over computer-processed data and these tests support the conclusion that the controls are effective.
If auditors determine that internal controls over data that are significantly dependent upon computerized information systems are not effective or if auditors do not plan to test the effectiveness of such controls, auditors should include audit documentation regarding the basis for that conclusion by addressing (1) the reasons why the design or operation of the controls is ineffective, or (2) the reasons why it is inefficient to test the controls. In such circumstances, auditors should also include audit documentation regarding their reasons for concluding that the planned audit procedures, such as direct tests of the data, are effectively designed to achieve specific audit objectives. This documentation should address:

a. the rationale for determining the types and extent of planned audit procedures;

b. the kinds and competence of available evidence produced outside a computerized information system; and

c. the effect on the audit report if the evidence gathered during the audit does not allow the auditors to achieve audit objectives.

7.61: When the auditors' tests of data disclose errors in the data, or when they are unable to obtain sufficient, competent, and relevant evidence about the validity and reliability of the data, they may find it necessary to:

a. seek evidence from other sources,

b. redefine the audit's objectives to eliminate the need to use the data, or

c. use the data, but clearly indicate in their report the data's limitations and refrain from making unwarranted conclusions or recommendations.

Audit Findings:

7.62: Audit findings often have been regarded as containing the elements of criteria, condition, and effect, plus cause when problems are found. However, the elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the elements of a finding.
Criteria are discussed in paragraph 7.28, and the other elements of a finding--condition, effect, and cause--are discussed in the following paragraphs:

7.63: Condition: Condition is a situation that exists. It has been determined and documented during the audit.

7.64: Effect: Effect has two meanings that depend on the audit objectives. When the auditors' objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, "effect" is a measure of those consequences. Auditors often use effect in this sense to demonstrate the need for corrective action in response to identified problems. When the auditors' objectives include estimating the extent to which a program has caused changes in physical, social, or economic conditions, "effect" is a measure of the impact achieved by the program. Here, effect is the extent to which positive or negative changes in actual physical, social, or economic conditions can be identified and attributed to program operations.

7.65: Cause: Like effect, cause also has two meanings that depend on the audit objectives. When the auditors' objectives include explaining why a particular type of positive or negative performance identified in the audit occurred, the reasons for that performance are referred to as "cause." Identifying the cause of problems can assist auditors in making constructive recommendations for correction. Because problems can result from a number of plausible factors or multiple causes, the recommendation can be more persuasive if auditors can clearly demonstrate and explain with evidence and reasoning the link between the problems and the factor or factors they have identified as the cause. When the auditors' objectives include estimating the program's effect on changes in physical, social, or economic conditions, auditors seek evidence of the extent to which the program itself is the "cause" of those changes.
Auditors may identify significant deficiencies in internal control as the cause of deficient performance. In reporting this type of finding, the internal control deficiency would be described as the "cause."

Audit Documentation:

7.66: The field work standard related to audit documentation for performance audits performed in accordance with GAGAS is:

Auditors should prepare and maintain audit documentation. Audit documentation related to planning, conducting, and reporting on the audit should contain sufficient information to enable an experienced auditor, who has had no previous connection with the audit, to ascertain from the audit documentation the evidence that supports the auditors' significant judgments and conclusions. Audit documentation should contain support for findings, conclusions, and recommendations before auditors issue their report.

7.67: The form and content of audit documentation should be designed to meet the circumstances of the particular audit. The information contained in audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors' professional judgment.

7.68: Audit documentation serves to (1) provide the principal support for the auditors' report, (2) aid auditors in conducting and supervising the audit, and (3) allow for the review of audit quality. Audit documentation should be appropriately detailed to provide a clear understanding of its purpose and source and the conclusions the auditors reached, and it should be appropriately organized to provide a clear link to the findings, conclusions, and recommendations contained in the audit report. Audit documentation for performance audits should contain the following items not explicitly addressed elsewhere in GAGAS:

a.
the objectives, scope, and methodology of the audit, including sampling and other selection criteria used;

b. the auditors' determination that certain standards do not apply or that an applicable standard was not followed, the reasons therefor, and the known effect that not following the applicable standard had, or could have had, on the audit;

c. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;[Footnote 87] and

d. evidence of supervisory reviews, before the audit report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the audit report.

7.69: Audit organizations should establish reasonable policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal and administrative requirements. Audit documentation allows for the review of audit quality by providing the reviewer with documentation, either in written or electronic formats, of the evidence supporting the auditors' significant judgments and conclusions. If audit documentation is only retained electronically, the audit organization should ensure that the electronic documentation is capable of being accessed throughout the specified retention period established for audit documentation and that it is safeguarded through sound computer security.

7.70: Underlying GAGAS audits is the premise that federal, state, and local governments and other organizations cooperate in auditing programs of common interest so that the auditors may use others' work and avoid duplication of effort. Auditors should make arrangements to make audit documentation available, upon request, in a timely manner to other auditors or reviewers. Contractual arrangements for GAGAS audits should provide for full and timely access to audit documentation to facilitate reliance by others on the auditors' work.
7.71: Audit organizations need to adequately safeguard the audit documentation associated with any particular engagement. Audit organizations should develop clearly defined policies and criteria to deal with situations where requests are made by outside parties to obtain access to audit documentation, especially in connection with situations where an outside party attempts to obtain indirectly through the auditor information that it is unable to obtain directly from the audited entity. In developing such policies, audit organizations need to consider applicable laws and regulations applying to the audit organizations or the audited entity.

[End of section]

Chapter 8: Reporting Standards for Performance Audits:

Introduction:

8.01: This chapter prescribes reporting standards and provides guidance to auditors reporting on performance audits in accordance with generally accepted government auditing standards (GAGAS). The reporting standards for performance audits relate to the form of the report, the report contents, report quality, and report issuance and distribution.

Form:

8.02: The reporting standard related to the form of the report for performance audits performed in accordance with GAGAS is:

Auditors should prepare audit reports communicating the results of each audit.

8.03: The form of the audit report should be appropriate for its intended use, but should be written or in some other retrievable form. Auditors should use their professional judgment including consideration of users' needs, likely demand, and distribution in determining the form of the audit report. In addition to a more formal presentation of audit results, such as a chapter report or a letter report, briefing slides may be considered audit reports. Audit reports also may be presented on electronic media that are retrievable by report users and the audit organization, such as video or compact disc formats.
However, regardless of form, audit reports should comply with all applicable reporting standards.

8.04: This standard is not intended to limit or prevent discussion of findings, judgments, conclusions, and recommendations with persons who have responsibilities involving the area being audited. On the contrary, such discussions are encouraged.

8.05: Audit reports (1) communicate the results of audits to officials at various levels of government, (2) make the results less susceptible to misunderstanding, (3) make the results available for public inspection, and (4) facilitate follow-up to determine whether appropriate corrective actions have been taken. The need to maintain public accountability for government programs demands that audit reports be retrievable.

8.06: If an audit is terminated before it is completed but the auditors do not issue an audit report, auditors should follow the requirements in paragraph 7.40.

Report Contents:

8.07: The reporting standard related to the contents of the report for performance audits conducted in accordance with GAGAS is:

The audit report should include the objectives, scope, and methodology; the audit results, including findings, conclusions, and recommendations, as appropriate; a reference to compliance with generally accepted government auditing standards; the views of responsible officials; and, if applicable, the nature of any privileged and confidential information omitted.

Objectives, Scope, and Methodology:

8.08: Auditors should include in the report the audit objectives and the scope and methodology used for achieving the audit objectives. This information is needed by report users to understand the purpose of the audit and the nature of the audit work performed, to provide perspective as to what is reported, and to understand any significant limitations in audit objectives, scope, or methodology.
8.09: Audit objectives should be communicated in the audit report in a clear, specific, and neutral manner that avoids unstated assumptions. Auditors should explain why the audit organization undertook the assignment and state what the report is to accomplish and why the subject matter is important. Articulating what the report is to accomplish normally involves identifying the audit subject and the aspect of performance examined. The reported audit objectives provide more meaningful information to report users if they are measurable and feasible and avoid being presented in a broad or general manner. To reduce misunderstanding in cases where the objectives are particularly limited and broader objectives can be inferred, it may be necessary to state objectives that were not pursued.

8.10: In reporting the scope of the audit, auditors should describe the depth and coverage of work conducted to accomplish the audit's objectives. Auditors should, as applicable, explain the relationship between the population of items sampled and what was audited; identify organizations, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any problems with the evidence. Auditors should also report significant constraints imposed on the audit approach by data limitations or scope impairments, including demands of access to certain records or individuals.

8.11: To report the methodology used, auditors should clearly explain how the audit objectives were accomplished, including the evidence gathering and analysis techniques used, in sufficient detail to allow knowledgeable users of their reports to understand the work.
This explanation should identify any significant assumptions made in conducting the audit; describe any comparative techniques applied; describe the criteria used; and, when sampling significantly supports auditors' findings, describe the sample design and state why it was chosen, including whether the results can be projected to the intended population.

8.12: Auditors should attempt to avoid misunderstanding by the report user concerning the work that was and was not done to achieve the audit objectives, particularly when the work was limited because of constraints on time or resources. The auditors' report should clearly describe the scope of the work performed and any limitations; any applicable standards that were not followed, and the reasons therefor; and how not following the applicable standards affected or could affect the results of the work. For example, if the auditors are unable to determine the reliability of information from an agency's database, and information from this database is critical to achieving the audit objectives, the report should clearly state the limitations associated with the information and refrain from making unwarranted conclusions or recommendations. In these situations, the audit report should also include the reasons the auditors were unable to perform this work and the potential impact on the findings if the information is not reliable.[Footnote 88]

Findings:

8.13: Auditors should report findings by providing credible evidence that relates to the audit objectives. These findings should be supported by sufficient, competent, and relevant evidence. They also should be presented in a manner to promote adequate understanding of the matters reported and to provide convincing but fair presentations in proper perspective.
The audit report should provide selective background information to provide the context for the overall message and to help the reader understand the findings and significance of the issues discussed.[Footnote 89]

8.14: As discussed in chapter 7, audit findings have often been regarded as containing the elements of criteria, condition, cause, and effect. However, the elements needed for a finding depend on the audit objectives. For example, an audit objective may be limited to determining the current status or condition of implementing legislative requirements, and not the related cause or effect. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the elements of the finding.

8.15: To the extent possible, in presenting findings, auditors should develop the elements of criteria, condition, cause, and effect to assist officials of the audited entity or oversight officials of the audited entity in understanding the need for taking corrective action. In addition, if auditors are able to sufficiently develop the findings, auditors should provide recommendations for corrective action. Following is guidance for reporting on elements of findings:

a. Criteria provides information so that the report user will be able to determine what is the required or desired state or what is expected from the program or operation. The criteria are easier to understand when stated fairly, explicitly, and completely and when the source of the criteria is identified in the audit report.[Footnote 90]

b. Condition provides evidence on what the auditors found regarding the actual situation. Reporting the scope or extent of the condition allows the report user to gain an accurate perspective.

c. Cause provides persuasive evidence on the factor or factors responsible for the difference between condition and criteria.
In reporting the cause, auditors may consider whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference as opposed to other possible causes, such as poorly designed criteria or factors uncontrollable by program management. The auditors also may consider whether the identified cause could serve as a basis for the recommendations.

d. Effect provides a clear, logical link to establish the impact of the difference between what the auditors found (condition) and what should be (criteria). Effect is easier to understand when it is stated clearly, concisely, and, if possible, in quantifiable terms. The significance of the reported effect can be demonstrated through credible evidence.

8.16: The audit report should also include any significant deficiencies[Footnote 91] in internal control, all instances of fraud and illegal acts unless they are clearly inconsequential,[Footnote 92] significant violations of provisions of contracts or grant agreements, and significant abuse.

Internal Control Deficiencies:

8.17: Auditors should include in the audit report the scope of their work on internal control and any significant deficiencies found during the audit. When auditors detect deficiencies in internal control that are not significant, they should communicate those deficiencies in a separate letter to officials of the audited entity unless the deficiencies are clearly inconsequential considering both qualitative and quantitative factors. If the auditors have communicated deficiencies in a separate letter to officials of the audited entity, they should refer to that letter in the audit report. Auditors should use professional judgment in determining whether or how to communicate deficiencies that are clearly inconsequential to officials of the audited entity.
Auditors should include in their audit documentation evidence of all communications about internal control deficiencies found during the audit.

8.18: In a performance audit, auditors may identify significant deficiencies in internal control as the cause of deficient performance. In reporting this type of finding, the internal control weakness would be described as the cause.

Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse:

8.19: When auditors conclude, based on evidence obtained, that fraud, illegal acts, significant violations of provisions of contracts or grant agreements, or significant abuse either has occurred or is likely to have occurred, they should include in their audit report relevant information.[Footnote 93] Abuse occurs when the conduct of a government program or entity falls far short of behavior that is expected to be reasonable and necessary business practices by a prudent person.

8.20: When reporting instances of fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should place their findings in proper perspective by providing a description of the work conducted that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, the instances identified should be related to the population or the number of cases examined and be quantified in terms of dollar value, if appropriate. If the results cannot be projected, auditors should limit their conclusion to the items tested.

8.21: When auditors detect violations of provisions of contracts or grant agreements, or abuse that is not significant, they should communicate those findings in a separate letter to officials of the audited entity unless the findings are clearly inconsequential, considering both qualitative and quantitative factors.
If the auditors have communicated instances of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse in a separate letter to officials of the audited entity, auditors should refer to that letter in the audit report. Auditors should use their professional judgment in determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse that are clearly inconsequential. Auditors should include in their audit documentation evidence of all communications to officials of the audited entity about instances of fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse.

Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse:

8.22: GAGAS require auditors to report fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse directly to parties outside the audited entity in certain circumstances, as discussed below.[Footnote 94] These requirements are in addition to any legal requirements for direct reporting of fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. Auditors should meet these requirements even if they have resigned or been dismissed from the audit.

8.23: The audited entity may be required by law or regulation to report certain fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to specified external parties, such as a federal inspector general or a state attorney general. If auditors have communicated such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to the audited entity and it fails to report them, then the auditors should communicate their awareness of that failure to the governing body of the audited entity.
If the audited entity does not make the required report as soon as possible after the auditors' communication with the entity's governing body, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to the external party specified in the law or regulation.

8.24: Officials of the audited entity are responsible for taking timely and appropriate steps to remedy fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that auditors report to them. When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse involves assistance received directly or indirectly from a government agency, auditors may have a duty to report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to that government agency if officials of the audited entity fail to take remedial steps. If auditors conclude that such failure is likely to cause them to report such findings or resign from the audit, they should communicate that conclusion to the governing body of the audited entity. Then, if the audited entity does not report the fraud, illegal act, violation of provisions of contracts or grant agreements, or abuse as soon as possible to the entity that provided the government assistance, the auditors should report the fraud, illegal act, violation of provisions of contracts or grant agreements, or abuse directly to that entity.

8.25: In these situations, auditors should obtain sufficient, competent, and relevant evidence, such as confirmation with outside parties, to corroborate assertions by officials of the audited entity that the officials have reported fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse.
If the officials are unable to do so, then the auditors should report such fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly as discussed above. 8.26: Laws, regulations, or other authority may require auditors to report promptly indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities. In such circumstances, when auditors conclude that these types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, they should ask those authorities or legal counsel if publicly reporting certain information about the potential fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse would compromise investigative or legal proceedings. Auditors should limit the extent of their public reporting to matters that would not compromise those proceedings, such as information that is already a part of the public record. Conclusions: 8.27: Auditors should report conclusions when called for by the audit objectives and the results of the audit. Conclusions are logical inferences about the program based on the auditors' findings and should represent more than just a summary of the findings. Conclusions should be clearly stated, not implied. The strength of the auditors' conclusions depends on the persuasiveness of the evidence supporting the findings and the soundness of the logic used to formulate the conclusions. Conclusions are stronger if they set up the report's recommendations and convince the knowledgeable user of the report that action is necessary. Recommendations: 8.28: If warranted, auditors should make recommendations for actions to correct problems identified during the audit and to improve programs and operations. 
Auditors should make recommendations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Recommendations should logically flow from the findings and conclusions and need to state clearly the actions to be taken. Recommendations to effect compliance with laws and regulations and improve internal control also should be made when significant instances of possible fraud, illegal acts, or violations of provisions of contracts or grant agreements are noted, or when abuse or deficiencies in internal control are found. 8.29: Constructive recommendations can encourage improvements in the conduct of government programs and operations. For recommendations to be most constructive, they should be directed at resolving the cause of identified problems, action oriented and specific, addressed to parties that have the authority to act, practical and, to the extent feasible, cost effective and measurable. Statement on Compliance with GAGAS: 8.30: Auditors should report that the audit was made in accordance with GAGAS. The statement of compliance with GAGAS refers to all the applicable standards that the auditors should have followed during the audit. The statement referencing compliance with GAGAS should be qualified in situations in which the auditors did not follow an applicable standard. In these situations, auditors should disclose in the scope section of the report the applicable standard that was not followed, the reasons therefor, and how not following the standard affected, or could have affected, the results of the audit. In assessing the impact of not following an applicable standard on the results of the audit, auditors may need to qualify any assurances, disclaim from providing any assurances, or withdraw from the audit. 
Reporting Views of Responsible Officials: 8.31: Auditors should report the views of responsible officials of the audited program concerning auditors' findings, conclusions, and recommendations; as well as planned corrective actions. One of the most effective ways to ensure that a report is fair, complete, and objective is to obtain advance review and comments by responsible officials of the audited entity and others, as may be appropriate. Including the views of responsible officials results in a report that presents not only the auditors' findings, conclusions, and recommendations, but also what the responsible officials of the audited entity think about the audit results and what corrective actions officials of the audited entity plan to take. Auditors should include in their report a copy of the officials' written comments or a summary of the comments received. 8.32: Auditors should normally request that the responsible officials submit in writing their views on reported findings, conclusions, and recommendations, as well as management's planned corrective actions. Oral comments are acceptable as well and, in some cases, may be the only or most expeditious way to obtain comments. Cases in which obtaining oral comments can be effective include when there is a time-critical requirement to meet a user's needs; the auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are very familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with the draft report's findings, conclusions, and recommendations, or perceive any major controversies with regard to the issues discussed in the draft report. Auditors should prepare a summary of the officials' oral comments and provide a copy of the summary to officials of the audited entity to verify that the comments are accurately stated prior to finalizing the report. 
8.33: Comments should be fairly and objectively evaluated and recognized, as appropriate, in the final report. Comments, such as a promise or plan for corrective action, should be noted but should not be accepted as justification for dropping a finding or a related recommendation. 8.34: When the audited entity's comments oppose the report's findings, conclusions, or recommendations and are not, in the auditors' opinion, valid, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should state their reasons for disagreeing with the comments or planned corrective actions. The auditors' disagreement should be stated in a fair and objective manner. Conversely, the auditors should modify their report as necessary if they find the comments valid. Reporting Privileged and Confidential Information: 8.35: If certain pertinent information is prohibited from general disclosure, the audit report should state the nature of the information omitted and the requirement that makes the omission necessary. 8.36: Certain information may be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate limited-official-use report containing such information and distribute the report only to persons authorized by law or regulation to receive it. Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information in the report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited-official-use report containing such information and distribute the report only to those parties responsible for acting on the auditors' recommendations. 
The auditors should, when appropriate, consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information. 8.37: Auditors' judgments that certain information should be excluded from publicly available reports should be made in a manner consistent with consideration of the broader public interest in the program or activity under review. When circumstances call for omission of certain information, auditors should consider whether this omission could distort the engagement results or conceal improper or unlawful practices. If auditors make the judgment that certain information should be excluded from a publicly available report, they should state the general nature of the information omitted and the reasons that make the omission necessary in the report. Report Quality Elements: 8.38: The reporting standard related to report quality for performance audits performed in accordance with GAGAS is: The report should be timely, complete, accurate, objective, convincing, clear, and as concise as the subject permits. Timely: 8.39: To be of maximum use, the audit report needs to provide relevant information in time to respond to officials of the audited entity, legislative officials, and other users' legitimate needs. Likewise, the information provided in the report needs to be current. Therefore, auditors should plan for the appropriate issuance of the report and conduct the audit with these goals in mind. 8.40: During the audit, the auditors should consider interim reporting of significant matters to appropriate entity officials. Such communication, which may be oral or written, is not a substitute for a final report, but it does alert officials to matters needing immediate attention and permits them to take corrective action before the final report is completed. 
Complete: 8.41: Being complete requires that the report contain all evidence needed to satisfy the audit objectives and promote an adequate and correct understanding of the matters reported. It also means the report states information and findings completely, including all necessary facts and explanations. Giving report users an adequate and correct understanding means providing perspective on the extent and significance of reported findings, such as the frequency of occurrence relative to the number of cases or transactions tested and the relationship of the findings to the entity's operations. 8.42: In most cases, a single example of a deficiency is not sufficient to support a broad conclusion or a related recommendation. All that it supports is that a deviation, an error, or a weakness existed. Sufficient detailed supporting data should be included to make convincing presentations. Accurate: 8.43: Accuracy requires that the evidence presented be true and that findings be correctly portrayed. The need for accuracy is based on the need to assure report users that what is reported is credible and reliable. One inaccuracy in a report can cast doubt on the reliability of an entire report and can divert attention from the substance of the report. Also, use of inaccurate evidence can damage the credibility of the issuing audit organization and reduce the effectiveness of its reports. 8.44: The report should include only information, findings, and conclusions that are supported by sufficient, competent, and relevant evidence in the audit documentation. If data are significant to the audit findings and conclusions, but are not audited, the auditors should clearly indicate in their report the data's limitations and not make unwarranted conclusions or recommendations based on those data. 8.45: Evidence included in audit reports should demonstrate the correctness and reasonableness of the matters reported. 
Correct portrayal means describing accurately the audit scope and methodology and presenting findings and conclusions in a manner consistent with the scope of audit work. The report also should not have errors in logic and reasoning. One way to help ensure that the audit report meets these reporting standards is to use a quality control process such as referencing. Referencing is a process in which an experienced auditor who is independent of the audit verifies that statements of facts, figures, and dates are correctly reported, that the findings are adequately supported by the audit documentation, and that the conclusions and recommendations flow logically from the support. Objective: 8.46: Objectivity requires that the presentation of the entire report be balanced in content and tone. A report's credibility is significantly enhanced when it presents evidence in an unbiased manner so that report users can be persuaded by the facts. The report should be fair and not misleading and should place the audit results in perspective. This means presenting the audit results impartially and fairly. In describing shortcomings in performance, auditors should put findings in context. For example, the audited entity may have faced unusual difficulties or circumstances. 8.47: The tone of reports should encourage decision makers to act on the auditors' findings and recommendations. This tone should be balanced by requiring reports to present sound and logical evidence to support conclusions while refraining from using adjectives or adverbs that characterize evidence in a way that implies criticism or unsupported conclusions. 8.48: The report should recognize the positive aspects of the program reviewed if applicable to the audit objectives. Inclusion of positive program aspects may lead to improved performance by other government organizations that read the report. Such information allows for a fairer presentation of the situation by providing appropriate balance to the report. 
In addition, inclusion of such accomplishments may lead to improved performance by other government organizations that read the report. Convincing: 8.49: Being convincing requires that the audit results be responsive to the audit objectives, that the findings be presented persuasively, and that the conclusions and recommendations follow logically from the facts presented. The information presented should be sufficient to convince the report users to recognize the validity of the findings, the reasonableness of the conclusions, and the benefit of implementing the recommendations. Reports designed in this way can help focus the attention of responsible officials on the matters that warrant attention and can provide an incentive for taking corrective action. Clear: 8.50: Clarity requires that the report be easy to read and understand. Reports should be prepared in language as clear and simple as the subject permits. Use of straightforward, nontechnical language is essential to simplicity of presentation. Whenever technical terms, abbreviations, and acronyms are used, they should be clearly defined. 8.51: Auditors may consider using a summary within the report to capture the report user's attention and highlight the overall message. If a summary is used, it generally should focus on the specific answers to the questions in the audit objectives, summarize the audit's most significant findings and the report's principal conclusions, and prepare users to anticipate the major recommendations. 8.52: Logical organization of material, and accuracy and precision in stating facts and in drawing conclusions, are essential to clarity and understanding. Effective use of titles and captions and topic sentences makes the report easier to read and understand. Visual aids (such as pictures, charts, graphs, and maps) should be used when appropriate to clarify and summarize complex material. 
Concise: 8.53: Being concise requires that the report be no longer than necessary to convey and support the message. Extraneous detail detracts from a report, may even conceal the real message, and may confuse or distract the users. Also, needless repetition should be avoided. Although room exists for considerable judgment in determining the content of reports, those that are fact-based but concise are likely to achieve greater results. Report Issuance and Distribution: 8.54: The reporting standard related to report issuance and distribution for performance audits performed in accordance with GAGAS is: Government auditors should submit audit reports to the appropriate officials of the audited entity and to the appropriate officials of the organizations requiring or arranging for the audits, including external funding organizations, such as legislative bodies, unless legal restrictions prevent it. Auditors should also send copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and also to others authorized to receive such reports. Unless the report is restricted by law or regulation, or contains privileged or confidential information, auditors should clarify that copies are made available for public inspection. Nongovernment auditors should clarify report distribution responsibilities with the party contracting for the audit and follow the agreements reached. 8.55: Audit reports should be distributed in a timely manner to officials interested in the results. Such officials include those designated by law or regulation to receive such reports, those responsible for acting on the findings and recommendations contained in the report, those in other levels of government who have provided assistance to the audited entity, and legislators. 
However, if the subject of the audit involves material that is classified for security purposes or is not releasable to particular parties or the public for other valid reasons, auditors should limit the report distribution. (See paragraphs 8.35 through 8.37 for additional guidance on limited report distribution.) The availability of the report for public inspection should be documented in the audit documentation. 8.56: When nongovernment auditors are engaged to perform the audit under GAGAS, they should clarify report distribution responsibilities with the engaging organization. If the nongovernment auditors are to make the distribution, the engagement agreement should indicate which officials or organizations should receive the report and any other steps being taken to ensure the availability of the report for public inspection. The availability of the report for public inspection should be documented in the audit documentation. 8.57: Internal auditors should follow their entity's own arrangements and statutory requirements for distribution. Usually, they report to their entity's head or deputy head, who is responsible for distribution of the report. Further distribution of reports outside the organization should be made in accordance with applicable laws, rules, regulations, or policy. [End of section] Appendixes: Appendix I Advisory Council on Government Auditing Standards: Advisory Council Members: Mr. Jack R. Miller, Chair KPMG LLP (member 1997-1998; chair 2001-2003): Mr. Richard C. Tracy, Former Chair Office of City Auditor Portland, Oregon (member 1997-1998; chair 1999-2000): The Honorable James B. Thomas, Former Chair Office of the Chief Inspector General State of Florida (chair 1997-1998): The Honorable Ernest A. Almonte Office of the Auditor General State of Rhode Island (member 2001-2003): Mr. Robert H. Attmore Office of the Comptroller New York State (member 1997-1999): The Honorable Thomas R. 
Bloom Defense Finance and Accounting Service (member 1997-2000): The Honorable June Gibbs Brown U.S. Department of Health and Human Services (member 1997-1999): The Honorable Ralph Campbell, Jr. Office of the State Auditor State of North Carolina (member 2000-2002): Mr. Donald H. Chapin Consultant (member 1997-1998): Ms. Patricia A. Dalton U.S. Department of Labor (member 1997-1999): The Honorable Debra K. Davenport Office of the Auditor General State of Arizona (member 2002-2004): The Honorable Bert T. Edwards Department of Interior (member 2000-2002): Dr. John H. Engstrom University of Northern Illinois (member 2002-2004): The Honorable Richard L. Fair Office of the State Auditor State of New Jersey (member 2002-2004): Dr. Ehsan Feroz University of Minnesota Duluth (member 2002-2004): The Honorable Gregory H. Friedman Department of Energy (member 2002-2004): The Honorable Gaston L. Gianni, Jr. Federal Deposit Insurance Corporation (member 1999-2001): Ms. Barbara J. Hinton Office of the Legislative Post Auditor State of Kansas (member 1999-2001): Mr. David G. Hitchcock Standard & Poor's (member 1999-2001): Dr. Jesse W. Hughes Consultant (member 2000-2002): Dr. Rhoda C. Icerman Florida State University (member 2001-2003): Mr. Norwood J. Jackson, Jr. U.S. Office of Management and Budget (member 1997-2000): The Honorable Auston G. Johnson Office of the State Auditor State of Utah (member 2000-2002): The Honorable Margaret B. Kelly Office of the State Auditor State of Missouri (member 1997-1998): Dr. Daniel G. Kyle Office of the Legislative Auditor State of Louisiana (member 1997-1998): Mr. Philip A. Leone Joint Legislative Audit and Review Commission Commonwealth of Virginia (member 1997-2000): Mr. George A. Lewis Broussard, Poche, Lewis & Breaux (member 1997-2000): Ms. Nora J.E. Masters Deloitte & Touche LLP (member 1997-1999): Mr. Sam M. McCall Office of the City Auditor Tallahassee, Florida (member 1997-1998; 2000-2002): Mr. Harold L. 
Monk Davis, Monk & Company, CPAs (member 2002-2004): Mr. Stephen L. Morgan Office of the City Auditor Austin, Texas (member 2001-2003): The Honorable Everett L. Mosley U.S. Agency for International Development (member 2001-2003): Mr. Bruce A. Myers Office of the Legislative Auditor State of Maryland (member 1999-2001): Dr. Kathryn E. Newcomer George Washington University (member 1999-2001): Mr. Robert M. Reardon, Jr. State Farm Insurance Companies (member 2002-2004): Ms. Roberta Reese Office of the Controller State of Nevada (member 1997-1999): Mr. George A. Scott Deloitte & Touche LLP (member 1999-2001): Mr. Gerald Silva Office of the City Auditor City of San Jose, California (member 2002-2004): The Honorable Kurt R. Sjoberg Office of the State Auditor State of California (member 1997-2000): Mr. Barry R. Snyder Federal Reserve Board (member 2001-2003): Dr. Daniel Stufflebeam Western Michigan University (member 2002-2004): Dr. Paul M. Thompson AMBAC Indemnity Corporation (member 1997-1998): Mr. Cornelius E. Tierney George Washington University (member 1997-1999): The Honorable Nikki Tinsley Environmental Protection Agency (member 2002-2004): Ms. Leslie E. Ward Office of the City Auditor Kansas City, Missouri (member 1999-2001): The Honorable Jacquelyn L. Williams-Bridgers U.S. Department of State (member 2000-2002): Dr. Earl R. Wilson University of Missouri-Columbia (member 1999-2001): GAO Project Team: Jeffrey C. Steinhoff, Managing Director Jeanette M. Franzel, Director Marcia B. Buchanan, Assistant Director Cheryl E. Clark, Assistant Director Michael C. Hrapsky, Project Manager Robert W. Gramling, Consultant: [End of section] Index: abuse: attestation engagement; 6.15, 6.19-6.20, 6.32-6.40. defined; 4.19, 6.19, 7.25, 8.19. financial audit; 4.17, 4.19, 4.20, 5.12, 5.17-5.25. performance audit; 7.25-7.26, 8.19-8.26. pursuing indications of; 4.20, 6.20, 7.26. reporting; 5.12, 5.17-5.25, 6.32-6.40, 8.19-8.26. reporting, direct; 5.21-5.25, 6.36-6.40, 8.22-8.26. 
accountability; 1.11-1.16. AICPA standards: attestation engagement; 2.08, 6.01, 6.03-6.04, 6.23, 6.27, 6.51. financial audit; 2.06, 4.01-4.02, 4.03-4.04, 5.01-5.02, 5.03, 5.17. relationship to GAGAS; 1.09, 4.01, 5.01, 6.01. American Institute of Certified Public Accountants (see AICPA standards). attestation engagements; 1.13, 2.07-2.08, 6.01-6.54. abuse; 6.15, 6.19-6.20, 6.32-6.40. communication, auditor; 6.06-6.09, 6.35, 6.54. compliance with GAGAS, reporting auditors'; 6.29-6.31. corrective actions; 6.34, 6.41-6.45. defined; 1.13, 2.07, 6.02. distribution, report issuance and; 6.46, 6.49-6.54. distribution, limited; 6.27d, 6.47, 6.50-6.51. documentation: access to; 6.25-6.26. attest; 6.07, 6.16-6.17, 6.22-6.26, 6.35, 6.54. of communication; 6.07, 6.09, 6.35, 6.54. safeguarding; 6.26. findings; 6.21, 6.33-6.35. fraud and illegal acts; 6.15-6.18, 6.20, 6.32-6.40. internal control; 2.07, 6.13-6.14, 6.32-6.35. levels of; 6.02. agreed-upon-procedures; 6.02c, 6.15b, 6.18, 6.27d, 6.51. examination; 6.02a, 6.13-6.14, 6.15a, 6.16. review; 6.02b, 6.15b, 6.18. planning; 6.04, 6.13-6.14, 6.15-6.16. previous engagements, considering results of; 6.10-6.12. privileged and confidential information; 6.46-6.48. recommendations; 6.34. reporting; 6.27-6.54. reporting, direct; 6.36-6.40. qualifications for auditors, additional; 3.43-3.44. termination; 6.54. views of responsible officials; 6.41-6.45. violations of provisions of contracts or grant agreements; 6.15-6.18, 6.20, 6.32-6.35, 6.36-6.40. work of others, using; 6.25. audit objectives (see objectives). audit organizations' responsibilities (see also under independence); 1.27-1.28, 3.38. auditors, qualifications of (see competence). auditors' responsibilities; 1.19-1.26, 4.11, 4.18. audits and attestation engagements, types of (see also attestation engagements; financial audits; performance audits); 2.01-2.16. cause; 5.15c, 6.34c, 7.65, 8.15c, 8.18. comments (see letters of comment; views of responsible officials). 
communication, auditor (see also under attestation engagements; financial audits; performance audits); 1.26, 3.17e-3.17f. competence (see also continuing professional education); 3.39-3.48. technical knowledge; 3.42. qualifications for financial audits and attestation engagements, additional; 3.43-3.44. compliance; 1.18b, 4.12-4.13, 4.17-4.18, 5.08-5.11, 6.15-6.20, 6.32, 6.36-6.40, 7.12c, 7.19-7.20, 7.49. tests of; 4.12-4.13, 4.17-4.18, 6.15-6.20, 7.07d, 7.17-7.20. compliance with GAGAS (see under GAGAS). computer-based systems, data from; 7.59-7.61. conclusions; 6.27b, 8.27, 8.42, 8.44, 8.47, 8.49. condition; 5.15b, 6.34b, 7.63, 8.15b. conditions, reportable (see reportable conditions under financial audits). confidential information (see privileged and confidential information under attestation engagements; financial audits; performance audits). conflict of interest (see independence). constructive engagement; 1.16. consulting services (see nonaudit services). continuing professional education (CPE) (see also documentation, continuing professional education); 3.45-3.48. corrective actions (see under attestation engagements; financial audits; performance audits). criteria; 5.15a, 6.03, 6.34a, 7.28, 8.15a. data (see also evidence); 7.31, 7.55-7.61. sources of; 7.31, 7.55-7.59. tests of; 7.60-7.61. unaudited; 8.44. validity and reliability of; 7.12b, 7.15b, 7.57, 7.59. diligence (see professional judgment). direct reporting (see under attestation engagements; financial audits; performance audits). distribution, limited (see under attestation engagements; financial audits; performance audits). distribution, report issuance and; 5.31-5.33, 5.34-5.38, 6.46-6.48, 6.49-6.54, 8.35-8.37, 8.54-8.57. documentation: access to; 4.25-4.26, 6.25-6.26, 7.69-7.71. attestation engagement; 6.07, 6.09, 6.16-6.17, 6.22-6.26, 6.35, 6.50-6.51, 6.54. audit plan; 7.41-7.43. of audit reviews; 7.47. 
of communication; 4.07, 4.09, 5.16, 5.20, 5.38, 6.07, 6.09, 6.35, 6.54, 7.40, 8.17, 8.21. of continuing professional education; 3.47. of evidence; 7.54, 7.60, 7.66-7.68. financial audit; 4.07, 4.09, 4.22-4.26, 5.16, 5.20, 5.35-5.36, 5.38. independence; 3.17a, 3.17e, 3.26, 3.32. peer review; 3.17g, 3.54. performance audit; 7.07, 7.17, 7.22, 7.40-7.43, 7.47, 7.54, 7.60, 7.66-7.71, 8.17, 8.21, 8.55-8.56. of planning; 7.07. quality control; 3.51. safeguarding; 4.26, 6.26, 7.69, 7.71. of specialists' qualifications; 3.48. economy and efficiency (see under objectives). effect; 5.15d, 6.34d, 7.64, 8.15d. effectiveness (see under objectives). engagement letter; 3.17e, 4.07-4.09, 6.07-6.09, 7.40. evidence (see also data): attestation engagement; 6.04b, 6.34, 6.39. financial audits; 4.03c, 4.12, 5.15, 5.24. performance audit; 7.31, 7.48-7.51, 7.52-7.65, 8.13, 8.15, 8.25, 8.41-8.47. tests of; 7.52-7.61. types of; 7.50. external quality control review (see peer review). field work; 4.01-4.26, 6.03-6.26, 7.01-7.71. financial audits; 1.12, 2.05-2.06, 4.01-4.26, 5.01-5.38. abuse; 4.17, 4.19, 4.20, 5.12, 5.17-5.25. communication, auditor; 4.06-4.13, 5.16, 5.20, 5.22-5.23, 5.38. compliance; 4.10-4.13, 4.17-4.20, 5.08-5.11, 5.12, 5.17-5.25. compliance with GAGAS, reporting auditors'; 5.05-5.07. conclusions; 5.18. corrective actions; 4.15-4.16, 5.15, 5.26-5.30. defined; 1.12, 2.05, 4.02. distribution, limited; 5.32, 5.35. distribution, report issuance and; 5.31-5.33, 5.34-5.38. documentation: access to; 4.25-4.26. audit; 4.22-4.26. of communication; 4.07, 4.09, 5.16, 5.20, 5.38. safeguarding; 4.26. field work; 4.01-4.26. findings; 4.21, 5.14-5.15, 5.18-5.20. fraud and illegal acts; 4.17-4.18, 4.20, 5.12, 5.17-5.25. internal control; 4.03b, 4.04, 4.10-4.13, 5.08-5.11, 5.12-5.16. material misstatement, detecting; 4.17-4.18. material weakness; 5.14. previous engagements, considering results of; 4.04, 4.14-4.16. privileged and confidential information; 5.31-5.33. 
procedures, audit; 4.17-4.21. reportable conditions; 5.12-5.16. reporting; 5.01-5.38. reporting, direct; 5.12, 5.21-5.25. qualifications for auditors, additional; 3.43-3.44. termination; 4.09, 5.38. users (of the audit report); 4.04, 5.07, 5.15. views of responsible officials; 5.26-5.30. violations of provisions of contracts or grant agreements; 4.17-4.18, 4.20, 5.12, 5.17-5.25. findings; 4.21, 5.14-5.15, 5.18-5.20, 6.21, 6.33-6.35, 7.28, 7.62-7.65, 8.13-8.16. findings, elements of; 5.15, 6.34, 7.28, 7.62-7.65, 8.14-8.15. follow-up (see also previous engagements, considering results of); 1.28. fraud and illegal acts (see also laws, regulations, and provisions of contracts or grant agreements): attestation engagement; 6.15-6.18, 6.20, 6.32-6.35, 6.36-6.40. financial audit; 4.17-4.18, 4.20, 5.12, 5.17-5.19, 5.21-5.25. performance audit; 7.17, 7.21-7.24, 7.26-7.27, 8.16, 8.19-8.26. pursuing indications of; 4.20, 6.20, 7.26. reporting; 5.12, 5.17-5.19, 5.21-5.25, 6.32-6.40, 8.19-8.26. reporting, direct; 5.21-5.25, 6.36-6.40, 8.22-8.26. GAGAS (generally accepted government auditing standards; see also individual standards); 1.01-1.03. applicability; 1.04-1.08. attestation engagement standards; 1.09, 2.08, 6.01-6.45. compliance with, reporting auditors'; 2.15, 5.05-5.07, 6.29-6.31, 8.30. financial audit standards; 1.09, 2.06, 4.01-4.26, 5.01-5.38. laws, regulations, and guidelines requiring; 1.05-1.06. and nonaudit services; 2.14-2.16. performance audit standards; 7.01-7.71, 8.01-8.57. professional judgment; 3.34. relationship to other standards; 1.09-1.10, 4.01, 5.01, 6.01. illegal acts (see fraud and illegal acts). independence; 3.03-3.32. external impairments; 3.19-3.20. and nonaudit services; 3.07, 3.10-3.18. organizational impairments; 3.21-3.32. organizations, responsibilities of audit; 3.07-3.10, 3.12-3.14, 3.16-3.18, 3.20, 3.26, 3.28, 3.32. and reporting; 3.22-3.32. personal impairments; 3.07-3.18. specialists, using work of; 3.06. 
internal auditing; 3.27-3.29, 3.31-3.32, 5.37, 6.53, 7.16, 8.57. internal control: attestation engagement; 6.13-6.14, 6.32-6.35. and compliance; 5.08-5.11, 6.13, 6.32. components of; 4.03 (footnote). deficiencies; 5.12-5.16, 6.32-6.35, 7.65, 8.16, 8.17-8.18. financial audit; 4.03b, 4.04, 4.10-4.13, 5.08-5.11, 5.12-5.16. management's role; 1.18. performance audit; 2.11, 7.10c, 7.11-7.16, 7.49, 7.65, 8.16, 8.17-8.18. safeguarding resources; 7.13. tests of; 4.12-4.13, 5.08-5.09, 7.60. understanding; 7.14. internal quality control system (see also quality control and assurance); 3.07-3.08, 3.17e, 3.20, 3.49-3.52. issuance and distribution, report (see distribution, report issuance and). laws, regulations, and provisions of contracts or grant agreements (see also fraud and illegal acts; violations of provisions of contracts or grant agreements); 7.10a, 7.12c, 7.17-7.20, 8.23, 8.26. legal counsel; 7.19. letters of comment; 3.54-3.56. limited official use (see distribution, limited, under attestation engagements, financial audits, performance audits). management letters; 5.16, 5.20, 6.35, 8.17, 8.21. management controls (see internal control). management's role (see also officials, responsibilities of); 1.17, 1.18, 1.28, 3.17b, 4.16, 6.12, 7.30. material misstatements, detecting; 4.17-4.18. material weakness; 5.14. methodology and procedures; 7.03, 7.06, 7.14c, 7.17-7.27, 7.32, 8.08, 8.11. nonaudit services; 1.08, 2.14-2.16, 3.08a, 3.10-3.18. objectives; 2.02-2.04, 2.09-2.13. compliance; 2.12, 7.10a, 7.12c. economy and efficiency; 2.10, 7.12a. effectiveness and results; 2.10, 7.10g, 7.12a. internal control; 2.11, 7.12-7.16. performance audit; 2.09-2.13, 7.03-7.06, 7.12-7.16, 7.18a, 8.08-8.12. prospective; 2.13. types of; 2.10-2.13. objectivity (see also auditors' responsibilities; audit organizations' responsibilities; independence); 8.46-8.48. officials, reporting views of responsible (see views of responsible officials). 
officials, responsibilities of (see also management's role); 4.16, 5.23, 6.12, 6.38, 7.30, 8.24. peer review (see also under documentation); 1.27, 3.17g, 3.26, 3.32, 3.49, 3.52-3.56. performance audits; 1.14-1.15, 2.09-2.13, 7.01-7.71, 8.01-8.57. abuse; 7.25-7.26, 8.19-8.26. accomplishments, reporting; 8.48. communication, auditor; 7.39-7.40, 8.17, 8.21, 8.40. compliance; 2.12, 7.07d, 7.12c, 7.19-7.20, 7.49. compliance with GAGAS, auditors'; 8.30. conclusions; 8.20, 8.27, 8.47, 8.49. corrective actions; 7.29-7.30, 8.05, 8.15, 8.31-8.34, 8.40, 8.49. defined; 2.09. distribution, limited; 8.36, 8.55. distribution, report issuance and; 8.36, 8.54-8.57. documentation: access to; 7.69-7.71. audit; 7.22, 7.60, 7.66-7.71. audit plan; 7.41-7.43. of communication; 7.40, 8.17, 8.21. of evidence; 7.54, 7.60, 7.66-7.68. of planning; 7.07. safeguarding; 7.69, 7.71. field work; 7.01-7.71. findings; 7.28, 7.62-7.65, 8.13-8.16, 8.20. fraud and illegal acts; 7.17, 7.21-7.24, 7.26-7.27, 8.16, 8.19-8.26, 8.28. internal control; 2.11, 7.10c, 7.11-7.16, 7.49, 7.65, 8.16, 8.17-8.18. methodology and procedures; 7.03, 7.06, 7.14, 7.17-7.27, 7.32, 8.08, 8.12. objectives; 2.10-2.13, 7.03-7.06, 7.12-7.16, 7.18, 8.08-8.12. planning; 7.02-7.43. plan, preparing an audit; 7.03, 7.14, 7.28, 7.41-7.43. previous engagements, considering results of; 7.29-7.30. privileged and confidential information; 8.35-8.37. program significance; 7.08-7.09. program, understanding; 7.10, 7.12. recommendations; 8.28-8.29. referencing; 8.45. report: contents; 8.07-8.37. elements; 8.38-8.53. form; 8.02-8.06. reporting; 8.01-8.57. accurate; 8.43-8.45. clear; 8.50-8.52. complete; 8.41-8.42. concise; 8.53. convincing; 8.49. objective; 8.46-8.48. timely; 8.39-8.40. reporting, direct; 8.22-8.26. reporting, interim; 8.40. scope; 7.03, 7.05, 7.14b, 7.36, 8.08, 8.10, 8.12, 8.17, 8.30, 8.45. significance; 4.15 (footnote), 4.18 (footnote), 7.08. staffing; 7.35-7.38. supervision; 7.44-7.47. termination of audit; 7.40, 8.06. 
users (of the audit report); 2.04, 7.08-7.09, 8.03, 8.08-8.09, 8.11-8.12, 8.32, 8.39. views of responsible officials; 8.31-8.34. violations of provisions of contracts or grant agreements; 7.17-7.20, 7.26-7.27, 8.16, 8.19-8.21, 8.22-8.26. work of others, considering; 7.32-7.34, 7.70. planning; 4.03, 4.06-4.07, 4.15-4.18, 6.04, 6.06-6.16, 7.02-7.43. previous engagements, considering results of (see also work of others, considering); 4.04, 4.14-4.16, 6.10-6.12, 7.07, 7.29-7.30. privileged and confidential information (see under attestation engagements; financial audits; performance audits). procurement for audits; 1.18f. professional judgment; 1.25, 3.33-3.38, 4.04. program (see also performance audits): aspects; 7.10. significance; 7.08-7.09. program audits (see performance audits). quality control and assurance (see also internal quality control system; see also under documentation); 3.49-3.56. recommendations; 5.15, 6.34, 8.28-8.29. referencing (see under performance audits). reportable conditions (see under financial audits). reporting (see also under attestation engagements; financial audits; performance audits); 1.26, 5.01-5.38, 6.27-6.54, 8.01-8.57. roles and responsibilities (see also audit organizations' responsibilities; auditors' responsibilities; management's role; officials, responsibilities of); 1.17-1.28. scope; 5.08-5.09, 7.03, 7.05, 7.14b, 7.36, 8.08, 8.10, 8.12, 8.17, 8.45. significance; 4.15, 4.18, 7.08-7.09. significance, program (see under program). specialists, use of (see also under documentation); 3.06, 3.48, 7.37. supervision; 4.03, 6.03, 7.44-7.47. users (of the audit report) (see also under financial audits, performance audits); 1.01, 1.22, 1.25-1.26, 2.04, 3.01. views of responsible officials; 5.26-5.30, 6.41-6.45, 8.31-8.34. violations of provisions of contracts or grant agreements (see also laws, regulations, and provisions of contracts and grant agreements): attestation engagement; 6.15-6.18, 6.20, 6.32-6.35, 6.36-6.40. 
financial audit; 4.17-4.18, 4.20, 5.12, 5.17-5.25. performance audit; 7.17-7.20, 7.26-7.27, 8.16, 8.19-8.21, 8.22-8.26. pursuing indications of; 4.20, 6.20, 7.26. reporting; 5.12, 5.17-5.25, 6.32-6.40, 8.19-8.26. reporting, direct; 5.21-5.25, 6.36-6.40, 8.22-8.26. working papers (see documentation). work of others, considering (see also previous engagements, considering the results of); 4.25, 6.25, 7.32-7.34, 7.70. [End of table] FOOTNOTES [1] This document addresses the standards that should be used by the individuals in audit organizations conducting the broad array of work that is described more fully in chapter 2. Accordingly, the focus of this document is not on the wide variety of titles that are used by individuals conducting and reporting on this work, but instead the nature of the work that is being performed. The term "auditor" throughout this document includes individuals who may be titled auditor, analyst, evaluator, inspector, or who may have a similar position. [2] Requirements in GAGAS are identified by statements that include the word "should." Auditors are expected to comply with these requirements if they apply to the type of work being performed. [3] Henceforth, the term "program" will be used in this document to include government establishments, organizations, programs, activities, and functions. [4] Under the Single Audit Act, as amended, federal awards include federal financial assistance (grants, loans, loan guarantees, property, cooperative agreements, interest subsidies, insurance, food commodities, direct appropriations, or other assistance) and cost-reimbursement contracts. [5] This responsibility applies to all resources, both financial and physical, as well as informational resources, whether entrusted to public officials or others by their own constituencies or by other levels of government. 
[6] Other report users may include officials of the audited entity, the audit committee, the board of directors or other audit oversight body, management or auditors of granting or funding agencies, and individuals contracting for or requesting audit services. [7] The three authoritative bodies for establishing accounting principles and financial reporting standards are the Federal Accounting Standards Advisory Board (federal government), the Governmental Accounting Standards Board (state and local governments), and the Financial Accounting Standards Board (nongovernmental entities). [8] Special reports apply to auditors' reports issued in connection with the following: (1) financial statements that are prepared in conformity with a comprehensive basis of accounting other than generally accepted accounting principles; (2) specified elements, accounts, or items of a financial statement; (3) compliance with aspects of contractual agreements or regulatory requirements related to audited financial statements; (4) financial presentations to comply with contractual agreements or regulatory requirements; or (5) financial information presented in prescribed forms or schedules that require a prescribed form of auditors' report. [9] For consistency within GAGAS, the word "auditor" is used to describe individuals conducting and reporting on attestation engagements. [10] An assertion is any declaration or set of declarations made by management about whether the subject matter is based on or in conformity with the criteria selected. [11] The term "internal control" in this document is synonymous with the term management control and, unless otherwise stated, covers all aspects of an entity's operations (programmatic, financial, and compliance). [12] These objectives focus on combining cost information with information about outputs or the benefit provided and outcomes or the results achieved. [13] Compliance requirements can be either financial or nonfinancial in nature. 
[14] If audit organizations provide nonaudit services, audit organizations need to consider whether providing these services creates a personal impairment either in fact or appearance that adversely affects their independence for conducting audits. [15] See chapter 6 for an additional general standard auditors should follow when performing an attestation engagement. [16] Nongovernment auditors should also follow the AICPA code of professional conduct and the code of professional conduct of the state board with jurisdiction over the practice of the public accountant and the audit organization. All auditors should also be aware of and comply with any applicable government ethics laws and regulations and any other ethics requirements (such as those of the state boards of accountancy) associated with their activities. [17] Specialists to whom this section applies include, but are not limited to, actuaries, appraisers, attorneys, engineers, environmental consultants, medical professionals, statisticians, and geologists. This section applies to external consultants and firms performing work for the audit organization. [18] Immediate family member is a spouse, spouse equivalent, or dependent (whether or not related). A close family member is a parent, sibling, or nondependent child. [19] Auditors are not precluded from auditing pension plans that they participate in if (1) the auditor has no control over the investment strategy, benefits, or other management issues associated with the pension plan and (2) the auditor belongs to such pension plan as part of his/her employment with the audit organization, provided that the plan is normally offered to all employees in equivalent employment positions. 
[20] If the auditor has performed nonaudit services for a client that affect information that is the subject of the audit, and management is unable or unwilling to take responsibility for this information, the risk that the auditor may be perceived to have a personal impairment to independence is increased. See paragraphs 3.10 through 3.18 for additional guidance on impairments to independence associated with the scope of services that may be provided by audit organizations to entities they audit. [21] The auditor needs to be free from this personal impairment for the period covered by the activity under audit, including any financial statements being audited, and for the period in which the audit is being performed and reported. [22] See footnote 21. [23] Auditors participating in the audit assignment need to be free from personal impairments. This includes those who review the work or the report, and all others within the audit organization who can directly influence the outcome of the audit. [24] GAO has issued further guidance in the form of questions and answers to assist in implementation of the standards associated with nonaudit services. This guidance, Answers to Independence Standard Questions, can be found on GAO's Government Auditing Standards Web page (http://www.gao.gov/govaud/ybk01.htm). [25] The determination of account balances is used by management to prepare financial statements, such as determining for management the balance of accounts receivable or accounts payable or the value of inventory as of a specific date. [26] Entity assets are intended to include all of the entity's property including bank accounts, investment accounts, inventories, equipment or other assets owned, leased, or otherwise in the entity's possession, and financial records, both paper and electronic. [27] Personnel who provided the nonaudit service are permitted to convey to the audit assignment team the knowledge gained about the audited entity and its operations. 
[28] If the audit organization has prepared draft financial statements and notes and performed the financial statement audit, management should acknowledge the audit organization's role in preparing the financial statements and related notes and management's review, approval, and responsibility for the financial statements and related notes in the management representation letter. Likewise, if the audit organization converts cash-based financial statements to accrual-based financial statements, management should also acknowledge the audit organization's role in reflecting accruals and management's review, approval, and responsibility for the accrual adjustments in the management representation letter. A management representation letter is required by generally accepted auditing standards (GAAS) and GAGAS. [29] Proposing adjusting and correcting entries that are identified during the audit is a routine byproduct of audit services that is always permissible so long as management makes the decision to accept the entries. [30] The Office of Management and Budget prohibits an auditor who prepared the entity's indirect cost proposal from conducting the required audit when indirect costs recovered by the entity during the prior year exceeded $1 million under OMB Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, Subpart C.305(b), revised June 24, 1997. [31] Legislative bodies may exercise their confirmation powers through a variety of means as long as they are involved in the approval of the individual to head the audit organization. This involvement can be demonstrated by approving the individual after the appointment or by initially selecting or nominating an individual or individuals for appointment by the appropriate authority. [32] Statutory authority to issue a subpoena to obtain the needed records is one way to meet the requirement for statutory access to records. 
[33] If GAAP is not the basis of accounting being used on a particular assignment, then auditors should be knowledgeable about the appropriate accounting principles used, such as regulatory accounting principles. [34] Public accountants licensed on or before December 31, 1970, or persons working for a public accounting firm licensed on or before December 31, 1970, are also considered qualified under this standard. [35] Although staff members must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on a GAGAS assignment as discussed in paragraph 3.42, individual auditors have 2 years from the date they start an audit or attestation engagement conducted under GAGAS to comply with the CPE requirements. [36] Staff members not involved in planning, directing, or reporting on the audit or attestation engagement, and who charge less than 20 percent annually of their time to audits and attestation engagements following GAGAS, do not have to comply with the 24-hour CPE requirement. [37] This guidance, Interpretation of Continuing Education and Training Requirements, can be found on GAO's Government Auditing Standards Web page (http://www.gao.gov/govaud/ybk01.htm). [38] Audit organizations should have an external peer review conducted within 3 years from the date they start (that is, start of field work) their first assignment in accordance with GAGAS. Subsequent external peer reviews should be conducted every 3 years. Extensions of these time frames beyond 3 months to meet the external peer review requirements can only be granted by GAO and should only be requested for extraordinary circumstances. [39] "Professional standards" refers to both the auditing standards and quality control standards used by the reviewed audit organization. [40] To date, the Comptroller General has not excluded any field work standards or SASs. 
[41] The term "financial statements" refers to a presentation of financial data, including accompanying notes, derived from accounting records and intended to communicate an entity's economic resources or obligations at a point in time or the changes for a period of time in conformity with an identifiable framework, such as generally accepted accounting principles (GAAP) or another comprehensive basis of accounting. Audits of financial statements include all services governed by the AICPA SASs for which the auditors are engaged to provide a level of assurance on the fair presentation of financial statements in accordance with stated criteria. [42] The term "special report" applies to auditors' reports issued in connection with the following: (1) financial statements that are prepared in conformity with a comprehensive basis of accounting other than GAAP; (2) specified elements, accounts, or items of a financial statement; (3) compliance with aspects of contractual agreements or regulatory requirements related to audited financial statements; (4) financial presentations to comply with contractual agreements or regulatory provisions; or (5) financial information presented in prescribed forms or schedules that require a prescribed form of auditors' report. Under GAGAS, an audit of financial statements prepared in conformity with a comprehensive basis of accounting other than GAAP (item 1 above) would be subject to the same GAGAS requirements applicable to audits of financial statements prepared in conformity with GAAP. [43] The AICPA standards incorporate the concepts contained in Internal Control - Integrated Framework, published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. Internal control consists of five interrelated components, which are (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. 
The objectives of internal control relate to (1) financial reporting, (2) operations, and (3) compliance. Safeguarding of assets is a subset of these objectives. In that respect, internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of assets. [44] This requirement applies only to situations where the law or regulation specifically identifies the entity to be audited, such as an audit of a specific agency's financial statements required by the Chief Financial Officers Act of 1990, as expanded by the Government Management Reform Act of 1994. Situations in which the mandate to audit financial statements applies to entities not specifically identified, such as audits required by the Single Audit Act Amendments of 1996, are excluded. [45] For example, when engaged to perform audits under the Single Audit Act Amendments of 1996 for state and local government entities and nonprofit entities that receive federal awards, auditors should be familiar with the Office of Management and Budget (OMB) Circular A-133 on single audits. The act and circular include specific audit requirements, mainly in the areas of internal control and compliance with laws and regulations, that exceed the minimum audit requirements in the standards in chapters 4 and 5 of this document. Audits performed under the Chief Financial Officers Act of 1990, as expanded by the Government Management Reform Act of 1994, also have specific audit requirements prescribed by OMB in the areas of internal control and compliance. In addition, some state and local governments may have additional audit requirements that the auditors would need to consider in planning the audit. [46] Significant findings and recommendations are those matters that, if not corrected, could affect the results of the auditors' work and the auditors' conclusions and recommendations about those results. 
[47] The terms "material" and "significant" are synonymous under GAGAS. "Material" is used in the AICPA standards in relation to audits of financial statements. "Significant" is used in relation to other types of audits governed by GAGAS, such as performance audits, where the term "material" is generally not used. [48] Two types of misstatements are relevant to the auditors' consideration of fraud in an audit of financial statements-- misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement in the financial statements is intentional or unintentional. [49] Indirect illegal acts are violations of laws and regulations having material but indirect effects on the financial statements. [50] Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Thus, when auditors disclose matters that have led them to conclude that an illegal act is likely to have occurred, they should not imply that they have made a determination of illegality. [51] For example, in a financial statement audit, auditors might find abuse when examining sensitive payments such as travel of senior management officials to locations chosen for personal reasons rather than less costly locations which would have been appropriate to satisfy the business objectives of the travel. While auditors generally will not view travel expenses of senior management officials as quantitatively material to the financial statements, this expense generally would be considered qualitatively material to the financial statements. [52] This documentation requirement does not increase the auditors' responsibility for testing internal control but is intended to assist the auditors in ensuring that audit objectives are met and audit risk is reduced to an acceptable level. 
[53] To date, the Comptroller General has not excluded any reporting standards or SASs. [54] If the auditor is performing an audit in accordance with OMB Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, the thresholds for reporting are defined in the circular. These reporting thresholds are sufficient to meet the requirements of GAGAS. [55] AICPA standards define reportable conditions as significant deficiencies in the design or operation of internal control that could adversely affect the entity's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements. [56] The AICPA standards define a material weakness as a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions. [57] Common sources for criteria include laws, regulations, policies, procedures, and best or standard practices. The Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999) and Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are two sources of established criteria auditors can use to support their judgments and conclusions about internal control. The related Internal Control Management and Evaluation Tool (GAO-01-1008G, Aug. 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing internal control. [58] See paragraph 4.19 for a discussion of abuse. 
[59] Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Thus, when auditors disclose matters that have led them to conclude that an illegal act is likely to have occurred, they should not unintentionally imply that a final determination of illegality has been made. [60] Auditors should include information about fraud or abuse in the audit reports required by paragraph 5.08 as applicable to internal control and compliance with laws, regulations, and provisions of contracts and grant agreements. [61] Internal audit organizations do not have a duty to report outside that entity unless required by law, rule, regulation, or policy. See paragraph 3.28 for reporting requirements for internal audit organizations when reporting externally. [62] See the Single Audit Act Amendments of 1996 and Office of Management and Budget (OMB) Circular A-133 on single audits for the distribution of reports on single audits of state and local governmental entities and nonprofit organizations that receive federal awards. [63] To date, the Comptroller General has not excluded any field work standards, reporting standards, or SSAEs. [64] GAGAS incorporate only one of the AICPA general standards for attestation engagements. [65] See chapter 2 for examples of subjects of attestation engagements. [66] As stated in the AICPA SSAEs, auditors should not perform review-level work for reporting on internal control or compliance with laws and regulations. [67] This requirement applies only to situations in which the law or regulation specifically identifies the entity to be subject to an attestation engagement. Situations in which the mandate to have an attestation engagement not specifically identified, such as attestation engagements required by the U.S. Department of Education, are excluded. 
[68] Significant findings and recommendations are those matters that, if not corrected, could affect the results of the auditors' work and the auditors' conclusions and recommendations regarding those results. [69] Although not applicable to attestation engagements, the AICPA SASs may provide useful guidance related to internal control for auditors performing attestation engagements in accordance with GAGAS. In addition, auditors performing attestation engagements may wish to refer to the internal control guidance published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), which incorporates the relevant guidance developed by COSO, provides definitions and fundamental concepts pertaining to internal control at the federal level and may be useful to auditors at any level of government. The related Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001) based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing internal control. [70] Fraud is a type of illegal act involving the obtaining of something of value through willful misrepresentation. Although not applicable to attestation engagements, the AICPA SASs may provide useful guidance related to fraud for auditors performing attestation engagements in accordance with GAGAS. [71] For example, in an attestation engagement that has as its subject reporting on an entity's internal controls over compliance with specified requirements governing the procurement of motor vehicles, auditors might find abuse when considering purchases of passenger cars for official senior management use if costly luxury cars were purchased when less expensive models would have been appropriate. 
While auditors generally will not view the procurement of costly luxury cars as quantitatively significant to the subject matter, this action generally would be considered qualitatively significant to the subject matter or assertion. [72] Auditors may meet this requirement by listing voucher numbers, check numbers, or other means of identifying specific documents they examined. Auditors are not required to include copies of documents they examined as part of the attest documentation, nor are auditors required to list detailed information from those documents. [73] Auditors should, however, follow the report distribution standard (see paragraphs 6.49 through 6.54). [74] Whether a particular act is, in fact, illegal may have to await final determination by a court of law. Thus, when auditors disclose matters that have led them to conclude that an illegal act is likely to have occurred, they should not unintentionally imply that a final determination of illegality has been made. [75] Common sources for criteria are laws, regulations, policies, procedures, best or standard practices, or assertions. The Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999) and Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are two sources of established criteria auditors can use to support their judgments and conclusions about internal control. The related Internal Control Management and Evaluation Tool (GAO-01-1008G, Aug. 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing internal control. [76] Internal audit organizations do not have a duty to report outside that entity unless required by law, rule, regulation, or policy. See paragraph 3.28 for reporting requirements for internal audit organizations when reporting externally. 
[77] See discussion of the elements of a finding in paragraph 7.28 and paragraphs 7.62 through 7.65. [78] This chapter uses only the term "program;" however, the concepts presented also apply to audits of entities, activities, and services. [79] Refer to the internal control guidance contained in Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As discussed in the COSO study, internal control consists of five interrelated components, which are (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. The objectives of internal control relate to (1) financial reporting, (2) operations, and (3) compliance. Safeguarding of assets is a subset of these objectives. In that respect, internal control should be designed to provide reasonable assurance regarding prevention of or prompt detection of unauthorized acquisition, use, or disposition of assets. In addition to the COSO document, the publication, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), which incorporates the relevant guidance developed by COSO, provides definitions and fundamental concepts pertaining to internal control at the federal level and may be useful to other auditors at any level of government. The related Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing the internal control structure. [80] Violations of laws or regulations are illegal acts. [81] Many government entities have these activities identified by other names, such as inspection, appraisal, investigation, organization and methods, or management analysis. These activities assist management by reviewing selected functions. 
[82] Paragraphs 7.32 through 7.34 discuss relying on the work of others. [83] Fraud is a type of illegal act involving the obtaining of something of value through willful misrepresentation. [84] The terms "material" and "significant" are synonymous under GAGAS. "Material" is used in the AICPA standards in relation to audits of financial statements. "Significant" is used in relation to other types of audits governed by GAGAS, such as performance audits, where the term "material" is generally not used. [85] For example, in a performance audit of management's efficient use of funds for office building maintenance, auditors might find abuse if renovation of senior management's offices far exceeds usual office space specifications. While auditors might not view the renovation costs as quantitatively significant to the audit results, these expenses would be considered qualitatively significant to this audit objective. [86] Significant findings and recommendations are those matters that, if not corrected, could affect the results of the auditors' work and the auditors' conclusions and recommendations about those results. [87] Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include copies of documents they examined as part of the audit documentation, nor are they required to list detailed information from those documents. [88] When computer-processed data are included in the report for background or informational purposes and are not significant to the auditors' findings, citing the source of the data and stating that they were not verified will satisfy the reporting standards. 
[89] Appropriate background information may include information on how programs and operations work; the significance of programs and operations (e.g., dollars, impact, purposes, and past audit work if relevant); a description of the audited entity's responsibilities; and explanation of terms, organizational structure, and the statutory basis for the program and operations.

[90] Common sources for criteria include laws, regulations, policies, procedures, and best or standard practices. The Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999) and Internal Control--Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) are two sources of established criteria auditors can use to support their judgments and conclusions about internal control. The related Internal Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the federal internal control standards, provides a systematic, organized, and structured approach to assessing internal control.

[91] Significant deficiencies are those matters coming to the auditor's attention that, in the auditor's judgment, affect the results of the auditors' work and the auditors' conclusions and recommendations about those results.

[92] Whether a particular act is, in fact, illegal may have to await final determination by a court of law. Thus, when auditors disclose matters that have led them to conclude that an illegal act is likely to have occurred, they should take care not to unintentionally imply that a final determination of illegality has been made.

[93] See paragraphs 8.22 through 8.26 for additional reporting considerations.

[94] Internal audit organizations do not have a duty to report outside the entity unless required by law, rule, regulation, or policy. See paragraph 3.28 for reporting requirements for internal audit organizations when reporting externally.